Enterprise risk management
Before we explore how organisations and businesses manage complex incidents and crises, we should first address how more commonplace risks are identified and managed.
Enterprise Risk Management (ERM) is:
‘… the process of identifying major risks that confront an organisation, forecasting the significance of those risks in business processes, addressing the risks in a systematic and coordinated plan, implementing the plan, and holding key individuals responsible for managing critical risks within the scope of their responsibilities.’
(Hampton 2015: 35)
ERM was formalised, initially in the United States, due to the initiatives of the Committee of Sponsoring Organisations (COSO), which was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (Treadway Commission) following several cases of fraudulent accounting in corporations.
ERM provides a framework for risk management. This can be used to identify risks within an organisation allowing for a response in a timely manner. By having a well defined process, risks can be monitored and strategies for addressing them developed ensuring positive outcomes for all stakeholders. An example of a risk architecture that might be employed for a public limited company is shown below:
(Adapted from IRM 2010)
The organisation needs to define the scope of the ERM system and there must be commitment from The Board to ensure that it remains important. The Board will also set and monitor a level of ‘appetite for risk’, which the Institute of Risk Management (IRM) defines as:
‘The amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.’
The IRM produces guidance on setting the appetite, which can vary for different risks and change over time.
Below we see a figure adapted from the guidance that shows how appetite for risk is informed by the overall vision of an organisation and how this in turn informs multiple layers of operation including organisational strategy, operating models and policy.
(Adapted from IRM 2011)
Risk management is approached in one of two ways:
Based on actuarial and probabilistic models and numbers
Based on subjective beliefs about the future
When there is a reason to believe that the patterns of the past will be repeated — data, probability distributions, and models can be used to forecast future patterns; this is generally actuarial and how insurance companies work
This approach is well suited to identifying and quantifying the risk exposure of the more commonly occurring risks. Organisations can usually fall back on a wealth of internal experience of the characteristics, frequency and impact of these events. The organisation may also rely upon external insights such as their insurance claims history for a certain class of loss or industry trends and reports.
This approach holds true for both the high and low impact risks.
For example, an airport on the US North East knows with high certainty that highly debilitating winter weather will be an annual occurrence and hence it can build a snow clearance capability into its operations to manage the impact accordingly.
Similarly, a retailer knows that shoplifting will occur and whilst individual losses are typically small it could be death by a ‘thousand cuts’ if not managed through the adoption of simple security measures such as security tags, CCTV which are built into its operating model to manage/reduce its overall exposure to a tolerable level.
The matrix above depicts a simple example of placing possible risks in terms of disruption probability and impact. The space in which threats are placed is divided into four quadrants.
Clearly, an organisation does not have to worry too much about rare insignificant events (low impact/low probability).
Events with high probability and low consequences are also not a particular concern as these are the usual ‘fire-fighting’ events that Operations Managers deal with all the time and for which their data, statistical distributions and models often give them ample warnings and tools.
Even high impact, high probability events may be managed sufficiently (within the spectrum of the organisation’s capabilities) provided the organisation retains sufficient readiness in its planning including the ability to activate BCM and CM plans if required… eg, winter weather on the US North East.
The risks however in the lower right quadrant are of low probability, yet severe, impact and therefore cannot be overlooked. This is commonly called a black swan event.
Business continuity management and crisis management are vital components within an organisation’s ERM ‘toolkit’ to minimise risk and the likelihood of it becoming catastrophic, but there are events that may not fall into the jurisdiction of a BC manager, such as the shoplifting example above
Addressing BCM and CM Risks
The types of risk events that BCM and CM seek to manage necessitates a different approach to the one taken to the management of most organisational risks.
The risks occupying the bottom right quadrant of the risk matrix above are much less frequent but can be significantly trickier to manage. While an organisation can take comfort from the relative infrequency of such events as they cannot afford to overlook them.
These low probability yet high or even extreme impact events are the risks that business continuity management and crisis management seek to address.
What compounds an organisation’s ability to manage (high impact/low probability) events is their inherent unpredictability. Without strong organisational knowledge, or indeed market knowledge of when and how these risks may manifest an organisation could, to an extent, be guessing.
Business continuity management (BCM) and crisis management (CM) generally address the response to and management of (inclusive of high impact/low probability) events. Both BCM and CM go about assuming the risk event will occur, but it cannot be fully sized and shaped and therefore the response to these risks have to remain relatively agnostic of cause and flexible to detect, respond and recover from disruptive events. It is this that helps shape an organisation’s appetite for risk and supports the business case for BCM implementation.
BCM and CM are complementary management disciplines. BCM deals with foreseeable operational disruptions and routine chance events, whereas CM deals with significant strategic consequences that threaten the viability or strategic integrity of the organisation. As dictated by the incident an organisation may operate its BC plans and CM plans in parallel. They share the common goals of identifying, assessing, and managing interruption risks that could serve to prevent the achievement of the organisation’s strategic objectives.
Food for thought: It is important to be clear that BCM cannot protect an organisation from all the categories of risk that face it. To do this, a wider, more strategic framework is required, ERM, that incorporates the more operational or tactical BCM and CM
The Committee of Sponsoring Organisations (COSO) of the Treadway Commission contains further information on enterprise risk management
Think of three events that could affect either your organisation or one that you are aware of. How would you categorise them on the likelihood/impact matrix we have discussed?
What do you think is the organisation’s appetite for risk and how will this affect any response?
Finally, how plausible would it be for the organisation to develop detailed plans for high impact low probability events?
Hampton, J. (2015). Fundamentals of enterprise risk management : How top companies assess risk, manage exposure, and seize opportunity (2nd ed.). New York: AMACOM
Institute of Risk Management (n.d.) Risk Appetite and Tolerance [online] available from https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance.aspx [07 May 2019]
Institute of Risk Management (2010) A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000 [online] available from https://www.theirm.org/media/886062/ISO3100_doc.pdf [07 May 2019]
Institute of Risk Management (2011) Risk Appetite & Tolerance Guidance Paper [online] available from https://www.theirm.org/media/3779216/64355_Riskapp_A4_web.pdf [07 May 2019]
© Coventry University. CC BY-NC 4.0