Organisations which operate in industries that are highly regulated naturally place a heavy emphasis on compliance. These industries typically are those where failure can have significant impacts on human health, financial well-being and the environment. Thus, industries such as financial services, aged care, mining, airlines and power generation are heavily regulated. Consequences for noncompliance can be major, including operators losing their license and incurring major financial and reputational damage.
However, such a heavy emphasis on compliance can lead organisations to habitually overlook or even ignore opportunities and risks in other areas of the business, where a more whole-of-enterprise and risk-seeking approach may be in the interests of the organisation. McLaughlin and Sherouse [1] noted this phenomenon when they observed that entrepreneurialism was often suppressed in organisations that were subject to an intense level of regulation.
So how do organisations get the right balance between risk and reward in order to both protect and create value? An enterprise risk management (ERM) approach, when properly designed and implemented, can provide guidance for enhanced decision-making at all levels of an organisation. The genesis for such guidance is clearly at board level as primary responsibility for oversight of risk sits squarely with directors of the organisation.
What is enterprise risk management?
ERM is a comprehensive approach to managing risk across the whole organisation which involves identifying and treating risks which can influence the achievement of objectives.
ISO 31000 [2] defines risk as the ‘effect of uncertainty on objectives … [and risk management as] a coordinated set of activities and methods that is used to direct an organisation and to control the many risks that can affect its ability to achieve objectives’.
The ‘effect’ on objectives is a positive or negative deviation from what is expected. This deviation can be caused by a particular event or general conditions which include environmental factors such as the state of the market and the economy.
ERM includes all risks to organisational objectives at various levels within the organisation, including strategic, operational, regulatory, financial and reputational risks. As an example, a strategic objective at the executive level may be to achieve a certain percentage of market share based on the number of residential clients, whereas at an operational level this may translate to an objective of a certain occupancy rate for a particular region or location.