Each day, people assess risks in their lives and apply controls to mitigate those risks, achieve their goals and enhance value. The process is so natural that you likely don’t even realize it’s happening.
For example, you might slow down when driving on icy roads, watch a how-to video before attempting a home repair or build an emergency fund to cover life’s unexpected pitfalls.
The same principle is true for organizations.
But multi-faceted organizations often require a more formal, organized approach to assessing and mitigating risks. That’s where enterprise risk management comes in.
What is Enterprise Risk Management?
According to COSO, enterprise risk management “is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
With enterprise risk management, responsibility for identifying and addressing risks isn’t placed on individual employees, managers, departments or business units. Instead, enterprise risk management addresses strategic risks identified by governance (i.e., the Board of Directors), so the organization’s leaders address risk with a company-wide lens and set expectations accordingly.
Some organizations have been stretched to their limits over the past two years, while others have seen record growth. In any case, whenever there are significant shifts within an organization, the company may need to alter its strategies, adjust financial goals and deal with newly triggered compliance requirements.
An enterprise risk management program helps the organization identify these new demands and weigh risks against opportunities.
For example, many organizations have dealt with supply chain issues in the past two years. Enterprise risk management can help the organization improve the supply chain, better forecast demand, plan inventory, avoid supply chain interruptions and ultimately lower operational costs and improve revenues.
Specific Considerations for Enterprise Risk Management in the Coming Year
As your organization approaches new opportunities in 2022, consider how your enterprise risk management program can enhance value in the following areas.
- Internal Controls – Whether you’re reducing staff or bringing on new hires in key positions, personnel changes can impact your internal control system. You may need to update who is responsible for performing certain tasks, review each individual’s scope of authority and ensure people have been properly trained and are well-versed in the company’s internal controls.
- New Accounting Standards – Take some time to review new accounting standards and evaluate their impact on your organization and its internal controls over financial reporting. For example, you may need to update your policies and internal controls to address the new lease accounting standards (ASC 842).
- Liquidity – Consider your organization’s liquidity risks and determine whether new funding is needed or how you can efficiently deploy excess funds.
- Compliance Requirements – Consider the impacts of new compliance and regulatory requirements. For example, nonprofit organizations, state and local governments, tribes and higher education institutions need a Single Audit if the organization receives $750,000 or more in federal funding in a fiscal year. Additionally, due to new grants and federal funding related to COVID-19, many for-profit entities will require a Single Audit for the first time if the funds received were $750,000 or more.
- Information Technology – Evaluate changes affecting the organization’s IT environment, such as automated application controls, system and control configurations, report writers and cybersecurity incidents.
- Company Culture – Consider the pandemic’s impacts on your organization’s culture. For example, will team members continue to work remotely on a full- or part-time basis? How will that impact your company culture going forward? How will you ensure remote employees feel like a part of the team? How will you rebuild elements of company culture that suffered while team members were working remotely?
Elevating Your Enterprise Risk Management with Risk Assessments
If you’re wondering where to start with a solid enterprise risk management plan, consider your company’s risk assessment document.
A risk assessment investigates your business’s infrastructure in order to:
- Identify weaknesses and risks;
- Help a business decide which risks and weaknesses to prioritize at a given time; and
- Determine how to eliminate those weaknesses and risks.
Remember that risk assessments are living, breathing documents that must be nurtured and updated regularly—possibly more often than annually.
For example, if your organization is dealing with rapid growth or high staff turnover, you need to ensure the way new staff members perform their roles aligns with the risk assessment and provide training on internal controls and safe working practices where necessary.
Think of risk assessments this way: if something were to change or go wrong with your body suddenly, you would want to visit your doctor immediately, regardless of whether you’d had your annual checkup last month.
Likewise, you should review risk assessments when you notice a sudden increase in employee absences, high turnover, large budget variances, lost revenues and other situations that may signal changes in the company’s risk profile. Frequent and regular checkups will help the Board and management ensure that the organization stays on track.
Connect with an Advisor about Enterprise Risk Management
The only thing certain in business is uncertainty. By establishing an enterprise risk management program, you can set your organization up to be resilient in the face of uncertainty and create a path to improved business performance.