Businesses today face a large number of risks, and while many are aware of them, they lack an effective plan to deal with these risks cohesively.
Enterprise risk management (ERM) provides a framework to identify, assess, and prepare for risks an organization will face. According to Jim Wetekamp, CEO of global integrated risk management solution provider Riskonnect, properly implemented ERM, plus a dash of creative imagination, can shine a light on risks that aren’t visible to the human eye.
“Companies are generally risk aware and have a high level of understanding as to where they may be vulnerable as an organization,” Wetekamp told Corporate Risk and Insurance. “What we’re seeing now, however, is an increasing drive to connect the multiple domains of risk - insurable, operational, financial, and compliance - together to form a complete picture for best managing overall commitment to the organizational mission and protection of key assets, including reputation.”
He stressed the need for a connected and coherent risk strategy due to the complex and fast-changing nature of operational and compliance risks. These risks, he said, can appear out of nowhere, and with the advent of social media and the need to feed the 24-hour news cycle, an isolated issue can quickly turn into a full-blown business catastrophe.
To address this, companies are turning to ERM to have a clearer view of their organization’s entire risk exposure and to generate policies and procedures that can be quickly enacted in the case of a risk event. But not everyone is on the same page yet.
“Larger organizations are further along and more mature in the implementation and execution of ERM strategies,” Wetekamp said. “As of 2018, 48% of the largest organizations in the US had complete ERM processes in place – a 7% increase from the prior year. Still, only 31% of organizations overall said the same. Smaller companies with lean teams are still in the early phases of adoption, where they’re realizing the need for more visibility and are committing to finding the right solution.”
A holistic view
According to Wetekamp, companies need an integrated, enterprise-wide strategy that provides a holistic view of all types of risk – financial, reputational, strategic, technical, personnel and more – allowing organizations to see the big picture, including where potential threats could emerge, and the impact that a risk event is likely to have on the organization.
“A complete organization-wide view is nearly impossible to achieve with the disparate tools, static information and siloed stakeholders typical of traditional risk management approaches,” he said. “Examples of risks that can be proactively planned for, mitigated and/or managed with ERM include everything from large, unexpected events – terrorist attacks, blackouts, the spread of an infectious disease – to those that are more common – product recalls, on-the-job accidents, natural disasters, and cyberattacks.”
One such example of an ‘unthinkable’ risk in recent history he identified is the Notre Dame fire.
“There were warnings of a malfunctioning fire-prevention system and concerns over inadequate staffing that were not addressed because the probability was considered low,” he said. “Aside from the sentimental impact of losing an iconic cathedral with 850 years of history, the rebuild will cost upwards of US$2 billion and take over two decades to complete. This is an example of an ‘unthinkable’ event that no one would have expected and stemmed from issues that, if addressed, could have minimized damage or possibly even prevented the fire altogether.”
Creative strategies in risk management
Wetekamp brought up several examples of how creative thinkers can help organizations identify risk scenarios. According to him, following 9/11, the cast and crews of hit movies such as Die Hard and Delta Force were invited by the Pentagon to help brainstorm potential terrorist targets and schemes. While odd at first glance, the Pentagon leaders felt a fresh perspective from those who created worst-case scenarios for movies could introduce new ways of thinking.
“Asking the management team to conjure up their worst business nightmare, and coming up with a plan to proactively mitigate and manage that risk, is another creative method. NASA recently took this approach, executing a worst-case scenario simulation to demonstrate what would happen if a giant asteroid crashed into NYC and the importance of proactive planning,” he said. “Reality is that risk managers don’t always have access to Hollywood stars and scientific simulations – but with ERM, they can position themselves to think outside the box.”
Finally, Wetekamp gave several pointers on how businesses can successfully execute their risk management strategies.
- Build a culture of risk into operational planning – establishing a strong environment for success before implementation begins is crucial. Although technology is making it easier than ever to mitigate and manage risk, it doesn’t work in a vacuum. An ERM mindset and risk-aware culture must be embedded into the very fabric of the organization to get the most value from an ERM program.
- Break down silos within the organization – the entire team should work together to identify risks, understand the impact and develop an enterprise-wide strategy for responding to threats. Leveraging practices and strategies the organization already uses to manage well-understood risks, such as worker injuries, can speed the path to tackling new or less familiar vulnerabilities.
- Drive the risk agenda from the top – once this foundation is established, many successful programs assign a C-suite leader to champion the ERM cause as they have the authority to enlist the support of key stakeholders – accounting, legal, sales, operations – and hold the team accountable for managing risks tied to their individual business units. Assigning responsibility for each risk to whoever is most closely associated leads to faster results and makes it easier to identify and focus on areas with the highest risk.
- Deliver clear value linked to the organizational strategy – when it comes time for implementation, breaking the process down into phases and keeping a clear line of communication between all parties goes a long way. ERM technology is instrumental – it eliminates error-prone spreadsheets and handles threats on a broad scale by gathering all risk information into one source, but the cohesiveness and expertise of the team of people behind the software is what often determines success.