Managing risk is imperative for successful leadership in today’s business world. Leaders must develop processes like enterprise risk management (ERM) to improve their ability to manage risks effectively. ERM cuts across an organization’s silos to identify and manage a spectrum of risks. Consider these ERM action items:
1. Resolve to proactively manage risks, rather than react to them. Implementing ERM takes total commitment by management, as well as recognition by the board of its responsibility.
2. Clarify the organization’s risk philosophy. As discussed in the COSO ERM framework (Enterprise Risk Management—Integrated Framework), organizations need to know their risk capacity in terms of people capability and capital. The board and management must come to an understanding, factoring in the risk appetite of all significant stakeholders.

3. Develop a strategy. Since risk relates to the events or actions that jeopardize achieving the organization’s objectives, effective risk management depends on an understanding of the organization’s strategy and goals. One of the benefits of ERM implementation is the revelation that those responsible for achieving the objectives have varying degrees of understanding about them. ERM helps get everyone on the same page.

4. Think broadly and examine carefully events that may affect the organization’s objectives. This involves taking your business and industry apart. Pore over your strategy, its key components and related objectives. Use a variety of identification techniques such as brainstorming, interviews, self-assessment, facilitated workshops, questionnaires and scenario analyses. In selecting among these techniques, consider how rigorously each business unit can implement them, and whether openness among the participants would result. Analyze how both external and internal events can change the organization’s risk landscape. This initial effort does not have to take months to accomplish. Start with a top-down approach. Begin to identify risks through workshops or interviews with executive management and by focusing on strategies and related business objectives.

5. Assess risks. Initially, try to reach a consensus on the impact and likelihood of each risk. Placing risks on a risk map can be a valuable focal point for further discussion. As the risk assessment process matures, consider applying more sophisticated risk measurement tools and techniques.

6. Develop action plans and assign responsibilities. Every risk must have an owner somewhere in the organization. Manage the biggest risks first and gain some early wins.

7. Maintain the flexibility to respond to new or unanticipated risks. Put a business continuity and crisis management plan into place. If your organization is in a volatile environment, you should anticipate even more unknowns.

8. Use metrics to monitor the effectiveness of the risk management process where possible.

9. Communicate the risks identified as critical. Circulate risk information throughout the organization. The board of directors and audit committee should be given regular reports on the key risks facing the organization. It is not acceptable to identify important risks and never communicate them to the appropriate people.
10. Embed ERM into the culture. Integrate the knowledge of risks in your internal audit planning, balanced scorecards, budgets and performance management system. Leverage your organization’s compliance with SOX section 404 to benefit ERM implementation. The focus by PCAOB Auditing Standard No. 5 and the SEC’s new management guidance on “top-down” risks provides an opportunity to leverage compliance to enhance shareholder value through ERM.
— By Paul L. Walker, CPA, Ph.D., associate professor of accounting at the University of Virginia, and William G. Shenkir, CPA, Ph.D., professor emeritus at the University of Virginia. Their e-mail addresses are, respectively, pw4g@virginia.edu and wgs2z@virginia.edu. The authors have taught ERM for businesses and executives worldwide. They have co-authored three books on ERM and have consulted with COSO on the ERM framework.