Enterprise risk management – how to prevent losses and create value

Organisations create value by taking risks and lose value by failing to manage them. Effective Enterprise Risk Management (ERM) is about ensuring that the organisation knows what risks it is taking, that these are the right ones and that they are appropriately managed. ERM provides the processes to help organisations protect and enhance value.

What risks are we talking about? The answer is simple in concept: ERM is about managing all risks that can impact the organisation’s objectives, whether financial, infrastructure, marketplace or reputational (see Fig. 1, from Ref. 1).


Figure 1 – ERM is about managing all risks

ERM focuses not only on the downside of risk but the upside as well. Traditionally, risk management focuses on the negative consequences, for example losses from currency movements in financial markets, losses caused by a disruption in a supply chain, or losses from a fire at a production plant.

In thinking about the upside consequences, organisations consider competitive opportunities and strategic advantages from taking well thought out risks. New business plans incorporate a focus on risk – for example, where to locate a plant abroad based on an analysis that would consider all political and economic risks in a country. In this way ERM moves risk management from simply protecting enterprise value to enhancing value as well. It seeks to make the best bets in pursuit of new opportunities for growth and returns; ERM is top-down, portfolio wide and strategic.

ERM encourages a balance between both the risk-taking entrepreneurial activities of the organisation and the risk-avoidance control activities so that one is not disproportionately stronger than the other. This balance is important. Unrestrained and unfocused entrepreneurial activity leads to excessive risk taking and unethical behaviour. An overemphasis on control leads to stifling risk averse behaviour. Neither of these extremes is as desirable as a reasonable balance.

 

HOW MUCH RISK CAN BE TAKEN?

An organisation may define its risk appetite as the amount of risk that it is willing to accept in pursuit of value (Ref. 2). This should underpin an organisation’s ERM philosophy, and in turn influence the culture and operating style. Many organisations consider risk appetite qualitatively, others quantitatively, trading-off goals for growth, return and risk.

A company with a higher risk appetite may be willing to allocate a larger portion of its capital to high-risk areas, such as newly emerging markets. In contrast, a company with a low risk appetite might limit its risk of large losses of capital by investing only in mature, stable markets.

Risk appetite is a signpost in strategy setting and every organisation has an inherent risk appetite whether it acknowledges it explicitly or not.

WHAT PROCESSES ARE APPLIED?

ISO 31000 Risk Management was established in 2009 to bring consistency to global risk management understanding and practice. Since then, it has become acknowledged as the international risk management standard. It sets out the principles, framework and process for effective risk management. One limitation of the standard is that there is a perceived lack of recognition of interdependent ERM controls such as risk appetite, business planning and risk culture. Whether this will be addressed when the standard is next updated remains to be seen.

WHAT ARE THE BENEFITS OF ERM?

The benefit of ERM in protecting value by preventing losses seems clear but how does ERM create value? Some reasons include:

  • Better understanding of aggregate risks across the enterprise, providing a more objective basis for resource allocation
  • Better understanding of the risk-return relationship at board level, with decision-making based on clear risk-return trade-offs
  • Better risk transparency, which reduces costs of regulatory scrutiny and external capital

Whilst there is a general lack of empirical evidence, research on 300 publically listed companies has shown that organisations exhibiting mature ERM practices realise a valuation premium of 25% (Ref. 3).

CONCLUSION

At less than two decades old, ERM is a relatively new management discipline that helps organisations identify and manage all risks to provide reasonable assurance that the organisation will achieve its objectives. In doing so, ERM can create value as well as prevent losses.

References:

1.  A Structured Approach to Enterprise Risk Management (ERM), IRM, 2010.
2.  Enterprise Risk Management – Integrated Framework, COSO, 2004.
3. The Valuation Implications of Enterprise Risk Management Maturity, Farrell & Gallagher, 2014.

This article first appeared in RISKworld issue 31