Ask Sawal

What is risk in erm?

4 Answer(s) Available
Answer # 1 #

Process

Enterprise risk management (ERM) is the process of identifying and addressing methodically the potential events that represent risks to the achievement of strategic objectives, or to opportunities to gain competitive advantage.

Risk management is an essential element of the strategic management of any organisation and should be embedded in the ongoing activities of the business. Two widely referenced frameworks include the Committee of Sponsoring Organizations of the Treadway Commission COSO ‘ERM – Integrated Framework’; and the guidance developed by Airmic and the Institute of Risk Management IRM – ‘A structured approach to ERM and the requirements of ISO 31000’.

The fundamental elements of ERM are the assessment of significant risks and the implementation of suitable risk responses. Risk responses include: acceptance or tolerance of a risk; avoidance or termination of a risk; risk transfer or sharing via insurance, a joint venture or other arrangement; and reduction or mitigation of risk via internal control procedures or other risk prevention activities.

Other important ERM concepts include the risk philosophy or risk strategy, risk culture and risk appetite. These are expressions of the attitude to risk in the organisation, and of the amount of risk that the organisation is willing to take. These are important elements of governance responsibility.

Management responsibilities include the risk architecture or infrastructure, documentation of procedures or risk management protocols, training, monitoring and reporting on risks and risk management activities.

[5]
Bradshaw Ahmad
LOCKSMITH APPRENTICE
Answer # 2 #

Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization's operations and objectives and/or lead to losses.

Enterprise risk management takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide surveillance is given precedence.

It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM.

ERM, therefore, can work to minimize firmwide risk as well as identify unique firmwide opportunities. Communicating and coordinating between different business units is key for ERM to be successful, since the risk decision coming from top management may seem at odds with local assessments on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm.

While ERM best practices and standards are still evolving, they have been formalized through COSO, an industry group that maintains and updates such guidance for companies and ERM professionals.

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures via each division managing its own business. Enterprise risk management calls for corporations to identify all the risks they face. It also makes management decide which risks to manage actively. As opposed to risks being siloed across a company, a company sees the bigger picture when using ERM.

ERM looks at each business unit as a "portfolio" within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit.

Companies have been managing risk for years. Traditional risk management has relied on each business unit evaluating and handling their own risk and then reporting back to the CEO at a later date. More recently, companies have started to recognize the need for a more holistic approach.

A chief risk officer (CRO), for instance, is a corporate executive position that is required from an ERM standpoint. The CRO is responsible for identifying, analyzing, and mitigating internal and external risks that impact the entire corporation. The CRO also works to ensure that the company complies with government regulations, such as Sarbanes-Oxley (SOX), and reviews factors that could hurt investments or a company's business units. The CRO's mandate will be specified in conjunction with other top management along with the board of directors and other stakeholders.

The COSO enterprise risk management framework identifies eight core components that define how a company should approach creating its ERM practices.

A company's internal environment is the atmosphere and corporate culture within the company set by its employees. This sets the precedence of what the company's risk appetite is and what management's philosophy is regarding incurring risk. The internal environment may be set by upper management or the board and communicated throughout an organization, though it is often reflected through the actions of all employees.

As a company determines its purpose, it must set objectives that support the mission and goals of a company. These objectives must then be aligned with a company's risk appetite. For example, an ambitious company that has set far-reaching strategic plans must be aware there may be internal risks or external risks associated with these lofty goals. In response, a company can align the measures to be taken with what it wants to accomplish such as hiring additional regulatory staff for expansion areas it is currently unfamiliar with.

Positive events may have a great impact on a company. On the other hand, negative events may have detrimental outcomes on a company's ability to continue to operate. ERM guidance recommends that companies identify important areas of the business and associated events that may have dire outcomes. These high risk events may pose risks to operations (i.e. natural disasters that force offices to temporarily close) or strategic (i.e. government regulation outlaws the company's primary product line).

In addition to being aware of what may happen, the ERM framework details the step of assessing risk by understanding the likelihood and financial impact of risks. This includes not only the direct risk (i.e. a natural disaster renders an office unusable) but residual risks (i.e. employees may not feel safe returning to the office). Though difficult, the ERM framework encourages companies to consider quantifying risks by assessing the percent chance of occurrence as well as the dollar impact.

A company can respond to risk in the following four ways:

Control activities are the actions taken by a company to create policies and procedures to ensure management carries out operations while mitigating risk. Control activities, often referred to as internal controls, are broken into two different types of processes:

Information systems should be able to capture data useful to management to better understand a company's risk profile and management of risk. This means not granting exceptions for departments outperforming others; all aspects of a company should be continually monitored. By extension, some of this data should be analyzed and communicated to employees if it is relevant to mitigating risk. By communicating with employees, there is more likely to be greater buy-in for processes and protection over company assets.

A company can turn to an internal committee or an external auditor to review its policies and practices. This may include reviewing what is actually performed compared to what policy documents suggest. This may also entail getting feedback, analyzing company data, and informing management of unprotected risks. In an ever-changing environment, companies must also be ready to assess their ERM environment and pivot as needed.

ERM practices will vary based on a company's size, risk preferences, and business objectives. Below are best practices most companies can use to implement ERM strategies.

ERM sets the organizational-wide expectations around a company's culture. This includes communicating more openly about the risks a company faces and how to mitigate them. This leads to less unexpected risks and more guided direction on how to respond to certain events.

In addition, this may lead to greater employee satisfaction knowing plans are in place to protect company resources as well as greater customer service knowing how to respond to customers should certain risks actually occur.

ERM practices are often synthesized by a standardized risk report delivered to upper management. This report succinctly summarizes the risks a company faces, the actions being taken, and information needed for decision-making. As a result, a company may be more efficient with its time, especially considering what is delivered to upper management.

ERM may also have a company-wide positive impact on the resourcefulness of the business. ERM may eliminate redundant processes, ensure efficient use of staff, reduce theft, or increase profitability by better understanding what markets to enter into.

As a company builds out its ERM practices, it will likely consider familiar risks it has been exposed to in the past. Therefore, ERM is limited in identifying future risks that the organization is unaware of and that may have more detrimental impacts. In this manner, some may consider ERM as reactive, as companies can only forecast risk based on what they have prior experience with.

ERM also relies very heavily on management estimates and inputs. This may be nearly impossible to accurately predict. For example, in the very low chance a company forecast the occurrence of the COVID-19 pandemic, would a company be able to accurately calculate the fiscal impact of business closures or changes in consumer spending? ERM mitigation costs may also be difficult to assess.

ERM practices are time-intensive and therefore require resources of the company to be successful. Though the company will benefit from protecting its assets, a company must divert time from its staff and may make capital investments to implement ERM strategies. In addition, a company may find it difficult to quantify the success of ERM, as financial risks that do not occur must simply be projected.

ERM can help devise plans for almost any type of business risk. Business risk threatens a company's ability to survive, and these risks may be further classified into different risks discussed below. In general, ERM most commonly addresses the following types of risk:

[4]
Nilip Rathore
SLURRY CONTROL TENDER
Answer # 3 #

No matter what your business goals are, enterprise risk management can help you achieve them. Although every company practices risk management in some way, a formal ERM process puts methodologies and practices in place so you can systematically increase your chances of success. In the absence of risk management, a company is more likely to make poor decisions, be less prepared, and struggle to consistently meet its business goals.

If one thing has become abundantly clear over the past two years, it’s that companies have no choice but to plan for the unexpected. Companies have been severely tested by a range of issues, including insufficient employee protections, supply chain deficiencies, and financial unpredictability, underscoring the need for agile, flexible, data-driven ERM.

For example, security is always a concern, but it took on a new and refocused urgency as businesses enforced work-from-home mandates. The sudden move left many companies scrambling to adapt their onsite protocols to offsite equivalents that would continue to protect the business and its employees from a wide range of concerns including insider threats and financial fraud, while addressing data privacy, IP protection, cash preservation, and statutory compliance.

While most companies focus on innovation and growth, only resilient companies are successful over time because their business strategies also address risk and preparedness. The best business plans are those that can quickly pivot in response to evolving markets, business models, and regulations. For example, companies with modern risk management systems that include automated audits and security monitoring can continue to perform those tasks remotely—even across international borders. This enables them to operate smoothly despite travel restrictions, and it drives a level of efficiency and cost savings that they will benefit from long after the crisis is resolved.

[3]
Nour Madaras
Usher
Answer # 4 #
  • Brainstorming.
  • Event inventories and loss event data.
  • Interviews and self-assessment.
  • Facilitated workshops.
  • SWOT analysis.
  • Risk questionnaires and risk surveys.
  • Scenario analysis.
  • Using technology.
[2]
Shady Manjeet
ROUGHER OPERATOR