The discipline of Enterprise Risk Management (ERM) is developing rapidly. The industry is awash with consultants, software providers and trainers, together with an ever expanding vocabulary of terms and acronyms. Many people struggle with what the labels mean: ERM, GRC (Governance, Risk and Compliance), ORM (Operational Risk Management) and so on. Suppliers add to the confusion by labelling anything that relates even roughly to risk as "GRC".
This confusion is obviously part of the growing pains of a rapidly developing discipline. Another more fundamental reason, we believe, is the blurring of the lines between risk management and the wider field of general management. Where does ERM stop? When it stops, what then takes over? What is the difference between risk management and internal controls, audit, performance management and the like?
As a firm we began the development of our current Protecht.ERM system over 10 years ago as a Key Risk Indicator (KRI) system. As the industry developed, so did the requirements of the ERM system. Risk and Control Self Assessment, Incident Management, Assurance, Audit and Compliance were added, and it became increasingly difficult to ring-fence the development. Going forward, we expect the boundary between ERM and general management to blur further, and we see that blurring as key to ensuring that the maximum value is created from your investment in ERM systems and processes.
Key Risk Indicators as Detective Controls
A detective control, such as a smoke detector or a data reconciliation, has the objective of identifying when a risk is in motion so that action can be taken to either halt the risk in its tracks or reduce its impact. A key risk indicator system within an ERM framework does exactly the same thing: a KRI is a detective control. The KRI process within ERM is therefore a flexible framework for building a comprehensive set of detective controls across your business, over and above your existing controls. Like a smoke detector, a KRI only creates value if someone acts on the alarm, which is why thresholds and escalation paths are as important as the measure itself. Are KRIs therefore just part of the normal internal control framework?
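The paragraph above describes a KRI as a detective control: a measure with thresholds that signals when a risk is in motion and triggers escalation. The following is an added example written for this article, not code from Protecht.ERM or any vendor product. The indicator names, the amber/red thresholds, the "two consecutive amber periods" rule and the observation series are all constructed assumptions chosen to illustrate the idea, including a security-flavoured KRI (patch compliance) where a lower value is worse.

```python
"""Added example: evaluating key risk indicators (KRIs) as detective controls.

Illustrative code for this article only, not Protecht.ERM code.
All indicator names, thresholds and observations are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with amber (watch) and red (act now) thresholds."""
    name: str
    amber: float
    red: float
    higher_is_worse: bool = True   # False for measures like "% of hosts patched"
    amber_periods: int = 2         # consecutive amber periods before escalating (assumed rule)

    def rate(self, value: float) -> str:
        """Map one observation to a traffic-light rating."""
        if self.higher_is_worse:
            if value >= self.red:
                return "red"
            if value >= self.amber:
                return "amber"
            return "green"
        if value <= self.red:
            return "red"
        if value <= self.amber:
            return "amber"
        return "green"


@dataclass(frozen=True)
class Escalation:
    """One escalation event raised by the detective control."""
    kri: str
    period: int
    value: float
    rating: str
    reason: str


def evaluate(kri: KRI, observations: List[float]) -> List[Escalation]:
    """Walk a time series of observations and return the escalations raised.

    A red reading escalates immediately. A sustained amber trend escalates once,
    when it has persisted for kri.amber_periods consecutive periods; it is not
    re-raised every period afterwards, to avoid alert fatigue. Any green reading
    resets the trend.
    """
    events: List[Escalation] = []
    amber_run = 0
    for period, value in enumerate(observations, start=1):
        rating = kri.rate(value)
        if rating == "red":
            amber_run = 0
            events.append(Escalation(kri.name, period, value, rating,
                                     "red threshold breached"))
        elif rating == "amber":
            amber_run += 1
            if amber_run == kri.amber_periods:
                events.append(Escalation(kri.name, period, value, rating,
                                         f"amber for {amber_run} consecutive periods"))
        else:
            amber_run = 0
    return events


# Constructed indicators: an operations KRI and a security KRI.
KRIS: Dict[str, KRI] = {
    "unreconciled_items": KRI("unreconciled_items", amber=20, red=50),
    "patch_compliance_pct": KRI("patch_compliance_pct", amber=90, red=80,
                                higher_is_worse=False),
}

# Constructed weekly observations (period 1..n) for each indicator.
SAMPLE_OBSERVATIONS: Dict[str, List[float]] = {
    "unreconciled_items": [8, 12, 22, 27, 31, 55, 18],
    "patch_compliance_pct": [97, 94, 91, 88, 86, 79],
}


def run_sample() -> Dict[str, List[Escalation]]:
    """Evaluate every constructed KRI against its sample series."""
    return {name: evaluate(KRIS[name], series)
            for name, series in SAMPLE_OBSERVATIONS.items()}


if __name__ == "__main__":
    for name, events in run_sample().items():
        for e in events:
            print(f"{name}: period {e.period} value {e.value} -> {e.rating} ({e.reason})")
```

Two design points worth noting. A single bad reading and a creeping trend are different signals; a control that only fires on the red line will miss the slow drift that a KRI programme is meant to catch, which is why the example escalates on sustained amber as well. And the direction of "bad" is part of the indicator's definition, not something the reader of a dashboard should have to remember.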
Key Risk Indicators and Key Performance Indicators (KPI)
We are often asked what the difference is between a KPI and a KRI. Our standard answer is "nothing". Why? Performance should be measured as the level of reward achieved against the level of risk taken (risk-based performance). KRIs track the risk side of that equation; KPIs have traditionally tracked the reward side. KRIs are therefore a subset of KPIs, and your KPI system should be the same system as your KRI system. If you are not using your ERM system to collect and report all of your KPIs as well as your KRIs, is your return on investment being maximised?
Using the ERM process to improve other processes
A robust ERM system should allow the development of tailored data collection processes, together with automated escalation and comprehensive analytics and reporting. This functionality typically supports incident management, risk assessments and the like. However, it is equally suited to improving many existing management processes that require data collection, data analysis, escalation and reporting. The ERM system should therefore be leveraged to improve many of your existing processes.
Taking risk incidents as an example: giving users the flexibility to design their own operational risk incident and safety incident registers and analytic dashboards has expanded our client base into the retail, entertainment, wagering, transport and defence services sectors. The flexibility in form design has resulted in the register module being used to support the following areas or processes:
Other areas, such as fraud, compliance breaches and audit findings, are also being monitored through registers.
Where does it stop?
We believe that the blurring of the lines between ERM and wider management is occurring for the following reasons:
Risk management is fundamentally the collection of data, both manual and automated. That data is then analysed and turned into intelligence, which is escalated and reported to users to assist in risk-based decision making. Risk management to date has approached this process from a "risk only" perspective. However, the wider field of management is the same process: the collection, analysis and reporting of data. Why not leverage this fundamental capability for a wider audience?
Risk management is a young field and has attracted many software developers and vendors using the latest technologies, whereas many existing legacy management systems are technologically out of date. The technology in your ERM system may therefore be better than that in your existing management systems.
As a result, we as a firm believe the blurring of the lines does not stop. We see the leveraging of risk management capabilities, especially those of your ERM system, as an excellent way to maximise the return on your ERM investment. As a Risk Manager, you may even be able to "sell" your capabilities to the business and truly move risk management from its often perceived position of "overhead" to a recognised "value creator".
If you want to get more than just ERM from your ERM system, please feel free to contact Protecht at firstname.lastname@example.org or Request a personalised Demo and see what we can do for your company.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).