Proof of an ERM organisation

A topic like this confronts every organisation in our today’s world of changing shapes and sizes of risks. ERM regulated organisations are wont, perhaps, to make the proof with a compliance mindset. Even when an organisation is not ERM regulated, all organisations are invariably faced with a need to show that they manage risk. Why? The answer is as common as our daily living experiences. I mean temptation. Yes. Temptation is common to all men and women and it is not a respecter of persons. We all endeavour, daily, to overcome temptations of varying types. This is just the same way organisations are faced with risks of varying types. Risk, like temptation, does not respect organisations. Objectives generate risks. If there were no objectives to achieve, organisations will have no risks to tackle. And all enterprises, whether for-profit or not-for-profit, have objectives to deliver, and thus risks to manage. Organisations therefore start to mature ERM when they begin to deploy frameworks that manage risks within the context of their objectives. In this article, ERM Organisation and ERM Maturity will be used as synonymous expressions.

It is overly important to assess an organisation’s ERM maturity. This is because wrong indicators are often used in measuring ERM maturity. Documenting ERM framework means, to some, that the organisation is an ERM organisation. This is not often true. When an organisation has carved out an ERM unit and designated a head for it, people equate such status with an ERM organisation. This also is not always true. In the same vein, when an organisation has instituted risk committee (often at management and board levels), people ascribe to them the status of an ERM organisation. This also cannot be absolutely correct. The fact is that all or some of these situations could exist but ERM is still not mature. Assessing whether an organisation is an ERM organisation enables appropriate benchmarking of its ERM maturity.

To matured ERM, an organisation would need to have developed and deployed an ERM framework. But a lot of organisations stop at ERM framework design. When the rating agency, statutory auditors or their regulator asks and says ‘have you implemented ERM’? They reach out for the framework and showcase it. An organisation will not be and ERM organisation with a framework that is not deployed. Of the several but interrelated ERM framework components, we will illustrate deployment with just one: Risk Management Strategy. An organisation’s Strategic Planning unit will usually articulate and set its Strategic Objectives, different from the overarching Mission and Vision Statements. Organisational objectives or high-level goals are thus drawn to deliver stakeholders’ expectations. Deploying an organisation’s Risk Management Strategy, therefore, requires that the objectives that deliver these expectations are assigned ownership. Further embedding objectives ownership with the performance management system of the organisation integrates it with its decision making process on performance appraisal. When an organisation deploys the several other components that make up its ERM framework, the organisation is beginning to imbibe the practice of an ERM organisation.

Emerging solvency capital reforms now require organisations to demonstrate ERM maturity beyond framework deployment. Risk profiling, in a manner that attributes published profit or loss results to risk management activities, now form part of solvency capital directives of most world economies. This is similar to the way IFRS cash flow statement attributes movements in cash and cash equivalents in an entity’s published financial statements to the profit or loss declared. This is, yet again, convergence of solvency capital reforms with IFRS. It is a proof of best practice. When an organisation is thus able to show a linkage of ERM to the sources of profit and the causes of losses, it can be said to be making the proof of an ERM organisation. Enterprises, therefore, do not become ERM organisations just because they have created ERM department or because they have designated a Chief Risk Officer.

As already established, emerging solvency capital reforms are setting the tone for enterprises not just to develop and deploy ERM framework but to mature same and transit to becoming ERM organisations. But like ERM regulated organisations, all organisations are vulnerable to solvency stress and strains. Therefore, ERM deployment and maturity should permeate all organisations. Organisations that are not ERM regulated should self-regulate solvency capital and mature ERM. They should set target economic capital and benchmark solvency. Such organisation stand higher chances of gaining resilience in the face of changing shapes and sizes of risks.

 

Steve Nkwor MIRM (UK)

Steve Nkwor a risk management consultant and writes from Lagos, Nigeria. He is a passionate promoter of down side zero tolerance. He holds full membership of the Institute of Risk Management of London. He is also a fellow of the Institute of Chartered Accountants of Nigeria as well as an associate of the Chartered Insurance Institute of Nigeria and can be reached on [email protected]