What is Enterprise Risk Management?
ERM provides a framework for Risk Management, which usually involves identifying explicit events or circumstances relevant to the organisation's objectives (risks versus opportunities), assessing the probability and magnitude of impact, determining a response strategy, and monitoring progress.
By identifying and planning for risks and opportunities, business enterprises protect the organisation's value for its stakeholders. Stakeholders could range from stockholders, employees, government, customers, lenders and regulators to society at large.
Risks can arise over time, especially when driven by social trends; for example, public attitudes to slavery, smoking, furs, spanking, banking bonuses and nuclear power have changed significantly over the generations.
ERM is often described as a risk-based approach to managing an enterprise, integrating the ideas of management and employees. ERM has evolved to meet the needs of varied stakeholders, who need to understand the broad spectrum of risks facing complex organisations to make sure those risks are appropriately managed. Regulators, counterparties and debt rating agencies have increased their scrutiny of the risk management processes of firms.
Enterprise Risk Management (ERM) Frameworks
There are a number of different ERM frameworks that describe an approach for identifying, analysing, responding to, and monitoring risks and opportunities in the internal and external environment facing the enterprise. Management would typically select a risk response strategy for each specific risk identified and analysed, which could include:
Avoidance - Stop the activity that is increasing the risk profile.
Reduction - Implement actions to reduce the probability or impact associated with the risk.
Alternative Actions - Identify alternative actions and evaluate their outcomes against the current risk profile.
Insure or Distribute Risk - Where a risk cannot be avoided, insure against the risk occurring or distribute the risk with a partner or partners willing to take on some of it.
Accept Risk - Take no action and accept the outcome of the risk.
It is expected that management would implement a program of continuous monitoring and a feedback mechanism to ensure they understand their risk profile at any point in time. This would include meetings with domain experts, identification of the current risk state, and the state of response or contingency plans.
Components of an Enterprise Risk Management Framework
While the following components do not need to be established in the order below, most of them will need to be in place before an ERM program can be established.
Identify Sponsors for an ERM Program - These might be internal or external. External sponsors would typically be governmental, via regulations, or major business partners concerned about counterparty risks.
Define a Risk Language Registry - Allows common definitions to be documented, avoiding confusion among stakeholders.
Establish the Organisation's Risk Appetite - This will form the basis of most risk mitigation decisions and will have a significant impact on management strategy for ongoing risk management.
Identify, Describe and Document the Current Organisation Risks in a Risk Inventory - Allows clear definition of where current risk concerns lie within the organisation.
Implementing a Risk Ranking Methodology - Allows the organisation to prioritise risks across each Risk Function and the entire Enterprise.
Establishing a Risk Committee - Typically led by the Chief Risk Officer (CRO) who will coordinate the activities of each of the Risk Functions.
Assign Responsibility for Explicit Risks - The goal being that each Risk Function will be assigned an explicit risk to manage within the organisation.
Construct a Cost Benefit Analysis - Allows management to justify the return on investment (ROI) of implementing the risk management effort.
Review Action Plans from Risk Functions - Allows validation of Risk Function management and mitigation plans to ensure the residual risk is within risk appetite tolerances.
Ensuring Comprehensive Reporting - Allows stakeholders to validate that risk management efforts are progressing towards organisational goals and allows continuous monitoring of risk mitigation efforts.
Ensuring Risk Coverage by Internal Auditors, External Consulting Groups, and Other Evaluating Entities.
Develop an appropriate Information Technology System that gives external parties or remote workers access to the internal Enterprise Risk Management Framework.