The report, authored by Peter Teuten, looks at how risk management is coming to be understood as a management process rather than simply as an insurance-purchasing method. In the face of many recent risk-impacting events, followed by resulting regulations and awareness, companies are being forced to deal with multiple overlapping situations at once; whereas rushing management plans into action to solve individual problems was sufficient for the past, such methods are falling short in dealing with the increasing complexity of risk management. As such, governance and compliance are beginning to be treated as elements of the risk equation.
Current business circumstances are forcing companies to re-evaluate their risk management plans as such plans are playing larger roles in overall management. Boards of directors are having to understand risk in greater detail than in the past, and their understanding of the basic factors contributing to risk processes is advantageous. Typical people make everyday decisions through identifying and evaluating circumstances, through taking action to minimize negative potential and maximize positive potential, and through keeping track of the actions and their effects; in the same way, risk professionals address risk through these respective steps of measurement, management, and monitoring. In the determination of final outcome, both risk and opportunity are figured into the “balance sheet,” which takes into consideration risk from diverse sources. These sources include disaster recovery; business continuity planning; network security; internal policy management; human resources and personnel risk; physical security; and financial asset protection and integrity.
Given the trend of increase in the complexity of risk management, with little expectation of a reduction in either regulation or events of high risk impact, the solution of continuous risk consideration on an enterprise-wide level, formally known as ERM, is gaining widespread recognition and support. As compliance and governance programs drive the application of ERM, the resulting convergence is increasing the demand for ERM to the expectation of an $80 billion market over the next five years. Unfortunately, executives focus on ERM’s expenses as necessary for compliance and miss its potential return on investment.
In addition to compliance and risk-impacting events, basic market drivers such as cost management, revenue growth, competition, shareholder investment, and employee satisfaction are encouraging companies to embrace ERM. In relation to governance and compliance, ERM addresses the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the following ways: in the measurement, management, and monitoring of processes and the application of controls for the Sarbanes-Oxley Act, ERM benefits companies in its use of internal measures and controls that are documented, monitored, and tested on a regular basis; in the implementation of progressive controls in the handling of patient information for the HIPAA, ERM benefits companies as the information handled is of utmost security and in need of ongoing monitoring.
Several factors contribute to a successful enterprise-wide process that effectively reduces the risk of noncompliance.
- Buy-in and education refers to employee understanding, acceptance, and recognition of responsibility;
- accountability refers to an organization-wide sharing of responsibility that includes the participation of all employees;
- transparency refers to the organization’s ability to demonstrate controls and processes in place and provide documentation of them;
- collaboration refers to the achievement of risk mitigation through the combined efforts of individuals and departments within an understanding of interdependence; and
- repetition refers to the ongoing nature of the ERM process.
If properly implemented, an ERM initiative within a company will mature over time from a tactical solution to a strategic imperative with the ultimate goal of improved performance. In its ongoing search for potential, ERM will produce results from risk elimination to preparation for possible problems to opportunity exposure. From a general management perspective, coordination of efforts concerning risk management will also improve general communication within the organization; help in defining company strategy; align resources; and drive performance in staying ahead of the curve.
In terms of the practical implementation of ERM in a company, a lack of precedent, standards, and methodology in legislation leaves the situation wide open with little guidance. One document, Enterprise Risk Management – Integrated Framework, published by the Committee of Sponsoring Organization of the Treadway Commission (COSO), provides some initial structure for such an implementation but lacks practical advice for the application of its principles. The complex nature of the plan is intended for application across an entire given organization, leaving business executives with a large task ahead of them requiring substantial costs and vast changes in risk management approach and method.
Hurdles involved in the implementation of enterprise-wide ERM range from concrete needs such as decent software to less easily-definable needs such as a paradigm shift in the minds of employees. Despite data figures that show how prevention of problems saves great amounts of money, companies have difficulty allotting funds when compared with optimistic and ignorant belief that catastrophic events won’t occur. Data also shows that relatively small percentages of small and midsize companies have basic plans in place such as crisis-management, business recovery, and others. Given these statistics, it is not surprising that very few companies have set into motion a true enterprise-wide ERM approach.
Software, which is needed to perform basic repetitive steps that ERM requires, has not yet been developed to meet need in the market. Given the abundance of risk management information systems software on the market, already available in advanced versions, few software developers are creating new software that truly incorporates ERM; instead, developers offer add-on ERM packages to their mature software versions in an attempt to reduce their capital investments. However, these products tend to fall short in categories such as provisioning and risk mitigation.
Even current software specifically designed for ERM lacks applicability to an enterprise-wide environment. A comprehensive technological solution, addressing key ERM processes in an integrated fashion, will take evolution through time. Such a system would require the following three unique characteristics:
- platform – must be accessible by many people across the organization; be expandable as the organization matures; and enable collaboration and integration.
- features and value – must provide a level of automation beyond data input and recording and be adaptive to systemized business rules.
- stakeholders – must support the diverse roles of stakeholders with customizable access and views in order to be relevant for administrators, providers, auditors, and others.
The system, in the end, must also provide ease of use; support for the multiple needs of the broader organization; automations and adaptation of processes; a level of transparency; and the ability to provide a benchmark.
ERM is gaining wide acceptance and will become more necessary for enterprises to embrace. The need for implementation in the face of costly professional services and potentially affordable software solutions will drive the market to produce viable technology. A baseline, established by the acceptance of standards where unique takes on ERM once existed, will make it possible for software developers to provide a solution applicable to a greater audience. Economics, while pushing technological innovation by the principle of supply and demand, will also push companies to adopt ERM by the principle of competition.