Organizations manage risk by nature, whether it is through a formal enterprise risk management (ERM) process or in an informal manner. Every time your organization’s board of directors or top management determines a strategy or makes a decision regarding business objectives, it is implementing the principles of ERM. This article examines informal decision-making processes and how they naturally follow the principles of ERM. The article suggests that in order to protect stakeholders, a formalized ERM process should be put in place.
Let’s look at a traditional informal decision process. By informal we are referring to a decision process that does not follow set policies outlined in an ERM program to make decisions. The process generally goes something like this:
A mid-level manager brings up an issue and a resolution. She states her case to a top-level manager, including the benefits of the solution offered. The top manager then in some way performs a cost/benefit analysis and either approves or disapproves of the resolution to the issue. If approved, the mid-level manager integrates the resolution into the business objectives, and reviews the resolution’s performance to ensure it was an effective decision.
In this case principles of ERM are present. If we look at each step a little closer we can expose these principles.
A risk management context is established in this step. The mid-level manager understands that a risk is present and is caused by the issue at hand. She has an understanding of the current conditions of her organization and thus has identified an organizational risk within the context of the business objectives.
Further, as stated, the mid-level manager has identified a risk to the organizational objectives. Though the process for identification in our example is not formalized (that is, no documentation of the issues is mentioned), a risk has nevertheless been identified. The process of identifying the issues shows that the mid-level manager is conscious of organizational objectives and the process of achieving them to maintain a competitive advantage.
In our example, we do not provide the details as to how this analysis was performed by the top-level manager. In some cases, this analysis is experience-based, which yields responses like, “we tried that before, it didn’t work.” Or, the decision is based on an understanding of the organization’s financial situation. In any case, the decision was made using ERM principles.
The top-level manager analyzed and quantified the risks associated with the issue and the proposed resolution. Our top-level manager completed the analysis using factors that assisted in determining the probability of the expected outcome and the impact on the organization’s key metrics: in most cases, the cost of the resolution and its effect on the organization’s bottom line.
The approval of the resolution means that the top-level manager in some way has assessed the risk and established a priority for its treatment. This entails two principles of an ERM program: the assessing and prioritizing of risks, as well as treating and exploiting risks. Our top-level manager understood the contribution of the risk to business objectives and made the treatment a priority to control the potential distribution of the risk.
In our story, the mid-level manager was successful in identifying a risk and obtaining approval to treat the risk. In order to assess the decision, she will need to track the resolution’s performance and monitor the resolution’s effect on continuous improvement. She does this for two reasons: to ensure her department is operating at an optimal level and meeting business objectives, and to maintain a record of her own performance.
However, what our story does not expose are the dangers of an informal internal process for managing risk. ERM focuses on an organization’s ability to manage all risks with an objective of maintaining acceptable returns. With that said, if the above process is implemented for every decision, then there is an inherent risk that the informal, “shoot from the hip” process will potentially end in a disastrous decision.
Let’s look at the example, “we tried that before, it didn’t work.” This deals with an opportunity or potential return from taking a risk in making a decision that could directly improve business performance and attain business objectives at a more rapid pace. If the resolution is not examined in a formal process, taking all factors into consideration, such as new employees, a different vendor, or a new strategy, our example business could potentially miss out on a substantial opportunity.
An ERM framework can be applied to all businesses, no matter the size or the industry. Implementing an ERM framework is essential and, in our opinion, not an optional business practice. ERM and its establishment are essential to understanding the implications of risks and opportunities on the organization. If a formal system for addressing risk is not established, the results could prove detrimental.
Article by Matthew Arnold