MANAGING THE NOISE OF RISK: WHAT IS ERM? 

BY Dafni LeFlore

Director, Enterprise Risk Management
TriNet, Inc.

March 2024

 

During a January 2024 episode of the podcast “On Purpose,” creator and host Jay Shetty sat down with former First Lady of the United States Michelle Obama. He asked one pointed question that may by far be the thoughts and sentiments of most organizations in such a disruptive business climate.

“What is the thing that keeps you up at night now, or what is your biggest fear now, after having overcome so many?” Shetty inquired.

“It has less to do with me personally and more to do with the world that we’re in,” Obama states. “There’s such a thing as knowing too much, and when you’ve been married to the president of the United States who knows everything about everything in the world, sometimes you just want to turn it off. Those are the things that keep me up because you don’t have control over them,” she continued.

WHEN WE TURN IT OFF

It is quite evident that disruption has been here for some time now and the business community has not been able to “turn it off” or ignore it. We have seen countless examples where companies knew what was coming, but the inherent desire to “turn it off” just made more business sense. Many times, focusing on the controllable is the easier and less costly thing to do. Blockbuster and Polaroid are two examples of companies that knew digitalization was an uncontrollable, emerging risk but could not pivot and manage their expectations of just how quickly it would change the world. Even more recently, the PEO industry was impacted by the closing of regional banks, requiring more robust payroll processing resiliency plans. Whether it’s controllable or not, it is imperative that businesses not continue to ignore emerging threats as though events are too impossible to occur. Instead, they should rely on a trusted advisor to manage the noise of disruption while balancing day-to-day, apparent demands.

WHAT IS ERM?

Enterprise Risk Management, or ERM, serves as that very advisor that maintains a broad, forward- looking view of risks to organizations. According to North Carolina State’s Poole College of Management Enterprise Risk Management Initiative, “the objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives. The “e” in ERM signals that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the strategic objectives of the business. In other words, ERM attempts to create a basket of all types of risks that might have an impact – both positively and negatively – on the viability of the business”.

To achieve this, ERM focuses on three main processes. First, ERM identifies broad level risks such as operational, financial, legal, strategic, and technological. Secondly, ERM assesses those risks based on factors such as impact (i.e., how will it feel), likelihood (i.e., what are the chances it will be felt), velocity (i.e. how soon will it be felt ), control effectiveness (i.e. have we reduced the impact), and management preparedness (i.e., are we ready to fell it) to determine the look and feel of those risks to the organization. Thirdly, ERM manages and monitors how these risks are behaving in the presence (or absence) of mitigating actions (based on the level of risk a company is willing to tolerate) over time as they may otherwise be deeply interdependent across a company’s people, processes, and systems.

The early identity of ERM was not always as broad as it is today, however. Risk management has always been a part of business operations, but it is typically siloed within individual departments such as security, insurance, and safety. These departments manage risks specific to their areas of expertise, maintain a reactive view of risks, tend to be risk adverse, and have limited coordination or integration across the organization. Throughout the 1990s to 2000s, several high-profile corporate scandals and failures, such as Enron and WorldCom, prompted the need for a more holistic, proactive approach to risk management that included greater transparency and accountability amongst senior leaders and boards. Regulators began requiring formal ERM programs for U.S. financial institutions and some government-sponsored enterprises. By 2008, the global financial crisis further emphasized the importance of effective risk management with a stark reality: The crisis exposed weaknesses in risk management practices, leading to a renewed focus on ERM within non-financial sectors.

MANAGING THE NOISE

It is critical to have a risk oversight program constantly scanning the risk landscape for potential threats as the volume and complexity of risk is increasing. The 2023 Global State of Risk Oversight Report highlights that 55% of companies of different sizes and industries have experienced a major operational surprise within the last five years. However, only one third of organizations have complete ERM processes in place. For companies that do have a formal ERM program, ask yourself what they see that others do not. According to the 12th Annual Executive Perspective on Top Risk for 2024 and a Decade Later, below are top risks for leaders in all industries to consider.

Top 5 Risks for 2024

  1. Economic conditions, including inflationary pressures
  2. Ability to attract, develop and retain top talent, manage shifts in the labor market expectations and address succession challenges
  3. Cyber threats
  4. Third-party risks
  5. Heightened regulatory changes and scrutiny

Top 5 Risks for 2034

  1. Cyber threats
  2. Ability to attract, develop and retain top talent, manage shifts in the labor market expectations and address succession challenges
  3. Adoption of digital technologies requiring new skills in short supply
  4. Rapid speed of disruptive innovations enabled by new and emerging technologies and/or other market forces
  5. Heightened regulatory changes and scrutiny

As can be noted, each of the above risks can have a material impact on the PEO industry. The question is not if these risks will truly manifest, but rather when they will do so. This is not the only question, however, that should be asked. Whether you have a dedicated ERM program or not, leaders are encouraged to talk to their teams and ask these questions about the above risks: Do we know enough about this risk? Which of these risks should “keep us up at night”? Has this risk been “turned off” in terms of our willingness and/or ability to give it more attention? Is it controllable or non-controllable? And if controlled, how well controlled is it? Have we considered the opportunities associated with this risk? How might this risk impair our ability to meet our long-term strategy? Have we gotten so comfortable with our ability to successfully react that we are undervaluing our need to proactively respond to any of these risks?

 

SHARE


RELATED ARTICLES

RISK

TIME ON YOUR SIDE: FIVE SCRAPPY WAYS YOUR PEO CAN USE AI TO SHRINK THE GROUP HEALTH SALES CYCLE

In your group health sales cycle, time is of the essence. Shorter sales cycles generally lead to larger volumes, higher revenues, more satisfied account execs, and repeat customers, especially for an annual purchase like group health insurance. You can shrink the time you turn a lead into a customer by adding a speedy new member to your sales team: artificial intelligence. AI can help you close deals faster than your competitors can get their boots on.

BY Kaitlyn Fischer

September 2023

5 QUESTIONS TO ASK A CLOUD SERVICE PROVIDER ABOUT CYBERSECURITY

One of the questions I’m frequently asked by PEOs is simple: Is the cloud safe?  Actually, this is a trickier question than it seems. The answer is yes, of course, but like any internet-based endeavor, there are certainly many caveats. Cloud security requires you to think about security differently than on-premise security or data center security.

BY Dwayne Smith

March 2023

DISASTER RECOVERY FOR PEOS

Disasters are inevitable, and their timing is unpredictable. Preparing your company and employees before disaster strikes can make the difference between a catastrophe or an inconvenience. While no one wants to experience a business disruption, especially any technology-related disruption, there are many reasons that you could end up in that position.

BY Hamesh Chawla

March 2023

NEXT GENERATION PEO RISK DEPARTMENTS

As we all know, the year is 2023, and as PEO risk managers it is important that we embrace the title of a Bob Dylan classic: “The Times They Are A-Changin'.” Given the myriad of changing issues facing the PEO risk manager, a detailed point-by-point examination of the evolving issues would be too lengthy to illuminate within the pages of this article. That being said, this article will focus on two emerging and evolving issues that the PEO risk manager should embrace: dynamic risk analysis and next generation risk department staffing.  

BY Scott Johnson

April 2023

ADVERTISEMENT

Ad for Sentara Health Plans