This was first published in The Business Times on 05 August 2019
All forms of business operations and growth carry risks.
Many organisations manage these risks by implementing some form of enterprise risk management (ERM) systems.
With the continuously evolving risk landscape and risk management standards, organisations have started to ask the question: how can we further mature our ERM programme – to ERM 2.0 as it were?
The latest ERM good practices and hot topics among company boards and senior management seem to converge on a few pertinent questions:
The answers to these questions may lie in some of the latest ERM trends and initiatives in the industry. But organisations will need to ensure that their ERM roadmap is progressive and tailored to the individual needs and context of their business.
In our view, the journey towards ERM 2.0 is underpinned by four key pillars: exploring risk inter-connectivity; linking risk management to strategy; implementing a technology-enabled ERM; and breaking through the barriers of risk culture.
Risks can be inter-connected in various ways. A risk may have a causal or consequential relationship with another. Risks may also have common causes or drivers.
Where risks are connected, their exposures can be either positively or negatively correlated. The exposures of positively correlated risks rise and fall together, whereas an increase in the exposure of one risk results in a decrease in the exposure of risks that are negatively correlated with it.
It is important to note that connections between risks can have varying degrees of strength. A strong correlation between risks indicates a higher probability of interaction should one of them materialise.
Besides exploring the inter-connectivity between risks, another dimension is risk velocity, which can be defined as the time taken for the full impact of the risk to affect the organisation should it materialise. Evaluating risk velocity may give organisations insights into the state of preparedness that should be maintained to react to potentially high velocity risk events.
Many organisations today still find it challenging to put into practice the continuous linkage and feedback between risk management and strategic decision-making. Strategic objectives are often used as starting points for risk identification and assessment.
In cases where organisations have successfully established a structured and consistent process to integrate risk management with strategy, we have observed marked improvements not only in the robustness and speed of risk-based decision-making, but also breakthroughs in the understanding and appreciation of risk management among stakeholders.
To effectively link ERM with strategic decision-making, the set-up and role of the risk management function is central.
The chief risk officer (CRO), or equivalent, of the organisation has an important role to play not only in leading risk discussions, but often providing differing views to challenge senior management at key junctures within the strategic planning or decision-making process.
Technology is a key enabler for building a connected and integrated ERM framework. It allows boards and senior management to focus on the most critical risk areas and make decisions based on the most up-to-date risk information.
ERM processes can be enhanced with more timely and accurate reporting of information from operations and improved consistency of risk management practices.
Technology allows organisations to deploy “sensors” within operational processes and functions and perform analysis on the data and information collected, in order to improve timeliness of risk escalation and management.
Despite the numerous benefits of technology enablement in ERM, common roadblocks include cost and overall ERM maturity.
In our view, while the cost of automation may fall as technology advances, the key consideration of whether to purchase an off-the-shelf system or build a customised solution still remains.
Organisations are strongly encouraged to consider the pros and cons of both models to make an informed decision.
Risk culture is the most critical enabler to a successful and sustainable ERM programme. To build a culture where desired risk thinking and behaviours are “business-as-usual” for stakeholders, there must be continuous efforts to emphasise the role of ERM and incentivise good risk practices in line with organisational objectives. It is critical to start this from the onset of ERM framework development.
Boards and senior management today generally have good risk awareness. At operational levels, risk awareness and understanding may manifest more on specific topics, such as health and safety, and data confidentiality.
But many organisations still find it challenging to mature risk culture from strong awareness to true appreciation of the value proposition of ERM and ultimately drive the right risk behaviours.
As stakeholders become increasingly focused on in-depth risk discussions, it may be difficult to constantly maintain a high degree of objectivity. These are some mental traps that should be managed:
ERM is not a static exercise but a continuous journey to improve an organisation’s ability to anticipate and manage its risks.
There is no “one-size-fits-all” ERM programme, nor one that can simply be bought off the shelf. ERM is best tailored to the context of your organisation, taking into account factors such as size, nature of operations and the resources available.
The article was contributed by Jonathan Ho, Head of Enterprise Market and Head of Internal Audit, Risk & Compliance, KPMG in Singapore and Tea Wei Li, Risk Consulting partner, KPMG in Singapore. Views expressed are their own.