What Is Enterprise Risk Management

Over the years, organizations have evolved their risk management techniques to identify and better prepare for operational and strategic risks. This evolution has shifted the focus from traditional risk management, where decision-making rests more with department heads, to a more unified approach where risk is handled from the top down, a technique commonly referred to as Enterprise Risk Management (ERM).

With ERM, the organization’s top leadership makes executive decisions concerning risk management that are optimized for the entire organization, and such choices may or may not directly benefit particular departments. In other words, risk management decisions and actions may compromise or favor a few departments but will benefit the entire organization in the long run.

ERM brings together various functions within the organization, such as legal, HR, insurance, compliance, cybersecurity, IT, customer service, quality assurance, audit, accounting and marketing. That means risk evaluations don’t operate in silos but are interconnected across departments, and all the managers are involved.

Components of ERM 

ERM standards and best practices are still evolving, but industry groups already maintain and update guidance for organizations and ERM professionals. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO) are the two bodies that help businesses adopt the proper ERM framework for their respective industries.

The COSO governing framework, in particular, establishes five critical components of ERM, which include:

  • Governance & Culture – Risk management and oversight require buy-in from all stakeholders and should start from the top down.
  • Strategy & Goal-Setting – Seek to align the company’s risk appetite with business strategy.
  • Performance – Identify “deal-breaker” risks that may get in the way of achieving business goals, assess these risks in order of severity, and determine the proper response to each, i.e., transfer, mitigate, avoid or accept.
  • Review & Revision – Constantly review your ERM program’s performance and make changes where necessary.
  • Information, Communication & Reporting – All departments within the organization should share information and collaborate for proper decision-making and execution of risk management activities.

Traditional Risk Management vs. Enterprise Risk Management 

The basic or traditional way of handling risks differs greatly from Enterprise Risk Management practices. With ERM, risk management spans the entire organization, and all the decisions involve the C-suite and board leadership. Similarly, ERM analyzes risks, their triggers, and the cumulative effects they have on the organization. This allows for holistic decision-making and better allocation of resources. Traditional risk management, on the other hand, evaluates risks on a one-by-one basis, especially within specific departments, and decision-making doesn’t consider the other functions within the organization. This approach may expose the firm to bigger risks and may not be sustainable in the long run. Below are the other differences between the two:

  • Traditional risk management mainly focuses on insurable risks. However, ERM goes beyond insurable risks, including non-insurable risks, e.g., damage to company reputation.
  • ERM, unlike traditional risk management, evaluates potential risks beyond the obvious view of loss prevention. This multi-dimensional assessment allows organizations to prioritize resources to mitigate the right risks with the speed and accuracy they deserve.
  • ERM takes a proactive and continuous approach to risk management, while the traditional approach is more reactive, often waiting for an event so it can respond to it.
  • Traditional risk management follows a predefined set of standards that restricts the organization to a scripted playbook, which has been seen to stall processes and minimize value delivered to the organization. On the other hand, ERM focuses more on enabling organizational success and requires a vast knowledge of the technical processes around ERM and a combination of soft skills.
  • Traditional risk management leans more on avoiding or mitigating risks. However, ERM seeks to improve organizational performance by taking smart risks and making risk-taking a cultural element woven into the business strategy.

Why ERM is Important 

There are several reasons why ERM is essential for modern-day organizations. First, ERM considers each business function as a portfolio, meaning it seeks to understand how risks to these business functions interact. This approach to risk assessment allows the organization to identify risk factors that aren’t visible from an individualized perspective.

Effective communication, which is vital to ERM success, allows the various departments to minimize operational differences and spot unique opportunities. Unified risk decision-making can also eliminate redundant processes, which improves efficiency by ensuring the proper allocation of resources.

Last but not least, ERM results in effective coordination of compliance and regulatory matters and is key to organizational resilience. ERM typically involves identification, monitoring, and mitigation processes across the entire firm, and data obtained from industry-wide reporting can help reduce the cost and effort of reviews and audits.

Final Thoughts 

Most industries, from IT, health care, education and manufacturing to financial services and insurance, have already adopted ERM frameworks to control their operational and strategic processes. That said, adopting and implementing an ERM framework requires a lot of advance planning, but it’s a critical undertaking that every organization must consider to effectively manage risks and enjoy a competitive advantage.

Adam Hansen

Adam is a part-time journalist, entrepreneur, investor and father.