(b). A framework serves as a guide and provides an overview of different interconnected activities
within an organisation to achieve its targets. The enterprise risk management movement has
prompted companies to consider their exposure to all categories of risks. Companies that
implement enterprise wide risk management framework must be careful to ensure that they
coordinate their risk management activities across all categories of risks. They are most likely to
face some if not all of the following challenges in attempts to implement the ERM framework.
Organisations face a major challenge in identifying and describing the risks in a risk inventory.
This is an essential element of ERM which involves analysis, planning and tracking of new risks,
constantly reviewing existing risks, monitoring trigger conditions for contingency plans and
monitoring residual risks, as well as reviewing the execution of risk responses while evaluating
their effectiveness. The process employs techniques which include variance and trend analysis
(Robust 2013).
Enterprise-wide risk management also requires changes to organisation, business processes, and
staffing. It centralizes risk management decision making to optimize the allocation of investment
to various risk mitigation activities. Many companies have created the position of a chief risk
officer, who reports to the chief executive officer, to oversee the management of risk across the
enterprise. The shift in decision-making authority from line functions to the chief risk officer is
likely to have political implications that should not be underestimated. New business processes
must also be designed and implemented to manage the flow of information and decisions among
the various risk management groups and the chief risk officer.
Resources are always scarce. Organisations face an uphill task in employee training and
development if they entertain hopes of implementing ERM framework. Training and development
is essential element for ERM to be fully integrated within the organisation. With increasingly
advanced technology, it is extremely important for organisations to provide training to their
employees because organisations sell services that incorporate new procedures, often based on
technology, and aimed at providing greater benefits to the client which brings greater profit to the
organisation (Heap 1995).
Establishing a common risk language has proved to be a critical challenge for ERM to be
successful within organisations. There is a strong need to have a risk-aware culture at all levels as
peoples’ perception to risk varies between different levels in most organisations. A health and
safety manager of an international architectural firm views risk culture differently. The reason
being that there is a gap between the top management and the employees working at lower levels
in terms of understanding the overall risk management. Some members within the same
organisation may not fully recognise the fact that health and safety is everybody’s responsibility.
It could be a result of how health and safety managers have managed it in the past where it is
possible that employees were not notified that it is everybody’s responsibility to think about safety
at the work place.
Describing the entity's risk appetite, risks the organisation is prepared to take, across the workforce
is a challenge which requires for an appropriate risk culture within the organisation. This is a
journey rather than an instant solution. It requires molding the behaviors, beliefs, and values of
employees. However, in order to achieve it, the senior management plays a vital role in leading by
example to develop this culture by setting the tone from the top both through actions and through
effective communication
Implementing a risk-ranking methodology to prioritize risks within and across functions; Risk
strategy is no doubt another important element which is sometimes not very well addressed by the
organisations as most of the organisations fail to design a broader risk management strategy.
Another challenge is developing action plans to ensure the risks are appropriately managed. A
proper strategic risk management action plan should consider how risk assessment and
management can be integrated into strategy execution processes. The Kaplan and Norton’s strategy
execution model describes a number of stages for strategy execution and provides a useful
framework.to identify where risk management can be done. These are, develop the strategy,
translate the strategy, identify the desired future state of the organisation’s risk culture, identify
the current risk management culture and define the roadmap to close the gap between the current
and desired states. It also says allocate the appropriate resources, implement the roadmap and
monitor its success. If it was not successful, choose an alternative and repeat the process.
Other challenges of implementing the enterprise wide risk management framework include
establishing a risk committee to coordinate activities of the risk functions, establishing ownership
for particular risks and responses, demonstrating the cost-benefit of the risk management effort,
developing consolidated reporting for various stakeholders as well as ensuring efficient risk
coverage by internal auditors.
Appropriate capability for risk control, monitoring and reporting is explained by lack of
technology which is another major challenge faced by organisations trying to implement a proper
ERM based system within the organisations, technology plays an important role as it has always
been seen as an essential component for organisations to run successfully. According to
Ramamoorti and Weidenmier (2006), technology helps to provide timely data that will assist with
the identification, analysis and response to risks. The organisational changes and the speed created
by technology forces auditors to recognise and monitor how it impacts risk management.
Therefore, technology is an asset for organisations trying to manage risk.