How Key ERM Processes And Activities Can Protect Your Business


Enterprise risk management (ERM) enables a business to deal effectively with uncertainty and its associated risk and opportunity, enhancing capacity and building value, and is crucial to an organisation’s continued growth and success. This can only be achieved if all three elements of risk – threat, uncertainty and opportunity – are recognised and managed accordingly.

An organisation should adopt a strategic, consistent and structured approach to ERM to achieve an appropriate balance between realising opportunities for gains and minimising losses.

1. Communication and consultation

For the ERM process to be effectively integrated into business operations, a business must establish internal communication and reporting mechanisms to encourage risk accountability and ownership. Management must also embed a culture of risk awareness at all levels.

2. Risk identification

This starts with understanding your business’s goals, objectives and strategy. During the risk identification process, external factors such as social, technological, economic, environmental and political factors should be considered.

3. Risk assessment

A business must develop an understanding of the potential impact risks may have should they occur. A risk assessment evaluates the potential impact and the likelihood of occurrence, which are then combined to produce an inherent risk rating.

Impact refers to the extent a risk event might affect the organisation, and impact assessment criteria may include financial, regulatory, reputational, stakeholder, customer, environmental, health, safety and operational fields.

Likelihood represents the possibility that a given event will occur. This can be expressed in qualitative terms (almost certain, likely, probable, possible, unlikely), as a percentage of the probability, or as a frequency.

4. Control identification and assessment

Controls mitigate gross risks to a level that is acceptable. They may either be a single control activity capable of mitigating the risk, or a number of control activities in combination that mitigate risk to an acceptable level.

To facilitate risk assessment, the following can be used to assess current control effectiveness:

  • Design adequacy (adequate or inadequate control): This step assesses whether the control addresses the underlying condition or cause and whether the cost of implementing it is reasonable for the resulting risk reduction.
  • Implementation effectiveness (effective or ineffective control): This step determines whether the control functions as it should in implementation and execution. For example, an inherent risk assessed as ‘4-Likely’ or ‘3-Moderate’ impact rating will have its controls re-assessed. If a control reduces the likelihood of the event to a ‘2-Possible’ rating, the risk exposure is reduced from an inherent ‘High’ to a ‘Moderate’ risk rating.

5. Key risk indicators

KRIs can be a key tool in identifying risk before it materialises, and an effective detection tool for monitoring performance against risk appetite.

KRIs for each of an organisation’s top risks must be mapped, measured at specific pre-defined frequency intervals, and measured against defined thresholds. They must be able to generate values that are measurable at a point in time, indicate a potential change to the likelihood and/or impact of a specific risk, and generate meaningful management information, specifically the trending of the risk exposure.

6. Monitoring and reporting

This process tracks the current status of the risk profile, detects changes in risk context and ensures controls are adequate in both design and operation. Risk reporting ensures that relevant board and management structures are informed of key risks, and that appropriate actions are being taken.

Sasria SOC Limited
Formed in 1979, Sasria is a short-term insurance company wholly owned by the state and reporting to National Treasury to provide insurance cover for political risks and non-political perils like strikes or labour disturbances. As a state-owned company, Sasria has a specific strategic mandate that is prescribed and informed by the Reinsurance of Damages and Losses Act of 1989, the Conversion of Sasria Act of 1998, and continuous engagement with National Treasury.