Enterprise Risk Management (ERM) is a comprehensive and strategic business discipline that enables organisations to identify, evaluate and address potential risks that could hinder their ability to achieve objectives. Rather than examining risks in isolation, ERM views all forms of risk in a holistic, integrated manner.
Typically, ERM addresses the following risk categories:
- Compliance risk: This arises when an organisation falls foul of external laws or requirements.
- Legal risk: This occurs when a company faces potential lawsuits or penalties for issues related to contracts, disputes or regulation.
- Strategic risk: This can jeopardise a firm’s long-term strategy.
- Operational risk: This affects the routine activities necessary for business operations.
- Security risk: This targets the firm’s assets, potentially causing harm if physical or digital assets are misused.
- Financial risk: This can undermine a company’s financial status or debt position.
Creating a Robust Risk Management Mechanism
The aim of the ERM process is to create a robust mechanism that equips the organisation with the foresight and agility to mitigate potential threats while capitalising on opportunities. This generally involves work to clarify and embed three processes:
- Firstly, creating a risk management culture. This means embedding an understanding of risk at all levels of an organisation. It encourages proactive identification, assessment and mitigation of risks. It’s about ensuring decisions and actions are consistently informed by awareness of potential risks and rewards.
- Secondly, incorporating risk considerations into decision-making processes. This entails evaluating the potential risks alongside benefits before taking any decision. It ensures the choice made is fully informed, balancing the probable risks against potential rewards, and aligning with the organisation’s risk appetite.
- Finally, aligning risk appetite with business strategy, which involves defining the level of risk an organisation is willing to accept in pursuit of its goals. This alignment ensures that strategic decisions, from daily operations to long-term plans, align with the organisation’s defined risk tolerance.
Five Suggested Steps for Establishing an ERM Programme
Step 1: Set Organisational Goals
Initially, the firm must identify its business objectives. While determining these goals, it evaluates existing and potential risks from new income avenues. For instance, a firm concentrating on payment systems might adhere to the Payment Card Industry Data Security Standard to protect credit card details. However, if it decides to boost profits by venturing into healthcare, it needs to reassess its Health Insurance Portability and Accountability Act
Step 2: Evaluate Risks
An essential part of any ERM scheme involves assessing the enterprise’s susceptibilities. Risk evaluation begins by scrutinising assets, including financial, customer, physical, employee, supplier and organisational assets, as these dictate what and how to safeguard. After asset review, a firm should conduct a risk analysis to understand how adversaries can exploit them, or how unpredictable situations could jeopardise them. For instance, a supply chain might contain vulnerabilities that could harm operations or reputation. To bolster risk management, it is important to acknowledge how adversaries (or ill-intentioned attackers) could exploit even the most robust of defences which a firm has established.
Step 3: Decide Risk Acceptance or Risk Avoidance
Following risk evaluation, risk management teams should determine whether to accept or evade the risk. During an IT landscape review, consider the internal controls for accepting or sidestepping risks, based on the risk evaluation and assets. For instance, Amazon Web Services (AWS) is widely viewed as a secure cloud service provider (CSP). Nevertheless, attackers increasingly target AWS, resulting in DDoS attacks and data breaches. Despite recognising AWS-related vulnerabilities, an enterprise may conclude that AWS’s protections surpass the weaknesses, thereby accepting the risks linked to the platform.
Step 4: Chart Internal and External Risks
Organisations should apply the same analysis to mapping internal and external risks. Charting these risks across an enterprise offers valuable insights into potential intersections. For instance, the finance team might possess sophisticated financial forecasts to ascertain suitable cash reserves. However, unexpected shocks such as bankruptcy, shipping delays or elevated materials costs might hit its suppliers. This external risk could influence internal risks to cash flows and reserves. Charting these links and implications enables management teams to better comprehend the origins of risks and devise more effective, efficient solutions.
Step 5: Establish Controls and KRIs
Monitoring risks and metrics for regulatory and framework compliance is crucial, necessitating the implementation of internal controls to manage risks. Key risk indicators (KRIs) can alert managers when risks near unacceptable levels. If KRIs shift into ‘the red zone’, it may suggest a control failure or an underlying risk change, rendering the control ineffective. Controls and KRIs act as an early warning system, notifying managers of areas needing attention within the risk management programme.
Consider Two Key ERM Components
An effective ERM programme requires firstly a dedicated team to design and execute it, and secondly an ERM framework to steer the team. A robust programme involves individuals from diverse functions, including executives, senior management, board members and stakeholders, thereby preventing isolated decision-making. Teams like this often utilise an ERM framework such as one of the following:
- The National Institute of Standards and Technology’s Risk Management Framework (NIST RMF) outlines initial control selection and risk assessment strategies.
- ISO 31000: Risk Management, by the International Organization for Standardization, offers risk management principles, a framework, and a process suitable for any organisation.
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), developed by Carnegie Mellon University, is a self-guided, customisable methodology.
- The Committee of Sponsoring Organizations (COSO) offers respected controls and recommends data-backed decisions.
- Factor Analysis of Information Risk (FAIR) presents a shared risk mitigation language to address security gaps.
Using a well-established framework streamlines the complex ERM process, avoids unnecessary risks, minimises losses and enhances competitive advantage. Comprehensive governance and compliance risk management software can guide teams through their chosen framework.
Undoubtedly, ERM constitutes an essential cornerstone for achieving effective corporate governance. It is a sophisticated instrument that enables organisations to transition from a passive, reactive stance to an engaged, proactive approach towards risk management. Instead of being caught in the throes of merely sidestepping risk, businesses with well-implemented ERM systems can intelligently assess and judiciously accept risk based on strategic evaluation and evidence-backed decision making.
But ERM is much more than just a governance tool; it is an organisational philosophy that encourages proactive risk acceptance, breeds resilience, guarantees sustainability and propels value creation. It has an overarching impact on an organisation’s strategic trajectory, with the power to define its future success. Hence, Enterprise Risk Management is not just pivotal but indispensable for businesses striving for growth, stability and success in this era of unprecedented uncertainty and complexity.