MANAGING THE NOISE OF RISK: WHAT IS ERM? 

BY Dafni LeFlore

Director, Enterprise Risk Management
TriNet, Inc.

March 2024

 

During a January 2024 episode of the podcast “On Purpose,” creator and host Jay Shetty sat down with former First Lady of the United States Michelle Obama. He asked one pointed question that may well capture the thoughts and sentiments of most organizations in such a disruptive business climate.

“What is the thing that keeps you up at night now, or what is your biggest fear now, after having overcome so many?” Shetty inquired.

“It has less to do with me personally and more to do with the world that we’re in,” Obama states. “There’s such a thing as knowing too much, and when you’ve been married to the president of the United States who knows everything about everything in the world, sometimes you just want to turn it off. Those are the things that keep me up because you don’t have control over them,” she continued.

WHEN WE TURN IT OFF

It is quite evident that disruption has been here for some time now and the business community has not been able to “turn it off” or ignore it. We have seen countless examples where companies knew what was coming, but the inherent desire to “turn it off” just made more business sense. Many times, focusing on the controllable is the easier and less costly thing to do. Blockbuster and Polaroid are two examples of companies that knew digitalization was an uncontrollable, emerging risk but could not pivot and manage their expectations of just how quickly it would change the world. Even more recently, the PEO industry was impacted by the closing of regional banks, requiring more robust payroll processing resiliency plans. Whether it’s controllable or not, it is imperative that businesses not continue to ignore emerging threats as though such events could never occur. Instead, they should rely on a trusted advisor to manage the noise of disruption while balancing day-to-day, apparent demands.

WHAT IS ERM?

Enterprise Risk Management, or ERM, serves as that very advisor, maintaining a broad, forward-looking view of risks to organizations. According to North Carolina State’s Poole College of Management Enterprise Risk Management Initiative, “the objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives. The “e” in ERM signals that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the strategic objectives of the business. In other words, ERM attempts to create a basket of all types of risks that might have an impact – both positively and negatively – on the viability of the business”.

To achieve this, ERM focuses on three main processes. First, ERM identifies broad-level risks such as operational, financial, legal, strategic, and technological. Secondly, ERM assesses those risks based on factors such as impact (i.e., how will it feel), likelihood (i.e., what are the chances it will be felt), velocity (i.e., how soon will it be felt), control effectiveness (i.e., have we reduced the impact), and management preparedness (i.e., are we ready to feel it) to determine the look and feel of those risks to the organization. Thirdly, ERM manages and monitors how these risks are behaving in the presence (or absence) of mitigating actions (based on the level of risk a company is willing to tolerate) over time as they may otherwise be deeply interdependent across a company’s people, processes, and systems.

The early identity of ERM was not always as broad as it is today, however. Risk management has always been a part of business operations, but it is typically siloed within individual departments such as security, insurance, and safety. These departments manage risks specific to their areas of expertise, maintain a reactive view of risks, tend to be risk averse, and have limited coordination or integration across the organization. From the 1990s through the 2000s, several high-profile corporate scandals and failures, such as Enron and WorldCom, prompted the need for a more holistic, proactive approach to risk management that included greater transparency and accountability amongst senior leaders and boards. Regulators began requiring formal ERM programs for U.S. financial institutions and some government-sponsored enterprises. By 2008, the global financial crisis further emphasized the importance of effective risk management with a stark reality: The crisis exposed weaknesses in risk management practices, leading to a renewed focus on ERM within non-financial sectors.

MANAGING THE NOISE

It is critical to have a risk oversight program constantly scanning the risk landscape for potential threats as the volume and complexity of risk are increasing. The 2023 Global State of Risk Oversight Report highlights that 55% of companies of different sizes and industries have experienced a major operational surprise within the last five years. However, only one-third of organizations have complete ERM processes in place. For companies that do have a formal ERM program, ask yourself what they see that others do not. According to the 12th Annual Executive Perspective on Top Risk for 2024 and a Decade Later, below are top risks for leaders in all industries to consider.

Top 5 Risks for 2024

  1. Economic conditions, including inflationary pressures
  2. Ability to attract, develop and retain top talent, manage shifts in the labor market expectations and address succession challenges
  3. Cyber threats
  4. Third-party risks
  5. Heightened regulatory changes and scrutiny

Top 5 Risks for 2034

  1. Cyber threats
  2. Ability to attract, develop and retain top talent, manage shifts in the labor market expectations and address succession challenges
  3. Adoption of digital technologies requiring new skills in short supply
  4. Rapid speed of disruptive innovations enabled by new and emerging technologies and/or other market forces
  5. Heightened regulatory changes and scrutiny

As can be noted, each of the above risks can have a material impact on the PEO industry. The question is not if these risks will truly manifest, but rather when they will do so. This is not the only question, however, that should be asked. Whether you have a dedicated ERM program or not, leaders are encouraged to talk to their teams and ask these questions about the above risks: Do we know enough about this risk? Which of these risks should “keep us up at night”? Has this risk been “turned off” in terms of our willingness and/or ability to give it more attention? Is it controllable or non-controllable? And if controlled, how well controlled is it? Have we considered the opportunities associated with this risk? How might this risk impair our ability to meet our long-term strategy? Have we gotten so comfortable with our ability to successfully react that we are undervaluing our need to proactively respond to any of these risks?

 
