C-suites focus on implementing Enterprise Risk Management enterprise-wide

Friday, 11 May 2012


In the context of global economic uncertainty, the challenges and opportunities faced by companies around the world continue to evolve. At the same time, the evolution of information and communication technology, the convergence of technology, media and telecommunications, and the spread of the internet have dissolved business boundaries as globalisation proceeds. Business enterprises are therefore exposed to many risks and uncertainties.

The public domain carries news of the sudden collapse of business giants worldwide. Later analysis has found that the cause was a failure to foresee the risks they would have to face. Realising this, many companies globally have taken initiatives to establish formal, enterprise-wide risk management processes, which has led to the build-up of Enterprise Risk Management (ERM). ERM means managing positive (rewarded) risk to grow the business, create value and realise it, and managing negative (unrewarded) risk to protect existing assets.

In this regard, C-suites have initiated programmes to create a risk-intelligent culture across their companies as a priority in a highly volatile business environment. A risk-intelligent business culture enables managers to take rewarded risks by investing reasonable resources, and to manage unrewarded risks within the organisation's risk appetite using minimum resources.

A recent survey by Harvard Business Review Analytic Services found that ERM processes have been growing over the past three years, but that most companies still have a long way to go. Financial sector institutions, however, already have established and well-matured risk management processes.

ERM concept

ERM is an emerging concept which is being enriched by the contributions of non-profit, private and commercial organisations: developing models for ERM frameworks, conducting research and surveys, publishing on ERM knowledge areas, and developing management tools and systems. Examples include the ISO 31000:2009 standard, the COSO framework, the AS/NZS 4360:2004 standard and the work of the Casualty Actuarial Society. Of these, the framework developed by COSO is the reference framework most companies use to initiate ERM.

ERM requirement

In the public domain there have been many reported cases of sudden events that caused losses to individuals, public and private institutions, Government institutions, property and businesses. Recent local examples include service sector failures, change management failures, procurement issues, natural disasters, bankruptcies of financial institutions, and diseases and epidemics; internationally there are many more, with global impact. Later analysis of these cases has found that accountability lies with the C-suite, where attention was not given to preparing the organisation to see future risks and uncertainties.

Local Context

In the local context, with Sri Lanka's vision of becoming the 'Wonder of Asia', Government institutions and private and public enterprises have launched several initiatives in the form of programmes and projects involving huge capital investment.

To achieve the final objectives of those programmes and projects, it is appropriate to use best practices in programme and project management, risk management and a Stage-Gate investment governance process. It is therefore very important to establish risk management processes and to create a risk-intelligent culture in public and private business enterprises and Government institutions, so that the best is reaped from those investments. Creating a risk management culture is the foundation of ERM.


Establishing investment governance best practices requires a change of business culture within the organisation, which is not an easy task. Training on best-practice concepts, workshops, and the establishment of a framework, risk management processes, systems and tools are some of the steps that need to be initiated.

New Capability

Fig. 1 shows the drivers that make an ERM process effective and how those cornerstone elements are driven. All this effort will succeed only if the process is led and owned by the top management of the enterprise.

Defining an ERM framework further involves defining the risk appetite, defining and monitoring Key Risk Indicators (KRIs), and addressing people, process and systems; these are the main tasks in establishing risk intelligence. The C-suite should have a good understanding of how the ERM concept works and should arrange appropriate training for subordinates. It is also important that they lead the action to establish risk management processes within each functional unit, under the leadership of the C-suite and senior managers.

Initiate ERM

Establishing ERM is a new change drive in an organisation. When initiating the ERM process, it is recommended to use existing resources, processes, forums and committees, and to start with an incremental, step-by-step approach, since it has an impact across the whole organisation. Defining an ERM framework for the company is important; Fig. 2 shows an example of an ERM framework.

A matured ERM process will provide information on business-critical emerging and dynamic risks. With that information, the board of directors and the C-suite will have better insight into the company's performance, so management can initiate appropriate response plans and strategies to achieve organisational objectives.

Risk appetite

Risk appetite is unique to each organisation. In its simplest meaning, risk appetite is the amount of risk one is willing to take in achieving a set target, at the individual level. For an organisation, however, it takes the form of high-level risk appetite statements, defined for each category of risk and expressed in quantifiable terms.

Risk appetite statements are initiated by the C-suite managers and the CEO, who obtain approval from the board of directors. The approved statements are then cascaded down to functional units and risk owners, and communicated together with the risk tolerance, which is the deviation from the defined risk appetite that an individual may accept in order to achieve a task.

Key Risk Indicators

Key Risk Indicators (KRIs) provide early signals to an organisation that risk exposures are increasing in various business units and threatening the achievement of organisational objectives. These indicators give early warning of risks the organisation will have to face.

Risk owners should identify risk indicators and interpret the KRIs and their signals on intensity (probability and impact) and on the closeness of the risks (which may be emerging). Managers will then have to change strategies to maintain outcomes and achieve the desired objectives.
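As an added illustration (not part of the original column, and not a tool from Sri Lanka Telecom or any of the references), the following Python sketch shows how the quantified risk appetite statements and tolerances described in the previous section could be cascaded to risk owners, and how KRI observations could be evaluated against them. It scores each KRI as probability times impact, classifies the latest score as within appetite, within tolerance or a breach, and flags an indicator that is still within appetite but rising fast enough to cross it on the next observation as "emerging". The categories, appetite figures, KRI names and observations are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


# Risk appetite statement for one risk category, in quantifiable terms.
# 'appetite' is the maximum exposure score the board accepts; 'tolerance'
# is the extra deviation a risk owner may accept for a single task.
@dataclass(frozen=True)
class RiskAppetite:
    category: str
    appetite: float
    tolerance: float


# A KRI with its observations, oldest first. Probability is 0..1; impact is
# in the same unit as the appetite (constructed here as thousands of LKR).
@dataclass(frozen=True)
class KRI:
    name: str
    category: str
    probability: List[float]
    impact: List[float]


def exposure_series(kri: KRI) -> List[float]:
    """Exposure score per observation: probability x impact (rounded)."""
    return [round(p * i, 2) for p, i in zip(kri.probability, kri.impact)]


def classify(kri: KRI, appetite: RiskAppetite) -> Dict:
    """Compare the latest exposure with appetite and tolerance, and flag an
    indicator that is within appetite but trending to cross it next period."""
    series = exposure_series(kri)
    current = series[-1]
    if current <= appetite.appetite:
        status = "within appetite"
    elif current <= appetite.appetite + appetite.tolerance:
        status = "within tolerance"
    else:
        status = "breach"
    emerging = False
    # Emerging: strictly rising over the last three observations, and the
    # average rise per period would carry it past the appetite next time.
    if len(series) >= 3 and series[-1] > series[-2] > series[-3]:
        trend = (series[-1] - series[-3]) / 2
        emerging = status == "within appetite" and current + trend > appetite.appetite
    return {"kri": kri.name, "category": kri.category, "exposure": current,
            "status": status, "emerging": emerging}


def kri_report(kris: List[KRI], appetites: List[RiskAppetite]) -> List[Dict]:
    """Evaluate every KRI against the appetite statement of its category."""
    by_category = {a.category: a for a in appetites}
    return [classify(k, by_category[k.category]) for k in kris]


def escalations(report: List[Dict]) -> List[str]:
    """KRIs that need C-suite attention: breaches and emerging risks."""
    return [r["kri"] for r in report if r["status"] == "breach" or r["emerging"]]


# Constructed sample data (illustrative figures, not real ones).
APPETITES = [RiskAppetite("operational", 50.0, 10.0),
             RiskAppetite("project", 100.0, 20.0)]

KRIS = [
    KRI("unplanned outage hours per month", "operational", [0.2, 0.3, 0.5], [100, 100, 100]),
    KRI("change failure rate", "operational", [0.4, 0.4, 0.6], [100, 100, 100]),
    KRI("vendor delivery slippage", "project", [0.5, 0.7, 0.9], [150, 150, 150]),
    KRI("procurement appeals", "project", [0.1, 0.1, 0.1], [200, 200, 200]),
]

if __name__ == "__main__":
    report = kri_report(KRIS, APPETITES)
    for row in report:
        print(f"{row['kri']:<36} exposure={row['exposure']:>7} "
              f"{row['status']:<17} emerging={row['emerging']}")
    print("escalate to C-suite:", escalations(report))
```

The point of the "emerging" flag is the one made in the text: a KRI that is still inside appetite today can already be the most important signal if its trend says it will not be tomorrow, so the report escalates it alongside outright breaches rather than waiting for the threshold to be crossed.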


Identifying and managing risks is key to the survival of any business entity. Therefore, to reduce losses and to create and realise value to the satisfaction of stakeholders, every organisation should be prepared to manage risks and uncertainties. To manage risks, initiatives to implement ERM should be a priority. Initiating ERM is very challenging and may require compliance with legal requirements.

In this regard, it is appropriate for the Government and the relevant authorities to initiate action to impose the legislation needed to require implementation of ERM processes in public and private institutions. This will enable better services to the public and protect public investment in corporations. It will also help to reduce unexpected surprises and business calamities at every level.


References

1. ISO 31000:2009, Risk management - Principles and guidelines

2. Enterprise Risk Management - Integrated Framework, COSO, www.coso.org

3. Risk Intelligent Enterprise Management, Deloitte, www.deloitte.com

4. Report on the Accenture 2011 Global Risk Management Study, Steve Culp

5. Risk Management in a Time of Global Uncertainty, Harvard Business Review Analytic Services

(The writer, C.Eng., MIE (SL), PG Dip. DBFA (SL), MBA (USQ, Australia), is Deputy General Manager of Project Portfolio Management, Sri Lanka Telecom PLC.)