Enterprise Risk Management

Let’s look at enterprise risk management, the different types of enterprise risk, risk management software, and how it all fits into the GRC framework.
 

What is enterprise risk management (ERM)?

Enterprise risk management (ERM) is the process by which organizations minimize risk on its capital and earnings. An ERM process involves planning, organizing, directing and controlling your company’s activities when it comes to things like financial risk, strategic risk, operational risk, and risks associated with accidental losses. 

To break it down, a strong enterprise risk management process or program uses what’s happened in the past (through auditing, evaluation and self-assessment), reviews what’s happening in the company right now, and applies all those findings to develop an approach to the future that manages and minimizes risk. 

A strong ERM program incorporates strategy, goals and objectives, like those ideated within corporate governance and environmental management frameworks. 

What does enterprise risk management look like?

Put simply, enterprise risk management involves asking and attempting to answer the question of: “What are the major risks that could stop our company from achieving its goals?”

So, the steps to take in implementing ERM start with identifying and mitigating risk within your company. It’s crucial to understand your organization from a holistic perspective, identifying strategic goals of top-level management. Once these goals are identified, the process by which the goals are achieved can be monitored and reported on from a risk management perspective. 

In smaller companies, ERM is usually the role of executive management, but as your organization grows and becomes increasingly more complex, an effective and dedicated ERM team is crucial for long-term success and sustainability. An ERM team can then communicate risk management processes and practices, prioritize and highlight information for decision-makers, and ensure a smooth ERM process.

Enterprise risk management is growing in popularity and interest with the globalization of the corporate workforce. Industry and government regulatory bodies are more closely scrutinizing risk management policy and procedures. But how does enterprise risk management differ from more traditional risk management?
 

How is enterprise risk management different from traditional risk management?

Traditionally, risk management in an organization is the responsibility of business unit leaders. For example, the head of technology and IT is responsible for managing risk related to any IT operations, the head of finance is responsible for mitigating risks related to financing and cash flow, and so on. This is often called a silo or stove-pipe approach to risk management. 

What has been identified in more recent times is that there are limitations to traditional risk management, such as:

• Risks can go undetected by management if they fall ‘between’ different organization areas of responsibility. 
• Some risks might affect different areas in different ways; for example, the head of finance might identify a risk related to cash flow, without realizing the effect this risk could also have on other areas of the business.
• Similarly, the way that risk is managed might have a flow-on effect to other areas, without that risk being identified.
• Risk management can become internally focused, with management teams losing sight of external risk or risks that can emerge from outside the business.

Enterprise risk management has been identified as a valuable strategic tool for mitigating the potential problems of traditional risk management, providing your company with a more holistic, overarching perspective and approach to strategic planning. ERM takes a top-down, enterprise view of all significant risks that could impact a business. This portfolio view of risk means that ERM is becoming more proactively embraced as a business process to enhance risk management and achieve goals.

Benefits of enterprise risk management

ERM can be an important strategic tool for business leaders, with an effective enterprise risk management process giving you crucial insight into risks that could affect strategic planning. 

Other benefits of enterprise risk management include:

• As management becomes more aware of risk, that knowledge can be applied to design strategies and processes to navigate the risks identified at all levels of the business.
• Identifying risk leads to better preparation for minimizing risk.
• Proactively mitigating risk gives your company a competitive advantage, reducing the likelihood of being negatively impacted by future risk.
• A more risk-focused company culture leads to effective communication and risk-management policies between and within different parts of the business, improving risk management across the board.
• Your company can implement standardized risk reporting and measurement.
• A stronger focus on risk related to achieving business objectives can lead to more efficient use of resources.
• Highly regulated and proactive organizations are more attractive to investors.

Implementing an enterprise risk management framework 

For best practices, ERM should incorporate compliance and should work towards your company’s objectives.

Here are some key steps:

1. Identify and prioritize all company processes and their potential related risks – these can be hazard risks (threat to life, health or property), financial risks, strategic risks and operational risks.
2. Develop a blueprint of all risks – current and potential – and create strategies to offset the risks.
3. Create an action plan to resolve the current risks identified.
4. Continue to monitor and measure these risks, developing the necessary policies and procedures to minimize and mitigate risk in company activities. 
5. Consider enterprise risk management software solutions to digitize this information and automate processes of risk management.

Some of the common enterprise risk management frameworks include:

• ISO 31000 for risk management
• NIST Risk Management Framework
• Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The increasing need for enterprise risk management within organizations has led to the development of ERM software solutions and programs to help companies operate more efficiently and effectively. In 2004, the James Lind Alliance (JLA) research team analyzed risk in types of companies with a 30% or higher decline in market value, finding that 61% of occurrences was due to strategic risk, 40% operational risk and 9% financial risk. 

What is enterprise risk management software?

The benefits of a strong ERM process lie within its ability to be active, continuously updated and improved. It’s no use developing an ERM strategy and letting it stand, unchanged: the process must be dynamic, consistently identifying and managing risk. 

That’s where ERM software comes in. ERM software solutions are designed to identify, assess, manage and monitor risks to the viability of your company. This helps remove some of the limitations of traditional risk management, and also the limitation of a management team to individually and collectively identify risk within their organization.