The recent highly publicized news about unauthorized account openings by staff members at a large national bank reminds us of the benefits of an experienced and empowered Enterprise Risk Management (ERM) practice. A more risk-informed company is better able to protect itself. Collecting and analyzing information about a company's risk environment also keeps it aware of potential hazards, both present and future.
Benefits of a Strong ERM Function
The proper implementation and application of ERM practices carry numerous benefits for multiple stakeholders within an organization.
- A company’s strategic plan can introduce new elements of risk beyond those presented in the context of day-to-day tactical operations. ERM can identify potential risk in a strategic plan and develop the appropriate mitigation processes to help maintain an acceptable level of risk exposure and ensure the successful execution of the company’s strategic objectives.
- The ERM discipline is critical to informing the decisions a company makes with respect to its investments in infrastructure and technology. A regimen of ERM oversight on mission-critical business plans and due diligence activities can be invaluable when evaluating the merits of particular investment ideas.
- A formal and highly visible ERM function heightens awareness among employees about the role individuals play in defending the enterprise against risk. The combination of employee training on risks that are specific to the business, with proactive monitoring of the work environment by all staff for anomalies or suspicious behavior, can lead to early detection and avoidance of risk. A broadly promoted “See something, say something” campaign can empower an army of employees to take an active role in protecting the organization from potential harm.
- Credit union partners of an organization committed to a world-class ERM practice benefit from higher levels of security around the data they entrust to the organization, along with the increased focus the enterprise places on regulatory compliance, a lapse in which can negatively impact both the organization and its clients.
Factors that Drive ERM Success
Many risk management processes start by identifying and assessing risks. But companies may first want to begin by better understanding their risk appetite, which is the aggregate amount of risk they are willing to accept in the execution of their business strategy. Think of appetite as the guardrails guiding a company along the road to achieving its objectives based on balanced risk taken in alignment with executive leadership’s preferences. Companies can more effectively identify, manage and monitor risks to their particular strategy when employees understand how their daily activities are related to and aligned with that appetite.
The structure and strategy of your risk organization should take three lines of defense into account:
- Risk Owners – Operational Management – A significant risk component is the technology and protocols in place to guard your company’s (and your clients’) data from cyber attacks. Managing risk at the first line of defense requires a team of “risk champions” who are mid-level leaders and subject matter experts throughout an organization, including but not limited to IT, finance and accounting, sales and account management, operations, product management and legal.
- Risk Oversight – Risk Management, Compliance & Risk Committees – A strong ERM team – which can include functions such as fraud investigations, business continuity, vendor governance and regulatory compliance, along with the executive leadership team and risk committees – benefits the company through its ability to leverage and share risk information. This helps expose issues and weaknesses in processes, and identify new and emerging risks across the entire taxonomy of corporate risk. Risk Committees help ensure the proper risk governance framework is in place while also meeting regulatory guidance. Make sure to choose a model of oversight appropriate for your company's size and the types and magnitudes of risks involved – there really is no "one size fits all" solution.
- Risk Assurance – An Internal Audit function provides senior management with comprehensive risk assurance from an independent perspective. Internal Audit provides assurance of the effectiveness of governance, risk management and internal controls.
Risk is a restless creature that never sleeps, and an inescapable reality in most organizations. However, through careful planning and continued vigilance, it can be more clearly understood and mitigated.