PwC urges firms to embrace ERM

July 02, 2013 | 14:00
PricewaterhouseCoopers (PwC) Vietnam’s advisory director Edward Chien writes that it is high time local enterprises took enterprise risk management (ERM) seriously to become more risk resilient.

ERM has been a subject discussed frequently with consultants such as PwC in recent times.

It is heartening that businesses in Vietnam are seeing the benefits of having structured processes to identify, assess, mitigate and monitor their key risks. However, we would caution that its implementation has to be pragmatic and consistent with an appropriate ERM maturity level, so that management can sustain the operations of the ERM processes and it does not become just another form of internal reporting. At PwC, we believe in pragmatic solutions such that organisations can leverage ERM to become more risk resilient and agile in responding to uncertainties.

In this article, we would like to share several tips for businesses that are considering the implementation of an ERM process.

Consistent terminology

We recommend that everyone in the organisation has the same definition of “risk”. At PwC, we normally define risk as “a potential future event that prevents an organisation from achieving its objectives”.

Appointing the CEO as the ERM project sponsor

ERM was developed as a response to the emergence of a more complex business risk landscape. In general, ERM involves the process of identifying, assessing, mitigating and monitoring risk events. In most organisations, the ERM approach has involved dividing risk into three main categories - financial, operational and strategic risks.

In PwC’s experience, companies generally do a good job of focusing on financial and operational risks. But they have often been less successful at linking these risk categories together, or understanding the interdependencies between them. In addition, many businesses spend little time on strategic risk. Having the CEO as the ERM project sponsor will ensure that risks and strategy are linked and that appropriate risk-taking is seen as a key part of value creation in the organisation.

Assess the current and define the desired maturity level for ERM in your organisation

There are good ERM practices for organisations to base their ERM approach on, but the implementation of ERM is unique to each organisation due to differences in the decision-making process, management culture, business issues, the level of centralisation and decentralisation, the availability and level of management information and many more factors. An experienced ERM consultant will assist the CEO to assess and design an ERM framework that is appropriate for the organisation and consistent with its level of maturity.

Formalise your objectives

Quite often, we encounter organisations in Vietnam that have yet to document their objectives, such as mission/vision, key goals and strategies. We encourage organisations to define their key objectives.

Put simply, an organisation that can define its objectives is then able to identify the key risks that will prevent it from achieving those objectives, to effectively design controls to mitigate those key risks and finally to get the entire organisation to align their individual department/division objectives and controls with those at the group level.

Understand that uncertainty is the norm

Times have changed. Today’s fast-changing world creates more uncertainty for organisations and makes it harder for them to understand where new risks are going to come from and what form they will take. Therefore, ERM requires more than tools and historical data. It becomes necessary to engage with the workforce of the entire organisation where “Risk Management is everyone’s job, everyday”.

Notwithstanding which ERM tools are implemented, we recommend that organisations focus on these three goals:

·  Developing a risk aware culture;

·  Explicit focus on risk appetite; and

·  Alignment of risk and strategy.

The organisation’s managers should discuss the resilience of the whole system in the face of known risks. They will also discuss the “low probability but high impact risks” and what agile approaches the organisation can take to manage this unpredictability. Through this, a new breed of managers who are more risk aware and also aware of the relationships between organisational units, different interests and external relationships will emerge.

Board clarity

Greater clarity from the Board/CEO on their risk appetite in pursuing their strategy is important as it will help to build awareness at all levels of what risks the Board/CEO is willing to bear. To achieve this, the likelihood, impact grading and risk tolerance could be shared with the managers.

Alignment of risk and strategy should get adequate discussion time at the Board level. The CEO should encourage a more holistic view of risks and highlight the interdependencies between financial, operational and strategic risks.

The purpose of ERM is to assist the board and the organisation to understand what key risks they are running, or how the knock-on impacts can spread to other risk categories. Top management should leverage ERM to transform the organisation to become more agile and innovative when facing risks. In other words, risks are all around us and are increasingly unpredictable, but ERM can help to increase an organisation’s confidence that it has the business resilience to manage the known risks and is able to respond to uncertainties or unexpected risks that will inevitably arise.

By Edward Chien
