Seven Myths about Enterprise Risk Management

22 March, 2024 | Gero Renker


Do you believe ERM is only for large corporations that spend bottomless budgets to maintain it? Or maybe you think risk management is a tick-box exercise done by a risk manager for a compliance report? In this blog, we revisit seven persistent myths about Enterprise Risk Management and show why they could be out of date.

Does your organisation have a well-established function for managing risks?

If so, you will be in a great position to minimise potential threats, making your operations compliant and sustainable, driving continuous improvement and much more. You will also be enjoying strategic conversations about how to convert risks into opportunities.  

If not, you may have fallen foul of some of the common misconceptions about Enterprise Risk Management and ended up with an approach of ‘hoping for the best’ as you’re navigating the uncertainties of your operation. So let’s look at seven of the most common misconceptions about Enterprise Risk Management:  

1. “Risk management is expensive!”  


Implementing enterprise risk management best practices can save you money in the long run by identifying and addressing potential risks before they become costly problems. This way, you can convert visibility and understanding of risks into tangible, bottom-line-boosting business benefits. (In fact, risk management could DELIVER that innovative business idea you’ve been waiting for!) 

You may think that you will need expensive risk management IT solutions. However, if you operate within a Microsoft 365 environment, you already have the platform to deploy ERM software with relatively little expense and surprising ease, as your users will be accustomed to the interfaces and ‘modus operandi’. 

2. “Risk management is only for large organizations!”  


Enterprise risk management is important for enterprises of all sizes and sectors. Your organization may be small and have fewer resources to devote to risk management, but you are still exposed to risks that can have a significant impact.

Once you have a slick process for understanding the nature of the risk your enterprise faces, you will quickly wonder why you weren’t managing risks previously.

3. “Risk management is only about avoiding negative events.”  


Of course, enterprise risk management is about avoiding negative events! Who wouldn’t want to avoid those in their business??  

Nevertheless, risk management is also about identifying and seizing opportunities. Perhaps even uncovering that nugget of inspiration that could drive an important innovation in your organization. 

Without enterprise risk management best practices that define, assess, and evaluate risk, how can potential negative events be converted into business benefits? And why wouldn’t you want to do that?


4. “Risk management is only the responsibility of the risk manager.”  


(Although if you’re in an organization that has taken the step of establishing a distinct risk management role, then that’s progress.) 

The trick here, though, is not only to have one or multiple nominated risk managers but also to make enterprise risk management part of everyone's responsibility. All employees should be aware of the risks that their actions may pose and take steps to mitigate them.  

This isn’t quite as bureaucratic as it sounds. High-risk working environments such as construction and engineering enterprises have demonstrated how empowering and motivating it can be for the workforce to share risk management responsibilities with the whole team. There are many reputable companies that have made an organizational strength out of making enterprise risk management best practices part of the enterprise culture. 

5. “Risk management is a one-time process.”  


Just as you would never say running your staff payroll is a one-time process. 

Enterprise risk management is an ongoing process reflecting the fact that the challenges, opportunities and uncertainties faced by organisations are forever changing. ERM needs to be integrated into day-to-day operations to effectively adapt to these changes and ensure that enterprise risk management best practices remain relevant and responsive. 

And here’s a thought: without continually keeping abreast of risk, you might face the scenario where your organization runs payroll for the last time. 

6. “Risk management is only about complying with regulations.”  


This is a dangerously shallow reason for engaging in enterprise risk management. It potentially completely neglects your employees’ health, safety, and livelihoods, as well as the value and purpose of your organization.

Of course, compliance with regulations is an important aspect of risk management, but it should not be the only one.

You also need to consider the many other risk areas that are likely to be relevant to your own organization’s operation, such as financial, operational and strategic risks.

7. “Risk management is a tick-box exercise.”  

Wrong – ish.

There is a world of difference between ticking boxes for the sake of them, and creating a comprehensive procedure that presents a series of considerations to check to mitigate or eliminate risk. It’s all in the intention.  

Done correctly, enterprise risk management best practices mean a straightforward, ongoing process that requires not only regular monitoring, review and updating, but also a good deal of common sense and clear intentions.

In other words, every box you tick in a clearly defined and compliant process needs to be meaningful! If it appears that there is no point in spending time reflecting on whether to tick a box, perhaps your boxes need to change. What matters is that you use your time and your focus to manage risks better. 

In summary, far from all these misconceptions, Enterprise Risk Management is in fact a living, breathing, dynamic, opportunity-defining, business benefit-driving, whole-team-engaging organizational activity. And one that is particularly easily achievable if your teams already collaborate using Microsoft cloud.

To find out more about introducing meaningful and effective Enterprise Risk Management software into your organization, get in touch today.