How to build a successful business case for enterprise risk management (ERM) implementation project

Many business and finance managers see the importance of having a robust risk management process for their organisations. However, they often struggle to convince their business owners, boards and senior management, or to gain their support, for implementing an ERM solution. Here are some tips and recommendations on how to build your business case:

Step 1 – Don’t scare people off with complex ERM models and methods.

Step 2 – Start with some risk-related questions to draw their attention to the potential risks to the organisation. Show them the implications of such risks if they are not properly managed. For example:

  1. What are the current threats to the profits and/or assets of the organisation?
  2. What impact has the current economic environment and legislative changes had on the business?
  3. How is the business performing against its competitors?
  4. Is the organisation experiencing increasing costs? Why, and how does this affect the organisation’s performance?
  5. What events, if they occur, would significantly damage the organisation’s reputation / image?
  6. What will happen if the organisation’s computer systems are hacked or interrupted, or its data is lost?
  7. What happens if the organisation’s sole supplier, or one of its major suppliers, stops supplying goods and services to your organisation?

Step 3 – Prepare and present a comprehensive business case for ERM implementation covering the following key areas:

  1. Explain what risk management is.
  2. Communicate and explain the importance of ERM, why it is necessary, the objectives and benefits as well as the value propositions to different stakeholders.
  3. Estimate the cost and resources required, to justify that the ERM implementation will create more value for the organisation than it costs.
  4. Provide details of the proposed implementation approach:
    • Form a risk management committee to oversee the implementation and the risk management process of the organisation.
    • Determine the risk management organisation and the governance structure that enforces accountability for risk management, and the roles and responsibilities of each party involved in the process (i.e. the board (or business owners), audit and risk committee, senior management team, risk owners (heads of business units and corporate functions), risk management function and all employees).
    • Establish a risk management function i.e. a center of excellence for risk management to provide expertise and support in developing and enforcing risk management policy and procedures; coordinate, review and consolidate corporate risk reporting; monitor and assure the effectiveness of the risk management process.
    • Develop risk management policy, process and procedures which include the risk appetite statement, risk tolerance limits, risk assessment and prioritization criteria, as well as risk identification, analysis, treatment, reporting and monitoring procedures.
    • Conduct risk management training.

Step 4 – Formulate a fit-for-purpose and cost-effective risk management process for your organisation. Following the ISO 31000:2009 standard, a 7-step process is recommended:

  1. Establish Context
    • Understand your organisation’s mission, values and objectives; culture; business and operating environment; regulatory environment; complexity of your business processes and transactions.
    • Identify internal and external stakeholders and determine their involvement in the risk management process.
    • Define risk assessment criteria: how to rank and prioritize a risk event based on its likelihood, impact, velocity and vulnerability assessment.
  2. Risk Identification
    • Identify risks and opportunities to the business, such as strategic, financial, operational and compliance risks.
    • Perform risk identification during the annual business planning process, when evaluating investment decisions and project planning, and for daily operations.
    • Evaluate existing as well as emerging risks to the business.
    • Ask three key questions: what can go wrong, what existing controls mitigate the risks, and what additional mitigation actions should be taken to reduce these risks to within the organisation’s risk tolerance level.
  3. Risk Analysis
    • Determine the likelihood, impact, velocity and vulnerability of the identified risk events.
  4. Risk evaluation
    • Rank and prioritize risks.
  5. Risk treatment and Implementation
    • Determine appropriate risk response or treatment for the identified events (i.e. Avoid, Mitigate, Transfer, Accept).
  6. Reporting & Communication
    • Update the corporate risk register with prioritized risks and mitigation action plans.
    • Prepare risk heat map showing the list of risk items and their significance.
  7. Review and monitoring
    • Monitor the proper implementation of risk mitigation actions.
    • Monitor the effectiveness of the ERM process for continuous improvement.
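As an added worked example (not code from the article), the analysis, evaluation, treatment and reporting steps of this process expressed as a small risk register in Python; the 1-to-5 scales, the likelihood x impact score with velocity and vulnerability as tie-breakers, the residual-score tolerance check and the sample register entries are all assumptions for illustration:

```python
from dataclasses import dataclass

RESPONSES = {"Avoid", "Mitigate", "Transfer", "Accept"}  # step 5 treatment options

@dataclass(frozen=True)
class Risk:
    name: str
    category: str             # strategic / financial / operational / compliance
    likelihood: int           # 1 rare .. 5 almost certain (assumed scale)
    impact: int               # 1 minor .. 5 severe
    velocity: int             # 1 slow onset .. 5 immediate
    vulnerability: int        # 1 strong existing controls .. 5 weak controls
    response: str             # Avoid / Mitigate / Transfer / Accept
    residual_likelihood: int  # expected likelihood once planned treatment is in place
    residual_impact: int      # expected impact once planned treatment is in place

    def __post_init__(self):
        # Reject register entries outside the assumed 1..5 assessment scales.
        for f in ("likelihood", "impact", "velocity", "vulnerability",
                  "residual_likelihood", "residual_impact"):
            if getattr(self, f) not in range(1, 6):
                raise ValueError(f"{self.name}: {f} must be 1..5")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")

def inherent_score(r: Risk) -> int:
    """Step 3 (analysis): likelihood x impact before any additional treatment."""
    return r.likelihood * r.impact

def residual_score(r: Risk) -> int:
    """Step 5 (treatment): likelihood x impact expected after the planned response."""
    return r.residual_likelihood * r.residual_impact

def rank(register):
    """Step 4 (evaluation): highest inherent score first; velocity, then
    vulnerability, break ties so fast-moving, poorly controlled risks surface."""
    return sorted(register, key=lambda r: (inherent_score(r), r.velocity, r.vulnerability), reverse=True)

def top_risks(register, n=10):
    """The prioritised top-N list for senior management and the Board."""
    return [r.name for r in rank(register)[:n]]

def needs_escalation(register, tolerance):
    """Risks whose residual score still exceeds the tolerance set by management."""
    return [r.name for r in register if residual_score(r) > tolerance]

def heat_map(register):
    """Step 6 (reporting): 5x5 grid keyed by (likelihood, impact) -> risk names."""
    cells = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.name)
    return cells

# Constructed sample register; entries are illustrative, not from any real organisation.
REGISTER = [
    Risk("Sole supplier stops supply", "operational", 3, 5, 4, 4, "Mitigate", 2, 3),
    Risk("Core system hacked / data loss", "operational", 3, 5, 5, 3, "Mitigate", 2, 4),
    Risk("Listing rule non-compliance", "compliance", 2, 4, 2, 2, "Mitigate", 1, 4),
    Risk("Rising input costs", "financial", 4, 3, 2, 3, "Accept", 4, 3),
    Risk("New competitor entry", "strategic", 3, 3, 1, 3, "Accept", 3, 3),
]
TOLERANCE = 6  # assumed management tolerance on residual likelihood x impact

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{inherent_score(r):>2} -> {residual_score(r):>2}  {r.response:<8} {r.name}")
    print("Escalate:", needs_escalation(REGISTER, TOLERANCE))
    print("Top 3:", top_risks(REGISTER, 3))
```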

The following points on the importance, objectives and key benefits of risk management can be quoted when drafting your business case:

  1. Importance of risk management
    • Compliance – Hong Kong listed companies are required to have an effective risk management and internal control system to comply with the HK Stock Exchange Listing Rules.
    • Internal factors – An effective risk management process can:
      • Rescue a company from disasters.
      • Reduce operational surprises and losses.
      • Improve company-wide understanding of risks and enhance internal controls.
      • Increase risk awareness and promote a “healthy” risk culture.
      • Develop a common, consistent approach to risk across the organisation.
    • External factors – Improve regulator, rating agency and shareholder perception.
  2. Key Objectives
    • Foster a risk aware culture in your organisation;
    • Promote identification and effective treatment of risks and at the same time, also enhance the identification of business opportunities;
    • Establish a center of excellence for risk management;
    • Employ a standardised risk evaluation process;
    • Enable risks to be managed at all levels of the organisation; and
    • Have risk management embedded in strategic development, planning, capital allocation, investment decisions, internal control and day-to-day operations.
  3. Key benefits
    • Take a risk-based approach to managing the business, balancing risk and reward, managing risks as well as seizing opportunities.
    • Improve shareholder value and governance.
    • Increase the chance of business success.
    • Lower the cost of capital, reduce operational losses and save costs.
    • Improve proactive management and contingency planning.
    • Align risk appetite / tolerance and strategy.
    • Optimize capital structure and resource allocation based on risk priority.
    • Facilitate board and senior management oversight.
    • Enhance risk response decisions, improve communications on risks and develop risk awareness in the organisation.

How to build an agile and risk aware organisation with strong control culture

Irrespective of the size of your organisation, you are exposed to risks that would prevent you from achieving your business objectives or could lead to significant financial losses. Some companies, particularly SMEs, consider risk management unnecessary, as if they were immune from risk exposure or unexpected events that could cause financial losses to their company. They also think that it is not economical to put resources into risk management and that they should just focus on the company’s revenue, profitability and growth. Contrary to what they perceive, the fear of incurring risk, or trying to ignore managing risk, will eventually inhibit business growth. Also, SMEs with a smaller capital base and risk capacity are generally more vulnerable to the adverse impact of unexpected events and hence have a more pressing need to be better equipped for managing business risks. Large corporations may have a risk management process in place and generally a bigger risk capacity, but they may be less flexible or agile.

This article describes how to build an agile, risk aware organisation with a strong control culture by implementing an Enterprise Risk Management (ERM) process that deploys a Plan-Do-Check-Act (PDCA) method. The process involves planning -> risk identification and analysis -> controls and mitigations implementation -> checking and monitoring the effectiveness of controls and risk mitigation measures -> revising the plan of actions where necessary; the cycle then repeats for continuous improvement, fine-tuning and monitoring.

Implementing ERM involves a change management exercise to upskill the organisation’s capability for managing risks, increase the organisation’s understanding of its own strengths and the areas where improvement is required, and cultivate a stronger control culture / discipline for implementing risk mitigation actions and monitoring business performance. For more information on ERM implementation, please refer to How to set up Enterprise Risk Management (ERM) process in your organisation.

Key elements of organisation agility

  • Agility means being adaptable and flexible, changing quickly and succeeding in a rapidly changing and turbulent environment. Speed, responsiveness and dynamism are the key elements of agility.
  • Agility is not incompatible with a structured, well-controlled environment. Quite the contrary, agility requires good control discipline to ensure planned actions are efficiently and effectively executed, with deviations from plans promptly identified or flagged for rectification.
  • Adopting a PDCA method that continuously monitors and improves the efficiency and effectiveness of business processes, and strengthens the planning process with the ability to quickly and dynamically reallocate resources and re-prioritise actions, is also an important element of organisational agility.

How to promote a risk aware culture in your organisation

A risk aware culture can be cultivated under the following areas:

1. Tone from the top

  • Establish a risk management governance structure with senior management and the Board setting the tone for the importance of risk management, with risk management seen as an important element of corporate governance and forming an integral part of all of the organisation’s business processes.

2. People / Mindset

  • Risk Management should be recognised as the responsibility of every employee in the organisation.
  • Employees’ attitude should change from being reactive to unexpected events to being responsive and proactive, seizing opportunities as well as managing risks.
  • Recognise important interrelationships among risks, break down organisational silos, increase collaboration between departments to assess and manage risk interactions.

3. Process

  • Establish an ERM process with policy and procedures, systems and tools that facilitate the discussion and communication of risks and their treatment; promote the identification of emerging risks; and integrate risk management into business planning, strategy development, project implementation, investment decisions and daily operations.

4. Structure

  • Create a risk management function or centre of excellence for risk management in the organisation that manages the implementation of all aspects of the ERM process; provides guidance and advice on the identification, assessment and treatment of risks; and delivers risk management training to upskill risk management knowledge and capability in the organisation.
  • Establish a risk management structure with clear roles and responsibilities and assign ownership for identified risk items.
  • Appoint risk managers or coordinators, one for each business unit or function, to support their respective risk owners (the heads of business units or functions) in identifying risks and in determining and coordinating the implementation of risk treatments for their business unit or function.

ERM process with Plan-Do-Check-Act (PDCA) – How it all works together

The PDCA approach helps to improve the agility of the organisation, enhances the organisation’s problem solving capability, promotes collaboration amongst operational and functional teams for prompt discussion and feedback, and requires the organisation to adjust its plans swiftly in response to the changing business environment. Combining this approach with the ERM process means that risks can be promptly identified and effectively treated. This is how planning, internal control and risk management work together with the PDCA approach to build an agile, risk aware and control focused organisation:

  1. Plan
    • Have a robust planning process that sets business goals and objectives.
    • Establish and communicate clearly the targets and accountability for the achievement of business objectives.
    • Incorporate risk management into the business planning and strategy development process.
    • Develop control and mitigation plans to bring risks to acceptable levels.
  2. Do
    • Execute planned actions and business activities in accordance with established company policies and control procedures.
    • Implement the additional controls and mitigation actions which are identified during the risk management process.
  3. Check
    • Monitor the effectiveness of business execution and controls such that deviations from the set objectives and targets are promptly spotted and rectified.
    • Perform regular reviews of the effectiveness of internal controls and the risk management process, pinpoint areas for improvement and develop plans to address them.
  4. Act
    • Determine the causes for the deviations and identify solutions to rectify the deviations.
    • Adjust the plans, reallocate resources, re-prioritise actions, and revise the control procedures and/or risk responses where appropriate. For example: if the cause of the deviation is poor execution and controls, enhance the process and revise the control procedure to rectify the control deficiency. If it is due to over-aggressive or optimistic targets, then revise the plans, milestones, targets and budgets.
    • Work on continuous improvement of the internal control and risk management process.

How to set up Enterprise Risk Management (ERM) process in your organisation

The revised Hong Kong Stock Exchange Corporate Governance Code provisions (“the Code”) on risk management, which came into effect on 1 January 2016, place the Board as a pivotal component of an effective risk governance framework and enhance its accountability with regard to risk management. This implies that directors not only have the important role of being actively involved in the development of business strategies, and in understanding existing as well as emerging risks impacting their company, but also have an oversight role over the company’s Enterprise Risk Management (ERM), so as to understand how such risks are identified, measured, monitored and mitigated.

All businesses are exposed to risks that would prevent them from achieving business objectives or could lead to significant financial losses. Implementing a robust risk management system is not just for compliance purposes. More importantly, it can rescue your company from disasters; it enables your organisation to effectively identify key business risks in every aspect of business operations and gives management the knowledge needed to develop a plan to reduce those risks. It is a structured approach to aligning business strategy, processes, people, technology and knowledge to proactively manage uncertainties and risks, to increase the odds of achieving your business goals and objectives, power business growth, and increase competitiveness and shareholder value.

Objectives and benefits of ERM implementation

ERM implementation involves a change management process with the objectives to:

  • Foster a risk aware culture in your organisation;
  • Change the mind-set and up-skill the capability of individual employees regarding risk management;
  • Promote identification and effective treatment of risks and, at the same time, identification of business opportunities (for example, in analysing the risk of technological changes that may disrupt your business, you can also identify how your organisation can leverage technologies such as cloud computing, social media, big data analytics, artificial intelligence or robotics to boost business growth);
  • Establish a centralized risk management function and expertise for risk management; and
  • Employ a standardised risk evaluation process.

Critical Success Factors

Organisations often encounter problems regarding risk management such as the following:

  • There is no risk management process in place, or even if there is, the process is no more than an annual desktop review exercise with little interaction between business operations and departments, totally detached from day-to-day operations. The risk management process also does not form part of the business strategy and planning process of the organisation, nor is it deployed when making significant investment decisions. Senior management and the Board, however, are concerned whether the process is able to identify and effectively manage material risks to the organisation.
  • The existing risk management process does not promote a risk awareness culture in the organisation. Management and staff have little appreciation or knowledge of risk management.
  • The risk management process is perceived by management and staff as bureaucratic, and they doubt whether the process adds value to the business.

For ERM to be implemented successfully, it requires:

  • Full support from senior management;
  • Buy-in from management and staff: they are properly briefed on the risk management process, fully understand its importance and are fully on board with what they are required to do;
  • Risk management fully integrated with the organisation’s business processes and embedded in strategic development, planning, investment decisions and daily operations; and
  • Fully equipped tools and process with clearly defined roles and responsibilities, policy and procedures.

ERM Implementation Approach

To have a robust risk management process, this is what you can do:

  1. Determine the risk management organisation structure that enforces accountability for managing risks.
  2. Establish a centre of excellence for risk management by establishing a Corporate Risk Management Function. You can train some employees internally or recruit the right talent from outside. My experience indicates that organisations generally do not need to significantly increase their manpower as part of the ERM implementation. It is more important to up-skill the risk management capability and re-calibrate the mind-set of your employees to effectively identify and manage the risks of your organisation.
  3. Assign a risk manager or risk coordinator for each business unit and function who will be the key person to guide and facilitate the identification and assessment of risks and to coordinate / monitor the implementation of risk mitigation / treatments for their respective business unit or function. They are the cornerstone of a robust ERM process, working closely with the Risk Management Function, and should be properly trained to perform their role effectively.
  4. Establish a risk management policy, process and procedures on matters such as risk oversight responsibilities, risk ownership, risk identification and management processes, risk event notification and escalation.
  5. Have a risk appetite statement that determines the level of risk your organisation is willing to take in pursuit of your business objectives.
  6. Define the company’s risk assessment criteria for the assessment and prioritization of the identified risks.
  7. Systematically identify risk events which could cause a loss or disruption to the business, as part of the business planning process and day-to-day management of the business, and include systems, processes, people and external events that can impact your organisation’s daily operation. Risk identification should also cover investment decisions and any major project development activities.
  8. For each identified risk, apart from documenting the existing controls, additional control mitigation or risk responses should also be considered in order to bring the risk level to within the risk tolerance level set by management. Analyse each risk to ascertain the likelihood of its occurring and the impact, or how serious the result would be, if it occurs.
  9. Identify important interrelationships among risks to assess and manage risk interactions. Risks do not exist in isolation. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Groups of related risks (for example, related risks that would cause business interruption, loss of revenue or supply chain interruption) are identified and the connecting points between each of the risks are explored. This analysis allows the organisation to understand the impact of risk mitigation efforts in any given area on related areas, as well as potentially develop mitigation strategies that can address multiple related risks at once.
  10. Document the identification, assessment and treatment results in the Corporate Risk Register for regular review and update. Develop a prioritised list of the top 10 or 20 risks to the company, based on the established risk assessment criteria, for monitoring by senior management and the Board.
  11. Monitor the implementation and effectiveness of planned control actions and risk mitigation measures.
  12. Communicate the risk management process and results internally and to external stakeholders. Information channels should be established to make sure management and staff are aware of risks that fall into their area of responsibility and the actions needed to mitigate risks. Process and procedures should be in place such that incidents of non-compliance (safety, security, legal, company policies or ethical behaviour), adverse events, control failures, critical emerging risks or unmitigated risks will be escalated to senior management or the proper authorities in a timely manner.
  13. Review and monitor the effectiveness of your ERM process regularly.