The Case for Enterprise Risk Management

Date Posted:Wed, 3rd Apr 2024

The Case for Enterprise Risk Management

As the saying goes, the only constant is change. Which is particularly true of current times - from disruptive technological advancements (e.g. AI, Blockchain, ESG initiatives) to ever-evolving legal or regulatory changes (e.g. privacy, tax, capital) and unforeseen global crises or looming recessions. Organisations face a variety of risks that can threaten their viability and success. In such a volatile environment, the ability to proactively identify, assess, and mitigate risks is paramount. This is where Enterprise Risk Management (ERM) becomes crucial.


So what is ERM and why does it matter?

In short, it is the process of managing all of a company's risks (e.g. strategic, financial, operational, compliance) within an integrated framework to meet business objectives, minimise unexpected earnings volatility, and maximise firm value. This process, which has to be applied strategically, empowers the board and management to make informed risk/return decisions.

To expand:

1. ERM is a management process based on an integrated and continuous approach, including understanding the interdependencies across risks and implementing integrated strategies.

2. ERM has defensive applications (minimise unexpected variance) and offensive applications (maximise firm value). Risk management, as I mentioned in previous posts, is not about minimising or avoiding risks but optimising risk/return trade-offs.

3. ERM supports better decisions at board and management levels because they receive consolidated information through a holistic approach. Imagine receiving multiple reports from numerous divisions. How would you know what to do? Instead of viewing risks in isolation, ERM recognizes their interconnectedness and the potential ripple effects they can have on an organization's objectives.

To further understand the importance of interconnectivity, consider a cyber attack (IT/Operational Risk) that results in fund withdrawals (liquidity risk) which results in potential violation of customer rights (regulatory risk) and also causes inability to repay debt (credit risk). You can see how this spreads. If you have individual teams working in siloes, you likely won't have the right safeguards in polace or be able respond effectively.

What components do you need for an ERM programme?

- Corporate governance: To ensure that the required organisational practices and processes are in place to adequately control risks e.g. define risk appetite and tolerance levels

- Sound risk culture: Policies and procedures are not enough. ERM has to be communicated from the top through tone, culture and practices.

- Portfolio management: Provides an integrated and holistic view of a firm's risks.

- Risk management: Identification, Assessment, Management and Monitoring of risks including appropriate treatment.

- Risk analytics and reporting: Quantifies risk exposures for measurement and reporting.

- Stakeholder management: Everyone in the organisation is a risk manager. Convey the message and its importance. Involve staff that are accountable. 

What is the current state of ERM now?

It really varies and depends on many factors. The financial sector globally has largely adopted ERM practices but it is a very different story outside of that to this day. The de-facto role of risk manager seems to fall under the CFO or COO.

Middle East Insights: I am surprised that the above, for financial services, does not seem to hold true in Dubai, Abu Dhabi, Saudi Arabia etc. If I look at the DIFC and ADGM, many authorised entities don't have risk managers. The prevailing theme seems to be to aggregate under the Compliance Officer, which I believe is a significant shortcoming from a variety of perspectives including skill-set, unrealistic expansion of responsibilities, and ultimately missed risk/opportunity management.

In prosperous times, the consequences of potential mishaps often evade our thoughts, yet during periods of adversity, the spotlight shines brightly on previously overlooked vulnerabilities.

Want to learn more? Contact Ghassan Zeidan here