Enterprise Risk Management Practices in Nigeria

By: Samuel Temitope Apanisile B.Sc., MFP, CIPM, ACIMFA, ACCB, Enterprise Risk Management CP
National Coordinator of Nigeria – Enterprise Risk Management


Nigeria is not exempt from the current volatility, uncertainty, complexity and ambiguity in the world today. It needs a holistic and structured approach to running and managing ventures (public agencies, private corporations and their projects).

The risk management of everything cannot be overemphasized in Nigeria, especially with the consequences of the deficit economy that we are currently experiencing. Interestingly, a lot of unintended consequences have been experienced in the past as a result of our government policies.

We have just elected and sworn in a new president in Nigeria. It is highly advised that His Excellency’s cabinet understands how to guard against unintended consequences of government policies (when the cure is more deadly than the disease). Risk management is clearly an important factor in ensuring venture, business, and project success at all levels.

But how can an organization, private or public, tell whether its risk management is good enough? It seems that many banks and insurance companies are establishing Enterprise Risk Management departments merely for regulatory reasons. Energy and manufacturing companies see their health and safety departments as their mirror of enterprise risk management, while IT and telecommunication companies see system audit, revenue assurance and security management as their pillars of Enterprise Risk Management.

I shall evaluate Enterprise Risk Management practices in Nigerian organizations in the light of the risk practice maturity model, which provides a framework to benchmark capability and compare existing approaches with best practice through four levels of increasing risk capability: Naive, Novice, Normalized, and Natural.

Take note that “organization” in this article comprises private and public establishments. Now, let’s enumerate the capabilities in turn:

  1. The Naive risk organization is unaware of the need for risk management, and has no structured approach to dealing with uncertainty. Management processes are repetitive and reactive, with little or no attempt to learn from the past or to prepare for future threats or opportunities.
  2. The Novice risk organization has begun to experiment with risk management, usually through a small number of nominated individuals, but it has no formal or structured generic processes in place. Although aware of the potential benefits of managing risk, the Novice organization has not effectively implemented risk processes and is not gaining the full benefits.
  3. In the Normalized risk organization, risk management is built into routine business practice. Generic risk processes are formalized and widespread, and the benefits are understood at all levels of the organization, although they may not be fully achieved in all cases.
  4. The Natural risk organization has a risk-aware culture, with a proactive approach to risk management in all aspects of the business. Risk information is actively used to improve business processes and gain competitive advantage. An integrated multi-level risk process is used to manage opportunities as well as threats.

Each of these practice maturity levels can be defined using four attributes of Culture, Process, Experience and Application to evaluate Enterprise Risk Management practices in Nigeria:

  1. At Level 1 “Naive”: the culture of 60% of Nigerian organizations is resistant to change and the need for risk management is not recognized. There are no risk processes, no experience of using risk management and no application to projects or the business.
  2. At Level 2 “Novice”: the organization’s culture tends to see risk management as an overhead and is not fully convinced of its benefits. Processes are ad hoc and their effectiveness depends on the limited experience of a few key individuals who have little formal training. Risk management application is inconsistent and patchy. Another 31% of Nigerian organizations fall under this category.
  3. At Level 3 “Normalized”: risk management is embedded into the organization’s operation. These organizations have a culture that recognizes the existence of risk and they expect to reap benefits from managing it. Generic and formal processes are in place with the necessary resources available, and staff have adequate experience and expertise to undertake effective risk management. Application is routine and consistent. We have 9% of Nigeria’s Enterprise Risk Management establishments falling under this category.
  4. At Level 4 “Natural”: Now, you don’t need to be surprised that no private or public organization in Nigeria has a risk-aware culture that drives the organization into proactive risk management, seeking to gain full advantage from its uncertain environment. No private or public organization in Nigeria has best-practice processes that are implemented at all levels of the business, with regular updating, active feedback and learning. No private or public organization in Nigeria has all its staff appropriately managing risk processes, let alone application which is supposed to be widespread and second-nature across all areas in the organizations, though I stand to be corrected.

On a closing note, the Ibrahim Index of African Governance (IIAG) ranked Nigeria 37th in 2014 across the Safety & Rule of Law, Participation & Human Rights, Sustainable Economic Opportunity and Human Development categories. Interestingly, all these categories and pillars can be at risk at any time. Hence, risk management is too important for us to do it poorly, whether at the continental, country or organizational level.

We need to assess and monitor our risk management capability, compare ourselves with best practice, identify areas of shortcoming that require improvement, and keep developing. Risk maturity models like RMM provide a valuable framework for such assessments. They can help organizations to benchmark risk management capability, design a structured path to improvement, and measure progress towards the goal of enhanced risk management effectiveness.

The interesting thing is that you cannot practice Enterprise Risk Management without people. I see enterprise risk management as the art of thinking for the 21st century and especially for Nigerians. I personally think that everyone needs to add risk to their job titles. We want to make everyone in Nigeria an architect of strategic change, since that is the political slogan of the new Buhari government.

To summarize the whole thought, risk management implementation is desired to bring improvement in the following areas:

  1. Financial Outcomes, e.g. higher profits, decreasing waste, simplifying bureaucracy.
  2. Marketplace Outcomes, e.g. enhancing market share, driving competitive advantage, increasing customer service & satisfaction, delivering better customer value, implementing new product/service, developing strategic alliances or partnerships.
  3. Employee Outcomes, e.g. changing the employee culture, enhancing safety.
  4. Society Outcomes, e.g. protecting and enhancing the environment, growing social reputation, increasing commitment toward community, contributing to solve global issues.

As noted earlier, most large public companies in Nigeria have implemented Enterprise Risk Management. In some cases, the reasons involve government regulations, rating agencies, or stock exchange requirements. Others have executed a risk management strategy simply because it makes tremendous sense. After all, Enterprise Risk Management is all about culture. When strategy and culture meet, culture always wins.

In the end, the essence of enterprise risk management is to understand and improve the way an organization works.