You are here
Next steps in your enterprise risk management journey
All forms of business operations and growth carry risks.
Many organisations manage these risks by implementing some form of enterprise risk management (ERM) systems.
With the continuously evolving risk landscape and risk management standards, organisations have started to ask the question: How can we further mature our ERM programme – to ERM 2.0 as it were?
The latest ERM good practices and hot topics among company boards and senior management seem to converge on a few pertinent questions:
- How can we continuously streamline the ERM process to improve user-friendliness and efficiency, while improving the timeliness and quality of risk information reported?
- Are we able to leverage on various sources of existing data and information to further improve the robustness of our risk identification, assessment and monitoring process?
- How can we use the valuable output from our ERM process to continuously guide and challenge strategic decision-making?
- Can we minimise potential "blind spots" in our risk identification and assessment efforts?
- How do we continuously and effectively drive the right risk behaviours across the organisation?
The answers to these questions may lie in some of the latest ERM trends and initiatives we have seen in the industry. But organisations will need to ensure that their ERM roadmap is progressive and tailored to the individual needs and context of their business.
In our view, the journey towards ERM 2.0 is underpinned by four key pillars: exploring risk inter-connectivity; linking risk management to strategy; implementing a technology-enabled ERM; and breaking through the barriers of risk culture.
Exploring risk inter-connectivity
Risks can be inter-connected in various ways. A risk may have a causal or consequential relationship with another. Risks may also have common causes or drivers.
Risks exposures, where there is a connection, can be either positively or negatively co-related. Positively co-related risks increase or decrease in risk exposure correspondingly, while an increase in exposure of a risk will result in a decrease in exposure of negatively co-related risks.
It is important to note that connections between risks can have varying degrees of strength. Strong co-relations between risks indicate a higher probability of interactions should one risk materialise.
Besides exploring the inter-connectivity between risks, another dimension is risk velocity, which can be defined as the time taken for the full impact of the risk to affect the organisation should it materialise. Evaluating risk velocity may give organisations insights into the state of preparedness that should be maintained to react to potentially high velocity risk events.
Linking risk management to strategy
Many organisations today still find it challenging to put into practice the continuous linkage and feedback between risk management and strategic decision-making. Strategic objectives are often used as starting points for risk identification and assessment.
In cases where organisations have successfully established a structured and consistent process to integrate risk management with strategy, we have observed marked improvements not only in the robustness and speed of risk-based decision-making, but also breakthroughs in the understanding and appreciation of risk management among stakeholders.
To effectively link ERM with strategic decision-making, the set up and role of the risk management function is central. The Chief Risk Officer (CRO), or equivalent, of the organisation has an important role to play not only in leading risk discussions, but often providing differing views to challenge senior management at key junctures within the strategic planning or decision-making process.
Implementing a technology-enabled ERM
Technology is a key enabler to build a connected and integrated ERM framework. It allows boards and senior management to focus on the most critical risk areas and make decisions based on most updated risk information.
ERM processes can be enhanced with more timely and accurate reporting of information from operations and improved consistency of risk management practices. Technology allows organisations to deploy "sensors" within operational processes and functions and perform analysis on the data and information collected, in order to improve timeliness of risk escalation and management.
Despite the numerous benefits of technology enablement in ERM, common roadblocks include cost and overall ERM maturity. In our view, while the cost of automation may fall as technology advances, the key consideration of whether to purchase an off-the-shelf system or build a customised solution still remains. Organisations are strongly encouraged to consider the pros and cons of both models to make an informed decision.
Breaking through the barriers of risk culture
Risk culture is the most critical enabler to a successful and sustainable ERM programme. To build a culture where desired risk thinking and behaviours are "business-as-usual" for stakeholders, there must be continuous efforts to emphasise the role of ERM and incentivise good risk practices in line with organisational objectives. It is critical to start this from the onset of ERM framework development.
Boards and senior management today generally have good risk awareness. At operational levels, risk awareness and understanding may manifest more on specific topics, such as health and safety, and data confidentiality risks.
But many organisations still find it challenging to mature risk culture from strong awareness to true appreciation of the value proposition of ERM and ultimately drive the right risk behaviours.
As stakeholders become increasingly focused in in-depth risk discussions, it may be difficult to constantly maintain a high degree of objectivity. These are some mental traps that should be managed:
- Recency effect – Placing greater emphasis on the most recent information we have received, which may not always be the most critical, to make decisions.
- Anchoring bias – An illogical tendency to "attach" ourselves to information we first see or hear during a discussion.
- Uncertainty effect – An over-aversion to uncertainty which may sometimes lead to a risky prospect is valued less than its worst possible outcome. This may result in the over-emphasis or overreaction to risk events.
- Status quo bias – A preference for things to remain the same by not making changes even though the status quo may not be the best course of action.
ERM is not a static exercise but a continuous journey to improve an organisation's ability to anticipate and manage its risks.
There is no "one size fits all" ERM programme and something you can easily buy off the shelf. ERM is best tailored to the context of your organisation, taking into account factors such as size, nature of operations and resources available.
Jonathan Ho is Head of Internal Audit, Risk & Compliance, and Head of Enterprise Market, KPMG in Singapore and Tea Wei Li is Partner, Risk Consulting, KPMG in Singapore.
This article is part of a series brought to you in partnership with CPA Australia to share knowledge on topical issues relevant to business, finance and accounting.