Enterprise Risk Management and GR
No matter how and where your GR team is located in the company, and no matter what name you gave it – it is almost certain that risk management is at the core of the job. Government Relations owns regulatory risks, most likely in cooperation with other risk management functions like Legal or Regulatory Compliance. What strikes me is how little thought is spent on what this really means for GR and how Enterprise Risk Management processes could be leveraged.
What is ERM?
According to Investopedia, Enterprise Risk Management (ERM) is a “methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization’s operations and objectives and/or lead to losses.”
The idea of an ERM process is not new. It started — as most modern corporate management ideas — after the Second World War as companies expanded globally. Today, most biggish companies have an ERM process in place. In fact, if you are listed on the New York Stock Exchange, its rules require an Audit Committee to “discuss policies with respect to risk assessment and risk management”. There is even an ISO standard for it (ISO 31000)!
While the original focus of ERM is on financial risks, it implies that anything with a severe impact on the financial situation of the company is in scope. Quoting Investopedia again: “ERM looks at each business unit as a ‘portfolio’ within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit.”
Hence, the list of risks managed via an ERM process might be extremely heterogeneous — ranging from currency risks to a major cyber attack with loss of IP or a major incident at a factory. These different risks require completely different responses and ownership within a company, so an ERM process is usually a very high-level template that prescribes a certain way of reporting on risk developments and response plans at a fixed cadence (usually an annual report to the executive team and the board audit committee).
How does GR fit in?
There are two perspectives on GR and ERM:
First, GR has plenty to contribute to an ERM system in terms of risks that should be covered. In the end, GR functions manage corporate risks — be it risks to market access or financial burdens triggered by regulation. However, it is my impression that very few companies have fully integrated GR risk portfolios into their ERM. My guess — based on anecdotal evidence — is that the main reason is a path dependency: GR functions often start in the public affairs division of a company and are perceived as a handler of external relations without any obvious link to enterprise risks.
Embracing the ERM framework for GR-managed risks gives you an opportunity to connect GR to the overarching risk management process of your company. It goes to the board, so it gets attention. It also provides a framework to quantify the risks that GR manages. Given that an ERM includes very heterogeneous risks anyway, it is less of a concern that it is sometimes hard to quantify the impact of GR work (see this article) — but it puts you “on the map”.
Second, GR functions could also benefit from the ERM framework as a management system. An ERM framework forces GR functions to think a little harder about their portfolio. What are the actual risks we cover? And how do we manage them? “Observing” is not the same as managing risks — so what is your game plan? Adapting the concept of a risk register might actually structure your internal GR conversations as well as your reporting up the command chain. A couple of elements are of particular importance:
- GR could leverage an ERM framework to describe both regulatory risks as cost burdens (how much does it cost to become compliant? How high are the compliance costs of a new product or a new market? How costly is non-compliance?) and market access risks (does a proposed piece of legislation create a hard market access barrier or shift the playing field?).
- An ERM framework could be a good vehicle to start thinking about geopolitical risks. This would include scenario-based conversations with business units (Supply Chain, HR, Legal and beyond), leading to a more comprehensive mental map of how the tough new world affects the company long-term.
- An ERM framework does not necessarily aim at risk minimization at all costs — it is rather a framework to think strategically about risks: What is the risk appetite of the company? Where is it smarter to take risks rather than try to minimize them?
- An ERM framework requires a clear RACI model: Who is Responsible, Accountable, Consulted, Informed? These are real advantages of a formal ERM system that might help to elevate the GR play and link GR-managed risks to executive ownership and oversight.
- An ERM process includes internal and external risk communication plans. It is hard to overstate the importance of this part. It starts with the “funny” problem of Sales employees using maps copied from the Internet that show contested territories (think of Taiwan, Tibet, Palestine), but it does not end there. Geopolitical developments are not top of mind for many employees — so it’s worthwhile thinking about internal comms efforts to educate them in the right way.
You can also finally introduce the abbreviation “GRERM” to your company. That alone is worth the effort.
Getting there
If you haven’t done it yet: check with Finance how enterprise risks are managed. ERM is often implemented with dedicated software systems that include project management capabilities as well as dashboards — if there is none in place, have a look at Smartsheet, for example.
Have fun! And report back how it goes!