Enterprise risk management 101
What do we mean by enterprise risk management, and how is it different to managing everyday risk in business operations?
Here, we look at enterprise risk management, the different types of enterprise risk, risk management software, and how it all fits into the GRC framework.
What is enterprise risk management (ERM)?
Enterprise risk management (ERM) is the process by which an organisation minimises risk to its capital and earnings. An ERM process involves planning, organising, directing and controlling your company’s activities when it comes to things like financial risk, strategic risk, operational risk, and risks associated with accidental losses.
To break it down, a strong enterprise risk management process or program uses what’s happened in the past (through auditing, evaluation and self-assessment), reviews what’s happening in the company right now, and applies all those findings to develop an approach to the future that manages and minimises risk.
A strong ERM program incorporates strategy, goals and objectives, like those ideated within corporate governance and environmental management frameworks.
What does enterprise risk management look like?
Put simply, enterprise risk management involves asking and attempting to answer the question of: “What are the major risks that could stop our company from achieving its goals?”
So, the steps to take in implementing ERM start with identifying and mitigating risk within your company. It’s crucial to understand your organisation from a holistic perspective, identifying strategic goals of top-level management. Once these goals are identified, the process by which the goals are achieved can be monitored and reported on from a risk management perspective.
In smaller companies, ERM is usually the role of executive management, but as your organisation grows and becomes increasingly complex, an effective and dedicated ERM team is crucial for long-term success and sustainability. An ERM team can then communicate risk management processes and practices, prioritise and highlight information for decision-makers, and ensure a smooth ERM process.
Enterprise risk management is growing in popularity and interest with the globalisation of the corporate workforce. Industry and government regulatory bodies are more closely scrutinising risk management policy and procedures. But how does enterprise risk management differ from more traditional risk management?
How is ERM different from traditional risk management?
Traditionally, risk management in an organisation is the responsibility of business unit leaders. For example, the head of technology and IT is responsible for managing risk related to any IT operations, the head of finance is responsible for mitigating risks related to financing and cash flow, and so on. This is often called a silo or stove-pipe approach to risk management.
What has been identified in more recent times is that there are limitations to traditional risk management, such as:
- Risks can go undetected by management if they fall ‘between’ different organisation areas of responsibility.
- Some risks might affect different areas in different ways; for example, the head of finance might identify a risk related to cash flow, without realising the effect this risk could also have on other areas of the business.
- Similarly, the way that risk is managed might have a flow-on effect to other areas, without that risk being identified.
- Risk management can become internally focused, with management teams losing sight of external risk or risks that can emerge from outside the business.
Enterprise risk management has been identified as a valuable strategic tool for mitigating the potential problems of traditional risk management, providing your company with a more holistic, overarching perspective and approach to strategic planning.
ERM takes a top-down, enterprise view of all significant risks that could impact a business. This portfolio view of risk means that ERM is becoming more proactively embraced as a business process to enhance risk management and achieve goals.
Benefits of enterprise risk management
ERM can be an important strategic tool for business leaders, with an effective enterprise risk management process giving you crucial insight into risks that could affect strategic planning.
Other benefits of enterprise risk management include:
- As management becomes more aware of risk, that knowledge can be applied to design strategies and processes to navigate the risks identified at all levels of the business.
- Identifying risk leads to better preparation for minimising risk.
- Proactively mitigating risk gives your company a competitive advantage, reducing the likelihood of being negatively impacted by future risk.
- A more risk-focused company culture leads to effective communication and risk-management policies between and within different parts of the business, improving risk management across the board.
- Your company can implement standardised risk reporting and measurement.
- A stronger focus on risk related to achieving business objectives can lead to more efficient use of resources.
- Highly regulated and proactive organisations are more attractive to investors.
Implementing an ERM framework
For best practices, ERM should incorporate compliance and should work towards your company’s objectives. Here are some key steps:
- Identify and prioritise all company processes and their potential related risks – these can be hazard risks (threat to life, health or property), financial risks, strategic risks and operational risks.
- Develop a blueprint of all risks – current and potential – and create strategies to offset the risks.
- Create an action plan to resolve the current risks identified.
- Continue to monitor and measure these risks, developing the necessary policies and procedures to minimise and mitigate risk in company activities.
- Consider enterprise risk management software solutions to digitise this information and automate processes of risk management.
Some of the common enterprise risk management frameworks include:
- ISO 31000 for risk management
- NIST Risk Management Framework
- Committee of Sponsoring Organisations of the Treadway Commission (COSO).
The increasing need for enterprise risk management within organisations has led to the development of ERM software solutions and programs to help companies operate more efficiently and effectively. In 2004, the James Lind Alliance (JLA) research team analysed risk in types of companies with a 30% or higher decline in market value, finding that 61% of occurrences were due to strategic risk, 40% to operational risk and 9% to financial risk.
What is enterprise risk management software?
The benefits of a strong ERM process lie within its ability to be active, continuously updated and improved. It’s no use developing an ERM strategy and letting it stand, unchanged: the process must be dynamic, consistently identifying and managing risk.
That’s where ERM software comes in. ERM software solutions are designed to identify, assess, manage and monitor risks to the viability of your company. This helps remove some of the limitations of traditional risk management, and also the limitation of a management team to individually and collectively identify risk within their organisation.
Key components of an ERM platform
An ERM platform or software can increase awareness of business risks across your entire company, internally and externally, helping management teams with strategic decisions and planning. Your ERM platform can also improve compliance with regulatory and internal compliance mandates, ensuring a strong GRC approach to business.
To incorporate an ERM platform, your company should already have efficient and well-established practices in place, like a strong corporate governance model, a strategy that incorporates internal policies and standards for security and risk concerns, and a procedure for internal and external risk threat identification.
- Planned and strategic business and IT objectives; for example, risk identification for companies moving to cloud storage.
- Assessment of risk tolerance related to culture and governance when pursuing your company’s strategic goals.
- Internal corporate governance models that can identify team structure, how decisions are made and the controls implemented.
- Internal standards and external regulation and compliance, and how this factors into risk management and decision-making.
- Measurement and reporting tools that provide consistent output for stakeholders and well-communicated information to all levels of management.