A 9-Step Guide to Establishing an Enterprise Risk Management Process
An enterprise risk management (ERM) program is how many companies identify, assess, and manage the different types of risks they face. This is important because the consequences of working with the wrong supplier, vendor, client, or outsourcing partner may negatively impact a business’s financial standing, operations, and its ability to meet its business objectives.
By incorporating risk into their decision-making processes, senior management can protect enterprise-wide interests. This is more of a priority than ever because of the uncertainty presented by the rapid march in technology and the increasingly unstable geopolitical environment.
In this article, we cover:
- The key risks faced by modern enterprises
- Nine steps you can take to plan and implement an ERM program
- How to monitor the ongoing performance of your ERM processes
What Risks Do Modern Enterprises Face?
To reduce risk exposure across your business, you need to first identify and define the threats your company faces.
The six main risk vectors ERM initiatives address are:
- Operational risks: These are risks inherent in normal day-to-day business operations, like human error, system failures, and supply chain disruptions.
- Financial risks: Some businesses have heightened exposure to credit risks, changes in integ=AOvVaw2vKlgS4v3rest rates, and currency movements. If they go the wrong way, that will affect profitability and financial stability.
- Strategic risks: Many companies plan for the next five to 10 years to future-proof themselves. But these plans can be derailed by advancements in technology, shifts in end-user needs and preferences, and the loss of competitive advantage in a given market in the event it’s subject to disruption.
- Reputational risks: When a company’s activities put it at risk of negative publicity, this may spook regulators, investors, customers, and other stakeholders.
- Regulatory risks: Failure to comply with laws (like sanctions laws) and industry-specific regulations and standards may result in a fine and, in the worst cases, the loss of an operating license.
- Cybersecurity risks: Straddling many of these risk vectors is the threat of cyberattacks. These attacks have been rising in number and sophistication over several years and show no signs of stopping. Unauthorized access to, theft of, or damage to your IT systems and data poses operational, financial, reputational, and regulatory risks all in one.
9 Steps to Plan and Implement Your Enterprise Risk Management Program
There are a number of ERM frameworks you can base an enterprise risk management strategy on, like ISO 31000 or the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
While each framework approaches the strategic objective of organizational risk management in different ways, they share the following nine steps in common.
1. Align Your ERM Practices With Your Organizational Objectives
Risk appetite is a way of describing the level and types of risk you’re willing to accept in pursuit of your organizational objective. Being clear on your risk appetite not only helps decision-making but also helps define which risk management processes you need to include in your ERM strategy.
There is a potential risk in every action or decision taken. But setting the risk bar too high will present operational difficulties across the business and may deny your company the ability to take advantage of opportunities that present themselves.
2. Maintain a Comprehensive Risk Register
Your risk register is your online data room — a central store for the risks you’ve identified and how you respond if the risk turns into a threat.
By keeping a register, senior management can cast a broad view over not only the risks the company faces but how you respond according to the level of perceived risk. These observations can act as benchmarks when creating response plans to new risks as they emerge.
3. Establish Clear Roles and Responsibilities
You now need to identify who is ultimately responsible for risk management activities across your business. They’re the person who’ll be in charge of building, implementing, and continually updating your company’s overall enterprise risk management framework.
You may choose to install a chief risk officer (CRO) to do this. However, bear in mind that they won’t be able to run an effective ERM program on their own.
Give your CRO the power to delegate relevant responsibilities to other senior managers for their part of the business. And then compel them to report regularly on progress to the CRO.
If you don’t appoint a CRO, make someone ultimately responsible for enterprise risk management across the business instead.
4. Invest in Suitable Technology
Most companies need to use risk management software and data analytics tools to identify, assess, and monitor threats. Try to automate as much of the process as possible — especially in payment, procurement operations, and sourcing/category management — to reduce administrative burden and speed up internal processes
Make sure that the software and tools you choose are compatible with existing business processes and systems. Your ERM program has the greatest chance of success if it can fit in as naturally as possible to your existing technology and workflows.
5. Create the Right Internal Environment
Risk management, like a culture of cybersecurity within a business, is top-down.
Training your people on enterprise risk management concepts and practices is the start of building a risk-aware culture. Give staff the skills they need to identify, spot, manage, and report risk when they see it. As new threat vectors emerge, be prepared to renew their training. Moreover, give them the confidence to feel comfortable with these new responsibilities.
6. Identify, Assess, and Prioritize Risks
There are many risks, but which ones will most impact your business either positively or negatively? For strategic planning purposes, concentrate on these risks:
- They would incur the most damage to your organization.
- They are the most likely to become a threat.
- They are the risks against which you are least defended.
By prioritizing like this, you’ll divert time and resources to those areas that present the greatest threats or opportunities to you.
7. Decide on Your Risk Responses
Now that you know the risks, you need to decide on how you respond to them. If a theoretical risk turns into a reality, be clear on what you do to either reduce the potential damage or exploit the opportunity. To paraphrase Sir Winston Churchill, “Never let a good crisis go to waste.”
One risk mitigation strategy you could attempt is to make a condition of doing business with a risky third party that they share any losses or negative impacts with you if things go wrong. Of course, whatever decision you take in situations like these should align with your business objectives and your level of risk appetite.
8. Control Activities
Control activities are the actions you take to mitigate a theoretical risk turning into a reality. There are two types of internal control:
- Preventative: These are designed to stop something from happening. An example of this might be only giving a door keycode to the people you want to get into a particular part of your building and stop everyone else.
- Detective: These are systems designed to recognize when something unwanted has happened with a view to stopping it from happening again.
9. Communicate and Collaborate
To manage risk successfully, you also need a culture that encourages effective communication and collaboration. Vital information can not be kept in silos.
Make sure that risk reporting is done in a timely manner and that, through open dialogue, stakeholders decide what action to take. This embeds collaboration and information sharing at all levels of the business and helps a board of directors make better decisions.
Monitoring Your ERM Program Performance
To ensure continued successful enterprise risk management, you need to continuously monitor each risk and look for the emergence of new risks.
To stay current, use feedback from key stakeholders — ranging from your employees to your customers and investors. While risk information bought from third parties is very useful, what stakeholders share with you can lead to further refinements in your approach that benefit the business.
And keep the risk register up to date. By doing this, you’ll have a broad understanding of the risk landscape you occupy. Always be open to questioning the methodology you use to identify risks, the level of threat they pose, and your risk response.
When a risk does turn into a threat or opportunity, take time to examine your response to it and evaluate whether you’d handle it in the same way again.
A 9-Step Guide to Establishing an Enterprise Risk Management Process
An enterprise risk management (ERM) program is how many companies identify, assess, and manage the different types of risks they face. This is important because the consequences of working with the wrong supplier, vendor, client, or outsourcing partner may negatively impact a business’s financial standing, operations, and its ability to meet its business objectives.
By incorporating risk into their decision-making processes, senior management can protect enterprise-wide interests. This is more of a priority than ever because of the uncertainty presented by the rapid march in technology and the increasingly unstable geopolitical environment.
In this article, we cover:
- The key risks faced by modern enterprises
- Nine steps you can take to plan and implement an ERM program
- How to monitor the ongoing performance of your ERM processes
What Risks Do Modern Enterprises Face?
To reduce risk exposure across your business, you need to first identify and define the threats your company faces.
The six main risk vectors ERM initiatives address are:
- Operational risks: These are risks inherent in normal day-to-day business operations, like human error, system failures, and supply chain disruptions.
- Financial risks: Some businesses have heightened exposure to credit risks, changes in integ=AOvVaw2vKlgS4v3rest rates, and currency movements. If they go the wrong way, that will affect profitability and financial stability.
- Strategic risks: Many companies plan for the next five to 10 years to future-proof themselves. But these plans can be derailed by advancements in technology, shifts in end-user needs and preferences, and the loss of competitive advantage in a given market in the event it’s subject to disruption.
- Reputational risks: When a company’s activities put it at risk of negative publicity, this may spook regulators, investors, customers, and other stakeholders.
- Regulatory risks: Failure to comply with laws (like sanctions laws) and industry-specific regulations and standards may result in a fine and, in the worst cases, the loss of an operating license.
- Cybersecurity risks: Straddling many of these risk vectors is the threat of cyberattacks. These attacks have been rising in number and sophistication over several years and show no signs of stopping. Unauthorized access to, theft of, or damage to your IT systems and data poses operational, financial, reputational, and regulatory risks all in one.
9 Steps to Plan and Implement Your Enterprise Risk Management Program
There are a number of ERM frameworks you can base an enterprise risk management strategy on, like ISO 31000 or the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
While each framework approaches the strategic objective of organizational risk management in different ways, they share the following nine steps in common.
1. Align Your ERM Practices With Your Organizational Objectives
Risk appetite is a way of describing the level and types of risk you’re willing to accept in pursuit of your organizational objective. Being clear on your risk appetite not only helps decision-making but also helps define which risk management processes you need to include in your ERM strategy.
There is a potential risk in every action or decision taken. But setting the risk bar too high will present operational difficulties across the business and may deny your company the ability to take advantage of opportunities that present themselves.
2. Maintain a Comprehensive Risk Register
Your risk register is your online data room — a central store for the risks you’ve identified and how you respond if the risk turns into a threat.
By keeping a register, senior management can cast a broad view over not only the risks the company faces but how you respond according to the level of perceived risk. These observations can act as benchmarks when creating response plans to new risks as they emerge.
3. Establish Clear Roles and Responsibilities
You now need to identify who is ultimately responsible for risk management activities across your business. They’re the person who’ll be in charge of building, implementing, and continually updating your company’s overall enterprise risk management framework.
You may choose to install a chief risk officer (CRO) to do this. However, bear in mind that they won’t be able to run an effective ERM program on their own.
Give your CRO the power to delegate relevant responsibilities to other senior managers for their part of the business. And then compel them to report regularly on progress to the CRO.
If you don’t appoint a CRO, make someone ultimately responsible for enterprise risk management across the business instead.
4. Invest in Suitable Technology
Most companies need to use risk management software and data analytics tools to identify, assess, and monitor threats. Try to automate as much of the process as possible — especially in payment, procurement operations, and sourcing/category management — to reduce administrative burden and speed up internal processes
Make sure that the software and tools you choose are compatible with existing business processes and systems. Your ERM program has the greatest chance of success if it can fit in as naturally as possible to your existing technology and workflows.
5. Create the Right Internal Environment
Risk management, like a culture of cybersecurity within a business, is top-down.
Training your people on enterprise risk management concepts and practices is the start of building a risk-aware culture. Give staff the skills they need to identify, spot, manage, and report risk when they see it. As new threat vectors emerge, be prepared to renew their training. Moreover, give them the confidence to feel comfortable with these new responsibilities.
6. Identify, Assess, and Prioritize Risks
There are many risks, but which ones will most impact your business either positively or negatively? For strategic planning purposes, concentrate on these risks:
- They would incur the most damage to your organization.
- They are the most likely to become a threat.
- They are the risks against which you are least defended.
By prioritizing like this, you’ll divert time and resources to those areas that present the greatest threats or opportunities to you.
7. Decide on Your Risk Responses
Now that you know the risks, you need to decide on how you respond to them. If a theoretical risk turns into a reality, be clear on what you do to either reduce the potential damage or exploit the opportunity. To paraphrase Sir Winston Churchill, “Never let a good crisis go to waste.”
One risk mitigation strategy you could attempt is to make a condition of doing business with a risky third party that they share any losses or negative impacts with you if things go wrong. Of course, whatever decision you take in situations like these should align with your business objectives and your level of risk appetite.
8. Control Activities
Control activities are the actions you take to mitigate a theoretical risk turning into a reality. There are two types of internal control:
- Preventative: These are designed to stop something from happening. An example of this might be only giving a door keycode to the people you want to get into a particular part of your building and stop everyone else.
- Detective: These are systems designed to recognize when something unwanted has happened with a view to stopping it from happening again.
9. Communicate and Collaborate
To manage risk successfully, you also need a culture that encourages effective communication and collaboration. Vital information can not be kept in silos.
Make sure that risk reporting is done in a timely manner and that, through open dialogue, stakeholders decide what action to take. This embeds collaboration and information sharing at all levels of the business and helps a board of directors make better decisions.
Monitoring Your ERM Program Performance
To ensure continued successful enterprise risk management, you need to continuously monitor each risk and look for the emergence of new risks.
To stay current, use feedback from key stakeholders — ranging from your employees to your customers and investors. While risk information bought from third parties is very useful, what stakeholders share with you can lead to further refinements in your approach that benefit the business.
And keep the risk register up to date. By doing this, you’ll have a broad understanding of the risk landscape you occupy. Always be open to questioning the methodology you use to identify risks, the level of threat they pose, and your risk response.
When a risk does turn into a threat or opportunity, take time to examine your response to it and evaluate whether you’d handle it in the same way again.
Risk mitigation for your business
Enterprise risk management helps businesses achieve their wider goals while protecting them from potential harms.
Certa's Risk Management suite provides a range of features to help you achieve your goals and avoid potential harm:
- The Risk management platform provides full-spectrum risk coverage for your enterprise and your third-party risks.
- You can automate all your risk management workflows with the Certa Platform. The no-code Studio enables you to plug in risk management integrations and templatize your risk management processes for future use with simple drag-and-drop ease.
- Certa's built-in support for training modules in the sharable content object reference model format helps you periodically train your personnel.
Talk with our experts today to discover how we can be an integral part of your organization’s enterprise risk management strategy.