The business world today is undergoing a period of rapid and dramatic change. Geopolitical instability, environmental crises, supply chain disruptions, and the ongoing effects of the COVID-19 pandemic have forced organizations to rework their business models at an unprecedented rate. These changes have, in turn, given rise to new sources of risk for evolving enterprises. In light of this, companies need to reevaluate their enterprise risk management (ERM) strategies.
A company’s risk management measures can fail for many reasons. Poor judgment from business leaders, reckless risk-taking, or adverse external events can potentially compromise the company and render it vulnerable to financial crime. However, a great many enterprise risks are the result of systemic issues that companies can address with an active ERM program and robust financial risk management software.
Here are four of the most common risk management failures companies should strive to avoid:
1. Ineffective Leadership
Leadership failures will almost always destabilize a company’s risk management capabilities, no matter how strong these might appear to be on paper. For any risk management program to function effectively, company leaders must encourage continuous improvement, greater openness, and full transparency throughout the entire enterprise.
When it comes to ERM, poor leadership can take many forms. The following indicators, in particular, are among the most common:
- failing to understand the nature of the most urgent risks facing their organization
- failing to explicitly account for risk when making important business decisions, such as introducing new products, making complex investments or acquisitions, or entering new markets
- failing to proactively involve their board in discussions of ERM strategy and other policy matters
- unilaterally imposing their desired strategies without heeding warnings from their risk management officers about why these might be ineffective
- Poorly communicating risk information across the enterprise or not communicating it at all
Good governance is the ability of a company’s leaders to balance efforts to sustain and grow enterprise value with the controls, processes, and policies necessary to protect its interests. In many cases, ineffective governance comes about due to an unbalanced focus on generating near-term value and boosting profitability. Executives and management teams may then fail to invest in necessary protections that would serve their company well into the future.
2. Undisciplined Risk-Taking
All companies must exercise discipline regarding the risks they willingly embrace. When markets are favorable, and opportunities for significant growth are abundant, companies may be tempted to make unnecessarily reckless business decisions. However, poor decision-making in this area may end up endangering the health of the business, employees’ welfare, and even the well-being of the community the company serves.
A company’s culture, rewards systems, and incentive compensation programs may inadvertently or advertently encourage reckless risk-taking behavior among its leadership and employees. If responsibility for risk management is not adequately incentivized, certain individuals or departments may—in an attempt to drive greater profits—willingly take more risks without considering the consequences.
Given this, all companies should have systems that allow them to determine accountability for results and promptly escalate concerns. Open discussions about relevant sources of enterprise risk, sensible risk-taking, and regular risk scenario analyses should be encouraged across the entire company.
3. Poorly Implemented ERM
Many companies attempt to implement ERM systems without an adequate understanding of risk management or what place it necessarily occupies within their particular enterprise. The result is often an unfocused, highly fragmented, and resource-constrained system with little actual relevance to the company’s operations. Common signs of an ineffective ERM plan include the following:
- lack of support or involvement from executive management regarding risk management efforts
- unclear primary company motivations for implementing ERM
- delegation of ERM initiatives to lower-level managers and officers, making it difficult for these initiatives to gain traction throughout the enterprise
- treatment of ERM initiatives as the sole responsibility of particular individuals or teams only
- employee non-compliance with the organization’s stipulated risk management policies
Devising an effective ERM program must begin with clearly delineating the role of risk management in the company’s specific context. Company leaders can begin by empowering a team of senior executives to lead these discussions. Leaders can also foster discussions regarding the organization’s priority risks and possible measures that can be used to address them. The results of these discussions will pave the way for developing a more strategic, companywide approach to risk management.
4. Inadequate Risk Assessment Efforts
A company’s risk assessment initiatives may fail to identify key risks clearly and efficiently. At other times, management may struggle to convert the issues identified by risk assessment teams into concrete courses of action that can be incorporated into the company’s business plan.
A common language for discussing risk and a consistent, enterprise-wide risk assessment process is necessary for boosting the efficacy of any company’s risk assessment efforts. Company leaders should seek to involve key stakeholders across the business in this process. Risk assessment activities should also prioritize the most vital strategic risks to the business rather than focusing on minutiae.
All risk assessment activities must ultimately lead to identifying concrete steps that can be included in the business plan. It’s likewise important for management to report the results of these activities to the company’s board of directors to obtain their perspective on the matter.
Risk management mistakes can severely compromise a company’s resources, security, and reputation. Fortunately, taking a strategic, disciplined, and holistic approach to ERM can help companies mitigate potential threats to their business and protect themselves from bad actors.