In today's dynamic business environment, risk management has emerged as a critical function for organisations aiming to achieve sustainable growth and maintain a competitive edge. At Metyis, we believe in harnessing the power of risk for sustainable growth, improved operating efficiency, and a strengthened competitive advantage.
There is a clear tendency for companies to place such functions at the very core of the business, normally under the direct supervision of the CEO/CFO or an external supervisory board. Enterprise Risk Management, or ERM, involves identifying, assessing, and mitigating risks that could potentially impact an organisation's objectives. By proactively managing risks, businesses can not only protect their assets but also create quantifiable value with direct impact on the company’s P&L.
This article aims to highlight the importance of Enterprise Risk Management as a source of quantifiable value creation. It will explore how effective risk management practices can lead to measurable benefits, such as cost savings, improved efficiency, enhanced reputation, and ultimately as a lever for corporate transformation.
Understanding enterprise risk management and the risk natures in play
Risk management is the process of identifying, assessing, and controlling threats to an organisation's capital and earnings. These threats, or risks, could stem from various sources, including financial uncertainties, legal liabilities, strategic management errors, accidents, and natural disasters. The scope of risk management encompasses a wide range of activities, from risk identification and assessment to the implementation of risk mitigation strategies.
The concept of risk management has evolved significantly over time. Initially, it was primarily focused on financial risks and insurance. However, with the increasing complexity of the business environment, the scope of risk management has expanded to include operational, strategic, and reputational risks. Today, risk management is a comprehensive discipline that integrates all aspects of an organisation's operations.
At Metyis we have a deep understanding of the critical risk natures that affect an organisation, which need to be reviewed and incorporated within defined ERM evaluation and monitoring processes:
Operational
Stems from failures in processes, systems, people, or external factors that affect daily operations, such as inefficiencies, errors, or disruptions that impact the delivery of products or services.
Market
Subcomponent of financial risk involving fluctuations in market prices, such as rising commodity prices, which can affect the value of the company’s financial assets and its ability to generate revenue.
Legal & Compliance
Arising from changes in the political or regulatory environment, associated with failing to comply with laws, regulations, internal policies, or contracts.
Financial
Related to the organisation’s financial health, including its ability to properly manage income, expenses, assets, and liabilities. Can affect both short- and long-term financial stability and profitability.
Strategic
Affects the organisation's ability to achieve its long-term strategic objectives. Usually arises from key decisions about the organisation's direction, expansion, innovation, or competitiveness related to new business lines, products, and services.
Human
Risks related to people management in the organisation, including talent availability, motivation, behaviour or organisational culture, which can affect productivity and operational efficiency.
Safety & Security
Related to the physical security of the organisation's assets, people, and facilities. This includes threats of violence, theft, sabotage, or natural disasters that endanger physical integrity.
Technology
Arising from the use, implementation, or failure of technologies within the organisation. As companies become more reliant on technology, technology risks have become more critical.
Cybersecurity
Related to the potential for unauthorised access, damage, or theft of data, networks, or systems due to cyberattacks, vulnerabilities, or failures in information security practices.
Reputational
Risks that can damage the organisation’s reputation and public image, affecting its relationships with customers, investors, employees, or the general public.
Social & Environmental
Resulting from environmental factors, such as climate change, pollution, or depletion of natural resources, which can affect the organisation’s operations or long-term sustainability.
ERM functions are evolving from compliance and reporting units into organisational transformation and value creation functions. Within this context, clear guidelines and mitigating actions directly contribute to enhancing companies' operations and shielding them from negative externalities caused by the market and industry in which they operate.
This reflects a shift in how we view ERM functions, moving from a non-integrated, business continuity-focused model to an integrated, value creation-driven model to ensure reliability, simplicity, and efficiency.
Graphic 1 – ERM operating model evolution
Our own methodology and proven path towards effective ERM
Through our deep experience, we have been able to craft our own methodological framework, combining best industry practices and methodologies, including ISO 31000 and COSO, directing the company towards Business Continuity Assurance, Value Creation, and Transformation.
Our methodological approach to risk management is designed to ensure comprehensive coverage and integration across five key dimensions: Governance & Culture, Strategy & Value Creation, Performance & Transformation, Review & Revision, and Information Communication & Reporting. Each dimension plays a crucial role in fostering a robust risk management framework that supports sustainable growth and competitive advantage aligned with a company’s vision and strategic objectives.
By engaging the board in risk oversight, defining clear operational structures, and attracting capable personnel committed to core values, we establish a strong foundation for effective risk management. Integrating risk management into strategic planning is essential for aligning risk considerations with the organisation's objectives. By analysing the business context, defining risk appetite, and setting measurable goals, we ensure that risk management is embedded in the organisation's strategy. This proactive approach helps identify and prioritise risks that could impact performance, allowing for the development of appropriate mitigation strategies. Continuous improvement is achieved through regular assessment of changes in the internal and external environment, ensuring that risk management practices remain relevant and effective.
Effective communication and reporting of risk information are vital for supporting informed decision-making. Leveraging information technology, we ensure that stakeholders are kept informed about risk, culture, and performance. This structured approach enables organisations to create quantifiable value through effective risk mitigation and strategic planning. By integrating these dimensions into the overall business framework, organisations can achieve sustainable growth and maintain a competitive edge.
1. Governance & Culture
Establishes governance and a risk-awareness culture, involving board oversight, clear structures, and retaining capable personnel.
Dimensions
Exercises board risk oversight
Establishes operating structures
Defines desired culture
Demonstrates commitment to core values
Attracts, develops, and retains capable individuals
2. Strategy & Value Creation
Integrates risk management into planning by analysing context, defining risk appetite, and setting measurable objectives.
Dimensions
Analyses business context
Defines risk appetite
Evaluates alternative strategies
Formulates strategic objectives
3. Performance & Strategy
Focuses on identifying, assessing, and prioritising risks, and on responding to them with appropriate strategies.
Dimensions
Identifies risk
Assesses severity of risk
Prioritises risks
Implements risk responses
Develops a portfolio view
4. Review & Revision
Emphasises continuous improvement by assessing changes and reviewing risk performance.
Dimensions
Assesses substantial change
Reviews risk and performance
Pursues improvement in enterprise risk management
5. Information Communication & Reporting
Communicates information throughout the entity to support comprehensive reporting.
Dimensions
Leverages information systems
Communicates risk information
Reports on risk, culture, and performance
The role of risk management in value creation
The first step in risk management is identifying potential risks that could affect the organisation. This involves a thorough analysis of the internal and external environment. Once risks are identified, they are assessed based on their likelihood and potential impact. This assessment helps prioritise risks and allocate resources effectively. At Metyis, we have a distinctive path towards identifying and assessing each of the identified risks with a 4-step methodological approach to estimate Risk Exposure Level, from risk enrichment and RPN estimation to risk matrix formulation.
Graphic 2 – 4-step methodological approach to estimate Risk Exposure Level
Various strategies can be employed to mitigate risks. These include direct impact mitigation, through direct changes at the organisational level, on company operations, and pre-established ways of working; diversification, which spreads risk across different areas; hedging, which protects against price fluctuations; and insurance, which transfers risk to a third party. Implementing these strategies can help reduce the potential negative impact of risks.
Our approach covers mitigation measures used to reassess net and residual risks, which have been integrated into the transformation plan, creating a unified roadmap for execution.
Graphic 3 – Our approach to risk mitigation
Effective risk management leads to several quantifiable benefits. For instance, by mitigating financial risks, organisations can achieve cost savings and protect their bottom line. Operational risks, when managed effectively, can lead to improved efficiency and productivity. Additionally, managing reputational risks can enhance an organisation's brand value and stakeholder trust.
The impact of risk management
In summary, risk management is a critical function that can lead to quantifiable value creation. By identifying, assessing, and mitigating risks, organisations can achieve cost savings, improve efficiency, and enhance their reputation. At Metyis, we have the necessary skills and capabilities to accompany your organisation towards full ERM design, deployment, and adoption with a robust methodology and an experienced team of consultants.
Three key elements are considered in the design of the ERM model to ensure effective integration of risk management into daily operations, supported by a governance framework based on the three lines of defence.
1. Processes, Policies & Tools
A streamlined and supervised risk management cycle, powered by the ERM model, enhances data visualisation and modelling capabilities. It relies on a centralised risk matrix, automated data collection, and standardised steps for the identification-to-mitigation process.
2. People & Capabilities
A results-oriented specialised hybrid team is formed by combining diverse skills and expertise to achieve organisational goals. Measurable results are delivered, cross-functional collaboration is fostered, and agile methodologies are adopted for flexibility.
3. Governance & Metrics
Proactive governance with three lines of defence is structured with risk ownership at the operational level (first line), supported by management oversight (second line) and audit (third line). Data and metrics are used to improve transparency and continuously improve process efficiency.
The future of risk management looks promising, with advancements in technology providing new tools and techniques for managing risks. As organisations continue to navigate an increasingly complex business environment, effective risk management will remain essential both to ensure business continuity and to drive value creation and inside-out transformation.
Businesses are encouraged to adopt robust ERM practices to achieve desired financial growth and create quantifiable value with direct linkage to a company’s P&L. By doing so, they can protect their assets, enhance their operations, and build a strong foundation for future success. We believe in ensuring business continuity and asset preservation in the short term and creating value in the mid term by deploying a reliable risk model designed to capture transformation levels aligned with strategic objectives.
About the authors behind the article
Francisco Ruiz is a Partner based in Barcelona. Miguel Donetch is a Strategy & Execution Principal based in Madrid.