What is Enterprise Risk Management (ERM)
Enterprise risk management (ERM) is a process used by organizations to identify, assess, and prioritize potential risks to their overall operation. It is a comprehensive approach to risk management that involves all levels of an organization, including the board of directors, senior management, and front-line employees. It includes both internal and external risks, and covers a wide range of potential hazards, including financial, operational, legal, and reputational risks.
The goal of ERM is to minimize the impact of potential risks on an organization’s ability to meet its objectives, while maximizing the opportunities to achieve its goals.
The Importance of Enterprise Risk Management
ERM is crucial for organizations of all sizes and industries, as it helps them to minimize the impact of risks on their operations and achieve their goals. Organizations that implement ERM are more likely to have a better understanding of their risks and to make informed decisions about how to manage them. For example, a company that implements ERM can proactively identify and mitigate risks associated with supply chain disruptions, product launches, and cybersecurity threats. Thats how the role of Enterprise Risk Management can help the company achieve its financial and operational objectives, as well as enhance or protect its reputation.
It is important to note that ERM is not a one-time process, but rather an ongoing effort to identify, assess, and manage risks. The ERM process is iterative and flexible, so it can adapt to changes in the organization and its environment.
Importnace of Enterprise Risk Management
Different Frameworks for Enterprise Risk Management
To ensure that ERM practices are effective and systematic, organizations can use established frameworks such as ISO 31000 and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as guidance. In this article, we will explore the key elements and benefits of these two frameworks for ERM.
I. ISO 31000: A Global Framework for ERM
ISO 31000 is an international standard for ERM that provides organizations with a comprehensive framework for managing risks effectively. The standard defines ERM as
“a process, composed of interrelated policies, procedures, and practices, carried out by an organization’s board of directors, management, and other personnel, applied in a systematic and ongoing manner, to identify potential events that may affect the organization, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of its objectives.”
Here are the six key components of ERM as per ISO 31000:
- Establishing the context: This involves defining the risk management objectives, scope, and criteria for the organization. It also involves considering the external and internal factors that could impact the risk management process.
- Identifying risks: This involves identifying potential risks that could impact the organization’s objectives. This can include risks related to operations, financial performance, reputation, and other areas.
- Analyzing risks: This involves evaluating the likelihood and impact of the identified risks and determining their significance. This can help organizations prioritize the risks that require the most attention.
- Evaluating risks: This involves considering the risks in the context of the organization’s risk tolerance and risk appetite and deciding on an appropriate response to each risk.
- Treating risks: This involves implementing strategies to manage risks effectively. This can include mitigating risks, transferring risks, or accepting risks.
- Monitoring and reviewing: This involves monitoring the effectiveness of the risk management process and making any necessary adjustments. This can include regularly reviewing risk management policies and procedures and conducting internal audits.
In addition to the risk management process, ISO 31000 also provides guidance on other important aspects of ERM, such as risk culture, risk communication, and risk leadership. By adopting the principles and practices outlined in ISO 31000, organizations can ensure that their ERM practices are systematic, integrated, and effective.
II. COSO: A Comprehensive Framework for ERM
COSO is a widely recognized framework for ERM that provides organizations with a comprehensive and integrated approach to risk management. Here are the five components of ERM as per the COSO framework:
- Internal environment: This involves establishing the tone at the top for risk management and establishing a culture of risk management throughout the organization.
- Objective setting: This involves defining the organization’s objectives and ensuring that risk management is integrated into the goal-setting process.
- Event identification: This involves identifying potential risks that could impact the organization’s objectives.
- Risk assessment: This involves evaluating the likelihood and impact of the identified risks and determining their significance.
- Risk response: This involves deciding on an appropriate response to each risk, which can include mitigating risks, transferring risks, or accepting risks.
COSO provides organizations with a comprehensive and integrated approach to risk management that is designed to help organizations achieve their objectives effectively and efficiently.
COSO Risk Management framework also provides organizations with a common language and framework for risk management, which can help to increase the consistency and effectiveness of risk management practices across the organization and promote greater collaboration.
Is it mandatory to follow ISO 31000 or COSO:
There is no mandatory requirement to follow ISO 31000 or COSO. Both ISO 31000 and COSO are frameworks for Enterprise Risk Management (ERM) that provide guidelines and best practices for organizations to effectively identify, assess, and manage risks. However, their adoption is voluntary, and organizations can choose to use one, both, or neither of these frameworks depending on their specific needs and circumstances
It is worth noting that some organizations may choose to adopt ISO 31000 or COSO as part of their compliance with regulatory requirements or to demonstrate their commitment to effective risk management practices.
Additionally, some industries may have specific requirements or standards that recommend the use of one of these frameworks. However, this is not a legal requirement and organizations are free to choose the framework that works best for them.
Types of Risk:
ERM is a firm-wide strategy intents to manage a company’s finances, operations, and objectives from various uncertainties and risks. Those uncertainties and risks may trigger from different areas, and it is essential to understand these risks to implement effective mitigation strategies. Here are the five most common types of risks are discussed below.
- Strategic Risk: Strategic risk refers to the potential failure of a company’s strategic ambiton or overall business strategy. This risk can arise from changes in market conditions, shifts in customer preferences, competition, chnages in regulatory landscape or a failure to effectively execute the company’s strategy. To mitigate this risk, organizations need to regularly review and update their strategies and be proactive in monitoring external factors that may impact their success. Regular assessments of the company’s risk exposure and taking steps to adjust the strategy as needed can help mitigate this risk.
- Operational Risk: Operational risk refers to the risk of loss due to inadequate or failed internal processes, systems, or human error. This type of risk can arise from a range of factors, including equipment failure, cyber attacks, data breaches, or employee errors. To mitigate this risk, organizations need to implement robust internal controls and procedures, conduct regular risk assessments, and provide training and education for employees. This helps to ensure that operations are running smoothly and that the risk of loss due to internal factors is minimized.
- Compliance Risk: Compliance risk refers to the risk of non-compliance with laws, regulations, and industry standards. This type of risk can result in fines, penalties, and reputational damage for organizations. To mitigate this risk, organizations need to conduct regular compliance audits, implement policies and procedures to ensure compliance, and provide training for employees on the company’s compliance policies. Regular monitoring of compliance requirements and staying up-to-date on changes to laws and regulations can help organizations minimize this risk.
- Reputation Risk: Reputation risk refers to the risk of damage to a company’s reputation due to negative publicity or other factors. This type of risk can arise from a variety of sources, including negative media coverage, social media, or negative customer feedback. To mitigate this risk, organizations need to regularly monitor media and social media for potential reputational risks and develop a crisis communication plan. Building strong relationships with stakeholders and maintaining a positive reputation can also help mitigate this risk.
- Health Safety & Security Risk: This refers to potential dangers or hazards that can affect the well being of people in different value chain of an organisation. Some examples of this risk are disease outbreaks, workplace accident, theft, cyber attack or physival security breaches etc. As mitigation actions, organisations can implent preventive measures like providing relevant trainings and personal protection equipment, implementing security systems with protocols and regular monitoring.
Understanding the various types of risks that organizations face and implementing effective mitigation strategies can help minimize potential losses and capitalize on new opportunities.
Regular monitoring, review, and updating of risk management strategies can help organizations stay ahead of potential risks and maintain a competitive edge in their industry.
Enterprise Risk Management Process
Here are six key steps of ERM process, which are in line with established Risk Management Framework as outlined below.
Step 1: Risk Identification
The first step in the ERM process is to identify all potential risks that could impact the organization. This includes both internal and external risks. Internal risks may include things like operational inefficiencies or employee misconduct, while external risks may include things like market changes or natural disasters.
Organizations can use various methods to identify risks, including brainstorming sessions, focus groups, and risk assessments. In addition, organizations may also use data analytics and artificial intelligence to identify potential risks that may have been missed through traditional risk identification methods.
Step 2: Risk Assessment
Once risks have been identified, they should be assessed in terms of their likelihood and potential impact. This will help the organization prioritize which risks need to be addressed first. The assessment should also consider the interrelatedness of risks and the potential for multiple risks to occur simultaneously.
In addition to considering the likelihood and impact of risks, organizations should also assess the potential consequences of not taking action to mitigate risks. This can help organizations make informed decisions about which risks to prioritize and how best to mitigate them.
Step 3: Risk Mitigation
After risks have been assessed, the organization should develop strategies to mitigate them. This may include things like implementing new policies and procedures, increasing monitoring and oversight, or purchasing insurance. The mitigation strategies should be designed to effectively address the risks and minimize their potential impact on the organization.
Step 4: Monitoring and Review
ERM is not a one-time process; it should be ongoing. Organizations should continuously monitor for new risks and review existing risks to ensure that mitigation strategies are still effective. In addition, organizations should regularly review their risk management processes to ensure that they are still effective and to identify areas for improvement.
Step 5: Communication and Collaboration
ERM should be a collaborative effort across the organization. Different departments and employees may have unique insights into potential risks. Communication and collaboration can help identify risks that may have been missed and also can help to ensure that all employees are aware of potential risks and understand their role in mitigating them.
In addition to collaborating within the organization, organizations should also engage with stakeholders, such as customers, shareholders, and regulators, to ensure that they are aware of potential risks and understand the organization’s risk management strategies.
Step 6: Integration with Overall Strategy
ERM should be incorporated into the overall strategy of the organization. This means that risks should be considered in all decision making and that the organization’s risk management strategies should be aligned with its overall goals and objectives.
To ensure the best outcome, ERM process may vary from industry to industry or even from organisation to organisation. For example, some organisation may choose to have dedicated ERM function and some may go for more decentralised process with a shared role of Risk Manager. These two models lead to different processes to manage enterprise risk.
However, in both models, by following a systematic process to identify, assess, and mitigate risks, organizations can minimize the negative impact of risks on their overall performance and ensure their continued success in the future.
Challenges in ERM and mitigation
There are several challenges in enterprise risk management that organizations may face. Here are the five major challenges in managing enterprise risk.
- Identifying and assessing risks: Organizations may struggle to identify all potential risks and accurately assess their likelihood and potential impact.
- Prioritizing risks: Once risks have been identified and assessed, organizations must prioritize them in order to effectively allocate resources and implement risk management strategies.
- Communicating and reporting on risks: Organizations must effectively communicate and report on risks to stakeholders, including management, employees, and shareholders.
- Coordinating risk management activities: Organizations must coordinate risk management activities across different departments and business units to ensure consistency and effectiveness.
- Adapting to changes: Organizations must be able to adapt their risk management strategies as their business and external environment changes.
To overcome these challenges, organizations can implement following five measures:
- Establish a risk management framework: Organizations can establish a risk management framework that outlines a process for identifying, assessing, prioritizing, and managing risks.
- Conduct regular risk assessments: Organizations can conduct regular risk assessments to identify and assess new and evolving risks.
- Communicate and report on risks: Organizations can establish clear lines of communication and reporting mechanisms for risks and risk management activities.
- Coordinate risk management activities: Organizations can establish a central risk management team or function to coordinate activities across different departments and business units.
- Continuously monitor and automate: Organizations can implement automated solutions such as GRC software to streamline and automate risk management activities. Organizations can continuously monitor and review their risk management strategies to ensure they remain effective and adapt to changes in the business and external environment.
The Way forward
Here are the five key trends and developments involve in the way forward for enterprise risk management (ERM):
- Greater use of technology: As technology advances, organizations are increasingly using data analytics, artificial intelligence, and machine learning to identify and assess risks. This allows for more efficient and accurate risk identification and assessment, and can also help organizations identify risks that may have been missed before.
- Greater focus on emerging risks: Organizations are increasingly recognizing the need to identify and assess emerging risks, such as those related to cyber security, climate change, and geopolitical instability. This requires organizations to be more forward-looking and proactive in their risk management efforts.
- Greater integration with strategic planning: ERM is increasingly being integrated with strategic planning, so that risks are considered in all decision making and the organization’s risk management strategies are aligned with its overall goals and objectives.
- Greater engagement with stakeholders: Organizations are recognizing the need to engage with stakeholders, such as customers, shareholders, and regulators, in order to identify and assess risks. This helps organizations gain a more comprehensive understanding of potential risks and also helps to ensure that stakeholders are aware of potential risks and understand the organization’s risk management strategies.
- Greater collaboration among organizations: As risks become more global and complex, organizations are increasingly recognizing the need to collaborate with other organizations in order to effectively manage risks. This can include sharing information and best practices, forming partnerships, and participating in industry-wide initiatives.
To stay ahead of the curve, companies are encouraged to stay informed of the latest industry developments and best practices, regularly review and update their ERM processes, and to engage and collaborate with other organizations and stakeholders. By doing so, organizations can effectively manage risks and ensure their continued success in the future.
Conclusion
Gary Cohn, the former Chief Economic Advisor to the President of the United States, once stated, “If you don’t invest in risk management, it doesn’t matter what business you’re in, its a risky business. “
Top executives and board members often have their attention fixed on expanding the business and maximizing its profitability. In pursuit of these goals, they allocate significant resources and investments to growth initiatives.
However, a failure to prioritize risk management can result in devastating consequences, including substantial losses and penalties that can erase years of hard-won profits in an instant. History is replete with examples of major corporations facing significant regulatory fines, such as JPMorgan Chase ($17B), Volkswagen ($13B), and BP ($4B), to name a few.
In light of these risks, it is imperative for top management and the Board to balance their focus on growth and profitability with a steadfast commitment to comprehensive and effective risk management practices. Investing in resources both at the decision-making level, such as with a Chief Risk Officer or Chief Risk & Strategy Officer, and the operational level by fortifying the first line of defense, is essential for ensuring the stability and longevity of the organization. Prioritizing risk management allows companies to proactively protect their business and secure sustained growth for the future.
Bonus
- Enterprise risk management examples:
- New or amended regulation, regulatory audits
- Competition, price war
- Technological evolution, cyber security
- Natural disaster, hazards
- Forex fluctuation, credit risks, financial risks
- Cross border war, political unrest
- Enterprise risk management governance should be backed by good practice of ethics and compliance.
- The best practices of Enterprise Risk Management may include
- A policy on ERM approved by Board
- A detail manual to guide enterprise risk management process to all employees
- A dedicated top excutive like Chief Risk Officer (CRO) or Chief Strategy & Risk Officer (CSRO)
- A strong first line of defense like Internal Audit, Legal, ICFR, Industrial Relations, Regulatory Affairs etc
- A risk matrix to reflect top risks based on impact and likelihood
- Strong collaboration with Accounting team for their assessment to consider in financials
- Strong sponsorships from Management and Board
Pingback: Enterprise Risk Management: Implementation & Challenges -
Pingback: 10 Important Things to Know About Emerging Risks -
Pingback: How to create effective line of defence in ERM - The CFO Insight