Unraveling the secrets of ERM

Font Size
Rochelle C. Dichaves

Taxwise Or Otherwise

If we liken businesses to machines, risk management would probably be those cogs scattered throughout that are so tiny one cannot help but overlook them during maintenance. And yet, when even one of them breaks, the machine would continue to run but at the cost of rapid deterioration. Eventually, when it stops running, only then do we realize how critical these small bits of metal are to the machine.

Risk management is an interesting conundrum. The challenge of managing risk is like clearing a maze with no end in sight — as soon as you think that you’ve found the correct path, you find yourself back at the multiple, twisting crossroads where you started. Thus, the cycle continues all over again. Such is the landscape in which businesses currently find themselves.

There have been great improvements though. Where traditional risk management only focuses on managing risks with performance, the new COSO ERM framework takes this concept even further at the onset of strategy formulation. This helps in ensuring a smoother trajectory towards the goals to maximize business profits and to enhance corporate performance.

What comes to mind when you hear the term “risk?” The regular person would most probably think of these words: dangers, crises, and disasters. Corporate boards and managers, on the other hand, would probably think of strategy, operations, technology, legal, finance, regulatory compliance — anything that may cause business profits to drop or anything that could prevent the achievement of goals that were originally set by management.

ERM concepts do not only apply to a workplace setting. Look at this (rather oversimplified) overview of child rearing in a typical household:

• Governance and Culture. Parents can be likened to the Board, the ones at the top who set the tone, which would shape the child’s behavior.

• Strategy and Objectives. At this stage, the parents have an idea of the objectives that the child needs to become successful. They chart a winning strategy in order for this to happen, debating the pros and cons of each decision they make, such as which school to send their child to and the amount of resources that they need.

• Performance. Parents would carefully consider the possible risks that could affect the results and determine the appropriate actions to take. For example, if the child’s progress is lacking, the parents may arrange for additional tuition.

• Review and Revision. Regularly, parents would monitor the child’s learning and development (such as through games, tests and report cards). This would allow them to determine if additional changes to the “game plan” are required, as well as appropriate corrections.

• Information, Communication, and Reporting. Parents would continuously interact with other stakeholders involved in the child’s development such as relatives and teachers to guide the child’s growth.

Risk management is something that is actually ingrained in the human psyche. We all have a corresponding “fight-or-flight reaction” to any perceived risk to our well-being. Our instincts immediately warn us as soon as we perceive something wrong with our environment. We then decide if we should stay and fight, or if we need to run. This is ERM in its purest, basest form.

Businesses require more intricate and comprehensive tactics to ensure the proper achievement of goals and objectives. Philippine businesses need to ensure that threats to business strategy and performance are being handled in an efficiently and effectively.

As a risk management professional, an observation is that the powers and responsibility for risk management are often than not too concentrated and reliant on the directives issued out by the Risk Oversight Committee (ROC) and by extension, the Risk Management Department (RMD). This is something that organizations should act upon with great speed — while it is true that (as watchdogs) the ROC and the RMD should take the lead in matters involving risk, effective risk management is a collective responsibility of all the units of the organization. It entails active collaboration between the organization’s front line units (i.e. operations) and the other lines of defense (i.e. risk, internal audit, and compliance). The actual units themselves have a more comprehensive view of the risks that affect organizational performance.

With the new COSO ERM framework, organizations have the opportunity to think about how they can ready themselves to confront the threats to the viability of their business strategies. At PwC, we have identified five specific trends that are reshaping the world: rapid urbanization; climate change and resource scarcity; shifts in global economic power; demographic and social change; and technological breakthroughs. All these require consideration from strategic formulation down to execution. For businesses to flourish, management should continuously assess such risks and have the ability to deploy the appropriate strategies and tools to minimize their adverse effects to operations.

Now that we’ve gained a clearer understanding of Enterprise Risk Management and how it relates to businesses (and one’s personal life), where is the way forward? How do we leverage ERM to make businesses grow? Having the right policies, procedures, and tools have a large impact on the effectiveness of risk management processes; the starting point, really, is to incorporate them into day-to-day operations by weaving it into the very heart of our conversations at the office.

Management should consider potential risks to the organization at all steps of the decision making process. This would facilitate the development of strategies that result in the continued resilience of the organization. Otherwise, it might find itself overtaken by competitors who able to navigate in trying times.

All of us need to do the right thing. Everyone must be willing to bring up issues to be considered to the table, no matter how small, especially if it would have an impact on business.

The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd. The content is for general information purposes only, and should not be used as a substitute for specific advice.


Rochelle C. Dichaves is a senior associate with the Risk Consulting practice of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd., a Philippine member firm of the PwC network.

+63 (2) 845-2728 local 2121