“All of life is the management of risk, not its elimination” -Warren Buffett
As risk is an indispensable part of any business undertaking, risk management is an essential role of any business leader. Traditionally, a functional leader managed all the risks within his zone of operations. This approach, though simple, often led to oversights and produced catastrophic results. Recognition of such shortcomings gave way to the adoption of a more holistic concept called Enterprise Risk Management (ERM).
ERM is a process which should complement the strategy of a business and make decision-making more informed. It seeks to identify potential risks on the horizon which may impact the viability of any undertaking. Such advance knowledge should be backed by rigorous mitigation strategies, thereby reducing the likelihood that these risks occur. This makes an entity secure against the dynamic environment to which it is exposed.
The International Organization for Standardization issued the ISO 31000 guidelines on risk management. This framework lays down a generic foundation of risk management which can be adopted by any kind of organization. It recognizes the dynamic environment of an organization and its stakeholders, and tries to capture the diversity and complexity of the risks involved. It thus enhances entity value.
ERM is not a start-and-end activity. It is an ongoing process which continuously evolves based on the core value drivers of the entity. It focuses on any and every kind of risk, be it operational, compliance, strategic or reporting risk. Moreover, it also strives to recognize opportunities with upside potential. It therefore involves identifying, assessing, managing and monitoring risks, as well as integrating this process with strategic leadership.
Identification of risks:
The focal point in the process of risk identification is clarity on the objectives of the enterprise. Adopting multiple techniques, such as brainstorming, scenario analysis and SWOT analysis, yields a more comprehensive result. The management should then focus on “vital” risks rather than the “trivial” ones. The end result of the identification process could be in the form of a risk map such as the one exhibited below:
Assessment of risks through ERM:
Risks are assessed by evaluating the likelihood that the event will occur and its impact on the viability of the project. These evaluations are performed using a number of sophisticated statistical and probabilistic techniques like value at risk (VaR). Innovative methods like Scenario Planning and Wargaming (published by Deloitte) have also come up, in addition to various qualitative techniques which augment the decision-making process.
Managing and monitoring risks:
Once the severity of risks is ascertained, management then explicitly or implicitly ranks them. A suitable plan of action is devised to decide whether the risk should be mitigated, transferred, avoided or accepted. A risk-based management control system is implemented and monitored regularly.
ERM is a business paradigm which shifts focus from reactive risk management to proactive risk management. This enables directors to exercise more effective risk oversight in the face of rapidly changing risk complexities and a global business environment. It is thus widely embraced in order to achieve objectives in the most cost-effective manner.
Written by: Shreya Shah