The ABCs of ERM

How companies are using enterprise risk managers to do better business

Risk or heat maps show the results of a risk assessment and help companies set risk management priorities.

We are taught to manage risks from the time we are children in order to protect ourselves: look both ways before crossing the road, wear a helmet when you ride your bike, don’t get into a car with strangers. Organizations take it a step further by employing enterprise risk management strategies to protect their business from negative consequences should corporate risks become a reality.

“The basic idea around risk management is to figure out, based on what your goals and strategic objectives are, what the risks are to achieving them,” says Anne Kleffner, professor of risk management and insurance at the University of Calgary’s Haskayne School of Business.

While it’s mostly larger companies that have dedicated risk management professionals, these duties at smaller companies can be folded into the job descriptions of several different positions, hired out to a risk management consultant, or taken on by an insurance broker to ensure those roles are covered. Regardless of whether it’s a large or small company, a private, non-profit or public entity with an informal or structured department, risk management plays an important role in every business.

“We don’t have a formal risk management framework but still it is intrinsically embedded in the organization through activities and philosophies that enhance quality and patient safety,” says Steen Pedersen, director of EMS quality and patient safety for Alberta Health Services (AHS). “We manage risks in a variety of ways. One of the main ways is by using standardized evidence-based protocols that we take a great deal of time building. Paramedics in Alberta are guided by these standardized protocols for every patient encounter.”

Using a variety of methods such as risk-reporting systems, just-culture philosophies, the complaints and commendations framework, standardized policy, and third-party accreditation, the AHS is able to assess and address risks in order to maximize patient safety and empower staff to do the best job possible. After all, risk tolerance is very low for an organization like AHS, whereas private companies in business to make a profit have a much higher tolerance. Part of a risk manager’s job is to determine the corporate risk-tolerance level and mitigate the risks to fit that allowance.

Identifying tolerance and risk is not a new construct. Risk management has been around since the 1950s when it was predominantly an offshoot of insurance protecting companies from losses resulting from accidents. In the 1970s, companies started incorporating derivatives as risk management tools to protect against uninsurable risks. Throughout the 1980s and 1990s, more companies began to introduce risk management models to their corporate structure until the events of 2001 pushed risk management to the forefront.

“After 9/11 and the Enron bankruptcy, there was new legislation in the U.S. that also impacted Canadian companies. It changed the expectations for everybody,” says Kleffner. “Since then, companies have gone beyond compliance to figure out how to make risk management work more effectively and be more beneficial.”

Today’s risk managers need a comprehensive understanding of the business in order to help corporate decision-makers identify and understand their risk exposure. Regardless of the level of sophistication or size of the company, risk managers ask the same general questions: what could go wrong, how would the company plan for and prevent it from happening, and what would it do if things did go wrong?

These risks fall into five general categories: compliance, operational, reputational, strategic and financial. Risk managers identify their potential risks in these areas based on the organization’s past experiences, the experiences of similar companies, employee and customer feedback, and industry statistics. This process can generate a huge list of potential risks that can seem impossible to manage. Access databases and software programs allow risk managers to collect, sort, catalogue and code the potential risks in order to more effectively evaluate them.

To get to the core of which risks are most catastrophic, risk managers assess them according to frequency (the probability of the risk happening) and severity (the monetary impact to the company). A heat or risk map helps managers rank risk through a visual representation of which risks pose the greatest threat to a company’s success.

“It’s often a 5×5 grid with a severity scale up one side and frequency scale across the bottom. Green in the bottom left is good, yellow in the middle is in progress and red in the top right is the highest risk,” says Darius Delon, president of Risk Management 101. “Companies determine their tolerance on the heat map and anything over that is what you want to give more attention to.”

Once controls are applied to these inherent risks, the position of the risk on the map could change or disappear completely. For example, the risk of death after jumping out of an airplane is 100 per cent but by adding the control of a parachute that risk drops to around two per cent. The risk went from catastrophic red to negligible green. When risk managers do the same to the other potential risks, the position of the residual risks on the map dictates their risk management strategy.

Organizations can’t eliminate risk completely and still do business. The key is to reduce the impact of the risks through mitigation, whether that’s increased training and education for staff, having clear procedures in place, improved product design or even eliminating a high-risk practice or product altogether. Companies can also choose to accept the risk as is, finding it would cost more to mitigate than the risk poses. Risk managers also look at transferring the risk to others when possible. Insurance is a solid option to mitigate low-frequency, high-severity risks while third-party contracts and agreements can be an effective way of transferring the responsibilities associated with certain risks. These controls all bring down the risk map numbers and make risks more manageable for companies.
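The scoring, mapping and treatment steps described above, carried through as a small risk register, are illustrated below. This is an added example, not code from the article or from any of the organizations it quotes. The register entries, the effect each control has on frequency and severity, the colour banding, and the tolerance value are constructed assumptions; the 5×5 grid with severity up the side and frequency along the bottom follows the article's description.

```python
"""Frequency x severity heat map with inherent and residual risk scoring.

Added worked example, not code from the article or from any organization
it quotes. Register entries, control effects, colour banding and the
tolerance value are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

GRID = 5  # 5x5 map: both axes scored 1..5, as described in the article


def clamp(x: int) -> int:
    """Keep a score inside the 1..5 range of the grid."""
    return max(1, min(GRID, x))


@dataclass
class Risk:
    name: str
    category: str       # strategic, compliance, operational, financial, reputational
    frequency: int      # 1 = rare .. 5 = almost certain
    severity: int       # 1 = negligible .. 5 = catastrophic
    # (control name, reduction in frequency, reduction in severity): assumed effects
    controls: list[tuple[str, int, int]] = field(default_factory=list)

    def inherent(self) -> tuple[int, int]:
        """Position on the map before any control is applied."""
        return self.frequency, self.severity

    def residual(self) -> tuple[int, int]:
        """Position on the map after every listed control is applied."""
        f, s = self.frequency, self.severity
        for _, df, ds in self.controls:
            f, s = clamp(f - df), clamp(s - ds)
        return f, s


def score(cell: tuple[int, int]) -> int:
    """Cell score is frequency times severity."""
    f, s = cell
    return f * s


def band(cell: tuple[int, int], tolerance: int) -> str:
    """Colour of a cell: red above tolerance, yellow in the middle, green low."""
    sc = score(cell)
    if sc > tolerance:
        return "red"
    if sc > tolerance // 2:
        return "yellow"
    return "green"


def treatment(risk: Risk, tolerance: int) -> str:
    """Pick one of the treatments the article lists for the residual risk."""
    f, s = risk.residual()
    if f <= 2 and s >= 4:
        return "transfer"   # low-frequency, high-severity: insurance candidate
    if f * s <= tolerance:
        return "accept"     # residual risk sits within the company's tolerance
    return "mitigate"       # still above tolerance: more controls, or drop the activity


def rank(risks: list[Risk], tolerance: int) -> list[tuple]:
    """Risks ordered by residual score, highest first, with band and treatment."""
    rows = [
        (r.name, score(r.inherent()), score(r.residual()),
         band(r.residual(), tolerance), treatment(r, tolerance))
        for r in risks
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def heat_map(risks: list[Risk], tolerance: int, residual: bool = True) -> list[str]:
    """Render the 5x5 map as text: severity down the side, frequency along the bottom.

    Each cell shows its colour letter (R/Y/G) followed by the initials of the
    risks that sit in it.
    """
    cells: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        pos = r.residual() if residual else r.inherent()
        cells.setdefault(pos, []).append(r.name[0])
    lines = []
    for s in range(GRID, 0, -1):
        row = []
        for f in range(1, GRID + 1):
            tag = band((f, s), tolerance)[0].upper()
            row.append(f"{tag}{''.join(cells.get((f, s), [])):<3}")
        lines.append(f"S{s} | " + " ".join(row))
    lines.append("     " + " ".join(f"F{f}  " for f in range(1, GRID + 1)))
    return lines


# Constructed sample register (not the article's data).
REGISTER = [
    Risk("Ransomware outage", "operational", 4, 5,
         [("offline backups with tested restore", 1, 2), ("MFA and patch cadence", 1, 0)]),
    Risk("Data centre fire", "operational", 1, 5),
    Risk("Missed regulatory filing", "compliance", 3, 3, [("compliance calendar", 2, 0)]),
    Risk("Key supplier price spike", "strategic", 4, 3),
]
TOLERANCE = 6  # constructed: any cell scoring above 6 gets attention

if __name__ == "__main__":
    for name, inh, res, colour, action in rank(REGISTER, TOLERANCE):
        print(f"{name:<26} inherent={inh:>2} residual={res:>2} {colour:<6} -> {action}")
    print("\n".join(heat_map(REGISTER, TOLERANCE)))
```

Running the block prints the register ranked by residual score and the residual-risk map. The ransomware entry moves from 20 (red) to 6 (yellow) once its two assumed controls are applied, the data-centre fire stays in the low-frequency, high-severity corner and is flagged for transfer, and the uncontrolled supplier risk remains above tolerance and is flagged for mitigation.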

“An iPad has some sharp edges but if I rounded off the edges and threw it at you, you wouldn’t get cut but the impact from the weight of it might hurt. That’s kind of what you’re doing with your risk profile. You need to take risks but what you try to do is soften the corners,” says Delon.

Once a risk management plan is in place it requires yearly review to ensure new risks haven’t arisen or recent events haven’t changed the ranking of existing risks. That’s especially true given the rise in cyberattacks and technology-based risks that change quickly and often. In order for the process to be effective, there has to be a culture conducive to reporting potential risks and open to spending the time and money necessary on changes to safeguard against them. In the past, risk management teams have been seen as doom-and-gloom downers pushing a worst-case-scenario agenda. Companies are now recognizing the importance of risk management strategy to the business’s success, and that risk managers and the interests of the C-suite are two sides of the same coin.

“Risk management needs to be built into everyday business. Every decision-maker at an organization has to have risk at the back of their mind not only to safeguard the company but also to be aware of the types of risk strategically that they should be looking at,” says Curtis Desiatnyk, manager of insurance and operational risk at Mount Royal University and a director of SARIMS.

No matter the industry or size of business, risk management is a key business tool that is critical to a company’s growth and success.

Risks to Companies

Strategic – company is unable to reach goals due to such factors as technological changes, increased competition, change in customer needs, costs of materials

Compliance – company isn’t adhering to all the laws and regulations that apply to its business

Operational – unexpected inability to operate day-to-day due to such events as power outage, environmental/weather disaster, employee error

Financial – failure to collect payment, incurring debt, unexpected interest rate hike

Reputational – lawsuits, product recall, negative publicity, social media criticism