ERM, short for enterprise risk management, plays a fundamental role in identifying, preventing, and managing potential risks that may impact business and influence a company's results, ensuring its long-term viability.
The concept was elaborated by COSO (Committee of Sponsoring Organizations of the Treadway Commission), a private organization created in the United States in 1985 with the purpose of preventing and avoiding fraud in business practices and processes. Originally founded as the National Commission on Fraudulent Financial Reporting, COSO eventually formulated an enterprise risk management structure in 1992.
Furthermore, COSO's recommendations for establishing internal controls are widely practiced and followed as a global benchmark of excellence. One of the icons created by the Committee is its famous cube, illustrated below:
It is a misconception to assume that a report resulting from the implementation of ERM in one company can be seamlessly applied to another company; the results may be ineffective. This happens because risks change according to each company's business environment and infrastructure. Therefore, the more diverse the business, the greater the diversity of the identified risks. Even companies in the same line of business will certainly differ in several aspects, and their risk profiles will differ accordingly.
The design of an ERM project encompasses the entire company and relies on the responsibility and dedication of each manager and each employee to ensure its success. Reviewing it at pre-determined intervals is equally important, so that the risk matrix can be updated to reflect changes in the business environment or in the company's infrastructure.
Nevertheless, the pressing question is how to implement an ERM project in an organization. The optimal approach is to follow the steps below:
STEPS TO IMPLEMENT ERM IN A COMPANY
1. Create a task force specifically for the project.
2. Define the meaning of what could be considered a risk for the company's business.
3. Rate risks.
4. Start developing an action plan and remediation plan, establishing an implementation schedule and defining responsibilities.
5. Clearly communicate the project results to company members, encouraging everyone's engagement following the previously defined order of priorities.
6. Monitor the implementation progress with periodic meetings, in order to correct deviations, remedy delays, and ensure that results will be achieved.
7. Periodically review the ERM project to adapt it to changes in business.
Within the steps described above, several critical success factors must be carefully observed by those responsible for implementing the ERM; otherwise the entire effort could be jeopardized. The most important is defining what constitutes a risk for the company. For instance, companies engaged in exporting or importing goods can be severely affected by a sharp exchange rate devaluation; conversely, other companies, even in the same industry, might remain unaffected if they hold hedging contracts that lock in the price of future operations regardless of exchange rate variations. Therefore, the meaning of risk for a given company must be tailored to its reality.
Action and remediation plans must consider important premises: the identification of potential risks, the assessment of those risks in relation to the company's business, the management of incidents, emergencies or even disasters, the mitigation of damages, business recovery in response to the identified problem, and the preparation of reports on the existence of such risks. At the same time, establishing an implementation schedule and defining responsibilities is crucial to the success of an action and remediation plan; otherwise the project may suffer considerable and unwarranted delays and become an orphan without clear accountability.