By Venkat Sarma, Banking and Financial Services Risk Management Professional
A Business Case for ERM in the Non-Financial Sector
TLDR Summary:
1. Non-financial sectors have not had a track record of practising “Enterprise Risk Management” (ERM) best practices or strategic planning.
2. Enterprise Risk Management (ERM), which has been in place since the 1960s and was refined during the 2008 crisis, was created by regulators to protect financial institutions which held public money from “failing”.
3. ERM offers many tools and concepts for entities ranging from Fortune 500 companies to SMEs to government bodies and NGOs to proactively identify, assess, mitigate, and monitor their key risks in a structured and holistic fashion.
4. ERM can manage strategic risks (business model disruption and disintermediation), operational risks (risks of human, technology and process failures, fraud), legal and regulatory risks (adverse changes to government regulations) and compliance risks (violations, misconduct etc.).
5. The business benefits of an ERM program go far beyond just managing unforeseen calamities and make strategic planning more solid and resilient.
6. Good ERM programs need the buy-in of senior leadership and proper governance and metrics to ensure that progress is sustained and measured.
As I sit at home in lockdown, I am reminded of the lyrics of the song “Beautiful Boy”, containing this famous quote from John Lennon: “Life is what happens when you are busy making other plans”.
COVID-19 has disrupted life and thrown a spanner in the works for everyone without exception: individuals, businesses, and governments alike.
It has struck us all swiftly and ferociously and changed our daily routines, mindsets, and perhaps our futures in a dramatic fashion.
A question that comes to mind is “Could we have anticipated this, and could we therefore have been better prepared to deal with it?”
We all have to acknowledge that the risk of a global pandemic has been talked about many times, and parts of the world have experienced the impact of SARS, Ebola and Zika in the not too distant past.
A global pandemic has been on the World Economic Forum’s lists of top risks for the last several years.
Despite this, it appears that most organizations and governments have been caught completely unprepared and are struggling to deal with various aspects in an almost unplanned, “thinking on the fly” mode.
As a risk professional I believe that this is because the non-financial sectors (excluding BFSI) have not had a track record of practising “Enterprise Risk Management” (ERM), which the financial sectors (thanks to regulators and the Global Financial Crisis of 2008) have internalized in their strategic planning and are perhaps better off for this.
Those of us who have worked in the BFSI industry and especially in Risk management are all too familiar with ERM.
This discipline has been around at least since the 1960s and has since evolved rapidly into a complex science replete with sophisticated models, frameworks and tools, and is indeed also a favorite pastime of regulators.
Credit for this must go to the regulators, who rightfully have to “protect” financial institutions from “failing” as they hold public money.
The Global Financial Crisis of 2008 also provided a lot of impetus for development of ERM.
Financial institutions are therefore required to have a strongly functioning risk management structure which is independent, knowledgeable and accountable under regulations, and to demonstrate risk frameworks which model and mitigate all types of risks (known and less known, across the probability/impact spectrum and a variety of scenarios).
In contrast, other industrial sectors such as retail, hospitality, healthcare, manufacturing, construction, digital, IT and food (and the list can go on) do not appear to show much evidence of well-structured, enterprise-level, top-down risk management functions and discipline.
This is borne out by a 2017 Global ERM survey carried out by RIMS (Risk Management Society) with nearly 400 senior executives across 14 industries including Financial services.
Nearly two-thirds of the respondents were from large companies with revenues greater than USD 500MM, and 80% of respondents were from the United States, with the rest from other developed economies.
While 92% of respondents from the Financial Services sector said that ERM is either fully or at least partially integrated in their companies (implying that it is practiced in a structured fashion at the Corporate and Business unit level), in contrast, only about 50% of respondents from Non-financial sectors stated that their organizations were practicing some sort of an ERM program.
It would be a fair assumption therefore that if in large companies in developed markets in the Non-Financial sectors this is the picture, in emerging markets and in smaller companies ERM would be a bridge too far.
ERM as a discipline offers many tools and concepts which enable any entity, ranging from a Fortune 500 company to an SME or a government body or NGO, to proactively identify, assess, mitigate and monitor its key risks in a structured and holistic fashion.
Risks are not limited to “event risks” like COVID-19 or a geopolitical event but can be any major risk which prevents the achievement of an organization’s strategic objectives.
Other major risk categories addressed in ERM are strategic risks (business model disruption and disintermediation), operational risks (risks of human, technology and process failures, fraud), legal and regulatory risks (adverse changes to government regulations) and compliance risks (violations, misconduct etc.).
The business benefits of an ERM program go far beyond just managing unforeseen calamities and make strategic planning more solid and resilient.
Senior management and board levels in organizations which have not invested in ERM need to make amends by first getting buy-in for initiating dialog and discussions at their level and building awareness through specialists or external interventions.
It would be useful thereafter to embark on a structured process of risk identification, assessment, mitigation, monitoring and cascading ERM in the firm. All of this would have to be supported by proper governance and metrics to ensure that progress is sustained and measured.
Most importantly, senior management has to be truly committed to creating a risk-aware culture in every part of the organization, and key domains like the vision, mission, strategic objectives and planning must reflect a risk philosophy.
ERM is a journey and not the destination.
R.I.P John Lennon.