The past two years may have been the most important time for enterprise risk management (ERM) since its origin as a concept in the 1990s.
First, the COVID-19 pandemic created a public health crisis that was accompanied by unprecedented challenges for business across the globe. Now, more than two years into a pandemic that hasn't ended, Russia's invasion of Ukraine has the potential to create additional dire economic consequences.
Risk management experts say organisations with a well-executed ERM programme that's fully integrated into strategy have been much better prepared to handle risks related to these crises as they emerged.
A well-developed ERM programme, for example, would have provided an organisation with strategies to mitigate potential rises in fuel prices, as Russia is one of the world's largest petroleum exporters. The region's importance in the supply chain for certain precious metals also would have been considered well before the invasion began.
"I really believe in trying to help companies get better at managing the risk," said Paul Walker, CPA, Ph.D., who leads the Center for Excellence in ERM at St. John's University's Tobin College of Business in New York. "I think it can make a big difference."
Walker said that before working on the economic and strategic concerns related to a disruptive event, organisational leaders should consider the impact on their people. With the pandemic, this often meant developing and implementing health and safety protocols and providing resources for mental health.
Safety and mental wellbeing also are top-of-mind in relation to Ukraine and Russia. Ukraine, in particular, is home to a large technology workforce that serves companies throughout the world on an outsourced basis, and companies are working to support those workers amidst the crisis.
"First, wherever you are, you are worried about the people," Walker said.
After that most important consideration, Walker said, an appropriate ERM programme will consider potential impacts to the organisation in concentric circles, with the business at the centre. The circle closest to the centre focuses on the balance sheet, income statement, and revenue based in Ukraine, Russia, and the surrounding countries.
If an organisation has operations that might have a considerable impact on revenue in those countries, it may need to move to mitigate the risk to the operations and revenue.
The next circle, a bit farther out from the centre, considers operations or supply chain inputs in the surrounding countries as well as in Russia and Ukraine.
"You think about those operations in that area, but then you've got to expand it to their immediate neighbours. How will that impact the surrounding countries, whether it's your operations, your supply chains, sales, inflation, business continuity?" Walker said.
Farther out from the centre, another circle will consider partnerships with companies that are sanctioned.
"Maybe you're doing business with someone that's going to get sanctioned, and you didn't realise it or think about it," Walker said. "All of a sudden, you've got new risk, probably, that you hadn't thought of before."
The outermost circle would consider the impact that crisis-induced economic challenges will have on an organisation. These include inflation, interest-rate effects, and availability of capital. The crisis also has the potential to dampen economic enthusiasm and sentiment, with a corresponding reduction in spending that could lead to another downturn. Walker said that for some companies, their biggest risk may be the economy.
It's not enough to manage risks on their own, however. Organisations also need to consider how risks are connected. An example of connected risks is fuel and transportation costs. Rising fuel prices may affect how much a manufacturer pays for energy to heat and power its factory. And if transportation is outsourced, rising fuel prices will affect that cost too, because the transit provider will have to pay more.
A useful tool for thinking about emerging risks is the popular ERM framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Principle 15 of the framework suggests that an organisation should identify and assess changes that may substantially affect business strategy and business objectives. Principle 17 states that an organisation should pursue improvement of ERM.
With this in mind, an organisation's risks change as the environment changes. And the crisis-level events of the past two years confirm the need to constantly consider emerging risks as an organisation seeks to keep its ERM process effective. Continuous monitoring in a proactive manner allows an organisation to update its strategy quickly and effectively.
For example, a well-functioning ERM process would have recognised the troop build-up on Ukraine's border and helped an organisation prepare for the potential disruptions that could be associated with an invasion. These would have included risks to fuel availability and prices; supply chain challenges related to food and precious metals; and cyber risks.
"If you don't have the emerging risk process, if COVID didn't make you want to build one, or Ukraine doesn't, I don't know what's going to make you want to build one," Walker said. "But at some point you want to say that we've got to get more ahead of some of these things."
— To comment on this article or to suggest an idea for another article, contact Ken Tysiac at Kenneth.Tysiac@aicpa-cima.com.