Successfully managing risk is key to running a modern business. However, the traditional way in which many businesses have been managing their risk might be outmoded and counterproductive.
Another way to manage risk that’s been increasing in popularity is enterprise risk management (ERM). In this article, we discuss what enterprise risk management is and how to set up an ERM program at your business.
Defining enterprise risk management
So, what’s enterprise risk management?
Enterprise risk management (ERM) is a methodology that strategically examines risk management from the perspective of the entire firm or organization.
In other words, enterprise risk management is a top-down approach that seeks to identify, evaluate, and prepare for potential losses, dangers, hazards, and other risks that could impact an organization’s operations and goals, potentially leading to losses.
Is enterprise risk management just risk management?
Isn’t that just risk management?
Not at all. Enterprise risk management expands the conventional category of risk itself to define risk as anything that can prevent a company from achieving its objectives.
So, what’s risk management, then?
Risk management is the field concerned broadly with identifying, analyzing, evaluating, and treating loss exposures and monitoring risk controls and financial resources to mitigate the adverse effects of loss.
Within that field, enterprise risk management focuses on enabling management to identify, assess, and manage risks in the face of uncertainty.
Effected by an entity’s board of directors, senior management, and other strategic personnel, enterprise risk management is a process, applied in strategy setting and across the enterprise.
How does enterprise risk management differ from traditional modes of risk management?
The spectacular takeoff of enterprise risk management as a mode of risk management speaks to some of the common frustrations with traditional ways of risk management.
What are those? Well, organizations have typically placed their business unit leaders in charge of managing risk within their domains of expertise.
Makes sense, of course. Who better to manage financial risk than the CFO? Or technology risk than the CTO?
Challenges with traditional risk management practices
This “stove-pipe” approach, however, isn’t without its challenges. The most significant being:
Risks fall between silos
Risks don’t line up neatly within organizational structures. If they did, risk management itself would be far easier. The traditional approach to risk management leaves businesses unprepared to manage risks that fall between siloes.
Risks affect silos differently
More problematic still, risk might impact different business units well, differently. One business unit might be prepared to incur the observed risk, considering it relatively minor, where that same risk might be systemic to another business line.
Risk decisions made without consideration to the whole
When business unit owners make risk decisions for their own unit in a silo, those decisions rarely reference the business as a whole. Indeed, certain risk controls exercised at the departmental level might actually be deleterious to wider organizational goals.
Decisions made without consideration to strategic planning
A similar limitation is that traditional risk management is often divorced from strategic planning. Risk controls might even have the effect of actually introducing new risks that hadn’t previously been considered by traditional siloes.
Decisions made without consideration for external context
Individual business unit owners also tend to focus on internal risks, i.e., risks arising within the walls of the business. However, external risks – from public health to supply chain to severe weather – can have just as much (or more) impact on the business but are too often ignored.
The trend toward enterprise risk management
With the rise of external risk, business leaders have begun to cotton on to the pitfalls inherent in the way they were previously doing risk management. This awareness has caused a trend toward enterprise risk management as a better means of strengthening organizational risk oversight.
To those who have implemented ERM, what have their objectives been?
Well, the goal of ERM is to develop a holistic view of the most salient risks to the company’s most important goals. Following this logic, businesses who’ve implemented ERM have taken a top-down rather than bottom-up approach.
That approach has required management-level decision making and firm-wide surveillance rather than decision-making and responsibility at the individual business unit level. To that end, the broad goals of enterprise risk management include:
- Aligning risk appetite and strategy
- Enhancing risk response decisions
- Reducing operational surprises and losses
- Identifying and managing cross-enterprise risks
- Providing integrated responses to multiple risks
- Seizing opportunities
- Improving deployment of capital
Top of Form
8 elements of enterprise risk management
Building on those goals, enterprise risk management is designed to (1) identify potential events that may affect the business and (2) manage those risks so they remain within the entity’s risk appetite, thereby providing reasonable assurance regarding the achievement of entity objectives.
How are those enterprise risk management goals realized?
A series of components go into enterprise risk management. The COSO Framework, a system used to establish internal controls to be integrated into business processes, lays out the following eight components of enterprise risk management. We cite them, here:
1. Internal environment
Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people – their individual attributes, including integrity, ethical values, and competence – and the environment in which they operate.
2. Objective setting
Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event identification
Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities, and those that may be both. Opportunities are channeled back to management’s strategy or objective-setting processes.
4. Risk assessment
Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact.
5. Risk response
Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risk. From these management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control activities
Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and communication
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
That information is needed at all levels of an entity for identifying, assessing, and responding to risk. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Personnel receive clear communications regarding their role and responsibilities.
8. Monitoring
The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management, or a combination of the two.
Enterprise risk management best practices
How do those components get operationalized at an organizational level, though?
Here we are talking about enterprise risk management practice. Per the very terms of ERM, no two businesses can apply enterprise risk management in the same way; their capabilities and needs will just be too different.
However, by looking at the scholarship and anecdotal data, we can tease out a few leading practices for implementing ERM at your business. Those practices include:
Define a risk philosophy
Seems esoteric. But before adopting any practices, a company should determine its overall approach to risk. This will be its risk management strategy.
Developing such a strategy will require discussions between management and the board. It will also necessitate a comprehensive analysis of the company’s risk profile.
Develop action plans
From there, companies must kick into action with a plan. That action plan should be a broad framework of the necessary steps it will take to safeguard assets and ensure the organization’s future following the analysis of the company's risk profile.
The best ERM practitioners allow for different voices during the planning process; that way a wider range of potential challenges are contemplated. This will come in handy in terms of anticipating multiple scenarios (e.g., global pandemic) and planning accordingly.
Communicate priorities
The best part of risk planning is communication. There’s little use in identifying high-priority risks without clearly communicating them so they are broadly understood as risks that must be addressed under any circumstance.
Assign responsibilities
Planning must lead to action, though. To that end, specific employees should be tasked with specific roles to execute aspects of the plan and be held accountable for their assigned areas of risk.
Update plans when necessary
However, the plan shouldn’t remain static. Practices must adapt to the dynamic risk climate.
Leverage digital technology
To manage the risk management lifecycle, risk management software should be deployed. These platforms will help facilitate the implementation of internal controls or the collection of data to assess performance against risk practices (More below).
Continuously monitor
Organizations must follow up on the performances of practices once they are put into action. This involves monitoring progress toward goals, ensuring the mitigation of specific risks, and verifying that employees are fulfilling their duties as expected.
To that end, a company should establish a set of metrics to quantitatively assess whether it’s meeting its objectives.
Digital software to manage risk
A few more words on the importance of digital technology in the management of risk.
Indeed, we find from the data that companies looking to bring automation to the management of potential risks that could cause failures or disruptions to their normal operations do best with centralized resilience workspace software.
These workspaces provide a holistic view of risks, streamline operational risk-related processes, and foster effective stakeholder collaboration and communication.
Key features to look for in digital risk management software
What features to consider, specifically? We recommend the following:
Objectives
Align risk management initiatives with organizational objectives to ensure risks are managed in a way that aligns with your objectives so you can effectively manage threats and capitalize on opportunities.
Risks and Controls library
Get a head start with a pre-existing library of potential operational risks and corresponding control measures, inspired by the best industry practices to save time in recognizing and recording operational risks.
Audits
Gain oversight into the ongoing management of risk controls as they are implemented and maintained in your operational environment, using scheduled audits that personnel can complete from anywhere, on any device.
Reporting
Create custom reports that summarize historical data with charts, recommendations, and sign offs. Export these as PDF or Word documents and share with stakeholders and executives to enable them to make informed decisions, manage threats, and benefit from opportunities.
Obligations
Keep track of your compliance obligations with ease using a centralized register that enables you to monitor breaches and collaborate with your team to ensure compliance throughout your organization.
Risk assessments
Proactively identify, assess, and manage operational risks through a centralized workspace that provides a holistic view of risks, and streamlines risk assessment processes while fostering effective stakeholder collaboration and communication.
Document management
Streamline the risk document management process by leveraging centralized document management functionality to ensure personnel have the right information at their fingertips.
Analytics
Consolidate data to gain valuable insights and visualize it through interactive dashboards, charts, risk matrices, and maps in real-time, from any device.
Finally, the business world is shifting toward a more top-down approach to risk management, deploying a methodology that looks at risk management strategically from the perspective of the entire firm or organization.
Looking for software that can help you develop such an integrated approach to managing risk across your organization and its extended networks? Consider Noggin’s next-gen risk management software.
If you’re keen to take a closer look, request a demo of Noggin!