Enterprise risk management (ERM) is an activity whose overall objective is to enhance organizational performance. ERM achieves this by providing the Board and senior management with insights into the key risks that could prevent the organization from achieving its strategies and objectives, enabling them to effectively manage those risks. In today’s rapidly shifting global risk climate, organizations face increased pressure to strengthen risk management practices. 83% of institutions in Deloitte’s latest Global Risk Management Survey, 11th edition, have an ERM program in place, up from 73% in the prior year’s survey. Further, now more than ever, mature ERM practices can form the foundation for effective risk response strategies during unprecedented events, such as the Coronavirus (COVID-19) pandemic.
Getting Risk Management Right: The Critical Case for Risk Maturity
As the magnitude and complexity of business risks grow, organizations face mounting pressure from Boards and investors to develop strong enterprise risk management plans. But not all business risks are created equal.
According to a 2014 CEB/Gartner study, 86% of significant market capitalization declines from 2004-2014 (characterized by a 40% or more drop in share price in a year) were caused by strategic risks, such as product/services competition or declining demand for a core product.
Source: CEB/Gartner, Reducing Risk Management’s Organizational Drag, 2014.
Deloitte’s Value Killers study found the triggering risks behind the largest company value loss events between 2003 and 2012 (~40% of their value lost in a month) were strategic and external risks, with the largest driver being the 2008 global financial crisis. Notably, 90% of companies were hurt by several of those risks working in concert, even if there was a single triggering risk event. There is much to be gleaned from these historical patterns in our current times. For example, an external risk, such as the COVID-19 pandemic, could couple with a strategic risk to set off a cascade of negative outcomes in an organization, leading to significant value losses.
Source: Deloitte, The Value Killers Revisited, 2014.
In light of this information, current risk management practices are greatly imbalanced. Organizations today devote a shockingly insufficient share of their risk assessment effort to strategic and external risks. In particular, audit departments spend only 6% of their risk management time on strategic risks, compared to 81% spent on operational and financial risk management activities (though operational and financial risks account for only 11% of value loss drivers).
What can organizations do to fix deeply imbalanced risk management practices and develop more mature risk programs?
“[ERM] is not a separate activity with its own objectives but an integral part of the organization’s strategy setting and performance processes.” — COSO, Creating and Protecting Value, January 2020.
Adopting a strategy-centric position toward ERM—as opposed to overly focusing on risk prevention—empowers leaders to take the right risks and realize significant strategic advantages, while strengthening organizational resiliency and agility during times of crisis.
Building mature risk management plans requires embedding risk into business strategy, breaking through risk management silos, and empowering employees to manage risk with effective tools and resources. This involves:
- Engaging the C-Suite and Board in ERM Discussions
- Unifying Risk Management Across Siloed Business Groups
- Investing in Technology and Training
Strengthening ERM: A Key to Success in A Volatile Environment explores how to embed healthy risk practices into your risk management plan, including why investing in intuitive risk management software can help your organization centralize its risk management activities in one place and maximize collaboration between internal audit, risk management, and compliance functions. Regardless of your organization’s current risk maturity level, this whitepaper provides resources and tools for developing the maturity of your ERM program, empowering your business to cultivate a stronger risk culture and achieve its strategic objectives.