Industries face unique risks regarding compliance and governance issues. As the government imposes more regulations to help consumers, companies must quickly adapt to the increasing number and types of compliance regulations. These can include the following:
Government Regulations: The city, state, and federal governments can all have their own regulations with which companies must comply. For example, manufacturing and transportation companies typically must limit their carbon emissions according to local, state, and federal laws. Noncompliance exposes these companies to major risks concerning their operations and reputations.
International Regulations: Industries that do business globally face additional types of risks and challenges. Some transactions are governed by international agreements, while others are subject to requirements and regulations in the individual countries where a company does business. These restrictions may include language and cultural issues, and noncompliance can pose a huge risk for a company.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 applies to the security of all health information related to individuals. Breaches of protected health information pose an enormous risk to healthcare companies, as well as individual providers. Compliance protocols must be followed to the letter. If they are not, the government can penalize the entire institution.
Financial Regulations: After the recession of 2007-09, Congress enacted many laws intended to prevent a similar financial crisis. These include regulations governing sub-prime mortgages and other risky practices.
A comprehensive ERM policy statement supplies a high-level overview of an organization’s ERM program and guides its members to effective risk management. The board of directors usually approves it, and the statement contains the chief tenets of the organization’s ERM program.
An ERM framework is a useful tool in helping teams visualize the risks and ownership, as well as the responsibility for monitoring and addressing those risks. Creating a framework involves the following: identifying the depth and breadth of the types of risks an organization encounters; pinpointing when and how the company addresses those risks; and determining which part of an organization would be affected and/or responsible. The following is an example of an ERM framework that you can customize to your business’s unique structure and needs.
An enterprise risk management maturity model consists of two axes: desired business outcomes measured against investments and a timeline. Ideally, a strategic organization working on enterprise risk management will see its progress go up and to the right over time. As a company matures, so should its strategic implementation of risk management.
Some companies have done a good job in mitigating risk when dealing with threats. Tylenol faced a crisis in 1982 when an unknown person laced several Chicago-area bottles of the drug with potassium cyanide, resulting in at least seven deaths. The company immediately pulled all its products from retail shelves, restocking them only after creating the now-ubiquitous seal under the lid. Home Depot and Target immediately reached out to customers and the media when they learned credit-card data had been hacked and stolen. There was a clear disconnect between the organization’s goals and risk management on an operational level.