Risks in enterprises can cover a multitude of things and present themselves in many different ways. They can be simple and easy to address, or they can get left and at some point become catastrophic.
Risks can cover a multitude of things and present themselves in many different ways. They can be simple and easy to address, or they can get left and at some point become catastrophic. They can also be known and accepted, or just unknown, misunderstood or arise suddenly to surprise your organisation. Accordingly, it is imperative to understand and to assess the risks as they change, which is fundamentally the root-cause of much legislation across the globe. Today, it has become very much a cliché that ‘change is the only constant in business’, which makes for the need for continuous risk review, understanding and implementation of new protections and measurements. This is why we see in the media (and the reason why we work with a lot of our clients) details of sudden failures that usually stem from an absence of an understanding of the risks associated with a businesses. This is also why internal and external shareholders alike are often emphasising scrutiny and expectations of their risk management functions.
What is Enterprise Risk Management?
A lot is talked about ‘Enterprise Risk Management’ (ERM) as a framework to measure, understand, assess and report upon wider business risks and uncertainties; and we also offer such ‘formalised’ services, but at the end of the day, this is a ‘new name’ for a very old concept of better understanding our risks, taking a break from 100% selling and growing a business, starting to consider, manage, and understand the risk in most business decisions; but also then in understand and implement the right solutions. ‘Enterprise risk management consulting services’ or whatever you want to call them, not only refocus a business upon better decision-making but make sure that there is a continuing consideration of the risks and a maintenance of an intelligent culture within a business.
How ‘Enterprise Risk Management’ can help a company?
Again, let’s not get too hung-up on the terminology. The principles are about striking a balance between getting and keeping new business, and making sure that the risks that could destroy a business, or make it less profitable are mitigated. So it is about ‘applying a framework’ to identify, assess, communicate and address the risks. A risk-management framework can consist of many things, but these should form the core of any such framework:
a) Risk Governance, Management, and Culture development – i.e. the direction, policy and strategy.
b) Risk Prevention – by spending the time to put in protections.
c) Risk Assessment – i.e. looking at the risks
d) Risk Quantification and aggregation – to evaluate the priorities.
e) Risk Monitoring – to keep these in-mind and managed.
f) And Risk Reporting
Smaller businesses do not have such great challenges, as decisions every day are made (often by individuals) upon how to do things. Within larger businesses, it is hard for the CEO or the board-level people to make the right risk-based decisions when their businesses are so widely spread-out, and with so much else to do to please customers, shareholders, markets and (often) the public. Applying the latest ‘ethereal’ model to assess and manage risks, often imposed by legislation, is often the way that the biggest of companies go; and they do this without having a fundamental understanding or without properly thinking about what is actually needed as a bespoke solution for THEIR business.
Advise – What can you do?
a) Don’t adopt a single framework and try and squeeze it into your organisation and expect it to work. The design will depend upon your organisation’s culture and will want to ‘marry-up with’ your business development requirements – i.e. it has to be right for your business.
b) Build an understanding and consideration of the risks of new projects and doing business within your culture. We believe that all businesses (internally) should be transparent in including the risks in all decision making and take a broader view on understanding the risk vs. Business trade-offs. We never find that there is a need with the organisations that we work with, to change the existing organisation structure and management; but to improve communication of the risk-adjusted exposures-measurement and decision-making.
c) Conduct risk management reviews within your business and identify ways that the risk management functions can improve business growth rather than accepting that risk management is a business inhibitor. People buy and work with companies that are safe and have considered the risks properly. In addition, fraudsters and exploiters attack those with the lowest protections and risk management.
Bill Trueman is Director and CEO of UKFraud(ukfraud.co.uk) and RiskSkill(riskskill.com) and member of AIRFA.