By Neer Rama, Force Solutions Product Manager at thryve
Enterprise Risk Management (ERM) gained popularity for a specific reason. It offered what risk management was initially meant to provide: strategic value. Even the most basic strategic management course is an introduction to organisational risk. The ever-present SWOT analysis is essentially about identifying risks and opportunities, two sides of the same coin.
But risk management lost sight of this, perhaps because the demands of specific risk categories took over. First, the aim was to mitigate risks through insurance. When that became too expensive, additional approaches were developed to address what were considered the visible risks.
But those approaches were still not comprehensive enough, because they mostly focused on three of the four primary risk classes. If we break risk down into categories, there are four generally accepted classes: hazards, financial, operational and strategic. Traditional risk management tends to focus on the first three in varying degrees. A lack of capacity and appropriate support systems has separated risk from strategy.
Enter ERM. ERM as a discipline aims to cover all risks in an aggregate fashion. Instead of risks being treated individually or left to silos in an organisation, ERM reveals the interdependency between risks and the organisation’s different areas. ERM is about overall risk, with a finger in each of the categories. It also expands risk-based decision-making beyond risk managers and into the hands of senior executives such as the CEO.
Yet while ERM is certainly making some gains, it hasn’t quite reunited risk with the rest of the organisation just yet. Specifically, many are questioning whether ERM enhances an organisation’s ability to realise its strategy.
This has prompted a tightening of ERM’s focus, namely objective-based ERM.
There are very reliable frameworks through which to deliver ERM, such as ISO 31000 or the one supplied by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). These show a clear correlation between ERM and a company’s ability to execute strategy. But, as Mark McNamee points out in his excellent article, strategic intent or similarities in strategic processes do not by themselves make ERM a strategic tool.
ERM falls short for several potential reasons, but they all involve how risk is treated. Risk is often managed and compiled as a stable metric when it is in fact dynamic. There is a tendency to categorise risk for the sake of a neat register instead of matching moving strategic targets. Risk monitoring can also get stuck on narrow indicators such as employee attendance, which may be too granular for strategic use, or it can be pitched so high that it serves strategy but offers little guidance at the coalface.
Objective-based ERM aims to fix this. Most risk ends up being managed in silos, which contradicts a strategy’s holistic approach. Objective-based ERM doesn’t start from the many risks visible at the silo level, but from the organisation’s strategic objectives. Risk and strategy are married at the objective level and together guide all other activities that flow from the objectives. By using an objective-based approach, risk becomes an organisation-wide function that always leads back to the ultimate question: what defines organisational success?
As I mentioned earlier, objective-based ERM has been developing for a while now. ISO and COSO frameworks already encourage the use of risk as a direct strategy tool. But practice is harder than theory. The rise of modern risk management platforms, popularly referred to as GRC or IRM (integrated risk management) services, has vastly increased our capacity to identify, track and aggregate risk information. They are more inclusive, giving different stakeholders access to risk tools suited to their contexts and roles.
thryve, the solution provider I represent, develops and supports integrated risk management solutions that are the foundation for modern ERM environments. Part of our solutions stack includes Riskonnect, a market leader among integrated risk platforms, as recognised by Gartner and Forrester. This platform combines with our in-house development teams and IP developed through more than a decade working with enterprise customers.
We’ve seen first-hand how the principles of objective-based ERM can deliver tangible and exciting change to our customers. It works incredibly well, expanding the value of risk information into the thoughts of different stakeholders and directly supporting the organisation’s strategic objectives.
There is no reason to avoid this new approach to risk management. Platforms such as Riskonnect, which we implement as part of our services, make it much easier to adopt and adapt the relevant frameworks, gain buy-in from employees and slowly transform your strategic use of risk without rocking the boat.
Risk and strategy fit with each other. Until now the limitations have been around capacity and the tools available. But modern GRC/IRM solutions such as Riskonnect can finally channel the power of objective-based ERM. Is it something your company is thinking about?