Introduction to Enterprise Risk Management
Enterprise Risk Management (ERM) isn't just about mitigating threats; it's about navigating opportunity amidst uncertainty. This forward-looking approach empowers organisations to chart a clear course across their risk landscape. By proactively identifying and understanding potential risks, both internal and external, ERM can give organisations a competitive edge through calculated risk-taking.
What often gets overlooked with ERM is the underlying structure required to realise the benefits that the ERM framework and tools are meant to deliver. Companies frequently confuse ERM with a single platform or Excel spreadsheet that lets them write their risks down and rate them according to impact and severity. This is often where the process starts and finishes. That is not ERM, but merely one component of it.
The ultimate outcomes you should be looking to achieve from any kind of risk management process are:
mitigating against potential high impact and high likelihood risks
enabling the business to achieve its business objectives
having absolute clarity on what your risk landscape looks like
The last of these enables you to determine which risks are worth mitigating against, and which offer a greater risk-adjusted return if left less tightly controlled.
Why is a robust ERM governance structure important?
To achieve the above outcomes, a robust governance structure is required. Multiple actors need to head up these efforts to continuously scan for unforeseen risks, communicate key risk information across business functions, and establish a strategic tolerance for risk taking.
Chief among these is a figure referred to as the Chief Risk Officer (CRO) or Head of Risk Management. This person holds ultimate accountability for ensuring the ERM framework adds value to the business, for coordinating the information captured by the system, and for ensuring the company’s risk positioning is in line with its risk appetite. Risk appetite is the level of risk the organisation is willing to accept in pursuit of its objectives. Without this level of oversight and accountability behind a risk framework, an ERM system and process becomes little more than a collection of dashboards and unused documentation.
From our experience, this lack of appropriate supporting governance is what typically leads to ineffective risk management systems, propagating the perspective amongst executives that ERM is, at best, a “nice-to-have” but ultimately unimpactful tool, and at worst, a flat-out legal liability.
Having highlighted the importance of appropriate governance for risk management, how do we make sure that these structures are effectively put in place and are fit for purpose for companies of different sizes and risk maturities?
More than software platforms: how do you create a fit-for-purpose governance structure for risk management?
Small-sized organisations: There is no one-size-fits-all solution here. Smaller organisations, with smaller risk management requirements and fewer available resources, cannot justify a full-blown risk management team in charge of running ERM. In these cases, a governance structure and procedures are still required, just with a far smaller footprint.
To get around this issue, it is often optimal for an existing business function, one which operates across the business and communicates frequently with other functions, to assume responsibility for the ERM framework and tools. A good fit for this is often the business’ Compliance Function.
Unlike other business functions which can get easily tied down with the technicalities of specific procedures and internal operational risks, the Compliance Function, through its broader remit, can maintain a more strategic lens of risk. Therefore, a suitable approach is often for the Compliance Function to assume this role as a de facto CRO.
Medium-sized organisations: Once a company surpasses certain maturity thresholds, a more robust structure is required. At this stage the responsibilities of a CRO may still be attributed to an internal business function, but a broader internal risk governance board should be created.
This board would then be responsible for managing the company’s risk register and ensuring mitigation efforts are in line with the company’s strategic targets and risk appetite. The board should ideally be comprised of one chief risk owner from each function in the business. The concept of clearly assigning risk ownership and its importance is something we will elaborate further in our next ERM blog post.
Large-sized organisations: For larger and more mature companies, a dedicated Risk Management Team - with a designated CRO leading it - is optimal. As the complexity of the organisation and the volume of risks in the register grows, greater oversight is required to coordinate mitigation efforts across departments and provide direction. Here, the ultimate responsibility for ensuring risks are correctly ranked and prioritised, as well as efficiently mitigated, falls to the Risk Management Team.
An internal governance board should still be in place to facilitate communication between the different departments and the Risk Management Team, with the latter now facilitating knowledge sharing. This becomes valuable when high-impact and high-complexity risks require a multi-departmental, orchestrated approach to their mitigation and control. Additionally, as larger companies are more likely to continuously expand into new markets and across products or therapies, this robust structure ensures new risks are quickly and efficiently assessed and managed. That in turn shortens transition periods and strategic pivots, giving the company greater flexibility to be innovative and take calculated risks.
Looking forward
Life Sciences companies at the forefront of good risk management practices already exist and are employing similar structures to the ones we have outlined here. Therefore, these concepts are no longer theoretical but are actually being put into practice.
For larger companies, we are seeing centralised ERM Teams being led by an Enterprise Risk Management Director as well as a Head of Risk Management. In these cases, the two roles are jointly in charge of coordinating risk management across the business. For less mature businesses, the prevalence of risk governance bodies is increasing, as is their impact.
Ultimately, as the footprint and maturity of businesses increases, the implementation of ERM systems and frameworks becomes an inevitable component of good governance. It is not a question of whether ERM needs to be implemented, but rather how it can be done effectively.