The discipline of Enterprise Risk Management (ERM) is developing rapidly. The industry is awash with consultants, software providers and trainers, together with an ever-expanding vocabulary of labels and acronyms. Many people struggle with what the labels mean: ERM, GRC (Governance, Risk and Compliance), ORM (Operational Risk Management) and other terms. Suppliers add to the confusion by labelling anything that relates even roughly to risk as “GRC”.
This confusion is obviously part of the growing pains of a rapidly developing discipline. Another more fundamental reason, we believe, is the blurring of the lines between risk management and the wider field of general management. Where does ERM stop? When it stops, what then takes over? What is the difference between risk management and internal controls, audit, performance management and the like?
As a firm we began the development of our current Protecht.ERM system over 10 years ago as a Key Risk Indicator (KRI) system. As the industry developed, so did the requirements of the ERM system. Risk and Control Self Assessment, Incident Management, Assurance and Audit, and Compliance were added, and it became increasingly difficult to ring-fence the development. Going forward, we see the blurring of the boundary between ERM and management increasing. We see this blurring of the boundary as key to ensuring that the maximum value is created from your investment in ERM systems and processes.
A detective control, such as a smoke detector or a data reconciliation, has the objective of identifying when a risk is in motion so that action can be taken to either halt the risk in its tracks or reduce it. A key risk indicator system as part of an ERM framework does exactly the same thing: a KRI is a detective control. The KRI process within ERM is therefore a flexible framework for developing a comprehensive set of detective controls across your business, over and above your existing controls. Are KRIs therefore just part of the normal internal control framework?
We are often asked what the difference is between a KPI and a KRI. Our standard answer is "nothing". Why? Performance should be measured based on the level of reward achieved against the level of risk taken (risk-based performance). KRIs track the risk side of the equation; KPIs have traditionally tracked the reward side. KRIs are therefore KPIs, and your KPI system should therefore be the same as your KRI system. If you are not using your ERM system for collecting and reporting all of your KPIs as well as your KRIs, is your return on investment being maximised?
A robust ERM system should allow the development of tailored data collection processes, together with automated escalation and comprehensive analytics and reporting. This functionality typically supports incident management, risk assessments and so on. However, the same functionality is also ideal for improving many existing management processes that require data collection, data analysis, escalation and reporting. The ERM system should therefore be leveraged to improve many of your existing processes.
Taking risk incidents as an example – the flexibility for users to design their own operational risk incident registers, safety incident registers and analytic dashboards has expanded our client base into the retail, entertainment, wagering, transport and defence services sectors. The flexibility in form design has resulted in the register module being used to support the following areas or processes:
Other areas, such as fraud, compliance breaches and audit findings, are also being monitored through registers.
We believe that the blurring of the lines between ERM and wider management is occurring because of the following reasons:
Risk management is fundamentally the collection of data, both manual and automated. This data is then analysed and turned into intelligence, which is then escalated or reported to users to assist in risk-based decision making. Risk management to date has focussed on this process from a “risk only” perspective. However, the wider field of management is the same – the collection, analysis and reporting of data. Why not leverage this fundamental capability for a wider audience?
Risk management is a young discipline and has attracted many software developers and vendors using the latest technologies, whereas many existing legacy management systems may be technologically out of date. The technology of your ERM system may well be better than that of your existing management systems.
As a result, we as a firm believe the blurring of the lines will not stop. We see the leveraging of risk management capabilities, especially those of your ERM system, as an excellent way to maximise the return on your ERM investment. As a Risk Manager, you may even be able to “sell” your capabilities to the business and truly move risk management from its often perceived position of “overhead” to a recognised “value creator”.
If you want to get more than just ERM from your ERM system, please feel free to contact Protecht at email@example.com or request a personalised demo and see what we can do for your company.
David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to elevate risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind taking Protecht’s risk thinking to the frontiers of what is possible in risk management and behind supporting the uplift of people’s risk capability through training and content.