ERM: An easy way to get risk under control

No company can prevent every risk from becoming reality, but businesses can — and should — take steps to manage potential perils. Among the most popular approaches is enterprise risk management (ERM). This article explains what ERM is and isn’t, and provides simple tips for integrating ERM principles into any organization.

For more information, please contact:
  • Douglas G. Martin, CPA

    Douglas G. Martin, CPA

    618.233.0186 | .(JavaScript must be enabled to view this email address) | vCard

    About Doug

Newsletter Signup

How it’s different

Unlike traditional risk management techniques, which often are informal and “siloed” (meaning that each department focuses on minimizing its own risks), ERM is an integrated, companywide process. ERM assumes that all risks are related — that, for example, lax controls in your accounting department may enable fraud in receiving and, in turn, raise your business’s overall expenses.

ERM isn’t about eliminating every risk. It helps you clarify your company’s appetite and capacity for specific risks so you can develop a cohesive philosophy and plan for how they should be handled. In other words, ERM enables you to find an acceptable level of risk that allows you to promote your company’s strategic objectives.

Let’s say you run a pharmaceuticals company that has a new asthma drug. Many possible perils lie in wait as you conduct drug trials, seek FDA approval, establish reliable supply lines and try to avoid liability claims and intellectual property theft. Unfortunately, if you want to get your drug to market, you can’t avoid such scenarios. You need to minimize the risks inherent in a new product rollout and limit potential damage.

Making your list

ERM implementation starts at the top of your organization. Owners and executives must understand the need for ERM so they can sell it to their subordinates.

Once you have management buy-in, assemble a list with input from every division and department. Start with risks that endanger companies of all sizes and sectors, such as those involving finances, IT, natural or manmade disasters, regulatory compliance, and supplier and customer relationships. Then move on to company- or sector-specific risks.

Once your risk list is robust, rank items based on likelihood and impact. Then analyze worst-case scenarios for each one. If the list seems overwhelming, assign each risk to an “owner” who will be responsible for analyzing and monitoring it.

Enterprisewide view

Ultimately, you must come up with ways to manage your biggest threats. Do this by building on current risk management practices, such as audits, insurance coverage and internal controls. You can gradually incorporate an enterprisewide view of risk to make these activities into a true ERM process.

ERM software can help. If employees understand the software application and use it regularly, ERM will become part of their jobs. For you, frequent monitoring of important metrics is an integral part of keeping up with ERM. Many software packages come with “digital dashboards” that keep critical risk-related information instantly accessible on your computer’s desktop.

Incremental approach

You don’t have to implement every component of an ERM program at once. An incremental approach that begins with relatively simple processes and builds the program over time is easy to adopt and can be very effective. 

Other articles in the August 2015 Edition of Business Matters: