Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potential for harm that may interfere with an organization’s operations and objectives and/or lead to losses.
What Is ERM and How It Works
ERM is a firm-wide strategy to identify and prepare for hazards in a company’s finances, operations, and objectives. ERM allows managers to shape the firm’s overall risk position by mandating certain business segments engage with or disengage from particular activities.
Traditional risk management, which leaves decision-making in the hands of division heads, can lead to siloed evaluations that do not account for other divisions. ERM takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide surveillance is given precedence. It also often involves making the risk plan of action available to all stakeholders as part of an annual report.
Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance have all shifted to ERM. ERM, therefore, can work to minimize firm-wide risk as well as identify unique firm-wide opportunities. Communicating and coordinating between different business units is key to ERM's success, since risk decisions coming from top management may seem at odds with local assessments on the ground.
Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm. While ERM best practices and standards are still evolving, they have been formalized through COSO, an industry group that maintains and updates such guidance for companies and ERM professionals.
ERM-friendly firms may be attractive to investors because they signal more stable investments.
There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities within the internal and external environment facing the enterprise.
Management selects a risk response strategy for specific risks identified and analyzed, which may include:
- Avoidance: exiting the activities giving rise to risk
- Reduction: taking action to reduce the likelihood or impact related to the risk
- Alternative actions: considering and deciding on other feasible steps to minimize the risk
- Share or insure: transferring or sharing a portion of the risk in order to finance it
- Accept: taking no action, based on a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.
Some of the most widely used ERM frameworks are:
Casualty Actuarial Society (CAS) Framework
In 2003, the Casualty Actuarial Society (CAS) defined ERM as “the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.”
The CAS framework groups risks by source, with examples such as:
- Liability torts, property damage, natural catastrophe
- Market risk (interest rate changes), credit risk (default), liquidity risk (cash flow)
- Fraud, theft, corruption, errors, systems failure, business interruption
It also describes the risk management process as a sequence of steps:
- Establishing the context
- Identifying risks
- Analyzing risks
- Evaluating risks
- Treating risks
- Monitoring risks
- Communicating risks
Committee of Sponsoring Organizations (COSO) Framework
The Committee of Sponsoring Organizations (COSO) is a joint initiative of five private sector organizations dedicated to providing thought leadership on enterprise risk management. COSO published its original framework on enterprise risk management in 2004 and updated it in 2017. The COSO framework defines ERM as “the culture, capabilities, and practices integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value.”
Its components include:
- Governance and culture
- Strategy and objective-setting
- Review and revision
- Information, communication, and reporting
- Risk, strategy, and objective integration
- Risk identification and assessment
- Risk response and execution
The COSO framework also provides a set of principles and examples for each component to help organizations implement ERM effectively.
Benefits of ERM
Successful ERM strategies can mitigate operational, financial, security, compliance, legal, and many other types of risks. Some of the benefits of ERM include:
- Aligning risk appetite and strategy: ERM helps managers evaluate the risk-reward trade-offs of their strategic choices and align them with the organization’s risk appetite.
- Enhancing risk response decisions: ERM provides a framework for selecting among alternative risk responses, such as avoiding, reducing, sharing, or accepting risks.
- Reducing operational surprises and losses: ERM enables organizations to identify and manage potential events that may affect their objectives before they become crises.
- Identifying and managing multiple and cross-enterprise risks: ERM facilitates a comprehensive and integrated view of the interrelated risks across the organization and how they may affect each other.
- Seizing opportunities: ERM helps managers recognize opportunities where the upside potential outweighs the downside risk.
- Improving capital allocation: ERM provides a basis for more efficient allocation of capital and resources based on risk-adjusted returns.
Challenges of ERM
Despite its benefits, ERM also faces some challenges in its implementation and practice. Some of the challenges include:
- Lack of clear ownership and accountability: ERM requires clear roles and responsibilities for risk management at different levels of the organization, as well as effective communication and coordination among them.
- Resistance to change: ERM may encounter resistance from managers or employees who are used to traditional risk management approaches or who perceive ERM as a threat to their autonomy or authority.
- Complexity and uncertainty: ERM involves dealing with complex and uncertain situations that may require sophisticated tools and techniques to analyze and evaluate risks.
- Cost and resource constraints: ERM may require significant investment in time, money, and human resources to develop and maintain an effective system.
- Balancing compliance and value creation: ERM should not be seen as merely a compliance exercise, but rather as a strategic tool for creating value for the organization.
In conclusion, enterprise risk management is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potential for harm that may interfere with an organization’s operations and objectives and/or lead to losses.
ERM has various frameworks that guide its implementation and practice, such as the CAS framework and the COSO framework. ERM can provide many benefits for organizations, such as aligning risk appetite and strategy, enhancing risk response decisions, reducing operational surprises and losses, identifying and managing multiple and cross-enterprise risks, seizing opportunities, and improving capital allocation.
However, ERM also faces some challenges, such as a lack of clear ownership and accountability, resistance to change, complexity and uncertainty, cost and resource constraints, and balancing compliance and value creation.
ERM is an evolving discipline that requires continuous improvement and adaptation to changing environments. Organizations that adopt ERM can gain a competitive advantage by managing risks effectively.
Frequently Asked Questions (FAQ)
What are the four components of enterprise risk management?
The four components of enterprise risk management are:
- Risk identification: the process of identifying the sources and types of risks that may affect the organization.
- Risk analysis: the process of assessing the likelihood and impact of the risks, and prioritizing them based on their severity.
- Risk response: the process of selecting and implementing the appropriate strategies to avoid, reduce, transfer, or accept the risks.
- Risk control: the process of monitoring and reviewing the risks and the effectiveness of the risk response strategies.
What are the key concepts of enterprise risk management?
Some of the key concepts of enterprise risk management are:
- Risk: the effect of uncertainty on objectives, which can be positive or negative
- Risk appetite: the amount and type of risk that the organization is willing to take to achieve its objectives
- Risk identification: the process of finding, recognizing, and describing the risks that may affect the organization
- Risk analysis: the process of understanding the nature, sources, and causes of the risks, and estimating the likelihood and impact of the risks
- Risk evaluation: the process of comparing the results of risk analysis with the risk criteria to determine the significance and priority of the risks
- Risk treatment: the process of selecting and implementing the appropriate strategies to modify the risks, such as avoiding, reducing, sharing, or accepting them
- Risk monitoring: the process of tracking, reviewing, and reporting on the performance and effectiveness of risk management activities and controls
- Risk communication: the process of exchanging information and views among stakeholders about risk management issues and outcomes
Who is responsible for ERM?
The responsibility for ERM is shared among different levels and roles within the organization but ultimately rests with the Board of Directors. Some of the key roles and responsibilities for ERM are:
- Board of Directors: The Board of Directors is responsible for setting the tone and culture of risk management within the organization and ensuring that the ERM process is properly implemented and managed. They are also responsible for approving the risk appetite, overseeing the risk governance structure, and reviewing the risk reports and performance.
- Chief Executive Officer: The CEO is responsible for leading the ERM process and ensuring that it is aligned with the organization’s vision, mission, and strategy. They are also responsible for communicating the risk appetite, promoting a risk-aware culture, and allocating resources for risk management.
- Chief Risk Officer: The CRO is responsible for designing, implementing, and coordinating the ERM process across the organization. They are also responsible for identifying, assessing, and reporting on the key risks, developing and monitoring the risk response strategies, and providing guidance and support to other managers on risk management issues.
- Other Executives and Managers: Other executives and managers are responsible for integrating risk management into their daily operations and decision-making. They are also responsible for identifying, assessing, and managing the risks within their areas of responsibility, implementing the risk response strategies, and reporting on the risk status and performance.