Guidelines for Implementing ERM (Enterprise Risk Management) Software
Enterprise Risk Management (ERM) has become a hot topic in the marketplace in the past decade. This article focuses on what you should consider while implementing Enterprise Risk Management.
Most risk management software packages are equipped with tools to help manage product design and manufacturing operations. The tools derive cost, schedule, labor and materials estimates by assessing the interaction and impact of product, organizational and even operational variables. They provide standard database functions to add and delete risks, as well as specialized functions for prioritizing and retiring project risks. Each risk can have a user-defined Risk Management plan and a log of historical events.
They should make business continuity management plans that are logical, easy to implement when the company needs them, and written systematically so that their execution, and who needs to do what, is easily comprehended. These plans have to be tested under realistic conditions and assessed. The success of any business continuity management plan lies in its careful execution and implementation. Employees have to be informed and required to implement these plans through procedures and policies that ensure they take preventive measures against risks and respond in the prescribed way if the need arises. They have to plan how to deal with the media too, if need be.
If you want to be one among the four who are confident in handling risk, read on and enhance your knowledge of ERM.
Companies have to customize enterprise risk management by making risk management a part of their strategic plan. Risk management committees can carefully and meticulously analyze the risk factors that threaten the company, determine the company’s capacity to deal with each risk, work on ways to improve risk management, conduct periodic checks to monitor whether each employee does his share to minimize risks, and steer the company to achieve its target goals despite the risks.
Enterprise risk management (ERM) is the process of planning, organizing, and controlling the activities of an organization in order to minimize the effects of risk. Enterprise risk management includes not just risks associated with accidental losses, but also financial, strategic, operational and other related types of risks.
There are firms that offer services as well as products to help new businesses succeed.
The primary objective laden in the financial perspective of the BSC is all about developing and sustaining values of shareholders. Several methods have been developed to drive shareholder value and a couple of them pertain to productivity improvement and revenue growth. This is the common practice amongst a lot of companies. A third method that is missing, however, would be risk management – and this should be incorporated as well so that valid metrics of risk management can be found.
Contingency planning is an activity undertaken to ensure that proper and immediate follow-up steps will be taken by management and employees in an emergency. Its major objectives are to ensure:
One of the most critical challenges for businesses today is determining how much risk they can tackle to create value. Research indicates that six out of ten senior executives lack confidence in their company’s risk management practices.
After you find one or more of these past reviews, designate someone to become your Enterprise Risk Management (ERM) expert. He or she will be pleased to find the nuggets for starting your ERM process. One unfortunate reality is that some, most or even almost all of those old suggestions may never have been acted on. Whichever of those activities you or your company have been involved in in the past will help create this beer budget version to at least get started in the risk management arena.
In recent years, many external risk factors have led to a heightened interest in ERM packages. Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies’ risk-management policies and procedures. In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk-management processes in the organizations they administer.
The worlds of business and finance are not much different from our lives when it comes to risk-taking. In any business venture, owners or shareholders are bound to face risks. Like the risks we face in everyday life, some of these business risks can be easily handled and some cannot, and the process of deciding which is which belongs to the practice of risk management.
Business Continuity Management Strategies:
• Delegate responsibilities for the role of designing, building and monitoring the implementation process.
• Contingency planning,
• A due diligence review,
• An acquisition review,
• A merger and acquisition review,
• An operational assessment
• A strategic facilitated top management session in this approach, or
Risk management.
(3) assessment of the reliability of the operations.
The function of risk management is to organize and carry out a plan to control or reduce the risks to which a firm is exposed. This planning involves a five-step process. The first step is to identify potential risks. The method of identifying risks may depend on the organizational culture, industry practice and compliance. Once risks have been identified, the next step is to assess the potential severity of loss and probability of occurrence. The third step is to find a potential treatment for the problem. This may involve the transfer, avoidance, reduction or retention of a potential risk. Next is to implement the plan by choosing the right method of treatment. Prior to implementation, a review and evaluation of the plan is necessary.
For the most part, financial institutions already have metrics related to risk exposure; one example is ‘value at risk’. However, risk management is often not given much importance, and this is a common mistake among companies that failed. But you should not think that simply incorporating risk management makes the company failsafe. It is difficult to measure accurately the risks involved in each company, largely because each company has its own set of standards, goals, and objectives. So, how then can companies get a clearer sense of their exposure to risks so that they can foster risk management?
The end result is a more robust risk management process.
Wanda A. Wallace, president and CEO of Leadership Forum, Inc., and others like her issued warnings of the pending financial crisis dating back to the 1990s. In her August 1999 article, “Risk Evaluation: Just Who Is Minding the Store?”, published in Accounting Today, Wallace warned that all market participants need to be assessing risks, rather than presuming the risks have been effectively shifted.
Risk management refers to the entire process of identifying, analyzing, evaluating, and treating risks. But since businesses are faced with many different types of risks, risk management specializations have also been created to deal with them. One specialization of risk management is enterprise risk management, which deals with non-financial risks.
This warning is relevant today. Company leaders must take responsibility for identifying and managing the risks that may unwittingly threaten the survival of their companies. Below are a few starting points that will get your executive team thinking about how to manage your company risk while staying the course in these risk-fraught times.
The secret for you may be that you have gone through one of the following processes which can be the foundation for your Enterprise Risk Management expert process. Where do you have copies of an internal report or consultant survey that was done as part of:
(a) contingency planning,
(b) a due diligence review,
(c) an acquisition review,
(d) a merger and acquisition review,
(e) an operational assessment, or
(f) a strategic facilitated top management session in this approach.
Instead of leaving businessmen with a variety of choices for risk treatment, financial risk marketing is focused primarily on hedging, which is the use of two counter-balancing investment strategies to offset the negative effects of price fluctuations. Aside from these differences, everything else is essentially the same.
There are a few basic strategies that can be adopted in the process of Enterprise Risk Management. Experts in ERM recommend a five-year financial plan whereby a business can identify, prioritize and map all aspects of the most critical risks. Businesses must subject themselves to regular financial audits in accordance with government accounting standards. ERM calls for stricter corporate governance that provides greater transparency to stakeholders. More empowerment and responsibilities are given to Internal Audit Departments. A greater emphasis is laid on the code of ethics.
Initial risk management plans are never perfect. Practice, experience and actual results will necessitate changes in the plan. Therefore, the plan should make room for flexibility in decision making. Risk management is considered an art in management circles, and experience and exposure to situations help in mastering this art.
2. Optimizes risk management cost.
Enterprise Risk Management (ERM) will be a business requirement for family-owned businesses, private companies, and nonprofits. This represents a strategy shift for such organizations, which up until now thought Sarbox and other ERM issues applied only to public companies. ERM is defined as the methods and processes used by organizations to manage risks (or seize opportunities) related to the achievement of their objectives.
Several companies offer their services to identify, assess and manage risk factors and to customize enterprise risk management. This could be an ideal option for companies lacking the experience or resources to implement risk management techniques.
When the economic climate changes as dramatically and as frequently as it does nowadays, contingency planning and risk management should be on every executive dashboard regardless of the size of your organization. Face your risks squarely and come up with an adaptable ERM plan. Don’t wait until you’re forced to make a Mayday call to a world that is embroiled in its own crisis.
Acquisition planning coordinates the activities of the personnel involved in the purchase of an asset or supply to ensure its timely and cost effective acquisition.
Just how important is the BSC, or balanced scorecard, in this time of financial crisis? The answer is simple: EXTREMELY IMPORTANT. In fact, companies have gone the extra mile in incorporating what is known as the downturn BSC to better deal with the effects of recession. There is a crisis in just about all sorts of financial institutions today. Even the multibillion-dollar automobile producers based in America are having a lot of difficulty right now. This is one of the unfortunate realities that prodded the development of the downturn balanced scorecard. Incorporating it earlier could have helped companies prevent financial disasters from occurring, but better late than never.
For someone looking for a reference to concepts used in the past or for the newly designated risk expert, you will see elements of enterprise risk management in some of the concepts below. You may have been part of:
For one thing, they can identify variables that are macro-economic in nature – the ones that bear the greatest potential in placing your company at risk. Once these are determined, then more attention can be placed on these variables. Should there be anything out of the ordinary, even the slightest bump would then be detected, and the proper course of action would then be implemented.
Welcome to the world of risk management or what is sometimes now called enterprise risk management or ERM.
When risk management is part of the daily operations companies can combat and face risks more confidently. This is possible only if they customize enterprise risk management techniques.
Often the new expert in a function has to obtain a working knowledge of the buzzwords and industry jargon as one of their first steps. If you are the new enterprise risk management expert, or risk management expert, you will see these terms regularly.
• Set objectives bearing in mind your company’s capabilities. For example, are there any cultural issues that might come in the way of enterprise-wide implementation?
When private and nonprofit organizations will implement ERM strategies remains a tougher question. Understandably, they have a range of reasons – some legitimate; others questionable – on why they prefer delaying the time when ERM factors will be applied to them. However, the question is mainly when, not if, some form of ERM requirements will be applied to their enterprises.
Enterprise Risk Management (ERM) is defined as the process of planning, organizing, leading and controlling the activities of an organization in order to minimize the effects of risk on its capital and earnings.
Business continuity management plans are necessary to ensure that the business suffers minimal losses if disaster strikes and that it begins operating again as soon as possible. There are firms that offer their help and services to help run a business smoothly.
Operational assessment is an evaluation of working effectiveness and suitability of a system through test methods aimed at:
1. Acknowledge that real risks exist in your company
2. Make a reasonable effort to analyze the risks your company is taking
3. Evaluate the consequences of those risks should they backfire
4. Estimate what the costs would be to solve, eliminate, or minimize those risks
5. Look for profit leaks that may be threatening your company cash flow, a huge risk!
6. Implement a flexible Enterprise Risk Management (ERM) strategy that you can adjust as needed
Enterprise Risk Management is not only about compliance and control; it is more about strategic risk-taking and building an effective organization. If implemented properly, it can help your organization follow growth opportunities with greater speed, skill and confidence. Books like “Enterprise Risk Management: From Incentives to Controls” and “Simple Tools and Techniques for Enterprise Risk Management” from might come in handy while implementing ERM.
Companies should have good business continuity management techniques in place. These help companies identify, assess and manage both external and internal risk factors that may hinder business continuity. Business continuity management strategies will help keep the company working no matter what kind of risk threatens its operations. This will be helped greatly if they have implemented well-developed and customized enterprise risk management strategies. The 9/11 attacks on the twin towers reinstated the need for business continuity management plans. They created awareness of how unpredictable risks can be and of how nothing can fully prepare us to deal with risks such as that attack, but an effort has to be made to ensure that a business can continue even after such disasters strike.
Software vendors are discovering ways to deliver risk management systems at affordable costs in a bid to attract new customers. Internet-based application service providers (ASPs) allow software firms to provide off-the-shelf and far cheaper versions of their risk management programs on universal websites.
Every business carries an element of risk. Therefore, managing risks is a crucial process in many organizations. Depending on the business, steps can be taken to reduce the frequency and intensity of risk. Risk management is a process or group in an organization that takes management action to reduce risk. This activity involves the process of measuring and developing strategies to manage the risk. The strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of risk, and accepting some or all of the consequences of a particular risk.
3. Improves business performance.
(1) containment of damage or injury to, or loss of, personnel and property.
Standard & Poor's published a report (May 2008) on its approach to ERM analysis and how it plans to factor it into its corporate ratings. Its article “How Corporate Governance Can Bolster or Hinder Enterprise Risk Management” summarizes its position: “Given the current market environment and the new, ever-increasing and changing risks companies are facing, the roles and responsibilities of boards and senior management in overseeing and managing those risks likely will continue to increase in terms of quantity and complexity. Therefore, one of the biggest challenges for companies now is adopting the ‘right’ risk governance model to support its underlying ERM practices. There is increasing pressure around the world for companies to create governance structures that support strong ERM policies and procedures.”
ERM is a new approach to risk management which differs from traditional ones in terms of focus, objective, scope, emphasis and application. Under the new approach, the uncertainties that can affect both tangible and intangible assets of the organization are taken into account. Hence, ERM will help you align your organization’s strategies, people, processes, technology and knowledge so that the company is well equipped to handle risk.
There are some risks that companies can minimize and others they can embrace. For example, there are risks associated with people and their behavior or risks in technology and its impact on the organization. There are risks that may harm a business such as compliance failures, system downtime and software glitches. These are risks that can grow and differentiate a business.
Names like Levitz, Sharper Image, Linens n Things and Circuit City are not supposed to just disappear so quickly. Every day it seems like another article in the news warns that no company, from a small private company to a conglomerate, is immune from dealing with business risks.
1. Creates sustainable competitive advantage.
The Committee of Sponsoring Organizations published an enterprise risk management integrated framework in 2002, which has helped companies that were desperately seeking a good enterprise risk management program. The framework guides companies in customizing enterprise risk management. It has created awareness of the need for companies to comprehend the risks they face, judge how well equipped they are to meet those risks, determine what steps need to be taken to minimize and counter them, and make sure risk analysis is an ongoing process so that new risks are identified. Companies have to coordinate risk management, internal controls and enterprise performance management in order to eliminate risks effectively.
The term “risk” describes the probability of an undesirable event happening as a result of a present decision or of some future event. In life, we face multitudes of these risks. There are risks that we would readily take while there are also those that we would try to avoid. There are risks that we consider worth taking and those that we would not consider because they are surely headed for a loss.
For those growing or middle market companies with no ERM program or just a shell of a program, somewhere sitting on a dusty shelf or boxed away in the warehouse may be step one of the risk management process.
ERM Defined
Aided by technology and a wealth of information about risk mitigation, managers of the new millennium are more confident of absorbing risks. Risk management software has contributed immensely to this favorable trend.
For the most part, organizations that have failed or are failing suffered from having too narrow a focus on financial performance in a short-term basis. This is then the reason behind the development of the BSC itself. And if you would take time to look at the financial perspective of the BSC, you would see that it is actually the inevitable location for ERM or enterprise risk management objectives as well as measures.
In a service driven economy, businesses cannot afford to let risks remain unidentified. Currency fluctuations, wide distribution channels and an unprecedented dependence on technology are just a few of the new risks businesses must assess. Many organizations are choosing to implement an Enterprise Risk Management process to ensure that a uniform approach is adopted towards risk identification, analysis and treatment.
Companies can set up committees to structure business continuity management strategies that are customized to suit the needs of the business. The committee should be given a budget and a timeframe to develop the core plan, which will then be implemented. They have to identify, classify, assess and devise strategies to deal with the risks. They have to analyze the impact the risks will have on the business and take the necessary action to minimize technical, internal, external, economic, human, natural, credit, market, operational and other risks. Taking preventive measures such as getting the right insurance coverage, implementing safeguards and constant monitoring will help companies become aware of risk indicators and of how to manage the risks to ensure business continuity.
Enterprise Risk Management (ERM) is defined as the methods and processes used by organizations to manage risks (or seize calculated risk opportunities) in relation to achieving their corporate objectives. While executive teams may have their reasons for delaying the implementation of an ERM plan, the truth is that every company needs one. Simply put, it is not a matter of if but a matter of when a company will put an Enterprise Risk Management strategy in place.
• Integrate the risk management process with your business plan.
(1) identification of defects, gaps, areas of risk
Due diligence is a measure of prudence, responsibility, and diligence that is expected from, and ordinarily exercised by, a reasonable and prudent person under the circumstances.
Whenever the economy hits a rough patch, companies turn to less defined financial issues like risk, uncertainty, liquidity or even enterprise risk management (ERM). Having an accurate read on your company financial underbelly is even more critical in turbulent economic times. This includes unearthing and managing the seemingly invisible profit leaks that put your company cash flow at risk. As we are learning the hard way in this economy, cash is king. Without it, your company may be at risk.
The Sarbanes-Oxley Act of 2002 became the driving force behind Enterprise Risk Management. Financial institutions are good examples of companies that have benefited from effective ERM.
• Develop an ERM plan and set priorities for implementation. Discuss the plan with your team members and seek their opinion.
You must bear in mind that ERM is a journey, not a destination. It represents a sea change in organizational attitude and behavior. Like any other important change, the adoption of ERM is basically a process of building awareness, implementing and ultimately driving ownership throughout the organization. What makes it all the more challenging is that in any organization, individual perspectives about risk will differ.
Yet the idea of creating or improving an Enterprise Risk Management (ERM) program to anticipate or plan for business risks sounds overwhelming in terms of the time and money it would take. Just think of those Sarbanes Oxley nightmares and overruns. In this volatile economic climate where cash and liquidity must be husbanded, how do you afford such a champagne sounding budget item in the current beer budget reality?
There are two kinds of risk management. Traditional risk management is focused on risks stemming from physical and legal causes like natural disasters, accidents, death or lawsuits. Financial risk management focuses on risks that can be managed by using traded financial instruments. Large corporations employ risk management teams while smaller corporations practice informal, if not formal, risk management techniques that are rolled into the responsibilities of operational managers. Risk managers recognize and review their organization's loss exposures, including property, liability, personnel and net income. This helps promote growth through profit, continuous operation and stable earnings.
Using a common source for definitions from Business Dictionary, think of these concepts as:
Many companies are turning to IT and software to understand, evaluate and manage these various types of risks. According to a recent survey from Forrester Research, 62 percent of CIOs indicated they already had a company-wide initiative focused on enterprise risk and compliance management.
Risks are inherent in any business venture, and when it comes to financial risks, businessmen don’t have much choice but to face them. It is for this reason that knowledge about financial risk management is very important in the business world. The practice won’t help businessmen avoid risks, but it gives them a chance to counterbalance the negative effects of risks whenever they have to take one.
When the economic climate changes as dramatically and as frequently as it seems to be nowadays, risk management should be on every executive team agenda. Do not ignore the warning signs and watch your ship go down. Face your risks squarely and come up with a flexible ERM plan. Do not wait for Mayday!
Since the advent of risk management as a specialized function in many organizations, software has played a greater role in the operational health and growth of a company. Software has been developed to minimize business risk, as well as to identify opportunities where ‘risk taking’ can accelerate growth. These packages are designed to provide IT organizations with the training, technology and process improvements they need to manage software risk, and to view risk as an enabler, not an obstacle to success.
ERM improves the way a company handles the more predictable risks that businesses face. It allows a company to avoid bad investments, and conversely, make investments that might intuitively seem too risky. Companies that have adopted risk management methodologies report fewer failed ventures and less damage from unforeseen events.
When companies find ways to customize enterprise risk management using the COSO framework as a guide, they will succeed in identifying and facing risks as well as in assigning personnel to plan and devise ways to nullify risks. Companies have to develop systems to classify risks, identify key risk indicators, and conduct checks to see whether employees are taking the prescribed action to minimize risks. Planning risk management is not sufficient; the extent to which it is implemented is what matters. Both external and internal risks have to be identified. The ways to combat them have to be identified as well, by carefully listing the actions employees must take to minimize each risk.
How to Customize Enterprise Risk Management:
And then there’s financial risk management, which is very similar to general risk management with a specialization in a business’s finances. Like general risk management, financial risk management also follows the processes of risk identification, analysis, evaluation, and treatment. Financial risk management, however, is more focused on finances and makes use of financial instruments to manage a business’s exposure to risks.
(2) continuity of the key operations of the organization.
Last but not least, be sure to factor in future goals and capabilities for managing critical risks.
Lastly, companies can aggregate risk exposure right onto the downturn BSC. This should be done so as to prod discussions and forums about the risks involved in the current strategies put into play. With these measurement challenges all lined up, any company would have better footing when faced with the depressing effects of economic downturn in the corporate world today.
Again, by addressing the need for internal control measures, ERM helps your company anticipate and manage uncertainties better. It also enhances the enterprise’s value in the three ways listed below.
If companies have good business continuity management plans, they may reduce potential damages by as much as 90%. Due to poor business continuity management plans, about 150 companies went out of business during the World Trade Center bomb attack. Bad insurance coverage selection and inadequate risk management guidelines and implementation have resulted in the closure of several businesses due to fire attacks.
Risk management includes policies, procedures, and practices involved in identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks. A firm may use risk assumption, risk avoidance, risk retention, risk transfer, or any other strategy (or combination of strategies) in proper management of future events.
To customize enterprise risk management, companies have to analyze all aspects of their businesses carefully. They have to involve each department head, discuss and gather information, classify the risks (market, credit, operational and so on) and study them, and use prescribed guidelines to form a detailed plan to manage the risks. They have to introduce policies and procedures to ensure each employee is implementing risk management techniques, and periodically hold discussions to identify and devise ways to combat new risks.
(2) measurement of the adequacy of the output, and
Another thing companies can do is the estimation of the recession’s impact on profitability – most especially now that there are potential modifications surfacing from these macro-economic variables.