By: Ash Noah, CPA, CGMA, VP of CGMA External Relations, AICPA
Given the increasingly digital and interconnected global environment, business risks are occurring with greater frequency and velocity than ever before.
Boards and senior management know this and are calling for more effective risk oversight, including the adoption of a holistic approach to risk management known as “Enterprise Risk Management” or ERM.
A recent survey by the AICPA and North Carolina State University, however, found that only 28% of companies have a complete ERM process in place. Additionally, less than half of companies have a partial ERM process in place, with some, but not all, risks addressed. Those are pretty low numbers.
Many people associate the term ERM with a big enterprise initiative — and something too formal, burdensome and unnecessary for an organization to take on, especially if it’s not mandated. Even for companies that do have ERM in place, its true value often isn’t realized since it’s perceived as a mundane “checking the box” exercise.
However, risk impacts everyone. It’s not limited to any one industry or size company. And the value that ERM can provide to large and small organizations alike should not be overlooked. In this environment of unprecedented risk, ERM is imperative. If companies want to create and maximize value for their shareholders and stakeholders, they must approach and evaluate risk in a very systematic way.
Implementation – tips for success
ERM differs from traditional approaches to risk oversight that focus on managing silos or distinct pockets of risks. ERM emphasizes a top-down, holistic view of key risks potentially affecting an organization’s ability to achieve its objectives.
It’s not just about protecting the organization’s tangible and financial assets; rather, ERM focuses on the enterprise-wide risks that have the potential to derail your business strategy. Implementing ERM in an organization should not be burdensome, however. Here are a few tips to help you get started:
- Get buy-in from the top. ERM must start at the top with the board and CEO, with the senior management team committed to implementing a formal process and proactively managing risks. Also ensure that the importance of ERM, and why it’s being implemented, is communicated to all levels of the organization.
- Talk with your CFO. As financial leaders, they are already deeply involved in managing traditional and financial risks, and thus play a critical role in understanding how a structured way of managing business risks will better help to identify and mitigate issues that can take your organization off track.
- Perform a risk process inventory. Take a look at what your organization is already doing to mitigate risk, to avoid duplication of effort. Your organization may already be doing quite a bit in the risk area, so when you implement a program you won’t necessarily need to engage in a whole new set of activities that’ll increase the team’s workload.
- Adopt a framework. Research and adopt a risk management framework that works for your organization. The framework suggested by COSO is a robust and popular version.
- Pinpoint the biggest threats. Work across the enterprise to identify the risks that have the highest impact and the highest likelihood of occurring. This will allow you to focus on major target areas instead of putting effort into every little risk that doesn’t represent a big threat. Use tools such as the CGMA Risk Heat Map to make this process simple.
- Keep processes up to date. Implementing an ERM process is not a one-off exercise. Review the risk registers and mitigation plans regularly to keep them up to date and ready for deployment.
ERM, if not viewed as an exercise in compliance, is an opportunity to empower your organization. Engaging in risk management in a systematic way — including looking holistically both within your own organization as well as at external risks that may impact your organization — will improve business performance and governance, and is critical in this volatile business environment.