Companies face ERM challenges

By Staff Writer, ITWeb
Johannesburg, 11 Jul 2007

Frameworks and methodologies are generally ways to complicate an enterprise risk management (ERM) strategy, and organisations need to simplify this by ensuring they have an understanding of their own risk requirements, says Avi Eyal, CEO of Cura Software Solutions.

The three main challenges organisations face when looking at implementing an ERM strategy are buy-in, scope and maturity, adds Eyal, who will speak at ITWeb's 2007 Enterprise Risk Management Conference at Gallagher Estate in Midrand on 24 July.

"While we see many companies grappling with frameworks, methodologies and policies, these are generally ways of complicating the environment."

He believes the real issue is having a business adopt ERM in the same way it does any other policy or process, which takes buy-in at the top, "as well as a risk manager who knows how to handle the softer issues, such as change management".

Buy-in needs to be coupled with the scope of any ERM project undertaken. "Many organisations adopt an attitude of leaving it in the risk manager's or internal auditor's office," he says, adding that others accept that roll-out to the entire organisation needs to take place.

"However, in truth, the best approach is to make a company-wide decision and make that known to everyone, but then implement one area at a time and secure quick wins before attempting ambitious roll-outs." A sectioned roll-out will help mature the implementation process.

According to Eyal, the third challenge most companies face is maturity. "Trying to reduce ideas and inherent management of risks into qualitative or quantitative parameters takes time, repeated assessments and, thus, a growing maturity."

Wrong choices

"Frameworks exist for managing risk. One can take standards such as ISO31000 and AS/NZS4360 and use them." Although, he says, many organisations choose the wrong policy items to comply with, rather than the few items that specifically relate to the business.

"The right approach is to understand which compliance items are material to the organisation and analyse the applicability of an Act or regulation to the business."

Simply tying each item into policy and procedure will reduce unnecessary over-evaluation of compliance.

Risk retention

In solving ERM challenges, Eyal highlights the fact that an organisation needs to "understand its business".

Companies need to stop outsourcing their risk. "Consulting firms can assist with specifics around compliance, because they have industry and knowledge, but don't hand over your risk to someone who understands less about your business than you."

The best solution to preserve the processes, procedures, policies and intellectual capital in a business is to reduce them to writing in a systematic way, and software enables this, he notes.
