Eliminating Blind Spots With Enterprise Risk Management
October 06, 2023
Chief risk officers juggle a dizzying array of potential risks today. A comprehensive ERM program provides the big picture needed for taking control.
Executives typically stick to a familiar script when their company experiences a major loss incident. The refrain goes something like: “The underlying risk was well known and being actively managed until a sudden, unexpected external event transformed it into a major crisis.” A closer look often reveals that the company’s most critical problems could have been better identified and managed if senior management had given them greater attention.
The history of risk management failures is littered with cases in which executives assumed that compartmentalizing risk into individual disciplines such as credit risk, market risk and cybersecurity would protect the company as a whole, and — should one area go wrong — risks would be contained and controlled locally by specialists in those various disciplines. This approach, although understandable, has given rise to a critical blind spot: senior executives who fail to see the big picture cannot identify the risks that are most important to the full enterprise. This is why having a comprehensive enterprise risk management (“ERM”) program is so critical in today’s business environment.
A well-defined ERM program consists of an integrated set of policies, procedures and controls that work together to give organizations the tools to identify current and emerging risks, develop a complete risk appetite program and respond to incidents and near misses. The framework consists of the following five core capabilities, each fully developed, tested and consistently updated to reflect changing business conditions and priorities:
- Risk management framework roles and responsibilities
- Risk identification and risk inventory development
- Risk appetite statement development and calibration
- Incident reporting and response
- Risk aggregation and reporting
Establishing an ERM program is not a one-and-done proposition. Organizations need to constantly cultivate their ERM practices and risk approach to get the most out of their programs. FTI Consulting has identified the following three pillars to assess and refine the maturity, effectiveness and resilience of ERM programs as internal and external conditions evolve:
Risk Governance and Compliance – This is the formal management framework that ensures appropriate oversight of all risk-taking activities. It is a well-orchestrated set of policies, procedures, controls and reporting that promotes independent, informed and empowered management bodies so that:
- All members of senior management are aware of potential risks across the enterprise and are making informed risk-versus-return decisions
- Processes and controls governing business-as-usual operations represent a comprehensive framework for managing key risks aligned with the entity's policies and regulatory requirements
Risk Strategy – The risk function cannot simply be risk-averse at every turn. The work of revenue-generating functions naturally exposes the organization to risk in order to generate return. The role of ERM is not to be an obstacle, but rather to help senior management assess whether risk-adjusted return has been optimized through activities including:
- Identifying plausible scenarios that would adversely impact the overall organization and planning to mitigate them accordingly
- Calibrating risk appetite and limits to achieve optimal outcomes that give the business room to operate and compete, all while protecting the firm’s capital and reputation
Risk Transformation – The needs of risk management functions constantly evolve due to factors including changes in market conditions, the company’s strategy and regulatory requirements. Employees who are responsible for day-to-day risk management need to keep performing their “day jobs” and in some cases are unable to focus on adapting the function as needed. In such cases, a dedicated team focused on transforming the risk function is needed to keep risk aligned with key vulnerabilities and business objectives. Key oversight needs of transformation programs include:
- Assessing whether ongoing transformation programs align to strategic imperatives and are likely to result in optimal cost-efficient outcomes
- Identifying an interim strategy until transformation projects are complete to best protect the organization
While the financial industry has a long history of adopting various risk management programs, non-financial organizations can also reap the benefits of building out their own ERM programs. An external perspective is often best when doing so, as seasoned risk professionals will have the insights to establish the right framework, policies and procedures. With a well-defined, tailor-made ERM program, executives can overcome blind spots by responding to current and future risks.
This article summarizes FTI Consulting’s two-part series on building and refining ERM programs.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
About The Journal
The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.