An Introduction to Enterprise Risk Management
When people hear the term Enterprise Risk Management (ERM), many things come to mind. Some associate the words with a complex and cumbersome process in which only large entities engage. Others immediately think of financial risk and asset protection. Often, the term elicits a negative connotation.
However, it’s important to understand why ERM is essential no matter what size business you operate. Experience shows that an ERM process can not only help to mitigate financial risks and protect assets but also that it does not have to be burdensome nor should it result in limiting what you or your company wants to do.
In fact, I’d argue to the contrary. My experience, both professionally as the Senior Safety and Risk Executive for the Outdoor + Adventure Practice at Fred C. Church and personally as an accomplished adventurer, has shown that the discipline of risk management should be used by everyone, not just the largest Fortune 500 companies. The process, when applied correctly, can help a family, individual, or organization of any size develop strategies to make smarter decisions, mitigate strategic, operational and financial risks, and thus, protect reputations and tangible assets.
What is Enterprise Risk Management (ERM)?
At its core, the discipline of ERM provides a structured process to Identify, Assess, and properly Address hazards and risks. It provides a framework for deciding which risks to assume, which to transfer, and which to avoid. The process can be described in four phases:
1. Identify – First, you need to make certain that you fully recognize and Identify all risks associated with your project or activity.
2. Assess – Then, for each identified risk, Assess the probability and severity of a negative outcome.
3. Address – Risks can be Addressed through the use of careful mitigation strategies (e.g., training and education, enhanced policy and procedure, equipment, etc.). Or, for those risks that cannot be mitigated, risk transfer through either contractual agreements with subcontractors or an insurance program should be investigated.
4. Assume – The final phase is to make a decision about Risk Assumption. In this phase, you need to ask yourself if the mitigation and transfer strategies are sufficient for your enterprise to engage in said activity, project, etc. If the answer is yes, then you are accepting the residual risks. Alternatively, you can decide that these activities pose too much risk for your company and avoid them. Inherent to the Assumption phase is that the enterprise will make decisions about which risks to Assume based on the organization’s overall risk tolerance.
In some cases, an enterprise might choose to assume more risk. An example of this would be a business that accepts a higher deductible on a Commercial General Liability policy, and thus transfers less risk to the insurance provider and takes on more responsibility themselves. A “human” example of this would be a mountaineer choosing to climb with less gear. They are betting that, with a lighter pack, they can move faster and summit and descend more quickly to avoid the risk of being exposed to on-coming bad weather. In both cases, a decision is being made to accept and assume more risk.
There are dangers for a business (or a climber) when they unintentionally fail to identify their risk fully or for those who don’t take the time to assess mitigation and transfer of risk adequately. It is my job as a mountain guide and a risk management professional to prevent that from happening.
Because we live in a dynamic world, and hazards and risks often change rapidly, I believe ERM – identify, assess, address and assume – should be an ongoing process that’s regularly used to re-evaluate organizational threats and the effectiveness of mitigation and transfer strategies.
Ultimately, the discipline of ERM can be used to help families, individuals, and organizations of any size, develop strategies, make decisions, and achieve goals. To prove that this is an accurate statement, I would like to share a real-life example of how one of my closest friends, along with his family, used ERM to weigh the pros and cons of a life-changing opportunity.
Enterprise Risk Management: A Case Study in International Travel
While at a teacher’s conference, my good friend Lee unexpectedly interviewed for and was offered a position as the Chair of the Math Department at a prestigious boarding school. This opportunity could be both an exciting professional challenge and a good career move for him. The offer should be no big deal, right? People change jobs all the time. Well, in my friend’s case there’s a bit more to the story.
Lee and his family lived in rural New England, right here in the United States, and this new position would require him to move India. To make matters a little more complicated, Lee has three children: a sophomore and a senior in high school and a middle schooler. Plus, his wife, Jill, just landed her dream job. With so many competing factors to consider, how would they ever decide what to do? This is where their application of a “family ERM” came into play.
Being a math teacher, my friend errs on the side of logic, and like solving any math problem, he and his family used a structured process to evaluate their options. They started the process by doing research and clearly identifying their potential risks. While they didn’t call it this, what they actually built was what risk managers call a Risk List or Risk Register.
I have organized their Risk Register and the risks they identified into three standard ERM categories – strategic, financial, and operational risks.
Once they had an initial list of risks and questions, they reconvened to assess them and create a plan to address and mitigate them.
Strategic Risk – Career and Education
Lee and Jill assessed both the Probability and Severity of the risk to their careers as Low. Lee had been preparing to be an administrator and this would be an excellent opportunity. However, he would also have the chance to continue being a classroom teacher. The combination of duties would not only be fulfilling for him but also serve to enhance his overall career. To further Address and Mitigate his career risk, Lee would engage in professional development and enroll in a Doctor of Education program.
Jill, who is a registered nurse, learned that the boarding school needed a nurse in the health center, and there would be a high probability that she could also volunteer at the local hospitals in India. In fact, during the summer months, she would have the opportunity to volunteer in one of the busiest hospitals where she would likely be involved in the delivery of +/- 30 babies/month. This experience would make her highly desirable and prove invaluable when they chose to return stateside. Similar to Lee, Jill would also engage in a professional development opportunity by pursuing an advanced nursing degree while abroad; further Mitigating potential risks to her career.
After talking with their children and their respective college counselors, Lee and Jill assessed the risk of this move having a negative impact on their children’s studies and college admissions, as low to moderate. They learned that colleges often view international travel and education in a positive light. An experience like this would set their children’s college applications apart as well as give the kids a broader view of the world. Although their children are very resilient, adventurous, and adaptable, and all three were excited about the possible move, Lee and Jill could not ignore that assimilation into a new school and culture could negatively impact the kids’ grades. To Address and Mitigate this risk, they uncovered that tutors and counselors would be available to assist.
Lee and Jill assessed the Financial Risks as low to moderate. There were a number of mitigating factors that could reduce the family’s inherent financial risks. Lee’s salary would be reasonable, and although Jill did not have a contract to work at the school yet, there was a high probability she would be hired soon after arriving in India. Additionally, the cost of living at the school would be very affordable. As a faculty member of the boarding school, room, board, and reduced tuition for the children are included as part of Lee’s overall compensation. Other expected living expenses were determined to be relatively low.
Operational Risk – Culture
The cultural risks associated with this move all centered on how well the family would assimilate and if they would feel isolated and alone in a new country. Although members of Lee and Jill’s family had traveled outside of the U.S., they had never traveled to a country like India. Additionally, some family members had not had a positive experience learning new languages, so there was a concern about their abilities to learn Hindi and communicate with colleagues, teachers, and locals. For these reasons, the family assessed the isolation risks in the upper end of the moderate range. However, the family was able to identify many factors that mitigated the cultural risks.
Inherent to the assessment and assumption phases is determining the probability of a positive outcome.
Probability of Gain
We in the risk management business often talk about risk as the Probability of Loss and therefore use the equation: Probability x Severity = Risk Value.
However, what we can miss in these conversations is the other side of the coin or the Probability of Gain. Meaning, in addition to the risks of negative outcomes, Lee and Jill also had to consider the possible benefits of this career move for their family. Those benefits are outlined below:
The family determined that they have a high tolerance for adversity and are comfortable with uncertainty.
Once Lee and Jill considered the mitigation strategies, and re-assessed their inherent risks, they determined that the overall residual risk to the family enterprise was in the low to moderate range. They also weighed the probability for gain and the risk of not accepting this opportunity, which they agreed was significant.
So, after a thoroughly conducted risk assessment, they decided to Assume the risks and go for it! However, they made a plan to periodically re-evaluate their decision and mitigation strategies to determine if their decision still fit their family’s risk tolerance.
Although I wrote this case study about a family enterprise and how they managed the risks of a trans-continental, cross-cultural move, the ERM process is essentially the same for all enterprises.
Of course, a large-scale enterprise would likely use risk evaluation tools, such as heat mapping, as part of a formal process to assess each risk and evaluate their risk transfer strategies. However, the basics are the same: Identity, Assess, Address, and Assume the strategic, financial, and operational risks to your enterprise and what you want to accomplish.
If I can leave you with one thing, let it be this: Risk Management is not a barrier to accomplishing your goals, but rather a tool that can help you reduce “siloed” thinking, and, ultimately, help you make sound decisions that will fit within your tolerance for risk.
About the Author
Mark Vermeal’s insight into the needs of the outdoor and adventure industry comes from his blend of outdoor industry experience in senior-level positions in the adventure and non-profit educational sectors. He holds a Master’s of Education and most recently, before joining the team at Fred C. Church, served as the Vice President of Safety for Outward Bound USA where he oversaw the safety management systems for the network of eleven regional schools across the US. Before Outward Bound, Mark held prestigious positions at the White Mountain School (1995-2007), where he was the Director of the Wilderness Skills Program, and as the National Director of Risk Management and Safety for the Student Conservation Association (2007 – 2010). Mark is also an accomplished outdoorsman and a well-respected leader outside the office. He is a certified American Mountain Guides Association Rock Instructor and Single Pitch Instructor Provider with rock, ice, and alpine guiding experience, both abroad and domestically. Currently, he serves on the Risk Oversight Committee for the Outward Bound Canada Board, the American Alpine Club Education Task Force, and has been a presenter at the Wilderness Risk Management Conference since 2007.
For more information about the Fred C. Church Outdoor + Adventure Practice and our Risk Advisory approach, be sure to visit www.fredcchurch.com or call Mark at +1.978.322.7272.