Search close
Hexagon ppm

Enterprise Risk Management: The strongest cost-cutting measure

Enterprise Risk Management: The strongest cost-cutting measure

What is Enterprise Risk Management (ERM)

Risk Management is an increasingly critical part of modern enterprise. Catastrophic events in the last few decades have catalysed industry to develop and implement the principles seen across industry today, which we will discuss shortly. Risk, according to the definition set out in ISO Guide 73, is the “effect of uncertainty on objectives”. Guide 73 also clarifies that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence, according to a report by The Institute of Risk Management (TheIRM). There appears to be a growing consensus that risk management is now expected not just to be a tool to protect the company from loss, but also to play a role in constructing and presenting the right corporate image to clients, partners and others.

According to The Risk Management Association, Enterprise Risk Management (ERM) is “the management capability to manage all business risks in pursuit of acceptable returns.” ERM is, in practice, the application of risk management process, principle, and projects to reduce the impact and consequences of risk. It is an enterprise-wide approach to the management of regularly occurring, expected, and preventable types of risk and their potential impacts on all enterprise processes, activities, stakeholders, products and services. The goal of ERM is also to activate benefits that attend well informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support, a necessity in the post-catastrophic event across the enterprise landscape.

The principles of risk management 

Context for risk management 

  1. Risk management is a continuous process that supports the development and implementation of an enterprise’s strategy. 
  2. It methodically addresses all risks associated with the normal activities of an enterprise.
  3. With risk comes potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty.

Risk aware culture

  1. Risk management must be integrated into the culture of the organisation including mandate, leadership, and commitment from the board or other governing body.
  2. Mandate will translate risk strategy into tactical and operational objectives, assigning risk management responsibilities across the enterprise. Enterprise-wide investment
  3. Strategy will support accountability, performance measurement, and reward, promoting efficiency at all levels. 
  4. Achieving a good risk aware culture is ensured by establishing an appropriate risk architecture, strategy and protocols.

Risk management processes can be presented as a list of coordinated activities

The following represent the 7Rs and 4Ts of (hazard) risk management:

  1. Recognition or identification of risks 
  2. Ranking or evaluation of risks
  3. Responding to significant risks (Tolerate, Treat, Transfer, Terminate) 
  4. Resourcing controls
  5. Reaction planning 
  6. Reporting and monitoring risk performance 
  7. Reviewing the risk management framework 

Operational risk management vs enterprise risk management 

a) Differentiating slightly from ERM, with a focus on loss directly, Operational Risk Management (ORM), is described by the Basel Committee on Banking Supervision as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. As such, operational risk captures business continuity plans, environmental risk, crisis management, process systems and operations risk, people related risks and health and safety, and information technology risks."

Value of ORM

  1. Validating and improving the reliability and effectiveness of business operations and the operation of the risk management framework.
  2. Enhancement of risk-based decision-making and improving the risk management capability of staff.
  3. Greater confidence in the planning or delivery of a capital investment preventing delays and cost overruns.
  4. Enhance organisational capability in ensuring staff safety.

b) Where ORM is focused on loss specifically, ERM focuses on three areas of potential effect of loss on enterprise: opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty. 

  • Implies a broader integration of process and program for effective management in ERM.
  • Necessitates more nuanced and adaptive software for management.
    • Data gathering and analysis

Here is an example of the Risk Management Process:

Risk architecture, strategy and protocols

Risk architecture is the outline of the ERM project, specifying the roles, responsibilities, communication, and risk reporting structure to be integrated into the enterprise. Risk strategy, appetite, attitudes, and philosophy should be defined in the Risk Management Policy. The risk protocols are presented in the form of the risk guidelines for the organisation and include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used.

Risk architecture requires top down implementation and participation at all levels of an enterprise to be effective. Strategy is included. Let’s look at the enterprise from the top down: 

  • At the leadership level of an enterprise, the architecture establishes a coherent, transparent and rigorous risk governance structure that supports an organisation’s risk strategy. The goal of this structure is to achieve commitment and ownership from key decision makers to a proportionate (appetite-based) risk strategy and architecture. 
    • At this level, the primary ERM outcome is the development of the risk management strategy and approach that optimises risk appetite.
  • Senior level personnel ensure consistency between an organisation’s risk management strategy, organisational strategies and its governance structure with a mandate to evaluate the extent to which individual risk strategies are consistent with the overall risk strategy. 
    • Senior level personnel will assign ownership and levels of authority that comply with the requirements of the strategy.
  • Management level team members communicate the requirements of the risk governance structure. Their job is to explain the purpose and role of a risk management framework, strategy and architecture to team members who implement at the micro-level of operations. 
    • Management personnel will make recommendations for improvements to the risk management strategy based on experience at the implementation review level of enterprise management. 
  • Following up and ensuring consistency across units and divisions, support level personnel describes the features of an effective risk governance structure, explaining the components of a risk management framework, strategy and architecture to individual employees.
    • Support personnel provide the management relevant information to support risk strategy development, improvement, and enhancement.

Here is a risk architecture example from the IRM:

Appetite, working along the same top-down format from Leadership to Support level, means the following: Leadership level influences decision makers’ understanding of risk appetite and its implications. Senior level has the task of nurturing the balance between risk taking, risk management and rewards in line with an organisation’s risk appetite. Management level will explain how an organisation establishes its risk appetite and tolerance. Finally, the support level explains the factors that influence people’s perceptions of risk and opportunities and their impact on risk appetite

Risk Strategy 

A typical risk management policy has several components, all of which are necessary in integrating a well developed and efficient ERM. A risk management policy should include the following sections: 

  • Risk management and internal control objectives (governance) 
  • Statement of the attitude of the organisation to risk (risk strategy) 
  • Description of the risk aware culture or control environment 
  • Level and nature of risk that is acceptable (risk appetite) 
  • Risk management organisation and arrangements (risk architecture) 
  • Details of procedures for risk recognition and ranking (risk assessment) 
  • List of documentation for analysing and reporting risk (risk protocols) 
  • Risk mitigation requirements and control mechanisms (risk response) 
  • Allocation of risk management roles and responsibilities 
  • Risk management training topics and priorities 
  • Criteria for monitoring and benchmarking of risks 
  • Allocation of appropriate resources to risk management 
  • Risk activities and risk priorities for the coming year

An example of  a suitable structure in terms of the risk architecture, strategy and protocols, via TheIRM:

Risk protocols include the rules and procedures, methodologies, tools, and techniques. These should be clearly defined and shared across enterprise for effective implementation. Policies and Procedures are critical in establishing an effective and well integrated Risk Management Policy. Roles and resources vary at different levels of personnel:

  • At the enterprise leadership level, you will develop a risk management policy that is consistent with the risk management strategy. Leadership roles and responsibilities are to define risk management accountabilities and methodologies that meet strategy requirements by securing commitment and resources that will enable the implementation of the risk strategy.
  • Senior level personnel implement plans and priorities to deliver risk management policy within agreed timescales and budgets to meet enterprise timetables (whether internally determined or externally imposed) and fiscal concerns. They will implement the risk management policy ensuring that ownership and responsibilities are fulfilled within authority limits and will review the effectiveness of the risk management policy and processes and the use of resources and makes recommendations.
  • Management level personnel, at the policy level, explain the purpose, role and benefits of embedding risk management policy and procedures into organisational policies and procedures. They will advise on the appropriate use of methodologies, tools and techniques within the context of the risk policy and use a range of resources to analyse management information to support recommendations for improvements to risk management policies and procedures.
  • Support level staff will explain the purpose of risk management policy and procedures and its components and explain the features of methodologies, tools and techniques and their uses. They will use the information gathered to provide management information to support improvements to risk management policies and procedures.

Enterprise Risk Management Framework

Culture is at the center of the ERM Framework. An institution that lacks the right culture and strong leadership at the top will negate the positive, intended effects of the other framework elements. Simply put, firms that comprehend and adopt ERM as a way of thinking typically outperform those that do not. 

There are eight major areas of framework to be considered that surround culture. They are, in no particular order: 

  1. Stress Testing: What else can go wrong and how are risks interconnected? 
  2. Response: What are we doing about the risks? 
  3. Control Environment: How well do we manage the risks? 
  4. Measurement, Evaluation, and Communication: How do we determine the size and scope of the risks and report the results?
  5. Risk Data & Infrastructure: How do we ensure we have the right information to manage risk? 
  6. Governance and Policies: How good are we at overseeing risk taking? 
  7. Risk Appetite? How much are we willing to take? 
  8. Coverage: What are all the risks to our business strategy and operations?

The components should be understood as parts of a wheel circling the center component: culture. The components are meant to be dynamic, reviewable back and forth in any sequence. They interact and affect each other. 

The Risk Management Association points out that ERM Frameworks are designed to help management and boards of directors answer critical business questions:

  1. What are all the risks to our business strategy and operations (coverage)?
  2. How much risk are we willing to take (risk appetite)?
  3. How do we govern risk taking (culture, governance, and policies)?
  4. How do we capture the information we need to manage these risks (risk data and infrastructure)?
  5. How do we control the risks (control environment)?
  6. How do we know the size of the various risks (measurement and evaluation)?
  7. What are we doing about these risks (response)?
  8. What possible scenarios could hurt us (stress testing)?
  9. How are various risks interrelated (stress testing)?

Here’s an example of a suitable Risk Management Framework:

Enterprise Risk Management is an essential component for any enterprise, encompassing all relevant risks. An effective ERM framework supports Leadership, Senior, Management, and Support level staff competency in managing risks effectively, comprehensively, and with an understanding of the interrelationship/correlation among various risks. A successful enterprise integrates a robust ERM capability and strategy at the culture level of operations by incorporating what currently exists to develop a comprehensive and integrated view of the institution’s risk profile in the context of its business strategy.

Standardising Risk Process

The role of standardisation in the ERM risk process cannot be understated. Risk protocols - the guides, methodologies and standards of risk process - are drawn up with the purpose of formalising the risk management implementation and also the process, the organisational structure, and the objectives of risk management. Standardisation can be applied to any process or task that is relevant to an enterprise, and is the process by which an enterprise or other entity may bring processes or tasks into conformity with an enterprise or industry wide standard, especially in order to assure consistency and regularity.

With regard to ERM, the purpose of standardisation is the formalisation of the risk management process in order to improve effectiveness, but without a guarantee of effectiveness. Once an organisation decides to adopt a standard for risk management, it also has to deal with some practical considerations in order to achieve successful implementation. These include, but are not limited to: 

  • elaborating a plan for risk management implementation
  • designing an organisational structure for risk management with a greater level of specificity
  • making risk management part of the enterprise culture
  • determining all risks categories of the organisation
  • establishing a group of criteria and indicators that measure risk management effectiveness

The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) are the leading organisations in the development of international standards for risk processes. There are numerous standards already established; incorporation of standards is the challenge for enterprise bringing ERM into their enterprise: 

  • ISO 31000:2009 provides principles and generic guidelines on risk management and can be used by any public, private or community enterprise, association, group or individual. This standard is not specific to any industry or sector and is not intended for use as a certification criterion. 
  • ISO/IEC Guide 73:2002 Risk Management provides standards writings with generic definitions of risk management terms. Its purpose is to contribute towards mutual understanding amongst the members of ISO and IEC rather than provide guidance on risk management practice.
  • ISO/IEC Guide 51:1999 refers to any safety aspect related to people, property or the environment, or a combination of one or more of these. The specific approach of this guide provides the risks analysis of complete life cycle of a product or service.
  • This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK (IRM, AIRMIC and ALARM) based on the views and opinions of a wide range of other professional bodies with interests in risk management, during a period of consultation. The standard proposes a process by which risk management can be carried out. It is not intended for use as a certification criterion.
  • AS/NZS 4360 is a generic guide for risk management so that it applies to all forms of organisations. The standard specifies the elements of the risk management process and describes how to develop, establish and sustain systematic risk management in an organisation.
  • CSA Guideline CAN/CSA-Q850 is intended to assist decision-makers in effectively managing all types of risk issues, including injury or damage to health, property, the environment, or something else of value.
  • PD 6668:2000T elaborated by British Standards Institute provides the risk factor of corporate governance requirements and how an organisation can implement effective risk management system.
  • BS 6079-3 Project Management This standard gives guidance on the identification and control of business related risks encountered when undertaking projects. It is applicable to a wide spectrum of project organisations operating in the industrial, commercial and public or voluntary sectors. This standard offers generic guidance only and it is not suitable for certification or contractual purposes. It is not intended as a substitute for specific standards that address risk assessment in distinct applications, such as health and safety, or areas of technological risk.
  • ON Rule series on risk management represent an ensemble of complexes guides with different objectives. T his guides refers to the terms and basics (ONR 49000), risk management (ONR 49001), guidelines for embedding in the management system (ONR 49002-1) , methodologies for risk assessment ( ONR 49002-2), crisis and business continuity management (ONR 490002-3) and the requirements for qualification of the risk manager (ONR 49003) . The present ONR essentially is in line with ISO 31000 "Risk management - Principles and guidelines" .

A clear understanding of what the applied standards are, what they require, and what adoption means to the enterprise is fundamental to the implementation of risk management standards. Organisations will be unable to set concrete implementation targets or to measure progress in reaching those targets should this not be a part. The best methodologies are rooted in use of appropriate enterprise wide software systems. Data gathering and analysis for risk probability projects, utilizing risk matrices, as well as enterprise wide risk policy/process communication, adherence, and review will require effective, modern digital solutions.

How to calculate probability in projects

a) Probability is the likelihood of one or more events happening divided by the number of possible outcomes. When you calculate probability, you’re attempting to figure out the likelihood of a specific event happening. Calculating the probability of multiple events is a matter of breaking the problem down into separate probabilities and then multiplying the separate likelihoods by one another.

b) When we discuss probability, we’re determining a risk score for a particular (or several) risk areas. This score is a calculated number that reflects the severity of a specific risk due to some factors. Typically, project risk scores are calculated by multiplying probability and impact though other factors. 

  • For qualitative risk assessment, risk scores are normally calculated using factors based on ranges  in probability and impact. 
  • In quantitative risk assessments, risk probability and impact inputs can be discrete values or statistical distributions.

c) Using Excel probability function: The PROB function in Excel uses a set of values and associated probabilities to calculate the probability that a variable equals some specified value or that a variable falls within a range of specified values. The function uses the syntax 

>> =PROB(x_range,prob_range,lower_limit,[upper_limit]) << 

where x_range equals the worksheet range that holds your values and prob_range holds the worksheet range that specifies the probabilities for the values from x_range. To calculate the probability that a variable equals a specified value, enter that value using the lower_limit argument. To calculate the probability that a variable falls within a range, enter the bounds of that range using the lower_limit and upper_limit arguments.

Risk assessment matrix template 

a) In enterprise, oftentimes, project managers don’t tackle risk assessments with the same eagerness as they do other aspects of their work. Why is this? It is a part of human nature to avoid uncertainties and place them on the back burner. Risk assessment is a necessary, critical aspect to ERM and will, if properly engaged and thoroughly integrated, will save time, effort, and money across the enterprise. Using a risk assessment template to identify, highlight, and assess potential risks can help make uncertainties more tangible and thereby eliminate the “real” risk in not properly addressing them from the start of the project.

Here’s an excel based risk matrix template. 

b) Before constructing a risk assessment template, you will first need to decide upon the nomenclature and scale to express the probability and magnitude of the possible loss that could be encountered if the risk materialises.

c) Determining Magnitude of the Consequence: 

  • Insignificant – Easily handled within the normal course of operations with no additional costs. (Impact level <10.)
  • Minor – Some disruption within the normal functions. Manageable risk with minimum estimated cost. (Impact level between 11 and 25.)
  • Moderate – Immediate time/resource reallocation will be necessary with a moderate estimated cost. (Impact level between 26 and 50.)
  • Major – Operations are severely disrupted and significant risk of failure to part of the business is possible. (Impact level between 51 and 75.)
  • Critical – Significant growing concerns exist with the business and the risk is classified as critical. (Impact level >75.)

d) Determining Probability of the Consequence

  • Remote – Probability of less than 10%.
  • Highly Unlikely – Probability between 10% and 35%.
  • Possible – Probability between 36% to 50%.
  • Probable – Probability between 51% to 60%.
  • Highly Likely – Probability 61% to 90%.
  • Certain – Probability above 90%.

Here’s an excel based risk matrix template with a focus on the probability and consequence: 

Enterprise 

  • A major issue with risk assessments is subjectivity, which negates their ability to meet their objective. 

  • Common standards and assumptions makes information collected across the organisation objective, quantifiable and comparable, enabling better analysis, issue resolution and issue escalation when necessary. Integrated software systems make these processes effective and efficient.
  • Effective risk management for ERM demans a few key areas of digital competence:
    • Uniformity of numerical scale for cross-enterprise analysis
    • Objective evaluation criteria
    • Calibrated assessment criteria
    • Consolidated resource data collection
    • Holistic, accurate ERM reports
    • Task & workflow portals that are integrated and built for the user.

Construction 

  • Occupational industries face serious risk beyond profit and loss. A construction risk assessment is a critical examination of health and safety hazards for a construction enterprise. Performing regular construction risk assessments can help construction stakeholders comply with health and safety regulations. Construction risk assessments can help safety teams implement corrective measures to protect workers from health and safety threats.
  • The construction industry poses numerous hazards accounting for a high number of serious injuries and accidents. Most accidents are due to the “Fatal Four”, namely falls, electrocution, struck by object and caught in/ between objects.
  • Risk assessment of potential health and safety hazards cannot be effectively completed without the digital tools to collect, collate, analyse, review, and disseminate enterprise wide. 
  • Risk assessments on sites should be done with mobile devices that are used across the enterprise and which collect and store data for access, review, and use in enhancing and improving risk strategies and enterprise safety.

Safety and compliance

a) Managing health, safety and enterprise risk is a core responsibility for every organisation. That responsibility needs to be built into the culture of the organisation and exemplified at every level of enterprise, from the board to support staff.

  • All three elements - health, safety, and enterprise risek - are inextricably linked. Therefore, a performance gap in any one area can have broad implications and negative impact on business outcomes.

b) Health, safety and risk are often associated with preventing problems, but they can also deliver tangible business benefits – a reminder of the three effects of risk (benefit, negative, and uncertainty). 

  • Visionary enterprises are increasingly viewing health and safety performance as a leading indicator of overall operational performance – and a powerful vehicle for driving transformation.
  • Organisations should be able to identify and address the health, safety and risk priorities across enterprise to see the benefits unlocked. 
  • By taking advantage of an integrated digital approach to Safety and Compliance, and utilising advanced solutions, enterprises can:
    • Increase employee engagement;
    • Inform decision-making;
    • Safeguard compliance;
    • Reduce risk and costs; and 
    • Drive continuous improvement in safety and operational performance.

Project risk

a) Project risk is determined by risk assessment, which is the overall process of risk analysis and risk evaluation.

b) Risk Analysis is a composite understanding based on risk identification and risk description.

  • Risk Identification: sets out to identify an organisation’s exposure to uncertainty. This requires a deep knowledge of the entire enterprise, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives. 
    • Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.
  • Risk Description: The objective of risk description is to display the identified risks in a structured format, for example, by using a table.
    • The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.
  • Risk Evaluation/Estimation: Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequences. For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low . Probability may be high, medium or low but requires different definitions in respect of threats and opportunities.
    • See  4, subsection b, paragraph iv for more info on risk probabilities.

Enterprise Risk Management Tools & Techniques

Enterprise in today’s risk laden economic landscape must work specifically to find new ways to invent and reinvent business models in order to sustain [expected] growth and create value for stakeholders. Revenues are created and stakeholder value increased by engaging in activities that often have inherent, embedded, or unavoidable levels of risk; stakeholders, however, tend to appreciate and reward some level of stability in their expected returns. Failing to identify, assess, and manage the varying risks facing an enterprise may result in significant, if unexpected, loss of stakeholder value. 

Leadership are responsible for implementing processes to effectively manage any risks that arise. This dual responsibility of growing the business and managing risk relies upon a well developed risk management framework and the utilisation of appropriate tools and techniques. (See TheIRM report of ERM Tools & Techniques for more info.)

SWOT

In starting a risk management project, a SWOT analysis is long considered global industry standard in determining major areas of improvement. SWOT (strengths-weaknesses-opportunities-threats) analysis is a technique often used in the formulation of strategy.

  • The strengths and weaknesses are internal to the company, including the culture, structure, and financial and human resources. The major strengths of the company combine to form the core competencies that provide the basis for the company to achieve a competitive advantage. The opportunities and threats consist of variables outside the company and typically are not under the control of senior management in the short run, such as the broad spectrum of political, societal, environmental, and industry risks.

Technology 

a) The risk identification process should utilize the company’s existing technology infrastructure or, if the existing structure isn’t amenable to such work, new technologies which can be brought in to supplement or supplant. 

  • Most organizations utilize an intranet (or, more often, cloud technology) in their management processes. Leadership can encourage units to place their best risk practices on the ERM site. 
    • Risk checklists, anecdotes, and best practices on the intranet serve as stimulation and motivation for operating management to think seriously about risks. 
    • Tools that have been found particularly useful to various units can be catalogued and shared.

b) A secondary use of technology in this area is to recognize the company’s potential risk that resides with the Internet. For example, a company’s products, services, and overall reputation are vulnerable to Internet-based new media like blogs, message boards, e-mailing lists, chat rooms, and independent news websites. Some companies devote information technology resources to scan the blogosphere continuously for risks related to the company’s products, services, and reputation.

Additional techniques

Other possible approaches for identifying risks include value chain analysis, system design review, process analysis, and benchmarking with other similar as well as dissimilar organizations. Also, external consultants can add value in the risk identification process by bringing in knowledge from other companies and industries and by challenging the company’s list of identified risks.

Risk Assessment Tools

Qualitative

  • Risk identification
  • Risk rankings
  • Risk maps
  • Risk maps with impact and likelihood
  • Risks mapped to objectives or divisions
  • Identification of risk correlations

Qualitative/Quantitative

  • Validation of risk impact 
  • Validation or risk likelihood 
  • Validation of correlations 
  • Risk-corrected revenues 
  • Gain/loss curves 
  • Tornado charts 
  • Scenario analysis 
  • Benchmarking 
  • Net present value 
  • Traditional measures

Quantitative

  • Probabilistic techniques 
    • Cash flow at risk 
    • Earnings at risk 
    • Earnings distributions 
    • EPS distributions

Technology Support

a) Technology tools are available to assist in the facilitation/identification phase. Software is also available to assist an enterprise with the entire ERM process. Technology products not only help with the process, but they also assist with data gathering, modeling, and reporting. One risk software tool, for example, helps with capital optimization and data management. 

b) Other technology products are designed to help with issues such as time-series modeling, correlations, and other advanced modeling techniques. Finally, certain industries have software tailored for companies in that industry, such as the online maturity model available for insurance companies.

Conclusion

Enterprise Risk Management is a serious concern. Visionary companies are working hard to incorporate and integrate state-of-the-art risk management projects to ensure a degree of control over and mitigate negative consequences, increase net benefits of risk, and neutralise uncertainties. With the right strategies, beginning from risk assessment, utilising data gathered from the risk analysis and risk evaluation processes.

Enterprise personnel that take up the ERM mantle from their respective level of enterprise responsibility, from Leadership to Senior to Management to Support staff, will help to create and inculcate the type of institutional culture around which effective ERM can develop. Failure to create this culture and the requisite buy in - at any of these levels - will result in a breakdown in the ERM process and undeterminable consequence. 

Digital solutions exist to support the entire ERM lifecycle and your specific enterprise needs. These can be tailored to your specific industry or you can use tools developed for your industry. Working to solve today’s problems with yesterday’s solutions is not the way to toward the future. Being aware of the full spectrum risk appetite and risk management protocols in the enterprise will allow you to seek out and utilise the most advanced tools available. 

Articles you may be interested in
Account modal exit cross