ERM involves a process consisting of establishing a
- appropriate infrastructure (different kinds of structure established within an enterprise such as organizational structure, different kinds of systems such as information system which refer to how information is collected, used and shared; determination of accountability, responsibility, methodologies to be used, control procedures),
- environment (involves matters associated with people such as culture),
- And operating philosophy (refers to command and control or empowering; centralized or decentralised), how people are trained and developed, how appropriate behaviour of employees are incentivized, reinforced and compensated).
ERM provides organizations with knowledge which allows them to systematically manage risks in an enhanced manner.
ERM infrastructure refers to different types of structure within an organization which is required for a successful risk management process. It refers to different tools that risk management process can use to ensure its success and include:
- An organizational structure.
- Risk management systems are another variable within the infrastructure of ERM. An example of a risk management system is the information system which provides for informational risk management needs throughout the enterprise. Information systems should be designed and managed in a way which ensures that the system is flexible; meaning that the way in which information presented will allow various users within the enterprise to use it for their specific informational needs. The information system must also be user friendly. This will ensure that employees within the enterprise can obtain the maximum value from the system. Information systems should allow for fast recording, evaluation, summary, consolidation and sharing of information. The informational system should also be efficient. This refers to the necessity for the system to be designed in an efficient way to ensure that no tasks are unnecessarily duplicated throughout the enterprise as well as to make sure that no unnecessary activities are performed.
- Determination of accountability and responsibility
- Methodologies and techniques to be used in risk management -
- Established control procedures
- Risk management unit which is at the center of risk management within the organization
- Risk management policies and procedures – refers to the set of rules of how risk management is undertaken within the enterprise. A top-down approach should be used to develop risk management policies and procedures. A top-down approach will ensure consistency and alignment with the risk appetite (how much of risk the company wants to accept) and business strategy. Risk management policies and procedures must be developed with input from all levels of the management from all areas of the business to ensure their alignment as well as to incorporate their knowledge about specific risks faced by their areas. Risk management policies and procedures should also be understood by all employees.
- Reporting on risk management process – the addressee of the reports on risk management process performance should be in close proximity to the risks to be able to take timely action.
What is risk appetite?
An enterprise need to establish its risk appetite. The risk appetite of an organization refers to the amount of risk and potential financial loss that enterprise is prepared to accept within a certain time period.
Determining risk appetite
In determining risk appetite, organizations need to consider internal constraints such as funding, investment requirements, potential risks, liability, various types of risks, strategy, competitive advantage and the external environment of the organization. Moreover, it needs to consider the preferences of shareholders towards risk taking. In determining the risk appetite, as in any other business activity, an organization needs to be guided by the ultimate objective of the enterprise which is the maximization of the shareholders’ value.
An enterprise’s risk appetite should be aligned to the amount of risk necessary for a business to take to achieve its objectives.
Risk appetite is determined by aligning the risk management and the value proposition to business strategy. Risk appetite will determine the level and nature of risks that the organization can tolerate. There are more technical ways to determine the risk appetite and there are covered in other parts of the site.
The risk appetite should be clearly stated and measurable. The risk appetite should be incorporated into organizational policies and procedures. In this way employees of the organization are able to get a clear indication of the enterprise’s risk appetite by examining its policies and procedures. With the risk appetite effectively linked to business strategy, it allows to more effectively assess performance of the business units with the help of risk/return analysis and risk limit monitoring.
Risk appetite is largely based on competitive advantages that organizations possess. When organizations have competitive advantage in a certain area of business, then for this particular organization certain risk taking in this area may entail much larger expected returns than the same risks would give rise to for another organization. Consequently, the risk appetite of such an organization should reflect it.
For example, imagine that company X, which is a leading direct insurance services provider in country 1 (one of the emerging markets), has competitive advantages in know-how of direct marketing in the insurance industry as well as in other aspects relevant to running a leading direct insurance services provider. Company X will have much higher expected return with regards to taking certain risks compared to company Y which does not have competitive advantages of company X, but tried to set up a direct insurance company in an emerging market.
For example, company X will have much higher expected return in undertaking a project of establishing direct insurance services provider in country 2 (another emerging market), compared to company Y which does not have competitive advantages of company X. Therefore, such risk taking for company X will be much more valid than for company Y.
Risk appetite should also be set below the limit that organization can actually handle. This will allow leaving a margin for error and prevents overestimation of the organization’s capacity to tolerate risk and serves as an allowance for unexpected catastrophic events. The limit of risk an organisation can handle is called the risk tolerance.
Once the risk appetite established is established, a new risk culture should be created to reflect the risk appetite of organization. The structures, managerial and employees’ level of knowledge, and resources should be aligned with the type and extent of risks the organization is undertaking.