Right-Sizing Enterprise Risk Management

Enterprise Risk Management (ERM) should be used by every manufacturer to some degree.

In a right-sized effort, manufacturers can address risks associated with supply chains, workplace safety, information technology (IT) systems and other crucial concerns. ERM also helps ensure achievement of objectives, and identifies opportunities for competitive advantage. ERM focuses attention on the following activities and questions:

•   Risk Identification: What can go wrong?
•   Risk Assessment: How significant is a risk?
•   Risk Response: Should the risk be accepted, mitigated or avoided?
•   Risk Monitoring: Is something really being done about the risk?

Risk—the potential of an adverse event or lost opportunity—is always present. Every organization has a risk tolerance that dictates how it responds to risk. ERM allows for intelligent risk response decisions. ERM enables manufacturers to realize the benefit of lower costs without ignoring risks associated with such outsourcing.

The questions ERM poses are simple and straightforward. ERM has been difficult to implement primarily because organizations approach it as a massive project. Initially, combining distributed risk management efforts is a big job. It takes time to migrate from the old risk-management model that often involved diverse, independently operated functional areas to one that is holistically managed and owned by a specific functional area.

However, ERM should be a phased, evolutionary process that focuses first on the highest entity-level risks and supporting process-level risks. Using this right-sized method, the effort gradually filters outward through the organization while keeping the scope manageable.

While ERM does not eliminate functional area efforts, a realignment of authority, accountability and responsibility establishes greater risk-management timeliness, consistency, efficiency and effectiveness. The holistic perspective provides the basis for managing risk across the organization, rather than just assessing risk in a vacuum.

Establishing agreed-upon organizational objectives is integral in identifying risk, but may be the most difficult ERM task. Each manufacturer has unique objectives, based on its products, suppliers, customers and other factors. Defining those objectives helps leaders recognize the most crucial exposures.

As a model, the ERM effort can be pictured as a declining effort represented by an inverted triangle, with the broad top representing risk identification, and the narrow bottom point representing risk monitoring.

A broad range of risks can be identified. The potential impact or likelihood of most risks, however, does not present significant exposure. Risk assessment then focuses on the more crucial risk events.

Risk response

Leaders then determine the most appropriate risk response for each exposure. Responses include accepting, mitigating or avoiding risk. Risk acceptance depends upon the organization’s risk tolerance. A company that invests heavily in new product development, for example, has a higher risk tolerance than a manufacturer that makes incremental improvements to long-established products. Risk tolerance awareness enables leaders to define a threshold or level of acceptable risk. Ongoing controls to mitigate risk should be established only for exposures that would significantly impair the organization’s achievement of objectives. In extremely high-risk situations, or instances in which a risk does not align with objectives, organizations may avoid risk entirely by exiting an activity.

Finally, risk monitoring is applied to situations in which a failure could produce a material or devastating impact to the organization.

Change continually confronts manufacturers. Commodity prices and interest rates fluctuate. New competitors emerge. With periodic reviews of the risk management scope, manufacturers can use ERM to continuously identify and respond efficiently, consistently and effectively to risks and opportunities that accompany change.

Joseph R. (Jody) Allred, CPA, jody.allred@weaverllp.com, is a partner in Risk Advisory Services at independent certified public accounting firm Weaver, with offices in Dallas, Fort Worth, Houston, San Antonio and Austin.
