Enterprise Risk Management
Kris Ananthakrishnan
Thursday, May 29, 2003
IF YOU FAIL TO PLAN, YOU ARE PLANNING TO FAIL. When catastrophe comes calling, do you have a plan of action chalked out, ready and tested? It may sound like a no-brainer sales pitch from an overzealous insurance salesman, but judging by the lack of disaster recovery planning activity until very recently, corporations are clearly guilty of ignoring the unthinkable.

In the past, disaster recovery planning was quite a straightforward exercise. Companies accounted for their risks by buying liability insurance and then crossed their collective fingers and hoped nothing happened. And nothing usually did. But as the stakes got higher and the odds grew shorter, it was time to sit up and take notice. It quickly became obvious that without a concerted effort to identify and quantify the risks, and to control and transfer them, companies could potentially spiral out of business as soon as the first disaster strikes. An enterprise-wide action plan to deal with contingencies is now de rigueur for any organization, regardless of its size, location, or nature of business.

Although Enterprise Risk Management (ERM) is a relatively new entrant to the ranks of management acronyms, risk management as a management practice is nothing new. What is actually new is the organized body of knowledge that has started forming around risk management. Since the 1950s, when the American Management Association started organizing seminars on the subject, it has been the insurance industry that has been drumming up all the noise in this field. For instance, the Insurance Institute of America created the Associate in Risk Management program in the mid-60s and has since attempted to expand into non-insurance-specific fields as well.

Where Insurers Fear To Tread
But the fact that the insurance industry is essentially spearheading most of the significant development in this field has a built-in disadvantage. It pays scant attention to most of the risks that have no insurance product to back them. Take an act of war or a nuclear explosion, for example. Insurers are not exactly falling over each other to cover such risks. But these risks remain anyway, and are no less important (though less probable) to a company than a fire or a flood. So if insurance is not the answer, then there have to be other ways to manage these risks. The practice of ERM provides the tools to do just this.

ERM includes a whole set of processes (such as Business Continuity Planning, Disaster Recovery Planning, and Contingency Planning) that help companies focus on their risks and identify ways to manage these risks. By utilizing the concept of risk optimization and inherent-value, a company’s ERM strategy approaches risk systematically, and treats them on a portfolio basis as opposed to a case-by-case (individual risk) basis. Without an enterprise-wide coordinated effort to manage risk, the interdependencies and relationships of various business risks could potentially be overlooked, resulting in a patchwork of safeguards that overcorrect certain situations while ignoring others.

Categorizing Risk
Risk can be categorized as Pure vs. Speculative risk, and Fundamental vs. Particular risk. Pure risk involves situations where the possible outcomes are either loss or no loss (example: the possibility of a break-in into the company’s e-mail system). Speculative risks, on the other hand, are situations where either a profit or a loss is possible (example: introducing a new product to the market). Note that pure risk has no upside potential. Fundamental risks are risks at a macro level, which affect a large section of the populace (example: war), whereas a particular risk affects only an individual organization (example: loss of a firm’s leader). It is crucial that risk, regardless of whether it is pure, speculative, fundamental, or particular, is managed. The classic ERM roadmap to managing risk takes an organization through a series of six distinct steps: Identify, Measure, Prioritize, Assume, Transfer, and Monitor.

The Roadmap to Risk Management
Identify risk: This involves a thorough examination of a firm’s business and operational landscape and mapping out each and every external as well as internal risk that the firm faces. Anything short of this would only serve as a starting point, to be expanded as the firm learns more about its risks.
Measure Risk: Statistical techniques (such as Monte Carlo simulation, which randomly generates values for uncertain variables over and over again to simulate a statistical model) are popular methods in assigning estimated values to all aspects of risk. The advantages of such a quantitative assessment of risk are twofold. One, it provides senior managers with a better perspective of each individual risk factor. Two, it presents an overall view of the combined risk, which helps management arrive at a logically coherent risk mitigation plan.
Prioritize Risk: Measuring individual risks inevitably leads us to prioritizing them. Ranking individual risks and grouping them as high, medium, or low risks would help firms focus on what matters most.
Assume Risk: There is a certain amount of risk every organization can afford to assume. Some thrive on surviving on the edge whereas others do not have the stomach for anything more than the minimal risk. It all depends on the organization’s business practices, its financial position, and a whole slew of other variables. Once a firm’s risk tolerance is identified, a decision can be made as to the degree to which it is ready to assume risk.
Transfer Risk: Risk transfer is just that: your firm’s risk is (for an appropriate premium) transferred to another entity. While global insurance companies are coming up with increasingly effective plans to achieve this, even internal risk transfers within a firm are effective mechanisms to counter risk.
Monitor Risk: Eternal vigilance is the secret to managing individual and portfolio risk on an ongoing basis. In an environment where risk factors seem to multiply year after year, an effective ERM program is one that is re-evaluated on a regular basis and continuously kept up to the standards that the market demands.
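As an added illustration of the Measure and Prioritize steps of the roadmap (example code written for this page, not part of the original article), the following Python script runs a Monte Carlo simulation over a small constructed risk register built around the article's own examples: each risk is given an event frequency (Poisson) and a loss per event (lognormal), the simulated years are summed into a portfolio view, and risks are ranked high/medium/low by their expected annual loss. All names, figures and bucket thresholds are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Risk:                 # one risk-register entry; all figures are constructed
    name: str
    events_per_year: float  # expected loss events per year (Poisson rate)
    loss_median: float      # median loss per event, in dollars (lognormal)
    loss_sigma: float       # log-scale spread of the per-event loss

def poisson(rate, rng):
    """Knuth's multiplicative sampler, adequate for the small rates used here."""
    limit, count, prod = math.exp(-rate), 0, rng.random()
    while prod > limit:
        count += 1
        prod *= rng.random()
    return count

def simulate_year(risk, rng):
    """Annual loss of one risk: a Poisson number of events, each a lognormal loss."""
    mu = math.log(risk.loss_median)
    return sum(rng.lognormvariate(mu, risk.loss_sigma)
               for _ in range(poisson(risk.events_per_year, rng)))

def bucket(expected_loss, high=100_000, medium=25_000):
    """The roadmap's high/medium/low ranking, keyed on expected annual loss (assumed thresholds)."""
    if expected_loss >= high:
        return "high"
    return "medium" if expected_loss >= medium else "low"

def measure_and_prioritize(register, years=10_000, seed=7):
    """Monte Carlo over `years` simulated years: ranked register plus a portfolio view."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    per_risk = {r.name: [simulate_year(r, rng) for _ in range(years)] for r in register}
    portfolio = [sum(loss[y] for loss in per_risk.values()) for y in range(years)]
    eal = sorted(((n, sum(l) / years) for n, l in per_risk.items()),
                 key=lambda item: item[1], reverse=True)
    ranked = [(n, round(x), bucket(x)) for n, x in eal]
    stats = {"expected_annual_loss": round(sum(portfolio) / years),
             "loss_at_95th_percentile": round(sorted(portfolio)[int(0.95 * years)])}
    return ranked, stats

# Constructed register echoing the article's own examples; figures are illustrative only.
REGISTER = [
    Risk("E-mail system break-in", 6.0, 15_000, 1.0),
    Risk("Fire at the main office", 0.03, 1_000_000, 0.5),
    Risk("Loss of the firm's leader", 0.1, 500_000, 0.3),
    Risk("Act of war (no insurance product)", 0.0, 50_000_000, 1.0),
]
```

Calling `measure_and_prioritize(REGISTER)` returns the ranked register together with the portfolio's expected annual loss and its 95th-percentile year, which is the combined view the article argues for over case-by-case treatment.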

The End Justifies the Means
If all these actions sound like incredibly imaginative ways to fritter away hard-earned cash, think again. A recent study titled “Measures that Matter” by Cap Gemini Ernst & Young revealed that, when valuing companies, investors have lately started paying a lot more attention to non-financial measures in an effort to gauge a company’s overall readiness to face uncertainty. What this implies is that if companies are lax in implementing effective risk management processes (or if they are perceived as such), then the effects will be evident in how the company is valued in the stock market. So if enhancing shareholder value is a primary objective of a firm’s governing body (as it should be), then investments made in building a robust ERM practice are just that: an investment.
