Enterprise Risk Management (ERM) encapsulates a comprehensive approach to managing all sorts of risks a business might face. Corporates and banks utilize distinct approaches in managing these risks, primarily driven by their varied operating environments and regulatory requirements. Let’s delve into the fundamental frameworks and differences that define how they tackle ERM, especially focusing on nonfinancial risk.
Unveiling the Four-Layered ERM Framework
ERM systems predominantly encompass four pivotal layers:
- Governance and Organization: Establishing a structural framework covering accountability and risk ownership.
- ERM Processes and Methodologies: Crafting processes and defining approaches tailored to manage distinct financial and nonfinancial risks.
- Risk-specific Control Processes: Implementing mechanisms to manage specific risk types through defined controls, such as “four eyes” principle or systems-embedded controls.
- Risk and Integrity Culture: Cultivating norms and behaviors concerning risk management within the organizational culture.
Let’s dissect these layers further with practical examples and understand their applications in various industries.
1. Structuring Governance and Organizational Layers: A Key to Accountability
Effective governance ensures a defined structure to assign, control, and exercise risk ownership. For instance, the three lines of defense model distinctly demarcates risk ownership, risk control, and assurance accountability across different organizational levels.
In banks, due to rigorous regulatory requirements, as much as 10% of staff might be situated in central risk functions, while in large corporates, it’s often less than 0.1%. J.P. Morgan, for instance, operates with a robust risk management structure, with well-defined roles and responsibilities across different levels.
2. ERM Processes and Methodologies: Navigating Through Risk Waters
Differing approaches are followed for managing financial versus nonfinancial risks. For instance, financial risks are usually managed through limit structures while nonfinancial ones use severity and probability matrices mapping inherent and residual risks.
An apt example is the ERM approach of ABB, a global technology company, that identifies and addresses risks with a structured methodology to ensure their robust and systematic management.
3. Building Risk-Specific Control Processes: A Mechanism to Counter Threats
Different industries impose diverse risk control mechanisms. In financial disclosure contexts, controls might involve reconciliations, while for managing cyberrisks, systems-embedded controls might be preferred.
For instance, when considering cybersecurity risks, companies like Microsoft employ advanced technology controls, including AI-driven data analysis and threat detection to manage risks.
4. Cultivating Risk and Integrity Culture: Aligning Behaviors with Governance
Managing the norms and behaviors concerning risk in an organization is crucial. Companies like Johnson & Johnson, have an extensive risk and integrity culture, addressing nonfinancial risks like product quality and integrity by ingraining them into their organizational ethos.
Divergent Roads: Banking and Corporate ERM Practices
- Banking Sector: With stringent regulations, banks generally have a robust, centrally governed ERM system. Banks tend to manage financial risks through quantitative means, employing various balance-sheet analyses and adopting a centralized approach.
- Corporate Sector: Corporates often embed risk management into their operational processes. ERM in corporates is typically driven by industry standards, such as those related to the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
ERM Approach: A Dichotomy of Applications
While banks utilize a top-down approach, defining risk profiles in relation to available capital and then cascading them into the organization, corporates leverage risk-management approaches rooted in expert data and performance data for processes and systems.
Lessons Across Industries
- Managing Process Risks: Banks developing complex products might look towards the automotive industry, where risk management in production and processes, especially concerning product cost, quality, and safety, is highly advanced.
- Software Development Risks: Banks can glean insights from tech companies in developing and deploying software efficiently and managing associated risks effectively.
- Security and Business Continuity: Industries like airlines, that manage significant geopolitical risks and safety requirements, offer immense learning in dealing with physical security and business continuity aspects.
- Debiasing Strategic Decisions: Industries with high capital expenditure, like oil and gas, provide models for assessing and managing large project risks, particularly in removing biases in decision-making on business cases.
Finding the Balance: Harmonizing Financial and Nonfinancial Risk Management
ERM, while multifaceted, has to maintain a balance between managing financial and nonfinancial risks. For corporates and banks, lessons are abundant in each other’s approaches and practices, providing valuable insights that can enhance their respective ERM frameworks.
ERM does not represent a one-size-fits-all solution. The practices and lessons across different sectors underscore the need for a tailored approach, harmonizing standard ERM frameworks with the specificity of individual corporate and banking environments.