No, the title does not have a typo. ERRM refers to Enterprise Risk and Resiliency Management. And, no, it is not necessarily new. When ERM is practiced in a mature and robust fashion, it should add to an organization’s resiliency.
Resilience refers both to the ability to rebound after a loss caused by a risk that could not be fully mitigated or was unrecognized, and to the ability to capitalize on the upside of risk.
Let’s look at two scenarios.
Company A, an industrial manufacturer, implemented ERM several years ago. Its risk committee, recognizing changing climate conditions and weaknesses in an aging facility, got approval for a multi-year investment in flood protection. This decision was made part of the strategic plan. Not only did the company invest in flood gates for its access points to lower levels, but it also cemented over unneeded windows and redesigned storage racks at sub-levels. All drainage lines around the facility were tested and repaired, if required. Very importantly, its business continuity and disaster recovery plans were updated and had been rehearsed in tabletop exercises. So, when a one-in-50-year flood occurred and crippled other businesses in the area for weeks, Company A was virtually unaffected. It was able to resume full business operations in two days. On top of that, it was able to capitalize on the excellent press coverage it got locally, which enhanced its ability to attract the talent it had been seeking from the area.
For this company, ERM was more than identifying risks and creating reports. It was about taking action to build true resiliency in the face of risk.
Company B, a women’s clothing design and manufacturing company, practiced ERM with a very strategic approach. That is, the risks to the company’s strategic direction were focused on first and became a key component of the risk identification and mitigation processes. When changes in customer preferences and buying habits were identified as risks to the current strategy, the strategy was adjusted accordingly. Since women were trending toward buying fewer and more basic garments (for example, slacks that could be worn with multiple tops) while buying more accessories at more expensive prices, the company added new product lines such as jewelry and handbags.
As margins became squeezed at less diversified companies, this company prospered. Its quick reaction to emerging risk by adding product lines was rewarded with year-over-year return on equity (ROE) increases for each year of the strategic plan period. In other words, the company found the upside of risk and enhanced its resiliency because of it.
These hypothetical companies, based loosely on actual ones, illustrate that ERM is not just about risk; ERM is about resiliency. It is about the ability to address risk in such a way as to wind up in as good or better a position as the company was before having dealt with the risk or its impact.
How do companies embed resiliency into their ERM programs? Each of the following points enables greater resiliency, when practiced consistently:
- ERM needs to be strategic. First, risks to the strategy must be analyzed as well as operational and other risks. Second, risk mitigation plans for all risks that require a significant commitment of organizational resources need to be documented in the strategic plan to ensure there is proper allocation of such resources. In its fifth annual risk report, PwC has a recommendation that reinforces this idea while adding the element of business continuity planning: “Ensure strong triangulation between strategy, risk management and business continuity management.”
- ERM must be seen to offer insights not only to the downside of risk but also to the upside. How does a given risk offer an opportunity in addition to or instead of a threat? If rising raw material costs are posing a risk to profitability, how can buying consortiums, vertical integration, multi-year contracts or changing the material composition of products pose opportunities? Innovation has a role to play in seeing and responding to the upside of risk. Indeed, risk and managing risk can be catalysts for innovation.
- ERM mitigation plans need to be as bold as necessary to meet the potential impact level posed by the risk. For example, it does little good to mitigate a reputational risk by issuing a statement of corporate values when hiring a new senior team is what is needed. A particular mitigation plan may need to be as big as entering a new market or leaving an established one, moving a manufacturing center to a new location or making a sizeable technology investment to stay competitive or safeguard property.
- Business continuity and disaster recovery plans are not sufficient to create resiliency. Public relations plans are also necessary to support resiliency. When there is a serious, public risk event, stakeholders want to know what happened, why, and how it will be handled. Companies such as British Petroleum (during the BP oil spill in the Gulf) and Toyota (during the faulty power window allegations and recall) learned that statements by CEOs could make the situation worse than it already was, thereby heightening the risk. PR plans need to spell out how the company will communicate in terms of transparency, tone and types of meaningful responses it is prepared to make to address the issue in question.
- ERM must be a continuous process where risks are updated and mitigation plans are monitored and adjusted on a regular basis. Given the pace of change, the ERM process must be as dynamic as the environment within which it exists. When a risk morphs, the actions planned to address it must morph with it; when new risks emerge, tactics to deal with them must be developed. Complacency or slow reaction time will sabotage an ERM process. As such, neither must be allowed to invade the process. If they do, resiliency will surely be sacrificed.
The marketplace continues to see seismic disruption and more massive shocks than ever before. Companies lacking the ability to bounce back from the effect of these will not be able to survive long-term. That is why every effort must be made to create a resilient form of risk management that deserves to be labeled ERRM.