We take business risks in hopes of a positive outcome: Nothing ventured, nothing gained. Of course, the opposite could happen: The risk backfires, and our business takes a loss.
Minimizing losses and maximizing rewards is the essence of enterprise risk management (ERM).
ERM guides business decision-making so that the risks you take are calculated and deliberate, in accord with your enterprise’s objectives, vision, mission, and goals.
An effective ERM process uses a blend of corporate governance, risk management processes and internal controls, and coordinates managers, employees, third-party providers, and other stakeholders to embrace risk taking as a route to growth and opportunity.
Although it’s often confused with integrated risk management (IRM), ERM isn’t quite the same. In fact, differences exist among ERM, IRM, and GRC (governance, risk, and compliance), albeit subtle ones.
Designing and implementing an ERM program isn’t a quick or easy task. Rather, it’s a complex series of steps with which everyone from the board of directors to business interns should be in sync.
Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) offers a comprehensive ERM framework to help you succeed, as does the International Organization for Standardization (ISO). And governance, risk management, and compliance (GRC) software can automate many of your risk management tasks.
This guide offers a comprehensive look at enterprise risk management: what it is, what it isn’t, how to get started, and how to maintain your ERM program. It covers:
- The many benefits of ERM, including enhanced regulatory compliance, improved oversight of your organization’s risk exposures, and a secure mindset that enables your business to create exciting opportunities by managing risk instead of avoiding it
- Industry-specific concerns regarding ERM in health, finance, manufacturing, retail, and more
- How to start the ERM process, and steps to follow
- Frameworks for establishing and maintaining an ERM program
- How to use audits to strengthen your ERM program
- Tools and technologies available to help your ERM succeed
As you read, you’ll find links to other resources in case you’d like more information. Read them all, and be an ERM expert by the time you’re finished.
What Is Enterprise Risk Management?
Chances are, many functions or departments in your organization already identify, assess, respond to, and manage their own risks. Enterprise risk management ties these all together into a unified whole, offering a big-picture view of the risks your enterprise faces and developing strategies for turning risks into rewards.
But ERM has a more practical value, as well. In identifying, measuring, and monitoring risks to your overall enterprise, you can be more assured that your business operations, digital technologies, and workflows will run smoothly, without disruptions or intrusions.
COSO defines ERM as a “process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The Risk Management Association ERM Council defines enterprise risk management as “the management capability to manage all business risks in pursuit of acceptable returns.”
To effectively manage all business risks, though, entities need to change their piecemeal approach. The right hand needs to know what the left hand is doing, and vice versa.
ERM combines risk management programs from your various functions or departments into a unified, cohesive whole. Those functions may include
- Human resources
- Quality assurance
- Customer service
- Strategic planning
- Cybersecurity and IT
Who Should Be Concerned about ERM?
Executives including the chief executive officer, chief financial officer, and chief legal officer are responsible for managing risks enterprise-wide. But ERM works best when all of a company’s managers participate. All should understand the importance of ERM.
Indeed, any ERM plan should include feedback from a variety of managers. You should share it throughout your company as well as with third-party vendors. That way, everyone who manages risk understands the strategy and processes to follow in line with the company’s goals.
Why Do We Need Enterprise Risk Management?
Enterprise risk management enhances an organization’s chance for success. Having ERM enables managers and the board to prioritize the most important risks and prepare to deal with them should they materialize (and all need to know the difference between threats, vulnerabilities, and risks). This proactive approach helps keep the business on course toward achieving its goals.
For example, a manufacturer’s procurement office may buy a component that the business needs to manufacture its products from one supplier. But what if the maker of that component were to shut down? The manufacturer had better have a backup plan. Halting production is certainly not among its strategic goals.
With ERM, upper managers and board members can oversee overall risks and manage them so that they don’t become liabilities.
What Is the Difference between Risk Management and Enterprise Risk Management?
Traditionally, risk management has concerned itself with events and possibilities for which a business could insure itself, such as natural disasters, product defects, labor disputes, and cybersecurity breaches. These types of risk are usually relegated to specific business units or functions to manage, one risk at a time.
Enterprise risk management takes risk management to the highest level. It involves the C-suite and board, and considers not just concrete, insurable risks but less tangible ones, as well, such as the hit a company’s reputation might take if it experienced a large data breach.
Here’s how the blog ERM Insights compares risk management to ERM:
| Traditional risk management | Enterprise risk management |
How Does ERM Reduce Risk?
Risk reduction shouldn’t be ERM’s only goal—not for a company that wants to grow and thrive. Adding value is the ultimate prize. Risk reduction can help add value, but so can embracing “good” risks — those you take in hopes of a positive outcome.
ERM works to reduce or mitigate the bad risks, and the losses they can cause. The way to avoid cloud security breaches, for example, isn’t to avoid the cloud: doing business today demands a public cloud presence. Instead, your enterprise might implement a strong and flexible cloud security program.
ERM offers a strategic, coordinated approach to risk that enables organizations to forge ahead and seize the day when opportunities arise—but to do so methodically, considering the company’s goals (and risk appetite) at every turn. Risk then becomes a recipe not for disaster, but for success.
Which organizations offer guidance on ERM frameworks?
The American Institute of Certified Public Accountants (AICPA) has published Enterprise Risk Management: Guidance for Practical Implementation and Assessment. The US CFO Council’s Enterprise Risk Management Priority Area offers guidance for federal agencies, but can be a valuable resource for private and nonprofit entities, as well.
Key Components of Enterprise Risk Management
The COSO framework establishes five components of ERM. These are
1. Governance and Culture: Managing risk throughout the enterprise requires buy-in from everyone: employees, managers, and contractors. But company culture, which COSO states “pertains to ethical values, desired behaviors, and understanding of risk,” starts at the top—with the executives and board. Their oversight, or governance, is key to ERM. Governance acts as the foundation for your ERM program, so it’s important to assign oversight roles and responsibilities early in the process.
2. Strategy and Objective-Setting: Your organization’s strategic planning should consider ERM, strategy, and objective-setting all together, hand in hand. What’s your risk appetite? How does it align with your business strategy? How do your business objectives help to fulfill your strategy, and guide you as you identify, assess, and respond to risk?
3. Performance: Which risks might interfere with your organization’s ability to adhere to its strategy and achieve its business objectives? You need to identify these “deal breaker” risks and assess their level (high, medium, low), then prioritize them in order of severity. Next, you determine the proper response to each risk—mitigate, transfer, avoid, accept—taking into account your risk appetite. You may share the resulting “portfolio” view of enterprise risks with the board and others in the organization who are concerned with risk.
4. Review and Revision: By reviewing your ERM program’s performance periodically, especially after significant organizational changes, your enterprise can consider how well these five components are functioning and what needs revision.
5. Information, Communication, and Reporting: Management of any kind requires collaboration, and ERM is no exception. You must continually share information regarding risk and risk management throughout your organization, from internal and external sources.
Industry-Specific Risk Concerns
Which risks or types of risk are most pertinent to your industry? Each business sector has its own concerns.
Areas of focus regarding risk management include:
- Information Technology
- Health care
- Financial services
- Manufacturing/supply chain risks
- Globalization, and the need to comply with differing cultures, laws, and environmental regulations around the world
- Decreases in consumer spending
- Brand reputation
- Competition—another side-effect of globalization
- Failures in the supply chain
- Fraud and theft
A New England Journal of Medicine site lists eight health care risk domains:
- Clinical and patient safety
- Human capital
- Legal and regulatory
- Environmental and infrastructure-based hazards
Risks abound in the financial sector, including
- Cybersecurity and resilience
- Fluctuating markets
- Regulatory compliance
- Physical security
- Failure to innovate
- Reputational damage
The audit and consulting firm Deloitte lists these five types of risk to educational institutions:
- Business model risks, including
  - Education delivery
  - Revenue generation
  - Fluctuating enrollment
  - Reputational risks
- Operating model risks, including how to
  - Deliver academic programs
  - Conduct research
  - Make decisions
  - Manage relationships with vendors
  - Sustain enrollment
  - Maintain accreditation status
- Enrollment supply risks
- Regulatory/compliance risks
A sector focused on risk has plenty of its own risks:
- New technologies
- Pricing and product line profit
- Legislation and regulations
- Legacy IT
- Interest rate fluctuations
- Natural catastrophes
- Climate change
Manufacturing/supply chain risks
Compliance Week lists these as the top risks:
- Global trade wars
- Raw materials shortages
- Safety recalls
- Climate change
- Environmental regulations
- Economic uncertainty
- Cargo theft
- Container ship fires
- Border battles
- Drone risk in aviation
We’d also like to add:
- Labor disruption
Enterprise Risk Management Frameworks
To manage enterprise risk effectively, your organization needs a framework. As its name implies, an ERM framework provides a frame, or guidelines, for your ERM strategy and processes. It outlines your approach to managing all the risks your organization faces, from within and without.
An ERM framework is appropriate for every organization, whether large or small—but it is especially important for large, complex enterprises such as hospitals, banks, and factories.
Where do I find the right ERM framework for my enterprise?
Many organizations choose to write their own ERM framework. The Johnson & Johnson company, for example, has made its in-house ERM framework available online for anyone to see.
But you don’t have to reinvent the proverbial wheel: a number of ERM frameworks are ready and waiting for you to use, including
- The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance (ERM 2017)
- The International Organization for Standardization’s ISO 31000:2018, Risk management
- The Casualty Actuarial Society’s ERM Framework
- The Risk Management Society’s (RIMS) Risk Maturity Model
- The Risk Management Association’s Enterprise Risk Management Framework
- North Carolina State University’s Enterprise Risk Management Initiative
How do I develop an enterprise risk management framework?
Many organizations choose to write their own enterprise risk management framework. Developing your own is time-consuming, but it allows you flexibility and a tailored approach to ERM specific to your enterprise.
Steps to developing an ERM framework:
- Designate your team. Establish an ERM team comprising people from departments and functions throughout the organization. Suggestions include cybersecurity, legal, human resources, business, and executive professionals, as well as any others relevant to your organization and sector.
- Establish a common language. To monitor and manage risks at the enterprise level, everyone in the company needs to speak—or, at least, understand—the same language. Defining risk is a good place to start: a simple definition is, “a threat to the company’s ability to achieve its financial goals.” Next, agree on the other risk management terms to be used, and share them throughout your company.
- Assign responsibilities. For which risk management tasks are the people in various positions responsible? Examples:
  - Board of directors and CEO: These are, ultimately, accountable for all risks, and should discuss the company’s risk management procedures and review policies.
  - Senior managers: Managers will develop, put into practice, and maintain the framework, including policies and procedures and risk appetite. They will also foster a company culture in which everyone is aware of risks, and will regularly report to the board of directors.
  - Business functions: Risk professionals in each business function will perform the risk management tasks: identification, assessment, measurement, monitoring, controlling, and reporting, as well as maintain compliance with policies and procedures.
  - Support functions: Supporting players such as legal, finance, and HR support the business units as they write policies and procedures and enforce them.
  - Internal audit and compliance: These people make sure the business is compliant with the framework, and that the framework is effective.
  - Risk management: Risk management professionals will provide their expertise throughout the development of the ERM framework and may even lead its development.
- Establish your processes. How will your organization identify, assess, measure, monitor, and report risk? Who will be in charge of these tasks?
- Set your appetite. How much risk can your enterprise handle? How daring does it want to be? What’s the appetite for risk in your key business areas? Your formal risk appetite document should state how much the firm is willing to risk and how much it’s willing to lose.
- Identify your risks. Consider every risk to every department and function in the enterprise, and name the activity that exposes the function to each risk. For example, protecting your corporate website could prevent ransomware attacks or malicious attacks against visitors to your site, which in turn could cost you business and reputation. Set inherent risk levels—low, medium, or high without controls—and the annual losses each risk brings about. Assess the quality of internal controls used to rein in each risk, and the “residual” risk level remaining after the controls are applied.
- Prioritize your risks. Using their residual risk levels as your guide, divide enterprise risks into “high,” “medium,” and “low” or some other categories that define which are most urgent or pose the greatest threat to your company, and which the least.
- Write response plans. For each risk on your prioritized list, decide how you will respond. Some—if they’re unlikely to become threats, or would cause little harm if they did—you can accept or ignore. Others, you might be able to insure against (transfer). And for others, you’ll want an enterprise risk mitigation plan telling you how to reduce their likelihood of becoming threats and to reduce the damage they could cause if they did materialize.
- Write a plan for monitoring risks and reporting. Risk management is not a one-and-done task but an ongoing process.
How do I use and implement an ERM framework?
Once you’ve created your ERM framework or chosen one to use, your work has only just begun. Implementing the framework is a major task requiring lots of advance preparation.
The Institute and Faculty of Actuaries recommends that its members take the following steps before implementing an ERM framework:
1. Study existing risk practices.
- Perform a quick assessment of your organization’s approach to risk, asking questions such as these. If you answer “no” to three or more of these questions, you will want to correct any deficiencies and self-assess again before implementing your ERM framework.
  - Does your organization think deeply and broadly enough about uncertainty and take steps to manage it proactively and systematically?
  - Is your enterprise using holistic analyses of uncertainty to influence strategy and business development?
  - Are you sure that all the most significant threats and opportunities facing your business are being managed effectively?
  - Are you confident that your business could survive major external changes?
  - Does your board make enough time for understanding risk?
  - Does your board give good risk leadership to the organization?
  - Do you have an effective central risk function which attempts to “see the whole picture of risk”?
  - Is there an adequate system for spotting emerging threats and opportunities in time?
  - Is there clear and regular communication about risks throughout the organization, within an appropriate risk-aware culture, covering both threats and opportunities?
  - Is your system of risk governance good enough?
- Conduct a comprehensive survey of your organizational risk practices.
- Prioritize which parts of your enterprise and which risk practices you should improve first to enhance your risk management program.
2. Construct a vision of future risk management.
- Develop a vision for how the organization will look different once ERM has been introduced, including an evaluation of the benefits it will bring.
- Determine which changes are needed to achieve the vision, including any changes necessary to improve the quality or timeliness of the flow of data within the organization.
3. Plan the implementation and seek authorization.
- Set out in detail the steps you’ll need to take to achieve these changes, including, possibly:
  - Widen the board’s experience, if needed, by appointing nonexecutive directors from outside the industry.
  - Ensure that all board members are fully briefed on ERM concepts.
  - Allocate regular time at board meetings for ERM and the supervision of your principal strategic risks.
  - Introduce whichever changes are necessary in culture and communications to increase risk awareness.
  - Set up a central risk function (or strengthen an existing one), appoint a leader, assign its tasks, and put it to work.
  - Adjust your organization’s structure so that your risk function shares ERM conclusions with your corporate strategy and business development departments, with a view to making the business more robust and flexible.
  - Improve the methods used for managing risks. Set up systems for developing responses to risks, using a methodical but imaginative and creative approach.
  - Establish monitoring systems that focus on risks for which you have not developed an adequate response.
  - Review, and improve where necessary, your enterprise’s methods for managing strategic, project and operational risks.
  - Establish criteria for determining when project and operational risks become strategic risks that could have a significant impact on the business.
  - Study risks that are already embedded in the organization.
  - Establish a timetable for setting up a central risk function (or strengthening the existing one) and determine its tasks and reporting lines.
  - Establish schedules for other parts of your ERM plan and who will be responsible for achieving them, with clear milestones.
  - Determine how everyone is to be trained in new ways of thinking, behaving and communicating, and make realistic estimates of how long this is likely to take and how much it will cost.
  - Make realistic estimates of the costs of the implementation project.
  - Identify the risks associated with implementing your ERM framework, and use a recognised methodology such as Risk Analysis and Management for Projects (RAMP) to appraise and control them.
  - Ensure that the implementation project has full buy-in from the board and the CEO.
  - Appoint suitably skilled senior people to lead the implementation process, including a project manager.
  - Set up a governance structure for the implementation project.
  - Improve reporting systems, so that up-to-date and consistent data is available to all those who control risks.
  - Introduce horizon scanning for emerging risks.
  - Clarify the responsibilities and ownership of all managers on risk issues.
  - Overhaul risk governance systems and ensure that they are properly developed and implemented.
  - Begin embedding risk management within the general management of the organization, so that it becomes part of every manager’s way of life. This change, says the IFA, is one of the hardest to achieve, since managers tend to put risk management on the back burner.
  - Ensure that you have procedures in place for risk analysis of all major change initiatives before they proceed.
  - Set up a crisis management system.
  - Have better and more frequent discussions with suppliers and customers about emerging risks.
After you’ve gotten your ERM program humming along, you’ll need to follow up with continuous monitoring to ensure that all systems are always “go.”
Ironically, implementing your ERM framework and program can expose your organization to new risks—as is the case with any significant change. Here are some tips for success:
1. Get not only buy-in, but leadership from the top.
2. Monitor the implementation closely at every step.
3. Consult with managers and other key personnel about the design of important changes and to review the implementation’s progress.
4. Survey employees regularly about the implementation.
5. Be aware of threats to the implementation project including:
a. Rising costs
b. Increases in implementation time
c. Distractions from the business’s operations
d. Doubts about the value of ERM
Maturity Models for Enterprise Risk Management
To determine the quality of your ERM program, the Risk Management Society (RIMS) has developed the Risk Maturity Model (RMM). The RMM “outlines key indicators and activities that compose a sustainable, repeatable and mature enterprise risk management (ERM) program.”
The RMM is a self-test that, based on your enterprise’s score, ranks your ERM program’s maturity level on a scale of 1 to 5:
1. Ad hoc
To determine your maturity level, the model identifies seven key attributes of effective ERM:
- Having an ERM-based process: How embedded is risk management in your company’s culture? Do your C-suite and board support ERM?
- Managing your ERM process: How have you instilled an ERM mindset and methodologies throughout your culture and in your business decisions? Does your risk management program use best practices when identifying, assessing, evaluating, mitigating, and monitoring risks?
- Managing your risk appetite: How aware are your leaders of the tradeoffs between risk and rewards? Does everyone understand who’s accountable for risk and what your organization’s risk tolerances are? How effective is the enterprise at stopping risks from becoming threats?
- Finding the root cause: How well do you identify the source of risks (root cause) rather than just their symptoms and outcomes? Have you classified your risks according to their root causes?
- Uncovering risks: How well and thoroughly have you assessed the risks to your organization? How do you gather information about risks? What is your risk assessment process? Do you examine risk information for trends?
- Managing performance: To what degree do you follow your enterprise visions and strategies? Do you use a risk-based process to plan, communicate, and measure your organization’s core goals?
- Keeping the business resilient and sustainable: Do you use a risk-based methodology to plan operations, manage business continuity, and sustain critical business functions?
Each of these attributes contains competency drivers—25 in all—as well as key readiness indicators that show how prepared you are to reach your ERM goals. The RIMS RMM assessment is available online.
Benefits of Enterprise Risk Management
The opposite of “managed” risk would be risk that is unmanaged. No one wants out-of-control risk.
Being able to run your business with confidence that whatever can go wrong, probably won’t, puts you at the ready to tackle new challenges and opportunities as they arise.
Risk management brings many benefits, some obvious and others less so. From the U.S. Centers for Disease Control and Prevention, American Express, and other sources, here’s a list of benefits of enterprise risk management:
- An overarching view of risk throughout the entire company
- A more risk-aware company culture
- Standardized risk information for strategic decisions
- Insights into cross-functional risks and root causes
- Empowered, engaged, more motivated employees
- More efficient and consistent business operations
- Better security
- Proactive, confident risk management
- Higher credit ratings
- Greater privacy for company and customer data
- The ability to see and take advantage of profitable business opportunities
- Faster responses to emerging risks
- More confidence in the organization’s initiatives and future
- Possibly a higher share price
- Increased profits
Enterprise Risk Management Process
First comes the ERM strategy: the high-level plan that sets direction in line with the business’s goals. Using the strategy, you create your ERM program, which lays out the process for managing risk enterprise-wide.
Your risk management process consists of the steps you must take and the tools needed to carry out the mandates of your ERM framework:
- Objective setting
- Risk identification (risk assessment)
- Risk analysis, which entails ranking your risks and developing mitigation plans for each
- Risk response: accept, avoid, transfer, mitigate
- Risk monitoring
- Review and continual improvement
Risk management roadmap
To help enterprises improve their ERM process, the Global Risk Institute has developed an ERM roadmap. Although it’s designed specifically for the financial sector, using the roadmap can benefit any organization interested in developing and implementing an enterprise risk management program.
Intended as an “educational framework,” the GRI’s roadmap aims to “explain the methods and processes used by financial services organizations to manage risk and return in the pursuit of business objectives.”
The roadmap aims to help organizations balance their risk-taking against their business objectives and align their ERM goals, plans, and implementation. It lists seven essential components in a successful ERM program, and describes how they are interrelated:
1. Risk appetite—Establish your risk appetite in the context of your
a. Philosophical approach to risk-taking
b. Core principles and values
c. Quantitative targets and limits
d. Key risk indicators and control points
2. Risk identification
a. Define risk types and regulatory expectations.
b. Take a risk inventory, with the list including emerging and residual risks.
c. Categorize your risks.
3. Risk measurement and assessment—The roadmap provides a model for assessing and measuring “interconnected events and operating factors” in the context of your organization’s risk appetite.
4. Risk budgeting and actions
5. Risk governance and control—This module considers
a. Organizational design
b. Policies, guidelines, and standards
c. Three lines of defense
d. Active monitoring
6. Risk measurement and assessment
7. Risk culture
The Risk Academy offers a risk-management-implementation roadmap as an action plan for non-financial-services organizations with these components:
1. Risk culture
a. Update policies to include responsibility for risk-based decision-making.
b. Update committee charters.
c. Train decision-makers in risk-based thinking.
d. Include risk management in your business training programs.
e. Present risk-related topics in every corporate speech.
f. Include risk management topics on meeting agendas.
g. Present risk competitions at corporate events and in-house.
h. Disclose information about risk-based decision making in the annual report, corporate intranet, and company website.
2. Risk management team
a. Develop quantification skills.
b. Develop “soft” skills.
c. Develop a strong understanding of the nature of the business.
d. Invest in proper modeling tools.
e. Meet and exchange ideas with other risk managers.
3. Risk management preliminary steps
a. Develop a short risk management policy using ISO 31000 principles.
b. Develop a very basic risk management framework document using ISO 31000.
c. Fulfill any other regulatory or shareholder risk management requirements.
d. Develop a high-level risk profile linking key risks to strategic objectives.
4. Risk management actions
a. Review business policies and procedures and identify significant decision points.
b. Add risk analysis to these decision points.
c. Develop risk analysis templates and train decision-makers in how to use them.
d. Reach agreements with internal auditors on risk analysis quality control and decision monitoring.
e. For key decisions:
i. Develop a risk analysis methodology for each decision type.
ii. Perform risk analysis on key decisions or provide tools for doing so to decision-makers.
iii. Develop key risk indicators (KRIs) and monitoring metrics for key decisions.
iv. During planning, change how uncertainties are accounted for by moving away from single-point estimates to ranges.
v. Replace traditional risk scenarios (such as those run by finance) with more sophisticated risk modeling.
vi. Use Monte Carlo simulations to change how you calculate key performance indicators (KPIs) and other performance targets.
vii. Work with human resources to monitor KPIs.
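Steps iv and vi of the Risk Academy list above (moving from single-point estimates to ranges, and using Monte Carlo simulation on KPIs) can be illustrated with a small simulation. The Python below is an added example written for this guide, not the Risk Academy’s or any framework’s own code; the net-margin KPI, the triangular distributions, the revenue and cost ranges, the target and the random seed are all constructed assumptions.

```python
"""
Added example (not from the original article): replacing a single-point
planning estimate with ranges and running a Monte Carlo simulation to see
how likely a KPI target is to be met. The net-margin KPI, the triangular
distributions, the revenue/cost ranges and the target are all constructed
assumptions for illustration.
"""
import random


def percentile(sorted_values, p: float) -> float:
    """Nearest-rank percentile (0 < p < 1) of an already sorted list."""
    idx = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[idx]


def point_estimate_margin(revenue_range, cost_range) -> float:
    """The traditional single-point answer: use the most likely (mode) value of each input."""
    _, rev_mode, _ = revenue_range
    _, cost_mode, _ = cost_range
    return (rev_mode - cost_mode) / rev_mode


def simulate_margin(revenue_range, cost_range, target, runs=20000, seed=1):
    """
    revenue_range and cost_range are (low, mode, high) tuples for triangular distributions.
    Returns the probability that net margin >= target plus the p10/p50/p90 band
    of the simulated margin, so planners see a range rather than one number.
    """
    rev_low, rev_mode, rev_high = revenue_range
    cost_low, cost_mode, cost_high = cost_range
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    margins = []
    for _ in range(runs):
        # random.triangular takes (low, high, mode); a zero-width range returns low
        rev = rng.triangular(rev_low, rev_high, rev_mode)
        cost = rng.triangular(cost_low, cost_high, cost_mode)
        margins.append((rev - cost) / rev)
    margins.sort()
    hits = sum(1 for m in margins if m >= target)
    return {
        "runs": runs,
        "p_meet_target": hits / runs,
        "p10": percentile(margins, 0.10),
        "p50": percentile(margins, 0.50),
        "p90": percentile(margins, 0.90),
    }


# Constructed planning inputs, in millions: (low, most likely, high).
REVENUE_RANGE = (8.0, 10.0, 11.0)
COST_RANGE = (7.0, 7.5, 9.5)
MARGIN_TARGET = 0.20  # the KPI: net margin of at least 20 %

if __name__ == "__main__":
    print(f"point estimate margin: {point_estimate_margin(REVENUE_RANGE, COST_RANGE):.2%}")
    result = simulate_margin(REVENUE_RANGE, COST_RANGE, MARGIN_TARGET)
    print(f"P(margin >= {MARGIN_TARGET:.0%}) = {result['p_meet_target']:.1%}")
    print(f"p10/p50/p90 margin: {result['p10']:.1%} / {result['p50']:.1%} / {result['p90']:.1%}")
```

The point estimate says the 20 % target is comfortably met (25 %), while the simulation reports how often it is actually met across the full range of inputs and how wide the band of outcomes is; that probability and band, not the single number, is what goes into the KPI discussion.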
Designing Your Own ERM Roadmap
According to the Association of Certified Fraud Examiners, developing your own action plan for ERM strategy-building and implementation should address these topics:
1. Business objectives and strategy
2. Risk appetite
a. Existing risk profile
b. Attitudes toward risk
c. Risk capacity
d. Risk tolerances
3. Organizational taxonomy (language), governance structure, and culture regarding risk
4. Risk data collection, analysis, and delivery
5. Internal controls
6. Measurement, evaluation, and communication
7. Scenario planning and stress testing
Do I Need Enterprise Risk Management Certification?
In general, certification in ERM isn’t necessary to do enterprise risk management right—as we’ve seen, ample resources exist to help with developing and managing an ERM program.
But being ERM certified can be helpful in certain situations, according to the ERM Insights blog. When deciding whether ERM certification is right for you, consider these factors:
- Your location. Does your country’s culture prize education more than experience?
- Your organization. Does your enterprise expect you to have formal ERM education to manage or audit your ERM program?
- Your professional goals. Do you want to increase your ERM or general risk management knowledge and expertise?
If you answered “yes” to any of these questions, you might want to enroll in an ERM certification course.
What Is an Enterprise Risk Assessment?
An enterprise risk assessment (ERA) carefully considers all the possible problems that the business could face in the future, and how, unchecked, they might affect the organization’s ability to achieve its goals.
The first step in the ERA process is setting those goals and establishing a common language for discussing risk: to achieve your objectives you must first know what they are, and to manage risk throughout the enterprise you need everyone on the same page and speaking the same language.
Once you’ve laid that foundation, you’ll conjure events or scenarios that could occur, and list them along with how likely each is to occur and how great an impact each occurrence might have on the business. Placing these risks on a grid or chart can then help you to see which are your most urgent risks—those you should address first by adding or improving controls or taking other actions.
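The scoring steps from the framework section (inherent level, quality of controls, residual level, prioritization, and a response chosen against the risk appetite) and the likelihood/impact grid just described can be worked through in code. The following Python is an added example written for this guide, not code from any of the frameworks or organizations mentioned; the 1-to-5 scales, the thresholds for high/medium/low, the assumption that controls reduce only likelihood, the appetite value and the sample register are all constructed.

```python
"""
Added example (not from the original article): a minimal enterprise risk
register. It scores each risk as likelihood x impact, applies the
effectiveness of existing controls to obtain a residual score, buckets risks
into high/medium/low, ranks them, picks a default response against a stated
risk appetite, and lays the risks out on a likelihood/impact grid. The
risks, the 1..5 scales, the thresholds and the control model are all
constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)  # assumption: likelihood and impact both rated 1 (low) .. 5 (high)


@dataclass
class Risk:
    name: str
    function: str                 # owning business function
    activity: str                 # activity that exposes the function to the risk
    likelihood: int               # 1..5, rated without controls
    impact: int                   # 1..5, rated without controls
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective)
    insurable: bool = False       # whether the risk can be transferred to an insurer

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0..1")

    @property
    def inherent_score(self) -> int:
        """Likelihood x impact before any controls (1..25)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> float:
        """Score after controls; controls are modelled as reducing likelihood only (assumption)."""
        return round(self.likelihood * (1.0 - self.control_effectiveness) * self.impact, 2)


def level(score: float) -> str:
    """Bucket a 1..25 score into high/medium/low; the thresholds are assumed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def response(risk: Risk, appetite: float) -> str:
    """Default response: accept if residual is within appetite, transfer if insurable, else mitigate."""
    if risk.residual_score <= appetite:
        return "accept"
    if risk.insurable:
        return "transfer"
    return "mitigate"


def prioritize(register, appetite: float):
    """Return the register ranked by residual score (then inherent score), with a response decided."""
    ranked = sorted(register, key=lambda r: (-r.residual_score, -r.inherent_score))
    return [
        {
            "name": r.name,
            "function": r.function,
            "inherent": r.inherent_score,
            "inherent_level": level(r.inherent_score),
            "residual": r.residual_score,
            "residual_level": level(r.residual_score),
            "response": response(r, appetite),
        }
        for r in ranked
    ]


def heat_map(register):
    """Place each risk on the (likelihood, impact) grid by its inherent ratings."""
    grid = defaultdict(list)
    for r in register:
        grid[(r.likelihood, r.impact)].append(r.name)
    return dict(grid)


def render_heat_map(register) -> str:
    """Text rendering of the grid: rows are impact (high at top), columns are likelihood 1..5."""
    grid = heat_map(register)
    lines = []
    for impact in reversed(SCALE):
        cells = [str(len(grid.get((lik, impact), []))) for lik in SCALE]
        lines.append(f"impact {impact} | " + " ".join(cells))
    lines.append("           likelihood 1..5")
    return "\n".join(lines)


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Ransomware on corporate website", "IT", "Public web hosting", 4, 5, 0.6, insurable=True),
    Risk("Sole-source component supplier shuts down", "Procurement", "Single-supplier sourcing", 2, 5, 0.1),
    Risk("Payroll data entry errors", "HR", "Manual payroll processing", 3, 2, 0.5),
    Risk("Server room flood", "Facilities", "Ground-floor server room", 1, 4, 0.0, insurable=True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, appetite=4.0):
        print(row)
    print(render_heat_map(SAMPLE_REGISTER))
```

Note how the ranking changes once controls are applied: the website risk has the highest inherent score, but because its controls are rated reasonably effective, the single-supplier risk, with almost no controls, ends up first on the residual list and is the one marked for mitigation.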
Implementing Enterprise Risk Management
Risk managers and risk teams may do the work of establishing and running an ERM program, but the responsibility for it goes all the way to the top. The chief executive officer (CEO) is, in the end, responsible for the enterprise risk management program, and their ownership of the program is essential to its success.
In reality, though, the chief risk officer (CRO) will most likely oversee the day-to-day processes of running your ERM program, directing the ERM committee or function. The CRO will also report regularly to the board and audit committee on enterprise risk.
The board of directors’ role is to ask questions of management, to come to understand which risks the enterprise faces and what’s being done about them. The board needs to understand and even shape (or re-shape) the organization’s philosophies about risk, make sure the ERM program is properly designed and viable, provide the resources needed for effective ERM, and understand how the program fits with the company’s business objectives.
Governance and risk management are important parts of an ERM program. The program’s people and processes help make up the overall ERM system along with the tools and technologies used to assess, manage, and monitor enterprise risk. Compliance, which ERM helps companies to achieve, also plays a part in this system.
Governance, risk management, and compliance (GRC) work hand-in-hand for a successful ERM system, which includes the tools and technologies used to do ERM right. Their roles are as follows:
- Governance, which includes the board and its audit committee, establishes the objectives of the business and sets the boundaries for ERM in alignment with those objectives.
- Risk management involves identifying and addressing the obstacles to achieving the business’s objectives.
- Compliance makes sure that the program’s boundaries are set in accordance with rules and regulations, and that ERM occurs within those boundaries.