How to build a successful business case for an enterprise risk management (ERM) implementation project

Many business and finance managers see the importance of having a robust risk management process for their organisations. However, they often struggle to convince their business owners, boards and senior management, or to gain their support for implementing an ERM solution. Here are some tips and recommendations on what you should do to build your business case:

Step 1 – Don’t scare people off with complex ERM models and methods.

Step 2 – Start with some risk-related questions to draw their attention to the potential risks to the organisation. Show them the implications of such risks if they are not properly managed. For example:

  1. What are the current threats to the profits and/or assets of the organisation?
  2. What impact has the current economic environment and legislative changes had on the business?
  3. How is the business performing against its competitors?
  4. Is the organisation experiencing increasing costs? If so, why, and how does this affect the organisation’s performance?
  5. What events, if they occur, would significantly damage the organisation’s reputation / image?
  6. What will happen if the organisation’s computer system is hacked or interrupted, or its data are lost?
  7. What happens if the organisation’s sole supplier or one of its major suppliers stops supplying goods and services to your organisation?

Step 3 – Prepare and present a comprehensive business case for ERM implementation covering the following key areas:

  1. Explain what risk management is.
  2. Communicate and explain the importance of ERM, why it is necessary, the objectives and benefits as well as the value propositions to different stakeholders.
  3. Estimate the cost and resources required, to justify that the ERM implementation will create more value for the organisation than its cost.
  4. Provide details of the proposed implementation approach:
    • Form a risk management committee to oversee the implementation and the risk management process of the organisation.
    • Determine the risk management organisation and the governance structure that enforces accountability for risk management, and the roles and responsibilities of each party involved in the process (i.e. the board (or business owners), audit and risk committee, senior management team, risk owners (heads of business units and corporate functions), risk management function and all employees).
    • Establish a risk management function i.e. a center of excellence for risk management to provide expertise and support in developing and enforcing risk management policy and procedures; coordinate, review and consolidate corporate risk reporting; monitor and assure the effectiveness of the risk management process.
    • Develop risk management policy, process and procedures which include the risk appetite statement, risk tolerance limits, risk assessment and prioritization criteria, as well as risk identification, analysis, treatment, reporting and monitoring procedures.
    • Conduct risk management training.

Step 4 – Formulate a fit-for-purpose and cost-effective risk management process for your organisation. Adopting the ISO 31000:2009 standard, a 7-step process is recommended:

  1. Establish Context
    • Understand your organisation’s mission, values and objectives; culture; business and operating environment; regulatory environment; complexity of your business processes and transactions.
    • Identify internal and external stakeholders and determine their involvement in the risk management process.
    • Define risk assessment criteria: how to rank and prioritize a risk event based on its likelihood, impact, velocity and vulnerability assessment.
  2. Risk Identification
    • Identify risks and opportunities to the business, such as strategic, financial, operational and compliance risks.
    • Perform risk identification during the annual business planning process, when evaluating investment decisions and project planning, and for daily operations.
    • Evaluate existing as well as emerging risks to the business.
    • Ask 3 key questions: what can go wrong, what are the existing controls to mitigate the risks, and what additional mitigation actions should be taken to reduce these risks to within the organisation’s risk tolerance level.
  3. Risk Analysis
    • Determine the likelihood, impact, velocity and vulnerability of the identified risk events.
  4. Risk evaluation
    • Rank and prioritize risks.
  5. Risk treatment and Implementation
    • Determine appropriate risk response or treatment for the identified events (i.e. Avoid, Mitigate, Transfer, Accept).
  6. Reporting & Communication
    • Update the corporate risk register with prioritized risks and mitigation action plans.
    • Prepare a risk heat map showing the list of risk items and their significance.
  7. Review and monitoring
    • Monitor the proper implementation of risk mitigation actions.
    • Monitor the effectiveness of the ERM process for continuous improvement.

The following are the importance, objectives and key benefits of risk management which you can quote when drafting your business case:

  1. Importance of risk management
    • Compliance – HK-listed companies are required to have an effective risk management and internal control system to comply with HK Stock Exchange Listing Rules.
    • Internal factors – An effective risk management process can:
      • Rescue a company from disasters.
      • Reduce operational surprises and losses.
      • Improve company-wide understanding of risks and enhance internal controls.
      • Increase risk awareness and promote a “healthy” risk culture.
      • Develop a common, consistent approach to risk across the organisation.
    • External factors – Improve regulator, rating agency and shareholder perception.
  2. Key Objectives
    • Foster a risk-aware culture in your organisation;
    • Promote identification and effective treatment of risks and at the same time, also enhance the identification of business opportunities;
    • Establish a center of excellence for risk management;
    • Employ a standardized risk evaluation process;
    • Enable risks to be managed at all levels of the organisation; and
    • Have risk management embedded in strategic development, planning, capital allocation, investment decisions, internal control and day-to-day operations.
  3. Key benefits
    • Take a risk-based approach to managing the business, balancing risk and reward, and managing risks as well as seizing opportunities.
    • Improve shareholder value and governance.
    • Increase the chance of business success.
    • Lower the cost of capital, reduce operational losses and achieve cost savings.
    • Improve proactive management and better contingency.
    • Align risk appetite / tolerance and strategy.
    • Optimize capital structure and resource allocation based on risk priority.
    • Facilitate board and senior management oversight.
    • Enhance risk response decisions, improve communications on risks and develop risk awareness in the organisation.
