Enterprise risk management (ERM) is evolving fast in response to a more dynamic risk landscape and the compelling opportunities (and threats) afforded by digital transformation.
Organizations that embrace it are winning the race (be it for revenue, service or whatever their driving objectives are). An intelligent and integrated approach to ERM is the number one secret sauce differentiating performance outcomes today.
It has become obvious that failures in risk management processes can cause serious damage to an organization. Frequently, this is due to an inability to see the “big picture” issues and a multitude of apparently minor risks at the same time.
Executive management may have little interest in regulatory compliance risks if historically a compliance infraction has simply meant paying a relatively small fine and moving on. Similarly, a breakdown in a financial control that allows some fraud to take place with negligible impact on corporate results will barely register on the radar.
Business managers responsible for operational risks in one business area may have no insight into patterns of operational and compliance failures in another area. They may also be focused heavily on their own mandate, without the context of its impact on overall corporate objectives.
Each risk area, when viewed in isolation, may not be cause for concern in terms of achieving corporate objectives. Then, seemingly from nowhere, a combination of events turns out to create a major problem. All of a sudden, for example, a series of apparently low-impact compliance failures can attract the attention of regulatory authorities and then the media, resulting in what can turn out to be major damage to brand reputation, financial penalties and a long-lasting impact on share price. The root cause of the problem is often the inability to determine the impact of combining and aggregating different categories of risks.
On the other hand, a more advanced risk management process enables early recognition of the potential risk—and the ability to respond in a timely fashion to the early warning indicators revealed through trend analysis and risk aggregation. The solution is to implement a framework and an efficient oversight system for relating risks to each other, and a consistent way of measuring risk impact on the achievement of corporate objectives by aligning key risk indicators (KRIs) with key performance indicators (KPIs).