The Case for Adopting an Enterprise Risk Management (ERM) Framework

By Jennifer Cho

Risk mitigation is an essential part of performance management and optimization at all companies. All businesses, from early-stage, emerging companies to enterprise size, must accurately and comprehensively scope and address a variety of risks for them to meet their strategic business goals. But this is a complex and layered process for most organizations and if not addressed systematically, has the potential to get sidelined, delayed, or siloed.

As a result, many executive leadership teams and boards now understand the strategic value inherent in adopting an enterprise risk management approach at their companies. The ownership and accountability for this workstream often falls within the CFO’s orbit. Over the course of my 20+ year career as a CFO, I have led, sponsored, and/or participated in various ERM programs for companies I have worked with. What I have learned through those experiences is that how ERM is implemented at a company really matters. ERM should never be viewed as just an exercise or compilation of a list of potential enterprise risks. It must be an operationally relevant, ongoing, and evolving approach to build better business processes, facilitate milestone achievement, and be fully integrated with overall company performance management to be the most successful.

What is Enterprise Risk Management (ERM)?

ERM is a framework for managing organizational risk. Organizational risk can include a diverse set of categories of risk which impact business performance in very different ways. Think cyber risk vs. PR/reputational risk. Legal risk vs. financial risk. Risks can be short term or long term. Many involve external parties outside of the control of the company (regulatory, cyber) whereas others are more internal in scope.

The objective of ERM is to develop a comprehensive view of the most significant risks to the achievement of the organization’s key initiatives and objectives. Every enterprise must decide what it perceives as priority risks to the organization and perform some form of risk assessment so that action plans can be created to mitigate the most salient risks. ERM attempts to identify all types of risk that might have an impact on the viability of the business and achieving its goals. The ERM framework then helps a company isolate and manage anticipated risk across the organization via a set of processes, policies, and activities.

Why Adopt an ERM Framework? 

An ERM framework can protect an enterprise from potentially significant losses and/or unexpected negative outcomes. ERM can also be an important tool promoting business continuity in volatile circumstances when a business pivots around changing dynamics. And finally, ERM results in a common organizational view, language, and metrics around risk exposure which can be communicated across the enterprise, leading to increased support for risk mitigation initiatives across departments and the workforce.

As such, an effective ERM can be an important strategic tool for the leaders of the business. Insights about risks identified from the ERM process should be an important input to the organization’s strategic plan. As a management team becomes more informed about potential risks on the horizon, it can proactively design mitigating controls and strategies to navigate through these challenges and still meet its key objectives.

In 2018, one of my clients, during an ERM assessment, identified a high concentration of their suppliers being based in China as both an “operational and strategic” risk. To mitigate this risk, they started diversifying their manufacturing requirements out of China to other markets such as Vietnam, Cambodia, and India. This risk mitigation plan allowed the company to avoid major business disruption and a negative financial impact during Covid, when China was largely shut down for over a year to the rest of the world.

What Types of Risks Does EMR Address?

ERM can help devise plans for almost any type of business risk that threatens a company’s ability to survive and thrive.

Typically, ERM addresses the following types of risk:

• Financial Risks impact the general financial standing and health of a company. Examples include interest rate dynamics, liquidity availability, inflation, etc.
• Operational Risks impact day-to-day operations required for the company to operate. Examples include ability to hire talent, physical equipment failure, supplier stability, etc.
• Strategic Risks impact the long-term strategic direction of a company, causing its future success or failure. Examples include competitive dynamics, industry consolidation, product obsolescence, etc.
• Compliance Risks threaten a company due to a violation of an external law or regulation.
• Security and Cyber Risks threaten the company’s assets if physical or digital assets are misappropriated.
• Reputational Risks impact relationships a company has with its key stakeholders, including investors, employees, suppliers, and its customers (a good example here is Wells Fargo’s fake account scandal which was a major blow to its reputation and its stock price).
• Legal Risks occur when the company faces lawsuits or penalties for contractual, disputes or regulatory issues.

The Four Essential Phases of an ERM Framework

Launching ERM at a company should be carefully planned. Choosing who participates, defining their roles, integrating the ERM process with other business processes, and defining success metrics are all key requirements. A typical ERM process addresses risk mitigation in four phases:

Phase I: Risk Identification

The first step in initiating an ERM process is to correctly identify all company risks that can negatively impact the business and delivering on the business’s key objectives. The risk identification process often involves interviewing key company stakeholders to identify significant risks.

Phase II: Risk Assessment & Prioritization

The next step is to apply both qualitative and quantitative assessment to prioritize risks. A qualitative assessment analyzes the level of criticality based on the probability of the risk occurring. A quantitative assessment then analyzes the financial impact of risk impacts to the business. Once these assessments are completed, risks can then be ranked based on their significance to business performance. This will help the company to focus on the top 10-15 ‘highest priority’ risks.

Phase III: Risk Mitigation Action Plans

Upon completion of risk assessment and prioritization, the next step in ERM is to develop a plan to address/mitigate each risk. The objective of this action plan is to reduce the probability of occurrence (preventive action) and/or to reduce the impact of the risk (mitigation action). These action plans are best developed by those actors most accountable for risk control in their respective departments. Success metrics should then be defined to allow management to better understand the impact of action plans on company risk management performance.

Phase IV: Risk Monitoring & Reporting

Once the risk treatment or action plans are developed, these need to be monitored according to the success metrics defined by the business owners responsible for implementing them. Regular reporting of progress across stakeholders and management is key to ensuring transparency and accountability. By developing a clear monitoring and reporting structure, the company can ensure that there are appropriate forums for escalation and that appropriate risk responses are being actioned. A Fortune 500 company I worked for revisited and executed Phase I, II, and III on an annual basis and reported out its ERM scorecard (Phase IV) on a quarterly basis to its leadership and the board. This rigorous monitoring and reporting served them well.

ERM Implementations: Final Thoughts

After implementing ERM frameworks at several client companies, I have learned the following:

• Ideally, ERM should be embraced by management and implemented before a major risk to business performance appears on the horizon. CFOs should take the lead in proactively demonstrating to management and the board the rationale and importance of adopting an ERM approach.
• ERM processes, procedures and metrics should be customized to a business’s specific goals and objectives so that KPIs and performance benefits can always be tied to areas of risk mitigation and control. A deep understanding of key business objectives tied to specific categories of risk is the key to prioritizing areas for effective action.
• Because risks constantly emerge and evolve, ERM must be accepted across the company as a continuous not a “once-and-done” process. Risks continually appear/disappear and evolve as a result of competitive, industry trends, technological innovation, and other external dynamics, to say nothing of changing internal players and priorities.
• Hire ERM Professionals to help you. There are many consulting firms that specialize in ERM assessment and implementation. In my experience, it has been highly useful to utilize professional consultants to design an initial ERM framework and have them partner with the company team through the entire process the first time you go through it. Once the organization becomes familiar with the ERM framework, the ongoing monitoring, reporting and management can be accomplished effectively in-house with clear accountability assigned to various leaders.

If your company is contemplating adopting an ERM approach, get in touch. I’d be happy to share my experience implementing these with your team.