Risk Management Process

Intelligent Risk Management – Are you ready for what’s around the curve?


By: Glen Justis, Senior Partner and Doug Menendez, Partner

All leaders of commercial enterprises know that business involves risk.  In fact, the definition of an entrepreneur is “one who organizes, manages, and assumes the risks of a business or enterprise.”[1]  At Experience on Demand, we frequently find that business leaders who enjoy sustained success are uniquely capable of navigating and managing risk.  The question we would like to pose to our readers is, “how well are you managing risk in your business?”  Specific points to consider include:

  • What is the short-list of business objectives that truly defines success for you?
  • What are the biggest risks associated with each objective?
  • What are you specifically doing to manage each risk?
  • Who in your company is accountable for leading the management of each risk?
  • How are you measuring results?

Risk management as a discipline has existed for centuries.  In the introduction to Peter Bernstein’s bestselling book Against the Gods, he argues that “The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk.”[2]

Commonly, risk is defined as “uncertainty” or “the potential for loss.”  In business, risk is defined in both broad terms (e.g. risk as the general possibility that performance could fall short of objectives) as well as specific terms (e.g. specific potential events or conditions that could cause a shortfall in performance).

Several events occurred after 1990 that led to increased focus on risk management.  For those interested, historical information is provided further below.  This evolution in “risk intelligence” culminated in what is now known as “enterprise risk management” or “ERM”.  In short, ERM can be defined as “a collection of integrated processes and resources designed to minimize the potential for business performance shortfalls.”

As a business leader, are you managing risk across your enterprise in an intentional manner using modern methods?  If not, we encourage you to consider doing so.  You know from experience that bad surprises can and do occur.  The business environment is moving faster than ever.  Risks are everywhere, some of which you can see and many around the curve that you can’t.  So, how do you manage risk in an intelligent, methodical way?

Some examples of Enterprise Risk include:

  • Loss of a key customer
  • Cyber-attacks; data breach or intellectual property loss
  • Cost and/or price volatility
  • Operational disruptions
  • Failure to comply with industry standards or regulations

While the terminology in formalized ERM standards varies, a common theme exists.  Structured ERM relies on the process depicted above.  To be most effective, this process is coordinated with a firm’s strategic planning and budgeting processes where objectives are set.

While all businesses can benefit from structured risk management, those that can gain the most value tend to fit one of the following profiles:

  • Mature organizations wanting to protect their success. These companies tend to care more about avoiding bad surprises than growth and can afford to invest in extra processes and resources to reduce risk.
  • Small companies with limited capital. Such companies tend to have little room for error.  Even relatively modest adversities can cause the business to spiral into distress.
  • Companies wanting to manage risk as a competitive advantage. These businesses tend to invest in advanced analytic capabilities and proactively seek to exploit operational flexibility they believe they have.

While ERM is still considered by some as an optional management technique, the management of certain forms of risk is required in virtually all business settings.  Cybersecurity risk is arguably receiving the greatest attention today.  Since the existence of this risk is so well known and is frequently the subject of media attention, the cost of not managing cybersecurity risk proactively can be extreme.  All businesses are exposed to cybersecurity risk, even if they have strong programs to manage it.  But, for companies that experience a significant business interruption or data breach, the reputational loss of “not doing enough ahead of time” can be catastrophic.  Doug Menendez, a new Partner at EOD specializing in IT risk management, will be covering this topic in our next article in this series.

For those interested in a brief history lesson, four main developments and competing industry standards arose over the last few decades that contributed greatly to modern risk management methods.  First, the COSO “Internal Control-Integrated Framework” was published in 1992 through the efforts of the Treadway Commission after a series of U.S. financial debacles.  Variations of this framework spread internationally thereafter.  Then, as businesses sought greater control of strategic and operational risks, an international standard originating from Australia/New Zealand, AS/NZS 4360, emerged in 1995 and gained popularity.  Wanting to avoid falling behind international standards, U.S. COSO reconvened and, with the assistance of Price Waterhouse, published in 2004 the “Enterprise Risk Management – Integrated Framework”, which then grew in influence in the U.S.  Finally, in 2009 the International Organization for Standardization developed and published “ISO 31000 – Risk Management”, which largely mirrors AS/NZS 4360.  In the U.S., roughly two-thirds of businesses implementing formal ERM programs have adopted COSO ERM or ISO 31000 (roughly split equally), with the remaining third using various less prominent standards.  ISO 31000 dominates internationally.  In general, ISO 31000 is considered more practical and operations-focused.  COSO ERM retains a strong finance/accounting/auditing flavor.

Experience on Demand offers a range of services dedicated to helping our clients manage risk.  From basic independent risk assessment to full ERM program design and implementation, we’re here to help.  Please contact Glen Justis or Doug Menendez to get an objective look at the state of your ERM program.

[1] From www.merriam-webster.com

[2] Against the Gods – The Remarkable Story of Risk, Peter L. Bernstein, John Wiley & Sons, 1996