From our Partner, Deloitte Private

Enterprise risk management (ERM): The modern approach to managing risks

Introduction

When radar systems were introduced in the early 20th century, their primary purpose was to keep ships from colliding on the high seas. From this narrow but important starting point in managing risk, the technology evolved over the ensuing decades as new innovations yielded greater range and precision, reducing risk by tracking more objects, from aircraft to speeding cars to atmospheric phenomena.

Much in the same way, organizations' approaches for identifying and addressing the risks they face have grown increasingly sophisticated since the term “enterprise risk management” (ERM) was first used in the late 1990s. While the common definition of ERM still holds — an enterprise-wide strategy for identifying and preparing for the most impactful risks an organization faces — the scope of what's possible through ERM has well exceeded its original bounds, backed by technology gains, the proliferation of data, and leading practices in risk governance. Today, ERM is widely used not just for spotting possible threats to strategy, but also for identifying new opportunities and building organizational resilience.  

While ERM has long been a staple of many public companies that needed to adopt a top-down approach to risk-taking given their regulatory obligations and shareholder expectations, in our experience many private companies and family enterprises have managed risks more from a subjective, bottom-up approach. This tactic may work for spotting and putting out fires, but it may have positioned such organizations as constantly being in reactionary mode, oftentimes at a cost to their brand, reputation, and culture. We observe that many such entities still manage risk at the individual business unit level—with little integration across the enterprise or the type of coordination that is often required by the leaders of these entities to effectively govern and fulfill their oversight responsibilities.

Due to mounting pressures in the operating environment, there's a growing expectation for companies to modernize their risk management approaches. This dedicated series on ERM is meant to help prepare the leaders of private companies and family enterprises as they seek to build or strengthen their risk management capabilities.

Shifting the mindset

Practicing effective ERM requires private companies and family enterprises to elevate the risk conversation so that they can make more informed strategic choices. For many organizations, this might be more of a subtle shift than a dramatic one, but myriad benefits can be realized by integrating risk intelligence in strategy setting, business planning, and performance management. In our extensive ERM work with clients, we've discovered a few lessons that can help pave the way for organizational buy-in and, ultimately, successful ERM projects.

#1. Call it what it is

It's important from the start to convey ERM initiatives as what they are: efforts to build an organization's risk intelligence. The fact is, no matter where they reside on the risk-management maturity curve, organizations can typically be more risk intelligent by creating a structure or process that sparks and facilitates risk conversations across the business (figure 1).

#2. Look for incremental improvements

Some believe ERM initiatives represent massive commitments that tend to upset cultures that are resistant to change. However, even incremental gains in risk intelligence can matter for helping to achieve these ends. It's important to think of risk intelligence as a journey. Often, simply getting risk ownership right and creating processes for staying on top of risk-taking on an ongoing basis can move organizations up the maturity curve. You don't need a small army of people to achieve this — most companies can benefit from having a chief risk officer or someone in the organization who understands the concept and principles of ERM and has the passion and relationships with senior leaders to help inform strategy.

#3. Begin today

Companies manage risks every day—one of the challenges is how to integrate risk intelligence across the enterprise so that it aligns with overall strategy and becomes part of the culture. No matter where your company is on the maturity spectrum in managing risks, there are some basic steps in implementing an ERM program that can help you become more risk intelligent:  

  • Take a risk inventory. Companies should be able to map the risks they face based on their likelihood and potential impact. This is the focus of risk assessments, which identify key risks and create a foundation for strategic planning and decision-making. Risk assessments are tailored to each company, scaled to the enterprise's size, complexity, and geographic reach. Risks aren't static, and the process should be repeated anytime your strategy shifts, market conditions evolve, or your risk profile changes.
  • Prioritize risks and establish thresholds. Opportunistic and growing companies should have some basic guardrails for risk-taking at an enterprise level, as they can prevent unilateral decisions that put the company at risk. How these thresholds are applied depends on the company's culture—some have hard curbs embedded into their organization, while others could reject rigid frameworks.
  • Embed risk discussions in your culture. Risk assessments only capture a point in time, but the risk landscape is constantly changing. Consider making risk part of regular strategy sessions. Establish risk owners throughout the organization to spearhead these discussions by risk area and talk about changes in the operating environment or economy that might change the organization's risk appetite. Conduct table-top risk management exercises and consider setting up an advisory committee that includes members from outside the company or board to get additional perspectives.
  • Activate a risk monitoring program. Organizations competing today should be thinking about leveraging strategic intelligence provided by risk-sensing tools such as AI, data analytics, and risk dashboards. Leading companies are already tapping these tools to pull in data and let them know when they're exceeding their established risk thresholds.


Conclusion

As your enterprise seeks to become more risk intelligent and build organizational resilience for when disruptions occur or the risks you face evolve, it's likely going to need new capabilities and skills that extend beyond its current capacities.


Disclaimer:

This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. Deloitte shall not be responsible for any loss sustained by any person who relies on this article.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms. Copyright © 2023 Deloitte Development LLC. All rights reserved.

Family Business Sponsored Content

This content is made possible by our sponsor and is independent of Family Business Magazine’s Editorial Staff

About the Author(s)

Kevan Flanigan

Kevan Flanigan is the US Deloitte Private Leader, Risk & Financial Advisory & US Deloitte Private Leader, Private Equity


Adam Regelbrugge

Adam Regelbrugge is the Risk & Financial Advisory Real Estate Leader, Deloitte & Touche LLP

