In today's interconnected global environment, a single event can have serious ripple effects. Taking stock and reacting after the fact may just be too late.

Take the automobile industry, for example, which is facing serious global disruptions to its supply chain after the earthquake and tsunami which hit Japan on March 11. Undoubtedly some of the component suppliers in the chain will go out of business.

Corporate risk therefore has received unprecedented global exposure, with governance organizations, stock exchanges, the media, ratings agencies and stakeholders sharpening their focus on enterprise risk management (ERM) and its role within companies today.

As the leading approach to managing and optimizing risks, ERM determines how much uncertainty is acceptable within an organization, providing businesses with a comprehensive and strategic risk analysis.

By adopting ERM, a business gains the ability to align its risk "appetite" and tolerance with its business strategy. As a result, management can better manage risk "opportunistically"- they can identify events that could have an adverse effect, determine whether the benefits outweigh the risks and develop an action plan to manage them. In other words, proper risk management allows organizations to examine and evaluate opportunities and create value by taking risks carefully.

With risk management making headlines, discussions regarding ERM implementation have gained momentum as boards pressure management to minimize unanticipated surprises and systemic risks, and to make sure that those uncertainties are handled appropriately.

For those considering establishing an ERM program at any level, here are some points to keep in mind:

1. Start at the top. Critical to the development of ERM is program leadership, which should begin at the top of an organization with executive management and cascade down into a company's business units.

2. Develop a manageable "risk universe". Once leadership has been determined, management should conduct an enterprise risk assessment to identify the organization's most critical risks and determine the risk universe. An enterprise risk assessment should examine risk areas including financial risks, legal and regulatory risks, operational risks and strategic risks.

3. Create an action plan that builds on the business' capabilities. After finalizing the risk universe, companies should create an action plan that clearly defines and prioritizes each risk and identifies activities for managing these risks effectively. The key is to keep this effort as simple as possible. A business should first look at its existing business processes, rather than inventing new activities, to create a risk management inventory that identifies functions or processes that are often already in place.

4. Evaluate risk management activities with the business' resources and needs in mind. After evaluating its existing processes, management must then decide how much added capacity - if any - is needed to achieve the business' risk management objectives, by performing a gap analysis of its current and desired capabilities.

Management may also need to weigh the expected costs of improving its capabilities against the benefits, choosing to implement only those activities of most value. This process should be ongoing, whereby changes, threats and potential obstacles are addressed on a regular basis. In addition, even if a program is working well, an organization should continue to review its practices, evaluating what works and what doesn't and making adjustments accordingly.

Whether or not ERM is currently on your business' to-do list, it is important to remember that ERM is achievable when focus and discipline are applied - building on what works, enhancing what is already in place and standardizing wherever possible.

The author is a partner for advisory services at accounting and consulting group Grant Thornton Jingdu Tianhua. The opinions expressed here are entirely his own.

(HK Edition 05/19/2011 page2)