Enterprisewide Risk Management: An Opportunity Defined
It aggregates risks and opportunities for improved business results and makes RM an integral part of management's decision-making process.
- By Scott Vanlandingham, Paul Pettit, Jim DeLoach
- Jul 01, 2004
OCCUPATIONAL health and safety professionals understand the importance of effective risk management. This understanding, combined with the ability to implement risk mitigation strategies and tactics, creates an opportunity. The current market emphasis on corporate governance and new legislation, such as the Sarbanes-Oxley Act of 2002, have put enterprisewide risk management (EWRM) on the minds of many senior executives. Because OH&S requires the application of many of the same concepts, principles, and skills as EWRM, you should consider taking the opportunity to apply them on an enterprisewide basis to yield an even greater impact within your organization.
First, let's define "business risk" and EWRM. Business risk is the level of exposure to uncertainties that the enterprise must understand and effectively manage to achieve its objectives and create value. For example, the lack of an effective OH&S risk management process could prevent the business from achieving its business objectives and executing its strategies successfully. Enterprisewide risk management, it follows, is a structured and disciplined approach that aligns business strategy, process, people, technology, and knowledge for the purpose of evaluating and managing the uncertainties an enterprise faces as it creates value. Its objective is to build and improve the capability of the enterprise to identify and manage risk. In turn, the objective of an effective OH&S risk management process is to manage and control OH&S risks across the entire organization.
Effective EWRM helps companies manage the risks affecting their sources of value, which often include people, strategy, intellectual property, information, capital, materials, and supplier base. Risks that affect these sources of value typically can be grouped into three classes: environment (or external) risk, process risk, and information for decision-making risk. Effective EWRM will optimize opportunities, risk, growth, and capital. It will aggregate risks and opportunities for improved business results, enhance corporate governance, and make risk management an integral part of management's decision-making process.
The OH&S Risk Management Process
Why should OH&S professionals embrace a risk management process across the entire enterprise? Regardless of how large or small your organization is, an effective process is needed to manage and control OH&S risks. The OH&S risk management process is a comprehensive, integrated approach for carrying out risk management activities. It enables senior management to minimize the potential impact of OH&S risks in achieving objectives to create and protect shareholder value.
Establish OH&S Risk Management Process--OH&S professionals need to understand the organization's risk capacity and tolerance and have an effective framework and organizational structure for managing OH&S risks. An effective framework includes such activities as recordkeeping, material handling, machine guarding, fire protection, hazard communications, hazardous waste operations, and many more. The organizational structure must support these activities in order to manage and control any associated risks (e.g., risk of non-compliance).
Assess OH&S Risks--Using laws and regulations such as those provided by OSHA, OH&S professionals need to create a common language and roadmap for identifying, sourcing, measuring, and prioritizing OH&S risks. OSHA requires recordkeeping. By establishing a roadmap, OH&S professionals will understand which reports, logs, and other safety forms are required and how long they need to be stored, posted, and copied.
Develop OH&S Risk Management Strategies--OH&S professionals need to provide information to help the organization reach decisions on whether to avoid, accept, transfer, reduce, or exploit each of the organization's defined OH&S risks. OH&S professionals cannot avoid the risk of non-compliance; however, insuring a risk is one way to transfer the risk from the organization to an insurance provider. Risk transfer should be supplemented with effectively functioning processes that reduce compliance risk to an acceptable level.
Design and Implement RM Capabilities--OH&S professionals need to define actions the organization can take, and the information the organization needs to do so, based on the right combination of people, process, and technology. Take management and distribution of material safety data sheets, for example. By utilizing the right combination, MSDSs can be updated and controlled easily by a single point of contact using a Web-based portal.
Monitor RM Performance--OH&S professionals need a structured process to help the organization measure the impact of OH&S risk management and identify ways to improve. By periodically reviewing or auditing the company's activities, they can monitor and measure the impacts of OH&S risk management where activities such as ergonomics have been implemented.
Continuously Improve RM Capabilities--While building a database of best OH&S, risk management, and control practices, OH&S professionals need to apply quantitative and qualitative diagnostic tools to benchmark the organization's performance against world-class performers in RM. By documenting the organization's own practices and being aware of what others are doing in the industry, OH&S professionals ensure they are continuously improving their capabilities.
Using EWRM to Expand the Process to Other Risks
Perhaps your organization also would benefit by implementing EWRM to manage business risk. The following indicators of need will help you determine whether there might be an opportunity to implement or improve EWRM within your organization:
- Senior management and the board are not in a position to confidently make informed business decisions because (1) the trade-off between risk and reward is not evaluated, or (2) operating-level decisions are not evaluated within the context of the company's overall strategies for taking and bearing risk.
- RM does not appear to be actively integrated with strategic and business planning.
- Risks are not systematically identified, sourced, measured, and managed on an aggregated basis.
- Different parts of the organization are discussing, approaching, and adopting RM processes in different ways.
- Increasing demands are made for more information relating to risks and internal controls from the board, investors, regulators, advisors, financial institutions, media, and the public.
- A major change in the business and operating environment, such as a merger, acquisition, divestiture, change in management, or change in primary customer base, has recently occurred.
- Common reasons for implementing EWRM include:
- Build confidence in the investment community by improving transparency into RM capabilities and performance.
- Enhance corporate governance by augmenting board and management interaction, assessing the need for a senior-level risk management committee, and clarifying roles, responsibilities, authorities, and accountabilities.
- Successfully respond to a changing business and operating environment.
- Reduce unacceptable performance variability. That is, improve the ability to respond to significant events, manage sources of value, reduce the costs of risk mitigation, improve performance of critical processes, or accomplish strategic initiatives.
- Align and integrate risk management functions such as insurance, treasury, succession planning, systems security, and IT business continuity.
- Align strategy with corporate culture.
A Journey, Not a Destination
Implementing EWRM should be viewed as a journey rather than a destination. It requires a disciplined and methodical approach to navigate successfully. Eight key steps can be taken to elevate your organization's business risk management to an EWRM capability. Each of the steps builds the company's business risk management capabilities, with the last three steps being the culmination of the journey to EWRM. These final steps link risk with opportunity and position business RM as a source of sustainable competitive advantage.
Experience consistently has shown that initially the two most critical success factors to getting the EWRM journey started are executive leadership and a high level of ownership and commitment. Charting and navigating the EWRM journey begins with understanding the organization's priority needs and requires rationalization of EWRM as the solution of choice. Far from a product on a shelf, EWRM requires an articulation of clear objectives and goals, along with the components that need to be in place to make those objectives and goals happen. Management needs a project management discipline to design and implement the solution components required to execute and manage the EWRM journey over time.
This article originally appeared in the July 2004 issue of Occupational Health & Safety.