Managing risk is imperative for successful leadership in today’s business world. Leaders must develop processes like enterprise risk management (ERM) to improve their ability to manage risks effectively. ERM cuts across an organization’s silos to identify and manage a spectrum of risks. Consider these ERM action items:
Resolve to proactively manage risks , rather than react to them. Implementing ERM takes total commitment by management, as well as recognition by the board of its responsibility.
Clarify the organization’s risk philosophy. As discussed in the COSO ERM framework (Enterprise Risk Management—Integrated Framework), organizations need to know their risk capacity in terms of people capability and capital. The board and management must come to an understanding, factoring in the risk appetite of all significant stakeholders.
Develop a strategy. Since risk relates to the events or actions that jeopardize achieving the organization’s objectives, effective risk management depends on an understanding of the organization’s strategy and goals. One of the benefits of ERM implementation is the revelation that those responsible for achieving the objectives have varying degrees of understanding about them. ERM helps get everyone on the same page.
Think broadly and examine carefully events that may affect the organization’s objectives. This involves taking your business and industry apart. Pore over your strategy, its key components and related objectives. Use a variety of identification techniques such as brainstorming, interviews, self-assessment, facilitated workshops, questionnaires and scenario analyses. In selecting among these techniques, consider how rigorously each business unit can implement them, and if openness among the participants would result. Analyze how both external and internal events can change the organization’s risk landscape. This initial effort does not have to take months to accomplish. Start with a top-down approach. Begin to identify risks through workshops or interviews with executive management and by focusing on strategies and related business objectives.
Assess risks. Initially, try to reach a consensus on the impact and likelihood of each risk. Placing risks on a risk map can be a valuable focal point for further discussion. As the risk assessment process matures, consider applying more sophisticated risk measurement tools and techniques.
Develop action plans and assign responsibilities. Every risk must have an owner somewhere in the organization. Manage the biggest risks first and gain some early wins.
Maintain the flexibility to respond to new or unanticipated risks. Put a business continuity and crisis management plan into place. If your organization is in a volatile environment, you should anticipate even more unknowns.
Use metrics to monitor the effectiveness of the risk management process where possible.
Communicate the risks identified as critical. Circulate risk information throughout the organization. The board of directors and audit committee should be given regular reports on the key risks facing the organization. It is not acceptable to identify important risks and never communicate them to the appropriate people.
Embed ERM into the culture. Integrate the knowledge of risks in your internal audit planning, balanced scorecards, budgets and performance management system. Leverage your organization’s compliance with SOX section 404 to benefit ERM implementation. The focus by PCAOB Auditing Standard no. 5 and the SEC’s new management guidance on “top-down” risks provides an opportunity to leverage compliance to enhance shareholder value though ERM.
— By Paul L.Walker, CPA, Ph.D., associate professor of accounting at the University of Virginia, and William G. Shenkir, CPA, Ph.D., professor emeritus at the University of Virginia. Their e-mail addresses are, respectively, firstname.lastname@example.org and email@example.com. The authors have taught ERM for businesses and executives worldwide. They have co-authored three books on ERM and have consulted with COSO on ERM framework.