The Business Case for Enterprise Risk Management

Sword GRC Blog

While it may be easy enough for risk professionals to appreciate the benefits that ERM can bring in driving robust risk management processes within an organization, it may be trickier to put the case for ERM investment to senior management, boards, or business owners. If you’re tasked with justifying ERM as a business performance driver, with a view to implementing an ERM solution, here are some key considerations that might just help to strengthen your case:

  • Get people thinking about business risks and their implications

The risk landscape is constantly evolving, and traditional approaches to risk management lack the agility to adapt to unforeseen or emerging risks. What types of risk affect or could affect the business, and what would happen if these risks aren’t managed? Questions around the impact of the current economic environment and legislative changes on the business, how the business is performing compared to its key competitors, and what events could damage the business’ reputation or market position will help you to articulate the value of ERM.

  • Do your homework – prepare a comprehensive ‘argument’ for ERM

With the buy-in of senior management in mind, it can be worthwhile to set out and explain exactly what modern enterprise-wide risk management is. Rather than presenting a complex ERM model and methodology, provide a clear outline of why it is necessary, the business objectives it can address, and the value propositions for respective stakeholders and decision-makers.

What exactly can be achieved by raising the profile of risk management and implementing an ERM approach within your organization? Business objectives may include:

    • Encouraging a risk-aware culture
    • The ability to identify and effectively treat risks that can be detrimental, whilst identifying and seizing opportunities as they arise
    • Building a center of excellence for risk management
    • Standardizing risk evaluation
    • Embedding risk management within strategic decision-making, business planning, and day-to-day activity

  • ERM – persistence pays off

Through your own research and/or prior experience, you will likely appreciate that effective risk management can help reduce operational surprises and mitigate losses, improve awareness of risks and enhance internal controls, promote a ‘healthy’ risk culture and ensure an aligned, consistent approach across the organization. But how do you get leadership buy-in?

“We must consistently, convincingly, and relentlessly articulate the value of ERM. We must lead by example, ensuring the needs of the business come first,” emphasizes Sam Elwell in ‘Making the Investment Case for ERM’ published in Enterprise Risk, the official magazine of the Institute of Risk Management. “To get from a blank slate to an effective and trusted ERM function, one word springs to mind – persistence.”

Key ERM Benefits at-a-glance:

    • The ability to balance risk versus reward – some risks pose opportunities
    • Improved shareholder value and governance
    • Maximized scope for business success
    • Reduced operational losses and costs
    • Aligned risk appetite, tolerance, and strategy
    • Optimized resource allocation based on prioritized risks
    • Enhanced decision-making
    • Improved risk awareness and better risk responses

  • Develop risk policies, processes, and procedures

In putting the case for ERM, it may be useful to scope out the roles and responsibilities of each party involved in risk management within your organization. Depending on the scale and nature of the enterprise, they may include business owners or board members, audit and risk functions, senior management, risk owners, and in some organizations, depending on risk culture, all employees.

Some may find it beneficial to promote a center of excellence for risk management – a risk management function dedicated to devising and enforcing risk management policies and procedures for the organization. This team will coordinate, review, and consolidate risk reporting, whilst monitoring the approach to risk management and its effectiveness.

It may also be useful to define and share your organization’s risk appetite statement, risk tolerance limits, criteria for risk assessment and prioritization, plus risk identification, analysis, reporting, and monitoring procedures.

  • Use case studies to strengthen your case

Perhaps you can use the experiences of other organizations within your sector to demonstrate the value of ERM? Or, as Elwell suggests, you could create your own case study: “Select a risk with upside potential… Pick sensibly. You need to deliver tangible, positive outcomes. Use risk appetite as a green light, not a red. Focus attention on a small set of critical KRIs and KPIs which affect strategic objectives. Block out background noise and focus the business on what the business wants.

“Before you know it you have created your own case study where ERM has delivered tangible value, quickly, with little investment. The case study involves your business and better still, you. Leadership sees ERM in a positive light and trusts you to deliver value. You secure the investment in technology and talent and can expand your approach across the full risk profile.”

  • Countering cost objections

If your end-game is to get leadership buy-in to ERM software investment, be prepared to justify your position. Try to calculate the true costs of common risks to your business, factoring in, where possible, issues such as downtime, work missed, legal expenses, and mitigation costs. How disruptive and costly would a major incident be, for instance?

Quantifying the cost of risks is difficult, but a cost/benefit analysis can aid decision-making. Ultimately, if the saving from reducing the frequency of events and the impact (cost) of those that do occur is greater than the cost of investing in the software itself, then the case is clearer still.

More homework – consider the ERM software solutions available on the marketplace that best suit your business requirements. Be ready to detail how they will be able to solve your risk, governance, and compliance challenges, save on time and resources, and address current administrative pain points.

Time-to-value is always important, so perhaps also think about cloud rather than on-premise deployment, so you can be up and running with ERM software sooner, benefiting from the functionality and attaining ROI.

Best-in-class ERM software

Sophisticated technology underpins ERM and supports business performance.

If you are keen to discover how ERM software can drive business performance within your organization, learn more about the technology behind leading-edge risk management, Active Risk Manager.