Most compliance and audit professionals understand at a gut level that enterprise risk management can transform large organizations — making your business more responsive, more agile, more disciplined about ethical conduct, less prone to blunders.
Sounds great in theory, right? So how does a company get there? Exactly why would enterprise risk management (ERM) transform your organization in all those wonderful ways?
ERM allows your organization to be responsive
Start with this premise: the future will go to competitors that are more nimble, not necessarily larger. If you are not convinced of that point, ponder it further the next time you’re riding in an Uber and pass a taxi on the side of the road.
Nimble companies respond to changing circumstances quickly. Sometimes those changes come from regulators stepping up attention to anti-bribery or data protection. Other times they come from customers with fickle tastes or from social media campaigns calling for new business practices. Changing circumstance can even come from business partners pushing their ethical practices upon you.
Enterprise risk management, in the simplest analysis, is the system companies use to monitor activity and identify when something has changed beyond the risk thresholds you have.
So the more an organization embraces ERM, the more nimble and responsive it can be. When you are more nimble and responsive than your competitors, you prevail.
We can write whole books on how to apply ERM smartly, and it’s no easy feat to achieve. But that’s the logic of ERM at an abstract level, and that logic won’t recede. On the contrary, as we keep moving into a more complex, interdependent business world, the logic of ERM is only going to get more compelling.
That said, we can also derive a few “sub-principles” of ERM that will feel a bit more tangible to corporate ethics and compliance officers.
ERM blends leadership, values, technology, and policies
Risk management is about gathering information and acting upon it. No single item exists that an organization can implement and suddenly you’re “doing ERM.”
Instead, compliance and risk officers will need to ask questions like: How do we structure business processes so they generate information about how well they’re working? What policies will guide people in that way? What’s the technology we’ll use to capture all that information and relay it to senior executives in a concise, understandable format?
Nor can we ignore the importance of leadership and corporate values for successful risk management. The business environment is only going to get more chaotic, organizations only more complex. Events will happen that your policies, procedures, and technology didn’t anticipate. The only way to assure that employees will exercise their best judgment in those moments is for a strong culture that supports employees trying to do the right thing.
ERM embeds itself into operations
Much like compliance, risk management is about doing business smartly all the time — not doing business as usual and then having some specialist “add” compliance or risk management at the end. Risk management needs to permeate all business processes, via policies and procedures and culture. If you establish it as a separate business process unto itself, one that could be expanded or curtailed at whim, it won’t work.
ERM makes your organization more risk-aware
ERM doesn’t always reduce risk; it makes your organization more risk-aware. The axiom is “you can’t get the reward without taking the risk,” but saying those words is much easier than embracing their true meaning. Many companies at first will struggle to do it.
Risk management is all about gaining enough assurance for employees and organizations to believe, “OK, we can do this. The possible risk is worth the potential reward.” Too often today, we still make those decisions with incomplete or inaccurate information, or by instinct.
Risk management will, in time, bring discipline to those decisions as we’ve never seen. Companies will be more attuned to their environment and more responsive to change. That’s a game most companies haven’t played yet.