Navigating the complexities of the modern business world means facing increasing uncertainty head-on. Potential risks lurk around every corner, from supply chain disruptions to cyber threats, new technologies and transformative market shifts. Confidently managing uncertainty is now fundamentally important to organisational survival and success. That's where Enterprise Risk Management (ERM) comes in. Many organisations have heard of ERM but aren't entirely sure what it means, why it matters, or how to approach it effectively. The theory might seem straightforward, but successful implementation can be challenging. Let's break it down with answers to your most common questions.
Q: What exactly is Enterprise Risk Management (ERM)?
A: Simply put, ERM is a structured and holistic process for understanding and managing potential threats and opportunities across an entire organisation. It aims to optimise success by minimising threats and maximising opportunities. It involves:
- Identifying potential risks (and opportunities).
- Evaluating their likelihood and potential impact.
- Prioritising these risks based on importance and alignment with organisational objectives.
- Planning and implementing responses to effectively prevent, reduce, transfer, accept, or make the most of them.
- Continuously monitoring the risk landscape and the effectiveness of responses.
Q: Sounds corporate. Is ERM only for large multinational companies?
A: Not at all. Despite the name "Enterprise," ERM principles apply to businesses and organisations of all sizes. The complexity might scale, but the core idea of understanding and managing risk is universal for achieving objectives.
Q: What kinds of risks does ERM cover? Isn't that what my IT or Health & Safety departments do?
A: While specific departments manage certain risks, ERM takes a holistic view. It doesn't just focus on one area, like cybersecurity or safety. Instead, it aims to ensure the level of overall risk is compatible with organisational objectives and encompasses every kind of organisational risk, including:
- Strategic: Risks related to your long-term goals, market position, and major decisions.
- Operational: Risks in your day-to-day activities (e.g., supply chain disruptions, IT failures, cyberattacks, human error, process breakdowns, non-compliance).
- Legal & Compliance: Risks associated with laws, regulations, and contractual obligations.
- Financial: Risks related to financial stability, investments, credit, and market fluctuations.
- Reputational: Risks that could damage your brand image and public trust.
For example, addressing operational risks like IT failures might involve strategies like IT disaster recovery planning, while managing human error risks might involve improved employee training and process checks.
Q: Is ERM just a one-off project or a tick-box exercise?
A: Absolutely not. ERM is a continuous and dynamic process often guided by ERM tools and Enterprise Risk Management Software. The risk landscape constantly changes due to new technologies, market shifts, regulations, and unforeseen events. Therefore, your risk management activities, including ongoing risk identification and process reviews, must be regularly updated and adapted.
Q: Okay, but why do we need ERM? What's in it for us?
A: Fundamentally, ERM helps protect your organisation, people (employees, customers, investors), and assets from costly problems. Preventing issues is almost always cheaper than cleaning up the mess afterwards! Poorly managed risk can create havoc and even lead to strategic misalignment where the organisation's risk profile is no longer compatible with its objectives. But the benefits go deeper:
- Smarter Decisions: Provides a structured framework and better risk assessment data, leading to more informed choices.
- Cost Savings: Reduces the likelihood and impact of costly incidents.
- Increased Efficiency: Helps spot operational gaps, duplication, and better working methods.
- Enhanced Agility: Fosters a risk-aware culture, allowing faster responses to threats and opportunities.
- Stakeholder Protection: Safeguards the interests of employees, customers, and investors.
- Compliance Assurance: Helps meet regulatory requirements.
- Optimised Resources: Allows better allocation of time, money, and effort towards managing the most significant risks.
- Competitive Advantage: Enables calculated risk-taking to seize opportunities competitors might miss.
- Opportunity Identification: It's not just about preventing bad things; it's also about spotting potential upsides revealed through risk analysis.
Q: Can you specify how ERM improves decision-making, agility, and efficiency?
A: Absolutely. Let's take a deeper dive into some of the specifics!
- Enhanced Decision-Making: ERM delivers valuable reporting based on consistent risk data, turning it into valuable insights. It provides a framework for responding to events, meaning decisions during a crisis benefit from prior planning. It also breaks down silos, allowing departments to understand shared risks and the ripple effects of their actions.
- Increased Agility: By fostering risk awareness, ERM allows organisations to pivot quickly in response to market changes, new tech, or competitive moves, helping maintain an edge.
- Increased Efficiency: Looking through an ERM lens with Enterprise Risk Management Software helps you identify bottlenecks, redundant tasks, potential fraud loopholes, and process improvements that save money and prevent costly disruptions.
Power Framework has changed the dialogue. We reviewed 15 risks in two hours using live Power BI dashboards; previously we may have gotten through five if we were lucky, as there were so many people involved.
Justin Hammond
Head of the Reconfiguration Program Management Office for University Hospitals of Leicester
The University Hospitals of Leicester is one of the biggest NHS Trusts in England. To support its ambitious hospital building programme, its PMO needed a powerful programme management and business intelligence platform.
Q: Is there a recognised standard or framework for ERM?
A: Yes! ISO 31000 is the international standard for risk management, providing a framework of general principles and guidelines to help organisations:
- Understand the concept of risk and how it affects the organisation
- Establish a risk management framework that’s consistent with the organisation's overall objectives
- Identify, assess, and prioritise risks in a systematic and structured way
- Implement and communicate effective risk controls
- Monitor and review the performance of risk management activities
- Continuously improve the risk management process
ISO 31000 is flexible and can be applied to any type of organisation. It is worth investigating as a source of guidance for setting up your own ERM framework.
Q: What are the essential steps or best practices for setting up ERM?
A: While specifics vary, key best practices include:
- Developing a Formal Framework/Plan: Document your approach, roles, processes, methodologies, etc.
- Clarifying Roles & Responsibilities: Ensure everyone involved understands their part in the process.
- Defining & Sharing Risk Appetite: Understand and communicate the organisation's strategic tolerance for risk, guiding decisions.
- Clarifying Risk Identification Methods: Ensure everyone knows how and when to identify risks – this should be continuous, not just at the start.
- Assessing and Prioritising: Evaluate likelihood and impact to focus on what matters most.
- Linking Risks to Objectives: Connect identified risks back to key organisational objectives or success factors to clearly understand their potential impact.
- Implementing Mitigation & Controls: Develop response strategies aligned with your risk appetite.
- Budgeting for Risk: Allocate resources for risk management activities and mitigation actions.
- Monitoring and Reporting: Track key indicators and communicate relevant risk information regularly.
- Integrating with Business Processes: Embed risk thinking into strategic planning, budgeting, and decision-making.
- Fostering a Risk-Aware Culture: Promote awareness and accountability at all levels.
- Aggregating Risks: Collate risks from different departments or projects to get a portfolio or organisation-wide view, helping to spot trends and cascading risks.
- Continuously Improving: Regularly review and update your framework based on performance, changes, and best practices.
- Ensuring Board Oversight: Keep leadership involved in setting objectives, defining appetite, and monitoring key risks.
Q: Is ERM an internal affair, or do others get involved?
A: ERM often involves external parties and requires drawing in information from across the business:
- External Stakeholders: Auditors, regulators, insurance companies, suppliers, partners, industry associations, and even customers can support, influence, or provide input to your ERM approach.
- Internal Integration: When aggregating risk, consider information from operational teams and corporate risk management activities covering business-as-usual work to get the full organisational picture.
Q: What are the common roadblocks or challenges when implementing ERM?
A: Implementing and sustaining effective ERM isn't always easy. Here's why:
- It Feels Difficult: ERM can seem too complicated, academic, time-consuming, or intimidating to people.
- Cultural Resistance: Building a 'risk-aware' culture takes effort. People can fear sounding negative when discussing what could go wrong, or struggle to overcome their natural optimism bias (the "it won't happen to us" mentality). A lack of transparency, or the absence of an honest company culture where people feel safe raising concerns, undermines effectiveness.
- Resource Constraints: Finding the necessary people, budget, and expertise can be tough initially.
- Dynamic Environments: ERM needs to be flexible to adapt to organisational changes (growth, restructuring).
- Data Issues: Unlike industries like insurance, many organisations lack easily accessible, quality historical data to support robust risk analysis.
- Technical Limitations: Relying on scattered spreadsheets makes standardisation, reporting, aggregation, and collaboration difficult. Limited access to integrated risk data is a major blocker.
Q: Cultural challenges sound tough. How can we foster a 'risk-aware' culture?
A: Building a risk-aware culture is an ongoing journey that transforms how organisations approach risk. Here's how to make it happen:
- Promote an Honest Culture: Create an environment where employees feel safe raising concerns, asking questions, and reporting risks early without fear of blame. As the saying goes, "There's no such thing as a stupid question." By fostering a culture where curious, direct, honest, and open dialogue is encouraged, you'll prevent small issues from becoming bigger problems later.
- Strong Leadership Commitment and Buy-in: Leaders must actively encourage and participate in ERM.
- Clear Communication: Transparently and consistently explain the 'why', benefits, processes, and roles. Define and share the organisation's risk appetite.
- Comprehensive Training: Equip employees with the knowledge and skills needed. Tailor training programs to different levels.
- Ongoing Support: Provide guidance as people learn and adapt.
- Empowerment & Accountability: Encourage employees to identify risks and define clear responsibilities.
- Focus on Prevention & Opportunity: Shift the mindset from solely reactive problem-solving to proactive risk mitigation and opportunity seeking.
- Data-Driven Approach: Base assessments on objective information where possible.
Over time, these steps embed risk awareness into the organisation's DNA. A collaborative Enterprise Risk Management Software solution, backed by strong leadership and a culture of openness, creates a mature risk management framework where everyone speaks the same language and works toward shared goals as one team.
Q: You mentioned technical challenges. Are spreadsheets really that bad for ERM?
A: While often the starting point, relying solely on spreadsheets for ERM quickly becomes problematic as complexity grows due to:
- Lack of Standardisation: Different formats make aggregation and consistent analysis hard.
- Data Silos: Information isn't connected or easily accessible across the organisation.
- Reporting Difficulties: Automating reports and gaining real-time insights is cumbersome. Aggregating risk effectively is complicated.
- Data Security & Integrity Issues: Spreadsheets are harder to secure, to control access to, and to keep under version control.
- Scalability Limits: Spreadsheets don't scale well.
Simply put, there comes a point where spreadsheets hinder progress rather than help mature Enterprise Risk Management.
Q: So, what's the alternative? Why consider dedicated ERM software?
A: Dedicated ERM Software provides a solid foundation and can be a game-changer by:
- Informing Decision-Making: Provides a "single source of truth" with reliable, accessible data, enabling better reporting, analytics, and data-driven insights.
- Supporting Organisational Maturity: Facilitates standardisation, collaboration, visibility, aggregation, and clear ownership and helps grow your risk culture.
- Reducing Admin and Improving Efficiency: Saves time on manual tasks like data entry, chasing updates, error correction, and report generation.
- Desiloing Data Access: Overcomes the limitations of inaccessible or siloed data often found when relying on spreadsheets alone.
Q: What's the difference between a risk and an issue in ERM?
A: There's a key distinction:
- A Risk is an uncertain event that, if it occurs, could have a positive or negative effect on organisational objectives. It hasn't happened yet!
- An Issue is a problem or consequence that is happening now or has already happened. It requires immediate attention or resolution.
A risk can become an issue if the uncertain event actually occurs. However, an issue (which has already happened) cannot become a risk (which is uncertain). An issue can, however, create new risks that need managing.
Q: How should we report risks effectively to senior management?
A: Avoid overwhelming leadership with raw data. Focus on providing actionable insights by:
- Asking Them: The best approach is to ask key stakeholders what information they need for decision-making and oversight.
- Focusing on Materiality: Report on the 'Top X' significant risks (e.g., top 3 or 5 based on potential impact). Don't list every low-level risk.
- Highlighting Impact: Explain the potential consequences if the risk materialises, linking it to strategic objectives if possible. Consider reporting potential financial impact (£).
- Showing Actions: Briefly outline the mitigation plan and who owns it. Clearly state whether leadership needs to make a decision or provide support.
- Using Visuals Wisely: Dashboards showing risks by category (strategic, operational, financial, etc.) or impact level (High, Medium, Low) can be useful. Avoid metrics like 'total number of risks', which lack context.
- Indicating Trends Carefully: It can be useful to show whether the overall risk profile is increasing or decreasing (based on impact or the number of high risks), but avoid simple trend lines of total risks opened/closed, as these can be misleading. Focus on a snapshot in time with context.
Enterprise Risk Management: The Bottom Line
Enterprise Risk Management isn't just another corporate buzzword. Rather, it's a discipline that is fundamental to organisational health, resilience, and success in an uncertain world. As organisations grow and face increasing complexity, moving beyond basic spreadsheets to a structured approach, supported by appropriate ERM Tools and an engaged culture, becomes essential for effectively managing threats, safeguarding operations, ensuring compliance, and confidently seizing new opportunities.
Book a demo today and discover how your organisation can thrive in an uncertain world with Power Framework's Enterprise Risk Management Software. It is built on the Power Platform and deployed into the Microsoft cloud you already own.
It’s a powerful toolbox for organisations looking to transform how they solve the challenges of enterprise risk management.