Risk Action Planning: The Missing Element in an ERM Framework

By Ranjit Singh
Managing Director of Columbus Advisory Sdn Bhd and Governor of IIA Malaysia

Enterprise Risk Management ("ERM") is gaining importance, especially after the recent global financial crisis. Public Listed Companies ("PLCs"), Government Linked Companies ("GLCs"), and other large private organisations are starting to take a deeper interest in implementing ERM effectively in their organisations. Even the rating agencies have now increased their weightage or included an ERM element in evaluating the rating of an organisation.

In Malaysia, the Best Practice AA1 of the Malaysian Code of Corporate Governance requires the Board of Directors to explicitly assume the responsibility of identifying principal risks and ensuring implementation of appropriate systems to manage these risks. While the first part, identifying risks, may have been implemented well in the PLCs, the second part, managing risks, has been either ignored or informally carried out by a majority of the PLCs. Stakeholders today are not only looking at the key risks identified but also seeking answers on how these risks are managed by organisations.

We have all heard about the importance of an effective ERM Framework and how crucial it is to an organisation's success. However, understanding of all the key elements of ERM varies across organisations in Malaysia. One of the most common flaws and misperceptions is that ERM is a risk assessment process, and some organisations are of the view that by completing the risk assessment process, they have completed the implementation of ERM in their organisations. Some others even feel that by acquiring risk application software, they would have implemented ERM in their organisation.

We could have an excellent system to identify the key risks of an organisation; however, if we do not subsequently develop risk action plans to manage those risks, we could still neglect the organisation's exposure to risks that are beyond its acceptable risk appetite. The lack of emphasis on the implementation of risk action plans may have triggered some organisation failures in the recent global financial crisis.

As shown in the diagram below, risk assessment is only one component of the ERM Framework:

One of the main elements of risk management that is seldom talked about and often overlooked is the Risk Action Planning process (which comprises the Risk Action Implementation and Risk Action Monitoring processes). Lack of understanding of what constitutes a comprehensive ERM Framework, including how to establish and implement effective Risk Action Implementation and Risk Action Monitoring processes, is one of the main reasons why there is a lack of focus and emphasis on Risk Action Planning.

The Risk Action Implementation and Risk Action Monitoring processes are critical tools, as specific action plans are developed and closely monitored in a structured manner to manage the organisation's key risks within the acceptable risk appetite. Otherwise, in certain cases, plans prepared to manage risks are just like empty wish lists or idealisms that would not materialise with any concrete results. A robust Risk Action Planning process also allows an organisation to strategically focus on critical action plans on a timely basis and ensures accountability by the Management team as well as the Board of Directors.

The Continuous ERM Monitoring & Communication process, which is also often ignored or not carried out, is another key element of the ERM Framework. It involves the establishment of key risk indicators and the periodic re-assessment and review of the risk profiles and ratings to reduce surprises from unexpected risk exposures.

In conclusion, a comprehensive ERM Framework should not exclude the importance of Risk Action Planning to manage key risks in a structured manner and to avoid surprises.

Coverage in The Edge for Bursa Malaysia's Evening Talk