Managing risks on an enterprise scale

In the past few years, risk has become a very important topic in corporate circles. Depending on the business environment, risks can vary in nature, from a tangible one such as a security threat like hacking or even hijacking, to a more intangible one such as a changing business scenario, for example an economic crisis on a global scale.

Over the years, there have been numerous examples of businesses that went bust solely because they could not cope with the risks associated with doing business. For instance, companies like Polaroid or Nokia went under because they could not perceive the changing trends, while Enron and Goldman Sachs went down for a completely different reason.

The fact is that risks are a part of doing business and one cannot wish them away. The only thing that a good company can do is to try to mitigate risks rather than ignore them. Managing risk is an effort that needs to be undertaken on an enterprise scale, and this is where EWRM comes into play.

Enterprise Wide Risk Management is gaining popularity across the globe as companies redouble their efforts towards mitigating risks. The concept is pretty simple: companies are encouraged to adopt a more open and objective view towards risk. Rather than getting worried or daunted, business leaders are encouraged to model and plan out strategies that will help them counter those risks. The idea is to create a checklist, formulate a holistic plan about the various threats (ranging from inconsequential to existential), examine it, plan things out, and then manage the threats in such a manner that they no longer pose a danger.

Usually, companies view risks from a financial perspective. Yet the fact is that anything that poses a threat to the organization overall needs to be tackled. EWRM, on the other hand, goes much beyond the financial purview. It encompasses within its ambit almost all that can negatively impact your organization, right from a disgruntled employee stealing the company's IP on a USB drive to a surge of natural gas blasting through a concrete core and causing the single largest oil spill in human history. Consequently, risk management is all about planning, coordinating, and investing in activities that reduce or mitigate the risks posed to a company.

To be able to deal with risks, companies need to first create a scale and classify them according to the dangers they pose. More often than not, corporates err by creating an overarching category named risk and then filling it up with everything that threatens business. Before managing risks, one needs to understand them. The hazards need to be classified as threat, vulnerability, and risk.

Take, for example, employee attrition. It is a universal issue that plagues almost every company on the globe, hence it can be labelled as a threat. But say there is a niche company that has some highly specialized employees on board who are much in demand in the market. Then the vulnerability and threat combine to become a risk, and it needs to be managed and mitigated.

Once the classification is done and a Risk Register created, companies need to create a process whereby these risks are evaluated at regular intervals to ensure mitigation. As companies function in a very dynamic environment, what is a threat today might be a risk tomorrow, or vice versa. That is why companies need an enterprise-wide stratagem for risks.

While there is indeed some confusion on how risks need to be evaluated or managed, fortunately there seems to be forward movement on it. To date, EWRM was done under the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework, which is guidance on designing, implementing and conducting internal control and assessing its effectiveness. This was essentially to map the internal financial controls, or IFCs, and ensure that the company was ready for any financial threats. EWRM is a sort of extension of the IFCs, adding more dimensions to it. The good news is that it is also a compliance issue now. The new Companies Act 2013 mandates that companies need to take measures to address enterprise-wide threats. They need to do so by setting specific responsibilities for different stakeholders and addressing the threats appropriately through EWRM. With this shift, EWRM is no longer just a stratagem but also a compliance issue.

In the end, whatever the impetus, compliance or stratagem, a company that actively studies and manages risks on a regular basis can only do well in the dynamic world that we live in today. Risk management is going mainstream, and that can only be a good thing for all the stakeholders involved.