COSO ERM: Getting risk management right: Strategy and organizational performance are the heart of the updated framework.

Author: Anderson, Doug
Position: Risk Management - Committee of Sponsoring Organizations of the Treadway Commission and enterprise risk management

As enterprise risk management (ERM) has become popular in the past two decades, organizations have been trying to implement a program that satisfies all stakeholders that they are "doing risk management right." The problem is that ERM is not a program. In fact, it is not a department or a process, either. ERM--or, more generically, "risk management"--is an integral component of decision-making. It is a set of skills, approaches, competencies, tools, culture, and more that do not stand alone, but are part of all that an organization does. Unfortunately, many organizations don't execute risk management well and suffer the consequences.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently published an update to its 2004 COSO ERM framework. The name of the 2017 version says it all: Enterprise Risk Management--Integrating With Strategy and Performance. Risk management is all about strategy and performance.
Risk management is an integral part of decision-making. What does this mean? Consider two different situations.

Acme Co. is implementing a new software package to support its core processes such as accounting, logistics, and customer management. As part of its planning, Acme lays out all the steps in the implementation process and then considers what may not go as planned. Some things could go wrong; some could go better than expected. Identifying these possibilities, assessing their importance to the project, taking preparatory actions, and watching how the project progresses are part of how Acme manages its software implementation. This is all done using various monitoring and reporting tools, within the culture of how Acme operates. Acme uses the fundamental aspects of good risk management, even though it may not recognize them as such.

Beta Co. is repainting the exterior of its headquarters buildings. The company turns to its usual painter to get the job done. There were also risks related to this project, but it is less obvious how Beta managed them.

Both Acme and Beta made decisions (multiple ones, in fact). Risk management was an integral part of both organizations' decisions. While the risk management may have looked different in the two situations, it was still risk management. Acme took a more formalized approach, outlining its path forward while considering what deviations from this path might occur because of unexpected events (i.e., risks) and planning accordingly. Beta was not nearly as formal, but relied on past habits to try to accomplish its objectives. The questions for both organizations are: How good was the risk management, and did they use the right approach?

Risk management does not need to look the same for every organization and every...