How to create an enterprise risk management plan for your company

Running a business comes with many types of risk. They can have negative impact, positive impact, or both. Some of these potential hazards can destroy a business or cause serious damage that is costly and time-consuming to repair. Other risks may represent opportunities.

Companies invest time and money in business risk management but often treat it as a compliance issue with rules and regulations for employees to follow. This approach is limited: rules-based business risk management alone cannot diminish either the likelihood or the impact of a disaster and can also lessen your ability to seize business opportunities that may involve some degree of risk.

Business risk management is a subset of risk management which evaluates, prioritises and addresses the risks involved in any changes to your business operations, systems and processes. It acts as a guide in decision-making and planning in the event of an emergency or an opportunity.

Business risk management also enables an integrated response to multiple risks and facilitates informed, risk-based decision-making capabilities.

The Harvard Business Review divides company risks into three parts: Preventable Risks (those within your organisation), Strategy Risks (those which you may undertake to generate higher returns), and External Risks (those occurring outside of your organisation and therefore beyond your control).

More specifically, the following examples should be considered in your business risk management assessment:

  • Hazard risks: anything in the workplace with the potential to harm people, which is not under the control of the business environment. This includes such items as hazardous materials or fallout from machinery. 
  • Physical and environmental risks: fires or explosions; anything that can damage your premises, including natural disasters such as area fires, storm damage, floods, hurricanes or tornadoes, earthquakes, etc. Some of these can be considered climate-related.
  • Human risks: personnel-related issues that can affect your company’s operation, such as alcohol and drug abuse, embezzlement or business fraud.
  • Technology and operational risks: anything that compromises your company’s operations, such as a power outage, cyberfraud, system failures, etc. 
  • Strategic risks: failure to respond to changes in the business environment, often the result of poor or wrong business plans and losing the competitive edge in your sector (think Blockbuster video vs Netflix).
  • Financial risks: risks taken with financial assets, including risks in pricing, currency exchange or liquidation of an asset. Customers and partners can also present financial risks in business, such as a credit risk, for example if you sell on credit terms. Business risk management can indicate how much risk your company can handle in financial relationships, including the risk of payment defaults.

Creating effective business risk management involves your entire company and is implemented through enterprise risk management.

Both enterprise risk management and business risk management sit under the overarching umbrella term of risk management. There are, however, subtle differences between the two.

Risk management involves evaluating and acknowledging risks involved with making any changes to your operations and processes. Risk management helps organizations make informed decisions to mitigate risks, as well as create informed action plans to capitalize on a business opportunity, or have a plan in case of an emergency – such as a facility fire, loss of key personnel, or a critical technological failure.

By contrast, enterprise risk management (ERM) is the methodical process of identifying and creating responses to potential events that represent risks to the achievement of your entire company’s strategic objectives, or to opportunities to gain a competitive advantage. It’s the expression of your company’s risk culture, your risk tolerance, your appetite for risk. Enterprise risk management takes a holistic approach. It evaluates risks to your company as a whole – how a risk within one department or wing of the organization may extend to different parts of your enterprise and the impact it may have.

These are important elements with which to create an appropriate enterprise risk management framework. One such example of an enterprise risk management strategy is to hire expert risk analysts. This can involve seeking outside professionals to determine risks and responses, helping to create a more effective framework.

Additionally, an enterprise risk management framework can also include developing a system of policies and procedures rolled out to all departments within the organization, as well as documenting different risks and evaluating them. This includes looking at past risk response mistakes and remedial actions taken to future-proof against risk.

When structured efficiently, the acceptance of strategy risks can create highly profitable operations and improve your compliance with legal, regulatory and reporting requirements.

There are likely to be many advantages, as well as disadvantages, to enterprise risk management. On the positive side, it gives you greater awareness of the risks facing your organisation and your ability to respond effectively. This should provide you and your employees with an increase in your operational efficiency and effectiveness while boosting your confidence about your company’s ability to achieve strategic objectives.

However, there can also be a downside to enterprise risk management, as it has inherent limitations. For example, human judgment in decision-making can be based on past experience, false assumptions or sheer gut feeling, resulting in simple errors or more serious mistakes.

Insufficient understanding of what enterprise risk management is might overlook your sector’s business and economic climate, which can result in conflicting data or an overly conservative approach to risk… and missed opportunities. To be effective, enterprise risk management should assess the risks inherent in specific business objectives, anchored in key value drivers.

Remember: strategy-related financial risks in business are inherent in companies’ strategic objectives. For example, financial institutions such as banks or credit unions take on risk when lending to consumers, while pharmaceutical companies are exposed to strategy risk in their R&D development for new products.

Companies exposed to substantial financial risks can mitigate the potential for negative consequences by creating and maintaining infrastructures and solutions such as trade credit insurance.

The first step in creating an effective process is to understand the types of risks your organisation faces vis-a-vis the main components or drivers of your business strategy.

Comprehensively analyse your company's specific business activities and components. What internal and external events could impede or derail each of them? Do you have systems and processes in place to handle these risks? Overall, how likely are these risks to occur?

Specific initial steps to take in business risk management are:

  • Identifying risks by studying internal and external factors that impact your objectives.
  • Analysing risks by calibrating and calculating the outcomes for each risk.
  • Responding to risk by adopting the appropriate strategy needed to mitigate the risk, either by establishing new processes or eliminating old ones.
  • Monitoring risk and opportunities by continually measuring and documenting the risks and opportunities of your sector, including financial risks in business and your own risk management protocols.

Make sure to incorporate accountability in your enterprise risk management. Appoint a staff member with managerial authority to oversee business risk management responsibilities. You might also form a risk management committee with members assigned to specific tasks. 

Risks in today’s age of technology and climate change have multiplied in number and complexity. Advance planning and expert consultation can mitigate the downside of some of these risks. Many risks are in fact insurable: fire, product liability, or embezzlement among them.

For example, as a specialist in risk monitoring and credit risk management, we cover companies against risks such as credit risk and risks linked to “green” transactions by offering predictive protection in the form of trade credit insurance.

But the best risk insurance is still prevention. Many risks in your operations, including financial risks, can be tackled through employee training; background checks on employees, customers and partners; safety checks; equipment maintenance, and maintenance of your company’s physical premises.

In the case of monitoring financial risks in business, try embedding experts within your organisation to work with line managers whose activities are generating new ideas, innovation, risks — and, if all goes well, profits.

Enterprise risk management is a company-wide process, but multiple studies have found that people overestimate their ability to influence events, many of which are heavily determined by chance.
