There’s no way around it — owning and operating a business comes with risk. On the one hand, operating under excessive levels of risk will likely impair the value of a business, consume much of its working capital and could even lead to bankruptcy if those risks become all-consuming. But on the other hand, no business can operate risk-free. Those that try will inevitably miss out on growth opportunities and probably get surpassed by more ambitious competitors.
How can you find the right balance? One way to manage your company’s “risk profile” is to implement a formal enterprise risk management (ERM) program.
Optimization, not elimination
Most businesses have internal controls to prevent fraud, maintain compliance and reduce errors. But an ERM program goes much further. It’s a top-down framework that starts at the C-suite and addresses risk at every level of the organization. An effective ERM program helps you and your leadership team not only identify major threats, but also devise feasible strategic, operational, reporting and compliance objectives.
Traditional risk management techniques, which are often informal and ad hoc, use a “siloed” approach. In other words, each department focuses on minimizing its own risks. The efficacy of this approach is limited at best, for a couple of reasons. First, it fails to address how risks may arise in the way departments interact — or don’t interact — with each other. Second, it often wrongly assumes that the goal of risk management is to eliminate risk. In truth, the proper goal of risk management is to optimize risk; that is, to develop strategic objectives and operate the business under acceptable levels of inevitable risk.
An ERM program takes an integrated approach. It recognizes that many risks are enterprise-wide and interrelated. For example, say a business identifies a new vendor offering substantially reduced prices on key materials. From the accounting department’s perspective, the deal may seem like a no-brainer. But an analysis under an ERM program could reveal that the vendor is situated in a high-risk area for natural disasters or civil unrest. Or the ERM analysis might show that the vendor is a bad match technologically or has poor cybersecurity.
Good starting point
Naturally, every company’s framework for an ERM program will differ depending on factors such as its size and structure. But one tool that’s proven helpful to many businesses is the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management — Integrated Framework, which was originally published in 2004.
COSO is a joint initiative of five private-sector organizations that develop frameworks and guidance on ERM, internal controls and fraud deterrence. The five organizations are the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors and the Institute of Management Accountants.
The original COSO framework covers four categories of objectives: strategic, operations, reporting and compliance. It also sets forth eight key components: 1) internal environment, 2) objective setting, 3) event identification, 4) risk assessment, 5) risk response, 6) control activities, 7) information and communication, and 8) monitoring. Note that, in 2017, COSO published an updated complementary publication entitled Enterprise Risk Management — Integrating with Strategy and Performance.
Are you tired of putting out fires or having to rethink major strategic decisions because they’re just a little bit off the mark? If so, a formal ERM program may be the solution you’re looking for. We’d be happy to help you build the perfect framework for your business.