How to set up an Enterprise Risk Management (ERM) process in your organisation

The revised Hong Kong Stock Exchange Corporate Governance Code provisions (“the Code”) on risk management, which came into effect on 1 January 2016, place the Board at the centre of an effective risk governance framework and enhance its accountability for risk management. This means that directors not only have the important role of being actively involved in developing business strategy and in understanding the existing and emerging risks facing their company, but also have an oversight role over the company’s Enterprise Risk Management (ERM), so that they understand how such risks are identified, measured, monitored and mitigated.

All businesses are exposed to risks that could prevent them from achieving their business objectives or could lead to significant financial losses. Implementing a robust risk management system is not just a compliance exercise. More importantly, it can save your company from disasters: it enables your organisation to identify the key business risks in every aspect of its operations and gives management the knowledge needed to develop a plan to reduce those risks. It is a structured approach to aligning business strategy, processes, people, technology and knowledge so as to proactively manage uncertainties and risks, increase the odds of achieving your business goals and objectives, power business growth, and increase competitiveness and shareholder value.

Objectives and benefits of ERM implementation

ERM implementation involves a change management process with the objectives to:

  • Foster a risk aware culture in your organisation;
  • Change the mind-set and up-skill the capability of individual employees regarding risk management;
  • Promote the identification and effective treatment of risks and, at the same time, the identification of business opportunities (for example, in analysing the risk that technological change may disrupt your business, you can also identify how your organisation can leverage technologies such as cloud computing, social media, big data analytics, artificial intelligence or robotics to boost business growth);
  • Establish a centralized risk management function and expertise for risk management; and
  • Employ a standardized risk evaluation process.

Critical Success Factors

Organisations often encounter problems regarding risk management such as the following:

  • There is no risk management process in place, or if there is, the process is no more than an annual desktop review exercise with little interaction between business operations and departments, and it is entirely detached from day-to-day operations. The risk management process also does not form part of the organisation’s business strategy and planning process, nor is it deployed when making significant investment decisions. Senior management and the Board are therefore concerned about whether the process is able to identify and effectively manage the organisation’s material risks.
  • The existing risk management process does not promote a risk awareness culture in the organisation. Management and staff have little appreciation of risk management and lack the required knowledge.
  • The risk management process is perceived by management and staff as a bureaucratic process, and they doubt whether it adds value to the business.

For ERM to be implemented successfully, it requires:

  • Full support from senior management;
  • Buy-in from management and staff. They are properly briefed on the risk management process, fully understand its importance and are fully on board with what they are required to do;
  • Risk management to be fully integrated with the organisation’s business processes and embedded in strategic development, planning, investment decisions and daily operations; and
  • Fully equipped tools and process with clearly defined roles and responsibilities, policy and procedures.

ERM Implementation Approach

To have a robust risk management process, this is what you can do:

  1. Determine the risk management organisation structure that enforces accountability for managing risks.
  2. Establish a centre of excellence for risk management by setting up a Corporate Risk Management Function. You can train some employees internally or recruit the right talent from outside. My experience indicates that organisations generally do not need to significantly increase their headcount as part of an ERM implementation. It is more important to up-skill the risk management capability and re-calibrate the mind-set of your employees so that they can effectively identify and manage the organisation’s risks.
  3. Assign a risk manager or risk coordinator for each business unit and function. This person guides and facilitates the identification and assessment of risks and coordinates and monitors the implementation of risk mitigation and treatments for their respective business unit or function. These coordinators are the cornerstone of a robust ERM process; they work closely with the Risk Management Function and must be properly trained to perform their role effectively.
  4. Establish a risk management policy, process and procedures on matters such as risk oversight responsibilities, risk ownership, risk identification and management processes, risk event notification and escalation.
  5. Have a risk appetite statement that determines the level of risk your organisation is willing to take in pursuit of your business objectives.
  6. Define the company’s risk assessment criteria for the assessment and prioritization of the identified risks.
  7. Systematically identify risk events that could cause a loss or disruption to the business, as part of the business planning process and the day-to-day management of the business, covering the systems, processes, people and external events that can affect your organisation’s daily operations. Risk identification should also cover investment decisions and any major project development activities.
  8. For each identified risk, analyse the likelihood of its occurring and the impact, i.e. how serious the consequences would be if it did occur. Apart from documenting the existing controls, consider additional mitigating controls or risk responses that would bring the risk down to a level within the risk tolerance set by management.
  9. Identify important interrelationships among risks to assess and manage risk interactions. Risks do not exist in isolation. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Groups of related risks (for example, related risks that would cause business interruption, loss of revenue or supply chain interruption) are identified and the connecting points between each of the risks are explored. This analysis allows the organisation to understand the impact of risk mitigation efforts in any given area on related areas, as well as potentially develop mitigation strategies that can address multiple related risks at once.
  10. Document the identification, assessment and treatment results in the Corporate Risk Register for regular review and update. Develop a prioritized list of the top 10 or 20 risks to the company, based on the established risk assessment criteria, for monitoring by senior management and the Board.
  11. Monitor the implementation and effectiveness of planned control action and risk mitigation measures.
  12. Communicate the risk management process and its results internally and to external stakeholders. Information channels should be established to make sure management and staff are aware of the risks that fall within their area of responsibility and of the actions needed to mitigate them. Processes and procedures should be in place so that incidents of non-compliance (safety, security, legal, company policy or ethical behaviour), adverse events, control failures, critical emerging risks and unmitigated risks are escalated to senior management or the proper authorities in a timely manner.
  13. Review and monitor the effectiveness of your ERM process regularly.
