Risky Business: Why You Need to Assess and Manage Risk
From understanding your risks to addressing them, your small business could benefit from an ERM program. Karen Stern, Partner in Charge of BSW Small Business Services, discusses what an ERM program entails in this month’s “Financial Fitness,” as featured in Small Business Monthly.
Risk is everywhere. It can arise from your business strategy, your employees and anything else that surrounds your business. As evidenced by recent headlines about employee fraud and cybersecurity issues, certain risks are harder to control than others. With a changing economic environment, the volume and complexity of risks have changed dramatically.
Not understanding your risks can result in products failing, unreasonable revenue goals and an increase in uninformed risk taking. Putting an enterprise risk management (ERM) program in place can help identify and assess the potential impact certain risks can have on you and your company, helping you manage the knowns and unknowns of your business.
So, what is ERM? ERM is a process designed to identify events that could affect your company negatively. It helps you manage risks to be within your risk appetite and provides reasonable assurance that you can achieve your objectives.
Here are eight key steps to build a successful ERM program:
- Ask questions. Ask your employees and your management team what they perceive to be your risks; map them to get an overview of the full spectrum of risks.
- Determine your ERM maturity. Determine how mature your company is in terms of managing the risks identified in step 1.
- Project-plan. Set short- and long-term objectives and align them with your overall business mission and values.
- Perform a risk assessment. Internal and external events can affect whether you achieve your objectives. It’s important to identify them and determine whether they are risks or opportunities. Analyze these risks by considering the likelihood and impact of each risk and determining how you should manage them.
- Determine the risk responses. Based on your risk appetite, select risk responses, which can include avoiding, accepting, reducing and sharing risk.
- Design the control activities. Based on the risk response, determine the appropriate internal controls and the policies and procedures you need to implement to help ensure the risk responses are effectively carried out.
- Inform and communicate. Identify, capture and communicate appropriate information in a uniform and timely manner so employees can carry out their responsibilities.
- Monitor. Continuous monitoring of your environment and achievement of objectives are integral parts of the ERM framework. Effective management and separate evaluations will help you accomplish this in conjunction with the ERM framework.
Putting these steps in place and continuously updating your ERM program can help you manage your business and align your strategies and their underlying risks with your business objectives.