All organizations — no matter their industry — face business challenges, and their risks seem to be increasing in volume and complexity. In the past, organizations could rely on a traditional risk assessment to help them lessen their risk burden, but it’s no longer enough. Now the key to successfully meeting their challenges and mitigating their risks is implementing an effective enterprise risk management (ERM) program.
Recently, ISACA hosted a “fireside chat” during which Baker Tilly risk advisory professionals Matt Reierson, senior manager, and Joe Shusko, principal, talked with Michelle Bolger, the University of Illinois Foundation’s vice president of financial operations and controller. During their conversation, which Shusko moderated, the presenters discussed the foundation’s nearly five-year journey into the ERM process as it has worked alongside Baker Tilly. They looked at how the need for ERM arose for the foundation, the process around the implementation and the factors necessary for making it an effective program.
Why organizations need ERM
Organizations may believe they don’t need an ERM program because of their size or industry, Reierson said, but every organization faces business risk, and therefore every organization should evaluate how it can improve its risk management. The approach does not require sophistication. Even if the methodology for implementing components of ERM may be less formal and less structured, the basic components can be present.
ERM will also help any organization meet its business challenges by establishing oversight, control and discipline to drive continuous improvement of risk management capabilities in a changing operating environment. It can redefine the value proposition of risk management by providing an organization with the tools and resources it needs to become more anticipatory and effective at evaluating, embracing and managing uncertainties.
In fact, Reierson said, effectively functioning ERM infrastructures can become a root differentiator between mere survivors and pace-setters in an industry.
Further, ERM will provide reasonable assurance to management and the board that its business objectives are being achieved. By creating a common framework that can be used by disparate areas within the organization, it also aligns and integrates varying views of risk management.
Organizations have started to integrate risk management into their critical management activities, linking risk management to more efficient capital allocation and risk transfer decisions. They are aggregating common risk exposures across multiple business units with the objective of understanding the greatest threats to their enterprise value and then formulating an integrated risk response.


