In 2019, 57% of senior-level executives reported they were ill-prepared to address business risk and compliance. This comes as no surprise, with only 36% of organizations adopting a formal enterprise risk management (ERM) program.
It’s clear that we have a problem. Corporations are failing to address the risks inherent in their business, and lack the appropriate risk management systems.
Because of this, we at FAT FINGER want to offer a helping hand. We want to help organizations take control of risk and address this risk using ERM solutions.
In this FAT FINGER article, you’ll learn what enterprise risk management is, and why this approach should be used over traditional risk management methods. We’ll present ERM as a process to help you implement your ERM strategy, before discussing how you can use cloud technology (such as FAT FINGER) to manage enterprise-level risk.
- What is ERM?
- Limitations of traditional risk management approaches
- Enterprise risk management as a process
- The future of risk management: How cloud technologies and analytics accelerate the power of ERM
With that said, let’s jump straight to it!
What is ERM?
ERM is an acronym that stands for Enterprise Risk Management. ERM is a methodology that considers risk management from the perspective of an entire firm, to develop a strategy that addresses organizational risk.
The ERM methodology replaces traditional approaches to risk management. Traditional risk management considers risk from the perspective of isolated business units. With this, each business unit would have a separate risk manager. For instance, the Chief Technology Officer (CTO) is responsible for managing risk to an organization’s IT operations. A Chief Operating Officer is responsible for managing production and distribution risk. Each functional leader has one job, that is, to manage the risk associated with their unit specifically.
The problem with this traditional approach is that, as a business grows, it will take on multiple divisions or business segments. Having a separate risk manager for each segment leads to inefficiency and makes it more likely that risk is misrecognized. These business units are unable to see the risk exposure of other business divisions, or how these risks interact over time and impact the organization as a whole.
ERM considers the risk each business unit faces, and then supports coordination and communication between these business units. Each business unit contributes to an organization’s risk portfolio, which is managed by a dedicated risk management team that’ll oversee the workings of the entire firm.
Limitations of traditional risk management approaches
Traditional risk management approaches rely on isolated risk reports, which cause limitations, such as:
- Limitation #1: Certain risks won’t fall into a specific business segment. An example would be climate change threatening the supply of a vital business resource. If the business does not have a department dedicated to environmental management, this risk could fall between the boundaries of an organization’s isolated units.
- Limitation #2: Risk will impact business units in different ways. One risk might seem innocuous for one business unit, but could be severely detrimental for another business unit. What’s more, the cumulative impact of a given risk on multiple business units could have a significant impact on the company at large.
- Limitation #3: A unit manager may respond to risk in a way that seems appropriate to that unit in question. However, this risk response may impose a significant risk on other business units.
- Limitation #4: Traditional risk management tends to have an internal focus, looking at the risks that lie within a business, rather than the risks that are external to a business. In addition, traditional risk management approaches rarely consider an entity’s strategic plan. This is because the leaders of each business unit have not been involved in the strategic planning process. Risk is therefore not considered in regard to a company’s strategy.
Enterprise risk management as a process
It’s important to regard ERM as an ongoing process of risk management. Look at a given ERM strategy as a living, active risk management approach. Once an ERM management team begins the ERM process, they embark on a constant journey to regularly identify, assess, respond to, and monitor risks related to the organization’s core business model.
The starting point for ERM is to gain an understanding of what currently drives value for the business, and what’s in the strategic plan to build new value drivers for the business. This means thinking about what’s most important for the business’s short-term and long-term success.
With this rich understanding, an ERM management team is then well-positioned to move through the ERM process. Management can focus on identifying risks that might impact the continued success of each of the key value drivers. For instance, how might risks emerge that impede the launch of a new strategic initiative?
The ERM process
- Step #1 – Establishing context: This includes an understanding of the current conditions in which the organization operates in terms of internal and external risks, plus strategic objectives and future risks.
- Step #2 – Identifying risks: Risks to key value drivers need to be identified. This includes documentation of the material barriers that impede organizations in their ability to achieve objectives, and includes areas the organization may exploit for a competitive advantage.
- Step #3 – Analyzing/quantifying risk: Risk is calibrated using a probability distribution of outcomes for each material risk (measuring risk likelihood), plus a measurement of risk impact.
- Step #4 – Integrating risks: All identified risks (plus their likelihood and impact) are aggregated to identify correlations between risks and how these impact businesses’ key performance objectives and overall strategy.
- Step #5 – Assessing/prioritizing risks: The contribution of each risk to the aggregate risk profile is determined. Certain risks are then prioritized over others.
- Step #6 – Treating/exploiting risks: Strategies are developed to manage the identified risks, starting with the highest priority risks first. A response strategy could be to accept, share, mitigate or avoid risk.
- Step #7 – Monitoring and reviewing: The risk environment is continually measured and monitored to determine the performance of the risk management strategies implemented.
Choosing the right risk response strategy to treat organizational risk
During step #6 of the ERM process, a risk response strategy is chosen to treat/exploit the identified risks. There are different types of response strategies that can be selected, such as:
- Avoidance: Activities that present the identified risk are stopped.
- Reduction: Actions are taken to reduce the likelihood or the impact of risk.
- Alternative actions: Other feasible steps are considered as alternatives to the risky processes implemented.
- Share or insure: Risk is transferred or a portion of the risk is shared, usually via an insurance policy.
- Accept: No action is taken and the risk is accepted, usually after a cost/benefit analysis indicates this is the best action to take.
Understanding the different types of business risk
In 2003, the Casualty Actuarial Society (CAS) defined four types of risk that an ERM system needs to be able to manage. These risk types include:
- Hazard risk: Includes liability torts, property damage and natural catastrophe.
- Financial risk: Includes pricing risks, asset risks, currency risks and liquidity risks.
- Operational risk: Includes customer satisfaction, product failure, integrity, reputational risk, internal poaching and knowledge drain.
- Strategic risk: Includes competition, social trend and capital availability.
It’s important to be aware of these risk types, and categorize identified risk items accordingly. Knowing the risk type helps you implement an effective mitigation strategy.
The future of risk management: How cloud technologies and analytics accelerate the power of ERM
To help businesses with their ERM solution, cloud technology has been utilized to develop ERM assistance tools. Cloud technology has accelerated the power of ERM in three essential ways:
- The ERM process is more data-driven: Traditional ERM has had a top-down focus. Business leaders delineate enterprise risk as they perceive this risk. Technology backs up observation with measures, creating a reliable bottom-up, data-based ability to classify existing risk and identify new risk. The more your business incorporates ERM into your business processes, collecting data around these processes, the more powerful your ERM solution will be.
- The ERM process is user-friendly: Cloud technology simplifies the ERM process. Before cloud applications and devices were developed, organizations mainly relied on spreadsheets, websites, and email for their risk management processes. This meant ERM processes and actions were uncoordinated and spread across multiple applications. This haphazard approach caused confusion among users. Cloud technology centralizes the ERM process, increasing process effectiveness and ease.
- The ERM process is more secure: Before cloud technology, ERM processes relied on multiple platforms (Excel, websites and email). This meant there was an absence of secure risk governance processes, creating opportunities for data breaches. Cloud technology is designed with security functions in place, reducing cyber-security risk.
With the above benefits in mind, you can see how cloud technology has revolutionized the ERM space. To bring this technology to your organization’s risk and compliance effort, you need to look for a purpose-built ERM solution that’s able to give you the following:
- Simplicity: You want to use an ERM solution that’s easy for all stakeholders to use. This is crucial because you need multi-stakeholder engagement to be effective. ERM is not a standalone process and relies on deep integration within existing business systems. Every business process needs to feed risk-relevant data into your ERM solution. This means your business can account for every operation to devise full company-wide risk management operations.
- Integration: Building a risk management system that acts across the enterprise means every business operation needs to be integrated into the risk management system. ERM cloud solutions can be isolated and separated from the rest of the organization, as one person’s or a group’s responsibility. Siloed risk management will not reach every business unit and will fail to spot important risk items. The ERM solution needs to be integrated into an organization’s culture, used by everyone, with a collaborative and systemic adoption.
- Engagement: This factor is also relevant to a tool’s simplicity. Simple tools will improve engagement because they are user-friendly. You also want to choose a tool that’s intuitive. The ERM solution needs to engage frontline and organizational leaders so that it becomes part of everyone’s daily responsibilities and decision-making.
- Standards and best practices: An ERM solution needs to embody standards and best practices. Important standards to note include ISO 31000 International Standard for Risk Management, published on the 13th November 2009. ISO 31000 has an accompanying standard, ISO 31010 Risk Assessment Techniques, which was published on December 1st 2009, together with the updated Risk Management Vocabulary ISO Guide 73. An ERM solution must have the means of incorporating these standards.
Cloud technology represents the future of ERM. This technology is pervasive and data-driven, making it an integral part of every decision and process.
Use FAT FINGER as your cloud-technology ERM solution
FAT FINGER acts as an ERM solution. With FAT FINGER you can document every business process, integrate these processes together, identify risk areas and collect process data in real-time. Processes are securely stored yet accessible to the relevant personnel at any time, from anywhere, giving full operational transparency across a business.
FAT FINGER is an effective ERM solution by offering the following:
- Simplicity: Documenting business processes in FAT FINGER uses a simple drag-and-drop functionality. This empowers anyone to digitize business operations in seconds. FAT FINGER then collects process data and presents this data in a real-time management dashboard, which users can customize to graphically represent this data as required. FAT FINGER simplifies and streamlines process documentation and data collection to easily identify process risk items and alleviate risk.
- Integration: Documented processes in FAT FINGER can be linked together using FAT FINGER’s integrations feature. What’s more, this feature can link FAT FINGER to other applications, such as your CRM, connecting work done by multiple departments.
- Engagement: FAT FINGER’s simplicity means no formal training is needed to use the application, making the tool accessible to every team within a company. Running a documented process in FAT FINGER requires active participation from the user, engaging users in the process.
- Standards and best practice: Standards and best practices can be integrated within business operations, documenting these standards as process tasks. You can document ISO 31000 standards as a separate process, to run this risk management process alongside other documented business operations.
Digitized cloud technology such as FAT FINGER offers a fluid platform that every team member can easily engage with, to the greater benefit of the organization. Documenting business operations collects risk-relevant data from these operations, meaning risk management becomes integral to every activity across an organization. Using a robust application like FAT FINGER to drive ERM solutions makes risk management part of every activity across a business. ERM becomes the fabric of everything everyone does.
What are you waiting for?
By utilizing ERM software tools, you can keep your business on track to meet your broader business goals and increase your chance of success, despite inherent risks.