Risk management must not be event-driven

By Admire Moyo, ITWeb's news editor.
Johannesburg, 06 Mar 2013

Enterprise risk management (ERM) must not be driven by events, as this approach usually does not result in an organisation getting the desired results.

So said Tichaona Zororo, director of EGIT, in a keynote address during the ITWeb Governance, Risk and Compliance Conference in Johannesburg yesterday.

According to Zororo, rather than being reactive, organisations must be proactive when putting ERM measures in place.

"ERM is not about patching up holes," he said. "It is also not about taking a 'stove pipe' approach that only fixes short-term problems."

Defining ERM, Zororo said: "ERM is a process effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the entity objectives."

On IT risk, he noted that it is business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. "It consists of IT-related events that could potentially impact the business."

When considering IT, he said organisations must realise that IT risk management is an integral part of ERM involving aspects like aligning the management of IT-related business risk with overall ERM.

He therefore pointed out that organisations must take an integrated approach to ERM, adding that among its objectives, ERM aims to provide reasonable assurance to an entity's management and board that the entity's business objectives are achieved.

He explained that this involves aligning risk appetite and strategy; seizing opportunities and improving deployment of capital; identifying and managing cross-enterprise risks; providing integrated responses to multiple risks; enhancing risk response decisions; as well as reducing operational surprises and losses.

"Risk management is an all-encompassing and strategic requirement in any enterprise," Zororo added.

When implementing ERM, he pointed out that it is the duty of the board of directors to ensure that the risk appetite implicit in the company's business model, strategy, and execution is appropriate.

"The board must also ensure that management has implemented a system to manage, monitor, mitigate risk, and that system is appropriate given the company's business model and strategy. It must also see that the expected risks are equal to the expected rewards and ensure that the risk management system informs the board of the major risks facing the company."

It is also the duty of the board to make sure that an appropriate culture of risk-awareness exists throughout the organisation and see to it that there is recognition that management of risk is essential to the successful execution of the company's strategy, he added.

According to Zororo, ERM is a central part of the strategic management of any organisation. "It is the process whereby organisations methodically address the risks attached to their activities.

"Risk management should be supported by an appropriate structure to the organisation and its external environment like size, nature and complexity. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances."

He added that risk management must be integrated into the culture of the organisation and this will include mandate, leadership and commitment from the board.