One frequently comes across the terms Enterprise Risk Management (ERM) and Risk Management being used interchangeably by many stakeholders. However, it is important to note that using them interchangeably is wrong. In fact, there are some practical examples that bring out the difference between the two and underline the importance of having a proper ERM framework in place within the organisation; these are discussed hereunder.
If one were to carry out a survey and ask organisations in Malta whether they take risk management issues into consideration when defining and establishing the organisation’s strategic direction, goals and objectives, many would reply in the positive. This may in itself seem a good response. However, if one were to dive deeper into what actually occurs, one quickly realises that what is being referred to is traditional risk management, which is not the same as having an enterprise risk management framework in place.
Traditional risk management entails the identification, analysis and control of risks at the departmental level. In fact, organisations that do practise risk management generally place the onus and responsibility on the business unit leaders to manage risks within their respective domains. By way of example, the CFO would be responsible for managing risks relating to financial and cash flow aspects, whereas the Sales Manager may be responsible for managing risks with a focus on sales and customer relations.
[Figure: the siloed view, with each department keeping its own separate list of risks (Risk 1, Risk 2, Risk 3, Risk 4) with no links between the columns]
Whilst this approach is not at all to be discarded, one could easily note that the way risks are looked at and analysed is typically siloed, each department to its own, without looking outside the confines of its “four walls” at how its risks could impact (positively or negatively) the other departments within the same organisation.
Constraints and limitations
The traditional siloed approach does make sense from a business unit perspective, but it comes with a number of constraints and limitations.
- The first constraint relates to the fact that operational heads of departments and managers would normally look at risks from within the organisation. Their analysis is internally focused and, in many cases, would only identify internally triggered risks, with a small element of external “black swan” events. A possible exception to this limitation are financial managers, who would possibly also look at the external environment when it comes to prices, interest rates, exchange rates and other financially related indicators. Very few actually look at the external environment and surrounding forces, including competitors, regulators and new entrants, to name a few, to gauge and gain a better understanding of what the organisation is, or will be, up against in the near future.
- Unit managers automatically focus on their respective silo, in other words concentrating on those risks that affect their unit and how they can address and mitigate such risks. In addition, they often only cater for risks arising from their own internal processes and activities, without thinking outside their comfort zone. So what if all unit leaders think alike? Which one of them, if any, will manage to pick up and identify those risks which do not strictly fall within any of the silos but sit somewhere in between? And what if such risks pose a major impact to some or all of the surrounding silos altogether?
- There may be instances of risks affecting multiple units at the same time but to varying degrees of impact. In my opinion, this leads to two separate issues in themselves. The first is that what might seem minor to one manager may be deemed detrimental to another manager. Thus, different attitudes and response treatments to address the same risk will be implemented. The other issue relates to the fact that if there is no liaison between the managers on how to respond to these risks, due to their silo mentality and modus operandi, one manager’s actual response may counter or negate the other manager’s response.
- This gives rise to another constraint. Without appropriate coordination and communication, one department’s response to a risk may trigger a series of negative impacts on other departments. The risk of a domino effect may be more detrimental than not addressing the initial risk in the first place.
- Another major constraint is that there is no alignment or interlinkage between the organisation’s strategy and the identified risks. At times, directors and executives fail to make the link between the two. Furthermore, they also fail to identify the risks of newly approved strategies that are to be implemented. There is a lack of foresight and of a deep understanding of the strategy, its impact on the business, and also its impact on current, emerging or totally unforeseen risks.
- A key characteristic of traditional risk management is also a major downside, and it relates to reporting to the Board. Because all risk management activities and outputs are compiled independently of each other, consolidating or aggregating the data into one report is overly time consuming. At times the result is perceived to provide little to no real value to the debate, leaving the Board no closer to identifying and solving any of the risk issues that may be on its mind.
Whilst there may be many entities in Malta that do seem to carry out some level of risk management, how many actually ensure that a relevant and effective ERM framework is in place? Furthermore, these same organisations still rely heavily on basic or semi-advanced Excel sheets. In today’s day and age, there are dedicated systems like INSIGHT4GRC that provide the necessary support and technology backing to ease the pain of collating, analysing and reporting on risks at the department level as well as the enterprise level.
Why not get in touch with us today to discover how we can help you transform your ERM framework and enhance stakeholder value? Send an email to [email protected] or [email protected] to learn more.