Effective enterprise risk management (ERM) is essential for any organisation’s success, owing to key factors – from the evolution of technology to shifting compliance, governance, and stakeholder requirements.
Set against a backdrop of breakthrough technology, increased data availability, and new business models, a subset of ERM has risen in prominence: operational risk. According to the Basel Committee, this is: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
Consequently, firms both large and small are embedding robust Operational Risk Management (ORM) processes into their ERM framework – but can these two approaches work in harmony?
Recently, I was joined by Simon Levy, CEO at RMIA, and David Turner, Managing Director at RiskNZ, to discuss how these two concepts can be married to create a symbiotic relationship that drives organisational value.
Simon Levy, Chief Executive Officer at Risk Management Institute of Australia (RMIA)
Simon began by outlining his view of ORM: “Operational risk management is around the depth of the organisation and understanding all those operational enablers that need to percolate their way up, and from an enterprise-level need to be harnessed and looked at across the breadth of the organisation.”
In terms of the role of risk professionals, Simon added: “That challenges the thought process of the enterprise risk practitioners who then need to collate all that information and then package it up in a way that will ultimately enable the senior executives and the board to then make decisions.” Get this right and they can distil the information into something that is actionable and insightful for senior decision-makers – and contribute to the direction of the organisation.
When asked about the benefits of having a strong ERM programme within an organisation, Simon said: “A strong ERM system takes onboard threats, harnesses the opportunity and then links those back to the organisational strategy and then ultimately what the organisation is trying to achieve – both in the short, medium and long term.” This highlights how a robust ERM programme that’s aligned with strategic objectives and understands the threat landscape can define an organisation’s risk-related opportunities.
Simon underscored the legacy challenges of attempting to harness ORM’s potential: “It was always difficult from an ORM perspective to aggregate risks. So, if you had the same risks…across the different divisions, how does that then roll up to an overall risk that will sit on that ERM register?” This siloed approach restricts the boards’ ability to gain oversight of ongoing risk-related vulnerabilities.
For Simon, consistency is key when establishing harmony between ERM and ORM: “Getting that consistency in the identification, the consistency around the language, but also the consistency around the measurement of risk… will be in that consistent approach.” He recognised that perfect harmony stems from a consistent approach to both functions: “Consistently reporting on risks, in the same way, helps the decision-making process, that’s the strength of the system.”
On the topic of ERM frameworks, Simon echoed David’s view that stakeholder engagement is critical, particularly through the lens of ESG: “The rules…around stakeholder engagement are changing…and the Camms platform has embraced that and integrated ESG reporting.” He emphasised that ESG is a new way forward, and the next generation should be encouraged to adopt system usage to help achieve the organisation’s stakeholder objectives.
When it comes to how well risk frameworks and policies define the two concepts, Simon remarked: “for any organisation, the strength of a framework comes down to implementation and how it’s integrated into the organisation. Frameworks need to move away from the compliance element and the tick the box approach”. He added that frameworks ultimately should define the way the business will work, rather than being prescriptive.
When asked about the role technology can play in bringing ERM and ORM practices together – to raise the risk profile and support decision-making – Simon said: “Technology is certainly an enabling function…it’s the awareness of what’s out there and talking to your service providers and trying to understand what problems they can solve. There is no problem that can’t be solved these days. If a solution doesn’t actually do it there will be an API that will plug-in that will enable that to happen.”
Simon believes that when it comes to bringing together ERM and ORM programmes successfully “it’s about taking that hard data that’s coming through from ORM, turning it into insights to help decision making”. This will empower organisations with “the ability to be proactive, and it’s all about proactive risk management, proactive conversations.”
David Turner, Chief Executive Officer at RiskNZ
David began by sharing his thoughts on the current shape of the ERM space: “We are also seeing a big shift to more education and actually how to do ERM. There’s a lot of questions on shifting on where we were a year or two ago to what we need now, especially going into a very uncertain 2022.”
He then explained how effective ORM is born out of strong ERM in terms of leadership, skill sets, and education: “When we get all that good education and the right and accurate information into our ERM, then that flows onto the ORM and helps make it accurate and effective.”
David stressed that strong ERM programmes can absorb the vital elements of ORM into the risk register and framework, such as legal risks, reputational risk, and workplace well-being: “It’s about getting all those right elements in your ERM, and when you have that that will stop the separation that we see frequently between ERM and ORM.”
David expanded on the concept of ERM frameworks, which can be rigid and prescriptive, by sharing RiskNZ’s findings from a workshop conducted with representatives from business and government: “People were saying: let’s include stakeholder understanding; let’s start emphasising context before identification of risk, so we can understand it better; training for executives, managers and board…we need to enable functions and focus, not just operational risk, so we can bring it all together.” By stimulating risk management buy-in through trust and value, ERM performance will improve.
David pointed out that when it comes to understanding the concepts of ERM and ORM within the context of the organisation, leaders require a holistic mindset: “What we always prescribe when consulting is that if an organisation can articulate the how, the approach, the measures in place, we get a good understanding that they are pretty much on top of it, especially if it’s integrated into the reporting as well.”
David’s view on the role of technology in bringing ERM and ORM practices together was more cautious: “Organisations are saying: how is this going to work for me? Is it really going to fit because many systems go in and don’t fit…and people pay a lot of money for these things, so we’ve really got to start challenging the providers by saying…how do you know it’s going to help us?” This will facilitate informed decision-making when choosing and implementing new risk solutions that align with the customer and evolve in parallel with the organisation.
It was great to hear such thought-provoking insights from these inspirational risk leaders, which brings the value of successfully conflating ERM and ORM into sharp focus for organisations. While both participants touched on the potential hurdles when trying to achieve harmony between both concepts, they banged the drum for robust ERM programmes that have the scope to incorporate ORM successfully.