Enterprise Risk Management: Best Practices to Guide Your Business

Book cover for enterprise risk management

What is enterprise risk management (ERM)?

What is enterprise risk management (ERM?)

Enterprise risk management applies to businesses of all sizes (despite its name). It’s the process of identifying and evaluating the potential risks to an organisation, prioritising those risks, and taking steps to prevent, reduce, and manage them. Rather than focusing on a single discipline, such as cybersecurity or health and safety, ERM covers every kind of organizational risk, including strategic, operational, legal, financial, and reputational.  

For example, operational risks include business interruption (perhaps due to power outages or supply chain disruption), IT failures or cyberattacks, human error, process failure, and non-compliance with regulations. Typical strategies to address such risks include business continuity planning, IT disaster recovery, employee training, process improvement, and compliance audits. 

ERM isn’t a one-off activity or tick-box exercise. Just as risks change and evolve over time, risk management activities and processes also need to be kept up-to-date and regularly reviewed.  

The bottom line is that ERM helps to protect your organisation and people – including employees, customers and investors – from costly or damaging problems. But it is not just about negative aspects of risk - it is also about the identification and exploitation of business opportunities.

Why do you need ERM?

Why do you need ERM?

Fundamentally, we need ERM to reduce and manage organisational risk, thereby potentially saving time, effort and money – preventing problems is usually far more cost-effective than remediating them. By providing decision-makers with a structured framework for assessing risks, ERM can help to enhance decision-making processes, protect stakeholder interests, ensure compliance with regulations, optimize resource allocation, and foster organisational resilience and agility.

But ERM can also be a source of competitive advantage by enabling organisations to take calculated risks and seize opportunities that competitors may overlook. By integrating risk management into strategic planning and decision-making processes, your organisation may be able to differentiate itself in the marketplace, drive sustainable growth or progress towards its strategic goals in new ways.

The benefits of ERM

The benefits of ERM

ERM plays a crucial role in navigating the complexities of the modern business landscape and achieving strategic objectives. Its benefits extend into all areas of the organisation, these are our top three: 

Enhanced decision-making 

ERM enhances decision-making in several ways. 

  • It provides valuable reporting, by capturing greater levels of risk data consistently and turning that into useful insights for consumption by decision-makers. 
  • If provides a framework and guidance on how to respond to certain events. So when something becomes a potential problem, a decision on what to do will benefit from this advance preparation.
  • ERM moves us from a siloed risk management approach to a more holistic view of the business or organisation, with all departments and functions able to see and understand shared risks, and the potential impacts their actions have on each other.

Increased Agility 

ERM enhances organisational agility by enabling timely responses to emerging risks and opportunities. By fostering a culture of risk-awareness and adaptability, you can respond quickly to changing market conditions, technological advancements, and competitive pressures, thereby maintaining a competitive edge or accelerating your journey towards strategic goals.

Increased efficiency

Looking from an ERM viewpoint helps you to spot gaps, duplication and inefficiencies. It can help you see where staff are under unnecessary pressure, identify potential loopholes that could lead to theft, or discover better ways of working that will save your business money. You may avoid disruptions and break-downs that would slow down your processes and incur cost.

ERM and ISO 31000

ISO 31000 is the international standard for risk management, providing a framework of general principles and guidelines to help organisations:

  • Understand the concept of risk and how it affects the organisation
  • Establish a risk management framework that’s consistent with the organisation's overall objectives
  • Identify, assess, and prioritise risks in a systematic and structured way
  • Implement and communicate effective risk controls
  • Monitor and review the performance of risk management activities
  • Continuously improve the risk management process

ISO 3100 is flexible and can be applied to any type of organisation. It is worth investigating as a source of guidance for setting up your own ERM framework.

ERM best practice tips

ERM best practice tips

Risk Management Framework

Develop a formal framework that outlines your approach to ERM, including roles, responsibilities, processes, and methodologies.

Risk Identification

Regularly identify and assess risks across all relevant areas of your organisation, including strategic, financial, operational, compliance, and reputational risks. Encourage input from different teams to ensure comprehensive risk identification.

Risk Assessment and Prioritisation

Evaluate the likelihood and potential impact of identified risks to prioritise them based on their significance to organisational objectives. Use qualitative and quantitative methods to assess risks, considering both their individual and aggregated effects.

Risk Mitigation and Controls 

Develop and implement risk mitigation strategies and controls to reduce the likelihood or impact of identified risks. Ensure that mitigation measures are aligned with your organisation's risk tolerance and strategic priorities.

Monitoring and Reporting

Establish mechanisms for ongoing monitoring of key risk indicators and the effectiveness of risk mitigation efforts. Implement regular reporting processes to communicate risk information to relevant stakeholders, including management, the board of directors, and external parties as appropriate.

Integration with Business Processes

Integrate ERM processes into overall decision-making and strategic planning processes to ensure that risk considerations are incorporated into business activities and initiatives.

Risk Culture and Awareness

Foster a strong risk-aware culture by promoting awareness of risk management principles and encouraging accountability and risks ownership at all levels.

Continuous Improvement

Regularly review and update the ERM framework and processes to reflect changes in your organisation's risk profile, business environment, regulatory requirements, and best practices. Encourage a culture of continuous learning and improvement within the ERM function.

Board Oversight and Governance

Ensure active involvement and oversight from the board of directors in setting risk management objectives, monitoring key strategic risks, and evaluating the effectiveness of the overall ERM framework.

External ERM support

External ERM support

Your risk management processes are not just internal - there could be various external parties that may support, collaborate or set expectations for your ERM approach.

Auditors

External auditors can help with risk identification and assessment by reviewing internal controls and financial statements. They can also provide recommendations for improving risk management practices.

Regulators

As well as setting standards and guidelines for risk management, regulators can conduct inspections and audits to ensure that organisations comply with regulations and take appropriate steps to manage risk.

Insurance companies

Insurance companies can provide financial protection against potential losses. They can also help assess and manage risks by providing services such as risk assessments and loss control consulting.

Suppliers and partners

Many organisations work closely with their suppliers and partners to manage risks, e.g. by working together to identify and mitigate supply chain risks.

Industry associations

Industry associations can provide valuable information and resources for managing risks. They often provide training, best practices, and networking opportunities for members.

Customers

Customers are often the first to notice issues or vulnerabilities in products or services. Encouraging them to provide feedback about their experiences can help identify potential risks or areas for improvement. This could be through engaging with customers during business continuity planning exercises, understanding their experiences with products or services sourced through you from third-party suppliers,  or getting their feedback on how you are meeting regulatory requirements and industry standard. 

What are the challenges involved in ERM?

What are the challenges involved in ERM?

Implementing and continuing to operate a mature and useful enterprise risk management process is no small feat, and of course the challenge increases with size and complexity of an organisation. 

Some organisations struggle at the first hurdle: making available the required resources to make it happen - people, budget, expertise. Unless ERM is part of someone's job description and they have the capacity to work on it, no progress will be made.

It doesn't help that ERM can feel like a moving target, particularly when implementing it within an organisation that is itself in flux (maybe due to rapid growth or ongoing internal reorganisation). For ERM to remain effective and robust, it has to be created as an organisational framework that is flexible enough to remain valid even after that next reorganisation.

Cultural ERM challenges

Key to ERM success is the emergence of 'risk-aware culture', i.e. the existence of collective attitudes, beliefs, values, and behaviours regarding risk management that are shared and upheld by its members. This is only created through a proactive approach where employees are empowered to identify and address risks before they escalate into problems, with a focus on prevention rather than reaction. The kind of culture we strive for has good communication, clear accountability, a defined approach to continuous learning, and data-driven decision making.  Creating it can be described as an organisational journey, keeping it simple to begin with and then growing maturity over time, with strong leadership support.

Cultural change may be hampered by human nature, not least our natural human tendency to deny risk and believe that bad things happen to others. This optimism bias has to give way to a more measured and objective assessment of risk, driven by organisational rules.

80 percent statistic diagram

Across many different methods and domains, studies consistently report that a large majority of the population (about 80% according to most estimates) display an optimism bias.

Science Direct, Current Biology (2011)

Organisational engagement is essential for ERM

Addressing the 'people change' challenge is critical when implementing an ERM framework to ensure its successful adoption and integration within the organisational culture. Effective communication is paramount. Clear, transparent, and consistent communication about the purpose, benefits, and expected outcomes of ERM helps to alleviate fears and uncertainties among employees. This communication should come from senior leadership, emphasizing their commitment to the ERM initiative and the importance of employees' roles in its success. By fostering an open dialogue, organizations can address concerns, clarify misconceptions, and garner support for the ERM framework.

Providing comprehensive training and development opportunities is essential for equipping employees with the necessary knowledge to engage with the ERM process effectively. Training sessions should not only focus on the technical aspects of risk management but also emphasize the broader organisational context and the role of individuals in identifying and mitigating risks. Tailoring training to different levels of the organization ensures that everyone understands their responsibilities and how they fit into the ERM framework.

Ongoing support and guidance should be provided to employees as they navigate the complexities of risk management, fostering a culture of continuous learning and improvement. By investing in their development, employees are empowered to embrace change and actively participate in the ERM journey, driving its long-term success. 

Technical ERM challenges

When organisational risk data is limited or difficult to access, then this is a blocker for risk culture transformation. This is where we need tools, to capture data, to collaborate and report.

Anyone putting together a risk log for the first time is likely to be using a spreadsheet. It is not unusual for organisational risk management to end up being an amalgamation of spreadsheets submitted from different areas of the business. This approach has many challenges, chiefly the fact that it is much harder to enforce a shared information standard when everyone is freely designing or modifying risk logs in their own area. Spreadsheets are also not ideal when it comes to report automation, data protection, integration with organisational data and so on.

There comes the point when no progress can be made unless a suitable ERM solution is deployed, that essentially provides us with an enterprise database for risk information. This is the foundation for process maturity as it will guide everyone to work with the same templates. Everyone will be collaborating on shared data, and have instant visibility of risk.

The benefits of using ERM software

The benefits of using ERM software

The right enterprise risk management software solution will provide a solid foundation for your organisation's ERM journey and can be game-changing compared to the alternative of running ERM on spreadsheets.

The business case for implementing such a system will most likely break down into these high level benefit cases:

 

Informed decision-making

Easy access to rich, reliable data from a single source of truth is the number one driver for implementing an ERM software. Automated instant reporting and analytics provide insights that are simply not available without it. Armed with this, executives are in a position to make better decisions that are data-driven and informed, driving the right outcomes for the organisation. 

Supporting organisational maturity

With ERM software as a shared platform, different business functions are enabled to adopt common process standards, have visibility of risk and collaborate more effectively. This enables a journey of continuous improvement, building engagement with risk data, assigning clear ownership and thus growing your organisation’s risk culture. 

Reduced admin, improved efficiency

An easy-to-use application will provide time savings for all involved, due to reduced effort for activities such as maintaining risk data, checking and chasing, error correction, creating and distributing reports.

The essential foundation for ERM

Enterprise Risk Management as a discipline delivers fundamental benefits. Once an organisation has reached a certain size and complexity, the investment in an ERM tool should be seen as essential if we are serious about managing and reducing risk as well as safeguarding quality and compliance.

A bunch of spreadsheets simply won't do the job.

Selecting your ERM software

Selecting your ERM software

There are many ERM software applications on the market - here are some hints on what to look for when evaluating different solutions:

 

ERM software features you should look for

Configurable and secure "Single Source of Truth"

It can be difficult to get an overall view of risks across the organisation when the data is stored in multiple spreadsheets. ERM software is designed to easily capture risk data in a single enterprise database that can be adequately secured from unauthorised access. It ensures that data is validated and conforms to business rules. It will support a much richer data set, reflecting not just the status-quo but also historical data so you can understand trends over time. The data model itself should be flexible and configurable, so it can be tailored to information requirements that are specific to your organisation.

Integration

Risk information is more valuable if it is linked to your organisational context. This could mean relating risks to customers, suppliers, products, assets, buildings, projects, processes or any other data set that is personal to your organisation. These data sets exists in your organisation and are maintained by other applications in their own data silos. Through integration, your ERM software will be enabled to 'see' those and allow the user to tag these relationships during risk capture. This will help to create much greater insight into the sources of risk. Identify all the various databases that are candidates for integration and confirm that your ERM tool can link to those.

Automation

Ensure that your ERM software can automate alerts, reminders, escalations and other processes, thus avoiding repetitive manual activities and driving process maturity.

Collaboration

Most likely you want to engage a greater number of people in your organisation in risk related processes - but potentially also external parties, such as customers, suppliers or partners. There are many functional aspects that your ERM software could provide to facilitate this, such as working in Microsoft Teams, sharing documents and reports, security controls to limit what different user groups and do and see, the ability to securely invite external parties.

Governance

On the journey to mature ERM, governance is key. Assigning and tracking tasks, identifying non-compliance or missing data, highlighting overdue events - risk managers should have the tools to make this easy and efficient. No time should be wasted tracking down issues, instead the focus is on helping people to put things right and drive process adoption.

Reporting

This is where we deliver business value from all the data collected. Any ERM tool will claim to deliver user-friendly dashboards, visualisations and reports, but can these be easily extended to include any custom data items that are personal to you? How easy is it to create ad-hoc reports? If your organisation uses Microsoft tools, then Power BI is likely to be your strategic reporting tool - is this supported? These are key questions to be asked when selecting your ERM software.

Artificial Intelligence (AI)

AI is transforming ERM by offering assistance, advanced analytics and predictive modelling. Any ERM tool evaluation should include the underlying technology platform and how it can deliver AI capabilities now and in the future. 

 

Finally, if your organisation uses Microsoft cloud then you should consider the potential "Single Platform" advantage that this offers - all of the features described above are best delivered by placing your ERM tool right into this platform where your teams already collaborate. The key question for any prospective Microsoft ERM software choice then should be: how will it make the most of the strategic investment your organisation has already made in the Microsoft cloud.

Ready to change your approach to enterprise risk management?

See how Power Framework RISK unlocks the collaboration, automation and integration capabilities of your Microsoft platform, to help you engage your organisation and build a culture of risk awareness and compliance.

 

Request a demo