Regulatory compliance has become of increasing importance in recent years, as a multitude of new regulations and legislation has forced businesses into compliance under the threat of hefty financial penalties. However, compliance is only one aspect of a wider field of Enterprise Governance, Risk and Compliance (GRC), a discipline that evolved as part of a growing global need to ensure sustainability, accountability and sound business practices.
Managing risk lies at the core of any GRC endeavour, since if risks are not managed adequately they have the potential to result in decreased profitability, non-compliance with regulations and laws and ultimately a failing enterprise. Enterprise Risk Management (ERM) is the pivot upon which GRC turns, facilitating both good corporate governance and compliance, and is a vital part of the agenda for businesses of all sizes, large and small.
“Managing risk does not mean eliminating risk, since without risk organisations could not exist and remain profitable. However, these risks do need to be taken on board and brought to an acceptable level. With every business in South Africa subject to at least 80 or more Acts of Parliament that must be complied with, ERM is vital to ensure compliance,” says Ben Pieters, Executive at ESPconsult. “While large corporates and State Owned Entities are able to employ teams of risk managers and legal experts to analyse the relevant Acts and Regulations, smaller businesses and micro enterprises simply cannot afford such luxuries.”
While having the funds to employ teams of full-time risk managers and legal advisors can be of benefit, many large organisations still view ERM as a tick-box exercise. They regard it as something that must be done in order to comply and avoid penalties, but not as something which will contribute positively to the organisation.
“Nothing could be further from the truth, however,” says Greg Bogiages, MD of Cortell Corporate Performance Management. “The excuse that small organisations cannot afford risk management is negated when you view ERM as a vital business process that will not only facilitate compliance, but improve profitability. Businesses should align their strategic plans with their risk management disciplines. Managing risk is not a ‘one size fits all’ concept, since each organisation’s risk appetite differs, and ensuring that a risk management solution is tailored to the individual needs of the organisation is vital.”
The reality is that risk, while it is part of business, can be detrimental if it is not managed correctly. Risk management software is a useful tool, as it assists with automating and creating ‘workflow’ for procedures associated with risks and risk events. It also removes the risk of human error when it comes to ensuring that processes are followed accordingly.
However, software alone is not sufficient to ensure risk is managed effectively. Once software has been installed, it is vital for risks to be identified and defined at various levels throughout the organisation in order to create a risk framework. Consultants and experts in the field of GRC play an important role in ensuring that all risks are identified and incorporated into ERM tools, and that processes around these risks have been defined and implemented.
“It is also necessary to workshop controls and identify the risk owners for each individual area. Without a risk owner, accountability cannot be assigned, which means that in effect the risk cannot be managed because it is not understood who is responsible for mitigating it,” says Pieters.
“Software acts as an enabler that eases the risk management workload, but true ERM relies on a top-down, culture driven approach. Managing risk requires the people within the organisation to understand what the risks are and why they need to be mitigated and managed, which often involves a change management process,” he adds.
Only once risks have been identified and controls put into place can risk be mitigated. Implementing a real risk management discipline, with the necessary controls and procedures in place and the correct combination of software and organisational culture, ensures that an enterprise operates in an environment of sound governance. It also helps to identify legislation and regulations as areas of risk, helping to ensure compliance. Aside from these soft benefits, improved risk management means a lower risk profile, which typically leads to decreased insurance costs, which can directly benefit the bottom line.
“ERM has multiple benefits for organisations of all sizes, from improved governance and compliance to better accountability, improved profitability and increased shareholder confidence. The real question is not ‘can your organisation afford to implement ERM’, but can it afford not to,” Bogiages concludes.