What is enterprise risk management (ERM)?
Enterprise risk management (ERM) is a strategic approach to identifying, assessing, preparing for, and remediating risk. Executed methodically, usually following frameworks, enterprise risk management applies strategically focused processes to reduce potential hazards that could negatively impact an organization’s objectives by causing operational or financial disruption.
Unlike traditional risk management, enterprise risk management:
- Considers risk across internal and external environments, circumstances, stakeholders, and systems.
- Drives risk management processes into all decisions throughout the organization.
- Gives division-level managers the flexibility to implement the applicable processes, while ensuring that they align with overarching strategies.
- Integrates all risk prevention and mitigation activities to address all areas of organizational exposure to risk (e.g., compliance, financial, governance, operational, reporting, reputational, and strategic) across the organization.
- Sees risk management as a competitive advantage.
- Takes a top-down, holistic approach rather than being handled at the division level, creating silos.
Organizations with effective enterprise risk management assign staff to oversee the execution of processes. This includes developing and maintaining core functions, such as:
- Infrastructure or framework
- Procedures and protocols
- Education and training
- Monitoring, measuring, and reporting
Enterprise risk management requires the ongoing assessment of risks and the implementation of suitable risk responses, such as:
- Acceptance or tolerance of a risk
- Avoidance or termination of a risk
- Reduction or mitigation of risk
- Transference of risk or sharing (e.g., with insurance)
Enterprise risk management processes
Enterprise risk management processes vary by the organization using them and the framework’s creator. Typical processes are outlined in these frameworks:
- The Committee of Sponsoring Organizations (COSO)
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), developed by Carnegie Mellon University
- Factor Analysis of Information Risk (FAIR)
- The National Institute of Standards and Technology’s Risk Management Framework (NIST RMF)
- ISO 31000: Risk Management
Elements included in enterprise risk management frameworks include:
- Strategy and objective setting
- Risk identification and categorization based on acceptance levels
- Risk assessment
- Likelihood
- Impact
- Velocity
- Preparedness
- Risk response
- Communication and monitoring
Benefits of enterprise risk management
Six of the most widely realized benefits of enterprise risk management are:
- Ability to respond quickly and effectively
- Awareness of risks facing the organization
- Efficient allocation of resources
- Enhanced overall security
- Improved compliance with legal, regulatory, and reporting requirements
- Increased efficiency and effectiveness of operations
Implementing enterprise risk management
Best practices to consider when implementing enterprise risk management include:
- Define the organization’s risk philosophy.
- Establish a risk strategy and action plans that align with the risk philosophy.
- Be clear about risk-related priorities and communicate them.
- Assign specific responsibilities for executing enterprise risk management plans.
- Maintain flexibility to enable agility when responding to evolving and new risks.
- Continually monitor known risks and indicators of potential risks.
- Measure enterprise risk management program results against KPIs.
Components of enterprise risk management
Enterprise risk management programs commonly follow established frameworks that detail core components. Two widely used enterprise risk management frameworks are:
- ERM – Integrated Framework—from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- A structured approach to ERM and the requirements of ISO 31000—from Airmic and the Institute of Risk Management IRM
Components of an enterprise risk management framework include the following, which help drive an organization’s program.
Control activities
Often referred to as internal controls, control activities are the policies, processes, and procedures an organization follows to manage and mitigate risk. There are two types of enterprise risk management control activities:
- Detective control activities identify when a risky activity or situation has occurred. This is triggered after the occurrence to alert management and other interested parties and ensure appropriate follow-up actions are taken. Examples of detective control activities are sounding an alarm or broadcasting messages with information about the incident.
- Preventative control activities stop a risky activity or situation from occurring. The objective of a preventative control activity is to proactively stop or mitigate risk before it becomes a material incident. An example of a preventative control is locking and controlling access to a room where sensitive systems or information are located.
Event identification
From an enterprise risk management perspective, only negative or potentially negative events are of concern, as these can disrupt or stop operations. Examples of events that organizations commonly have to consider are:
- natural disasters
- pandemics
- political unrest
- regulatory changes
- terrorist attacks
- technological failures
Information and communication
Information systems should be used to record and share data related to an organization’s risk profile and enterprise risk management program. This data helps optimize programs, identify vulnerabilities, and proactively mitigate risk.
An established communications plan for enterprise risk management helps increase buy-in and the efficacy of programs.
Internal environment evaluation
An organization’s leadership and employees are key to the internal environment, which is also referred to as corporate culture. The internal environment plays a crucial role in establishing the organization’s risk appetite and overall stance regarding handling risks. It is spearheaded by executive management teams and reflected through the actions of all employees.
Monitoring
Enterprise risk management should be subject to internal and external audits to assess performance. This should include a review of all policies, practices, and controls, as well as a review of any incidents.
Objective setting
Organizations are guided by their stated purpose, which is supported by a mission and goals. Once set, these objectives need to be aligned with the organization’s risk thresholds. Enterprise risk management programs and processes ensure that objectives are met within the confines of acceptable risk.
Risk assessment
Beyond raising awareness about potential issues, enterprise risk management should include guidance on how to assess risks and their potential impact on the enterprise. Risk assessments should include the direct risk and the residual effects.
Risk response
When risk is detected or escalates, organizations must be prepared to respond quickly and effectively. Enterprise risk management provides guidance on the processes for risk response, which fall into four categories:
- Avoidance
The organization can avoid risk by ceasing or not starting an activity that causes an unacceptable level of risk. - Reduction
The organization can reduce risk by taking proactive measures to minimize the chance or scale of a potential incident. - Distribution
The organization can share risk by leveraging an independent third-party organization to share the potential loss in exchange for compensation, such as a partnership arrangement or insurance policy. - Acceptance
The company can accept risk. This results in the company analyzing the potential outcomes and determining whether it is financially worth pursuing mitigating practices. An example of risk acceptance is the company keeping a product line with no changes to operations and risk sharing.
Potential enterprise risk management challenges
As a process, enterprise risk management lacks connections between risk and return.
Enterprise risk management and leadership teams often struggle to connect their risk mitigation efforts to strategic initiatives. This makes it difficult to measure return on investment (ROI) and creates gaps in risk visibility.
Enterprise risk management programs are guided by familiar risks.
One difficulty with enterprise risk management is looking past known risks that have occurred or are on the organization’s radar. Many organizations struggle to identify future risks; since they lack experience with them, they are unable to perceive them.
Enterprise risk management programs are resource intensive.
To be successful, enterprise risk management requires a significant amount of time and attention. Many organizations try to stretch existing positions to take on these responsibilities, often to the detriment of people’s primary job functions and/or the enterprise risk management program.
Enterprise risk management programs depend on management’s forecasts.
When enterprise risk management relies too heavily on management forecasts, risks can be over- or underestimated based on the fallibility of forecasting.
Enterprise risk management systems often lack visibility between silos.
Often risks slip between business units and other silos. These hard-to-detect risks can be overlooked by enterprise risk management as they fall outside of standard workflows that identify and establish responsibility for risks.
Enterprise risk management tends to focus on internal risks.
Traditional enterprise risk management efforts focus on identifying and responding to internal risks. This leaves organizations exposed to risks that emerge from outside the organization (e.g., market trends and competitors).
The holistic approach of enterprise risk management can encumber business units.
One of the benefits of enterprise risk management is its holistic approach. However, this can also be a detriment at the business-unit level as high-level umbrella policies and procedures are driven to lower levels of the organization where they may not be appropriate (at best) or can impede workflows (at worst).
Risks that enterprise risk management may score as low for one group may be higher for another.
Some risks affect parts of an organization in different ways. What is not a problem, when initially identified, can become an issue for other areas of an organization or may be amplified as it is overlooked.
Types of risk addressed by enterprise risk management
Enterprise risk management is intended to help organizations understand particular categories of risks, including the following, and implement processes to prevent or mitigate issues.
Compliance risks
Government and industry laws, regulations, and policies require organizations to follow strict rules or face financial, legal, or other penalties, making the risk of noncompliance a serious concern.
A particularly difficult aspect of enterprise risk management related to compliance is the continuously evolving landscape of rules, threats, and vulnerabilities that must be addressed.
Financial risks
There are many financial risks that enterprise risk management must address. Every organization has money flowing in and out; anything that can impact this is considered a risk. Because of its holistic approach, enterprise risk management is well-suited to address financial risks which are caused by factors that span the enterprise.
Health and safety risks
Worksite safety and the overall wellness of employees determine health and safety risks. COVID-19 or a harsh influenza season demonstrate that health risks can materially impact an organization’s operations. Another factor to consider with health and safety risks is mental health, which affects both individuals and the overall morale of employees.
Legal risks
The threat of lawsuits is rightfully is considered a significant risk. The ripple effects of legal issues can cause a variety of problems and expenses—tangible and intangible. Tangible effects of legal risks include costs (e.g., attorneys’ fees, penalties) and staff time (e.g., gathering and organizing related material). Intangible effects of legal risk include reputational damage and low organizational morale.
Operational risks
Despite its best efforts, an organization’s day-to-day operations still face risks posed by unexpected circumstances or accidents. These incidents can have short or long-term operational impacts that materially affect the organization. Operational risks can be caused by failed processes, people, systems, or external events.
Reputational risks
Damage to an organization can have far-reaching effects. Reputational damage can shake confidence in the company or anger employees, customers, partners, investors, and the public at large.
Security risks
Security risks abound, spanning physical (e.g., office buildings and manufacturing facilities) and digital assets (e.g., databases and servers). Security risks are posed by a range of sources, from petty criminals to cybercrime syndicates and from malicious insiders to nation-states. Failure to prevent security risks can have dire financial and operational effects.
Strategic risks
One of the more challenging risks to manage is strategic risk. This is because strategic risks are less tangible and harder to control than other risks. Strategic risks such as competition, new market participation, financial markets, and supply chain issues affect an organization’s long-term plan and success.
Enterprise risk management across the organization
Because enterprise risk management includes the entire organization, it helps instill risk management awareness into the culture. The result is that decisions are made and day-to-day operations are conducted with an eye on potential risks and how to avoid or mitigate them.
Consider the following while preparing to implement enterprise risk management:
- What are the main components or drivers of the organization’s strategy?
- What internal or external factors or events could slow or disrupt tactics for executing this strategy?
- Do existing systems and processes support achieving the stated goals and managing internal and external risks?
Organizations that embrace enterprise risk management realize material benefits. With risk top-of-mind across an organization, many small efforts add up to big results, and high-risk issues are often caught before they become big problems. In addition, enterprise risk management can help identify redundant or inefficient processes, ensure optimal staff use, reduce theft, and increase profitability by improving customer satisfaction and validating market strategies.
