Building an Enterprise Risk Management Framework for Companies of All Sizes
When you assess risk for a living, probably the biggest thing you see is how unprepared companies are for it. I read a report recently that said only 28% of companies had an Enterprise Risk Management system in place. That number is concerning because that means most businesses are operating without a plan and they’re spreading that risk to others.
A company can have an excellent enterprise risk management plan in place, but that doesn’t protect them if their vendors aren’t as proactive. An ERM program is a necessity in every business simply because of that. It’s like defensive driving in that you’re driving with the anticipation that others are not paying attention. Companies with ERMs in place recover faster when the worst happens. Creating a proactive process for assessing risk is the first step.
Categorizing Risk for an ERM
ERM comprises all the steps needed to monitor and minimize risk in a company. It operates under the theory that there’s no such thing as no risk, no matter how small or simple the business. However, certain risks are easier to manage than others, and can be quantified and even accounted for in budgeting. These risks are comprised of all internal and external threats to a company and are broken into four very broad categories:
- Hazard – Hazards are things that can’t be predicted or anticipated with any degree of certainty. An example of a hazard risk would be a financial firm in South Florida having to close for a month because of damage from a hurricane.
- Financial risk – Financial risk is tied directly to the cash value of the company. In the financial industry, an obvious example of this would be a sudden stock drop. It can also include liquidity risk, in which a firm has a high value, but its value is tied up in properties that can’t easily be transferred into cash. It’s mainly the risk that the firm won’t be able to pay its debts in a timely manner.
- Operational risk – Operational risk includes any risk incurred directly as a part of doing business. An example of this in the financial industry would be an employee illegally trading with client or company funds.
- Strategic risks – Strategic risks are risks that arise because of a plan. For example, a strategy to increase bond purchases during a period of stock market volatility would be considered a strategic risk.
The risks a company faces will almost inevitably fall into one or more of those categories. Once a company knows what risks it is facing, it can better plan for what course of action to take.
Proactive Responses to Risk
An effective ERM doesn’t just assess the risks facing an enterprise, but provides a plan for it, even if the plan is to avoid the risk entirely. Generally, there are five different approaches a company can take with an identified risk:
- Avoidance – An avoidance approach to risk simply involves shutting the risk down. For example, a firm may consider adding commodities sales to its portfolio. Then, they learn it poses a significant financial, strategic, and operational risk. As a result, they decide to not offer commodities, avoiding the risk entirely.
- Reduction – A reduction of risk is a way to minimize the risk and place it at an acceptable level. In this, take the commodities example from above. Only this time, the company policy is to limit commodities trading to 5% of total investment capital.
- Alternative Actions – An alternative action is to take a similar route, but one with lower levels of risk. For example, a company might choose to look into offering only stable commodities that consistently hold their value, like potash or copper.
- Share or Insure – Another method of reducing risk is to get someone else to finance the risk or a part of the risk. This can be done through insurance or it can be done through partnerships. In this case, a commodities trader would trade with the backing of the company and not with their own funds.
- Accept – Ultimately, the solution is to decide that the risk is worth the reward. Here, the firm would simply trust their employees to use their best judgment and stay in compliance while trading commodities.
While accepting sounds like an easy solution, it’s also the one that gets companies into the most trouble. This is because they often forget to account for employee risk in their equation. In the commodities example, the firm may trust their traders to do the right thing, then find their trust was misplaced. Employee risk is part of the operational risk category and it’s something you should proactively manage with vetting.
AC Global Risk offers tools for vetting those in positions of high responsibility. Our proprietary technology allows you to assess an individual for risk in under ten minutes, in virtually any location and language. For more information on how our Remote Risk Assessment solutions can work for your firm, contact us.