Enterprise Risk Management (ERM): What It Is, How It Works

What Is Enterprise Risk Management (ERM)?

Enterprise Risk Management (ERM) is a strategic approach that treats risk management holistically, across the whole of a company or organisation. Working top-down, it sets out to identify, evaluate, and prepare for potential losses, threats, hazards, and any other factor that could disrupt an organisation's operations or goals or result in losses.

Understanding Enterprise Risk Management

Enterprise Risk Management adopts a comprehensive approach, necessitating management-level decision-making that may not align with the perspectives of individual business units or segments. Therefore, instead of each unit managing its own risks, there’s an emphasis on comprehensive oversight across the entire firm.

ERM often involves disclosing the risk management plan to all stakeholders as part of an annual report. Various industries, including aviation, construction, energy, finance, insurance, international development, and public health have embraced ERM methodologies.

ERM serves to mitigate overall firmwide risks while also identifying unique opportunities across the organisation. Successful ERM hinges on effective communication and coordination among diverse business units, as decisions made by top management may conflict with local assessments.

Companies implementing ERM usually maintain a specialised team dedicated to overseeing the firm's risk management strategies. Although ERM standards and best practices are still evolving, they have been formalised by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private-sector body that maintains and updates guidance for companies and ERM professionals.

Companies that embrace ERM could be appealing to investors due to the indication of greater stability in their investment prospects.

Holistic Risk Management

Businesses encounter a wide array of risks and potential threats. Historically, companies managed their risk exposures by letting individual divisions handle their own operations. Enterprise risk management instead requires a corporation to identify, across the whole business, every significant risk it may encounter.

Furthermore, it involves management making deliberate choices regarding which risks to actively address. Unlike compartmentalising risks within different sections of a company, ERM enables a holistic view that encompasses the entire organisational landscape.

ERM views each business unit as a component of a larger portfolio within the company and aims to comprehend how risks affecting individual units interact and intersect. Also, it has the capacity to recognise latent risk factors that might remain unnoticed by any single unit.

For years, companies have managed risks in a traditional manner, where each business unit assessed and managed its own risks before eventually reporting to the CEO at a later stage. However, there has been a recent acknowledgment of the necessity for a more comprehensive approach.

From an ERM perspective, the role of a Chief Risk Officer (CRO) becomes essential. The CRO, a corporate executive, is tasked with identifying, evaluating, and mitigating internal and external risks that have an impact on the entire corporation.

Moreover, the CRO ensures the company’s adherence to government regulations and scrutinises factors that could potentially harm investments or various business units. The specific mandate of the CRO is determined collaboratively with top management, the board of directors, and other stakeholders.

Components of Enterprise Risk Management

The 2004 COSO enterprise risk management framework (Enterprise Risk Management - Integrated Framework) outlines eight interrelated components that describe how a company should build its ERM strategies. COSO's 2017 update reorganises these into five components and twenty principles, but the eight remain a practical checklist and are described below.

Company Environment

The internal environment of a company is the tone and culture set by its people. It establishes the company's risk tolerance and reflects management's attitude towards taking risk.

This environment can be shaped by top-level executives or the board and disseminated across the organisation, yet it predominantly manifests through all employees.

Establishing Objectives

When a company defines its purpose, it should establish objectives that complement the company’s mission. These objectives should be aligned with the company’s tolerance for risk.

For instance, a company with ambitious strategic plans should acknowledge the potential for both internal and external risks linked to these extensive objectives. Therefore, the company can align its actions with its objectives, like recruiting more regulatory personnel for expansion into unfamiliar territories.

Recognising Events

Positive events can significantly influence a company, whereas negative ones can severely impede its operations.

ERM guidance advises companies to identify the crucial facets of their business and foresee events that could have severe repercussions. Such high-impact events might threaten operations (e.g. temporary office closures due to natural disasters) or strategy (e.g. government regulations banning a company's main product line).

Risk Assessment

Beyond identifying possible events, the framework describes how to assess each risk by estimating its likelihood and its financial impact. Assessment covers the immediate risk, such as an office rendered unusable by a natural disaster, and the risk that remains or follows once the event is handled, such as employee safety on return to the building. COSO distinguishes inherent risk (the exposure before any response) from residual risk (what remains after the chosen response); it is the residual figure that should be compared with the firm's risk appetite.

Although such estimates are uncertain, the framework encourages companies to quantify risk where they can, assigning each event a probability of occurrence and a monetary impact. The product of the two gives an expected annual loss that can be ranked across the register and compared with the cost of treating it.

Response to Risk

Here are ways in which a company can address risk:

  • Risk avoidance involves the company withdrawing from activities that pose a risk, foregoing potential benefits to steer clear of the risk. For instance, a company might cease selling a particular product line to eliminate associated risks.
  • Risk reduction entails the company actively engaging in the activity while taking measures to minimise the possibility or impact of the risk. For example, a company might invest more in quality control or educate consumers on the proper usage of a product while continuing to sell it.
  • Risk sharing involves the company proceeding with the existing risk profile but involving an external party to share the potential losses in return for a fee. Purchasing an insurance policy is an example of risk-sharing.
  • Risk acceptance involves the company assessing the potential outcomes and concluding that the expected loss is small enough, relative to the cost of mitigation, to carry unchanged. For instance, a company may keep a product line and its existing operations as they are because the likely losses fall within its risk appetite. Acceptance should be a documented decision, revisited as the exposure changes, rather than a default.
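The assessment step above (probability times monetary impact) and the four responses can be worked through together on a small risk register. The following Python is an added example written for this article, not COSO guidance or the article's own material. It uses the standard annualised loss expectancy formula (ALE = single loss expectancy x annual rate of occurrence) and the return-on-security-investment ratio; the register entries and their figures, the risk appetite threshold, and the rule for choosing a response are constructed assumptions.

```python
"""Quantitative risk register with ALE and a response decision.

Added illustration for this article, not COSO guidance or the article's own
material. ALE = SLE x ARO and ROSI are standard formulas; every figure in the
sample register, the appetite threshold and the decision rule are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float       # yearly cost of running the control
    aro_factor: float = 1.0  # multiplier on likelihood once the control is in place
    sle_factor: float = 1.0  # multiplier on loss size once the control is in place


@dataclass
class Risk:
    name: str
    sle: float                       # single loss expectancy (loss per occurrence)
    aro: float                       # annual rate of occurrence (expected events/year)
    controls: list[Control] = field(default_factory=list)
    transfer_premium: float | None = None  # assumed cost to transfer the loss, e.g. insurance

    @property
    def inherent_ale(self) -> float:
        """Annualised loss expectancy before any response."""
        return self.sle * self.aro

    def residual_ale(self, control: Control) -> float:
        """Annualised loss expectancy remaining after one control."""
        return self.sle * control.sle_factor * self.aro * control.aro_factor


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: loss avoided net of cost, per unit of cost."""
    avoided = risk.inherent_ale - risk.residual_ale(control)
    return (avoided - control.annual_cost) / control.annual_cost


def choose_response(risk: Risk, appetite: float) -> tuple[str, float]:
    """Map one risk to accept / reduce / share / avoid and its expected annual cost.

    Decision rule (an assumption of this example, not a COSO prescription):
      accept  - inherent ALE is already within appetite; cost is the loss we carry
      reduce  - cheapest control (residual ALE + control cost) that brings residual
                ALE within appetite and has positive ROSI
      share   - a transfer premium is available and cheaper than the inherent ALE
                (assumes the whole loss is transferred)
      avoid   - nothing above works; stop the activity (cost shown as 0, the
                forgone benefit is not modelled)
    """
    if risk.inherent_ale <= appetite:
        return "accept", risk.inherent_ale
    options = [
        (risk.residual_ale(c) + c.annual_cost, c)
        for c in risk.controls
        if risk.residual_ale(c) <= appetite and rosi(risk, c) > 0
    ]
    if options:
        total, best = min(options, key=lambda t: t[0])
        return f"reduce:{best.name}", total
    if risk.transfer_premium is not None and risk.transfer_premium < risk.inherent_ale:
        return "share", risk.transfer_premium
    return "avoid", 0.0


def build_plan(register: list[Risk], appetite: float) -> dict[str, tuple[str, float]]:
    """Apply choose_response to every entry, returning name -> (response, annual cost)."""
    return {r.name: choose_response(r, appetite) for r in register}


# Constructed sample register; the names and numbers are invented for the example.
SAMPLE_REGISTER = [
    Risk("ransomware on file servers", sle=400_000, aro=0.25,
         controls=[Control("offline backups with tested restore", 30_000, sle_factor=0.2),
                   Control("endpoint detection rollout", 60_000, aro_factor=0.4)],
         transfer_premium=45_000),
    Risk("warehouse flood", sle=2_000_000, aro=0.05, transfer_premium=25_000),
    Risk("minor billing disputes", sle=5_000, aro=3.0),
    Risk("legacy product line", sle=300_000, aro=0.5,
         controls=[Control("patching programme", 20_000, aro_factor=0.8)]),
]

if __name__ == "__main__":
    for name, (response, cost) in build_plan(SAMPLE_REGISTER, appetite=50_000).items():
        print(f"{name:28} {response:45} expected annual cost {cost:>10,.0f}")
```

With an appetite of 50,000 the ransomware entry is reduced (backups bring residual ALE to 20,000 for 30,000 a year, the detection rollout has zero ROSI and is dropped), the flood is shared because the premium is a quarter of the expected loss, billing disputes are accepted, and the legacy line is avoided because its only control cannot bring it within appetite. The point of the exercise is not the exact numbers but that each response is chosen against the same expected-loss yardstick and can be shown to the board alongside its cost.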

Control Activities

Control activities are the measures implemented by a company to establish protocols and guidelines, ensuring effective management of operations while minimising risks. These internal controls consist of two distinct categories:

  • Preventive control measures are designed to stop specific activities from occurring, aiming to reduce risks by prohibiting certain events. For instance, a keypad or physical lock preventing unauthorised access to a sensitive area.
  • Detective control measures are implemented to identify and acknowledge instances where a risky action has happened. Even though the event might have taken place, intentionally or unintentionally, detective controls serve to alert management, enabling appropriate follow-up actions. An example of a detective control is an alarm system installed in a room to signal unauthorised entry or activities.
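The same preventive/detective split applies to digital controls, and seeing both act on one stream of events makes the division of labour clear. The Python below is an added example for this article, not the article's own material: the resource name, usernames, log format and business-hours window are constructed assumptions. The allowlist is the preventive control (it stops the access before it happens); the log review is the detective control, and it surfaces two things the allowlist alone never will: a user being repeatedly refused, and an authorised user acting at an unusual time.

```python
"""Preventive and detective controls applied to the same access events.

Added illustration for this article, not the article's own material. The
resource names, usernames, log format and business-hours window are constructed
assumptions; the point is the division of labour between the two control types.
"""
from __future__ import annotations

from datetime import datetime

# Preventive control: a deny-by-default allowlist checked BEFORE the access happens.
AUTHORISED: dict[str, set[str]] = {"finance-share": {"alice", "bob"}}  # assumed policy


def authorise(user: str, resource: str) -> bool:
    """Return True only for users explicitly listed for the resource."""
    return user in AUTHORISED.get(resource, set())


def handle_request(user: str, resource: str, ts: str, log: list[str]) -> bool:
    """Enforce the preventive control and record the outcome for later review."""
    outcome = "ALLOW" if authorise(user, resource) else "DENY"
    log.append(f"{ts} {user} {resource} {outcome}")  # constructed log format
    return outcome == "ALLOW"


# Detective control: reviews the log AFTER the fact. It catches two things the
# allowlist alone does not surface: repeated denials (someone probing) and
# permitted access at an unusual time (an authorised account behaving oddly).
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59


def detect(log_lines: list[str], max_denies: int = 3) -> list[str]:
    """Return alert strings for patterns that merit management follow-up."""
    alerts: list[str] = []
    denies: dict[str, int] = {}
    for line in log_lines:
        ts, user, resource, outcome = line.split()
        hour = datetime.fromisoformat(ts).hour
        if outcome == "DENY":
            denies[user] = denies.get(user, 0) + 1
            if denies[user] == max_denies:
                alerts.append(f"repeated denials: {user} on {resource}")
        elif hour not in BUSINESS_HOURS:
            alerts.append(f"out-of-hours access: {user} to {resource} at {ts}")
    return alerts


def run_demo() -> tuple[list[str], list[str]]:
    """Replay a constructed sequence of requests through both controls."""
    log: list[str] = []
    handle_request("alice", "finance-share", "2024-05-01T09:15:00", log)   # normal
    for minute in ("10", "11", "12"):                                     # probing
        handle_request("mallory", "finance-share", f"2024-05-01T13:{minute}:00", log)
    handle_request("bob", "finance-share", "2024-05-02T02:40:00", log)     # allowed, but odd hour
    return log, detect(log)


if __name__ == "__main__":
    log, alerts = run_demo()
    print("\n".join(log))
    print("ALERTS:", *alerts, sep="\n  ")
```

Note that the preventive control does its job on every request from mallory, yet only the detective control turns three refusals into something management sees; and bob's 02:40 access is entirely legitimate as far as the allowlist is concerned, which is exactly why a detective layer is still needed once the preventive one is in place.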

Data and Communication

To give a company an accurate picture of its risk profile and of how well risks are being managed, its information systems must collect the relevant data consistently. No department is exempt, however well it performs; every part of the company is monitored on the same basis.

Moreover, certain data should be analysed and shared with employees when it pertains to risk mitigation. Engaging with employees through communication is more likely to foster support for processes aimed at protecting the company’s assets.

Supervision

A company can use an internal committee or an external auditor to evaluate its policies and procedures. The evaluation compares actual practice with what the policy documents require, gathers feedback, analyses corporate data, and alerts management to control gaps and exposures that are not being managed. Companies must be prepared to reassess their ERM arrangements and adapt them as the findings warrant.

How to Implement ERM Practices

ERM approaches will differ depending on a company’s size, risk inclinations, and business goals. The following are recommended strategies that most companies can adopt to execute ERM effectively.

  • Establish risk philosophy. Before initiating any strategies, it’s crucial for a company to ascertain its stance on risk and craft a comprehensive strategy. This involves strategic deliberations among management and an exhaustive analysis of the company’s entire risk landscape.
  • Formulate action plans. Armed with a defined risk philosophy, the next step is to develop action plans that outline measures to safeguard assets and fortify the organisation’s future post a thorough risk assessment.
  • Encourage creativity. ERM necessitates a broad consideration of potential challenges a company might encounter. While some scenarios may seem improbable, it’s prudent for a company to contemplate various challenges it might face and determine its responses (or decisions to refrain from responding) should these events occur.
  • Communicate priorities. Identifying critical risks that demand mitigation for the company’s sustainability is essential. These priorities should be communicated clearly and comprehensively understood as risks that should be avoided at all costs. Alternatively, the company might opt to communicate contingency plans should such events transpire.
  • Allocate responsibilities. Once an action plan is devised, specific individuals should be assigned to execute distinct parts of it. Assigning ownership to roles rather than only to named people keeps the plan working when employees depart. This ensures action items are carried out and holds owners accountable for their designated areas of risk.
  • Embrace adaptability. ERM practices need to be designed with adaptability in mind as companies and risks constantly evolve. A company must be capable of adhering to its current plan while concurrently strategising for new and forthcoming risks.
  • Harness technology. Utilising ERM digital platforms can assist in hosting, summarising, and tracking a company’s risks. Technology can also aid in implementing internal controls and gathering data to assess how performance aligns with ERM practices.
  • Continuously monitor. After establishing ERM practices, it’s imperative for a company to ensure adherence. This involves monitoring progress towards goals, verifying the mitigation of specific risks, and confirming that employees are executing tasks as outlined.
  • Employ metrics. Developing a set of measurable metrics is crucial in monitoring ERM practices effectively. Often referred to as SMART goals, these metrics help hold the company accountable for meeting objectives.

Advantages of ERM

ERM establishes comprehensive cultural norms within an organisation. This involves fostering transparency on discussions of potential risks a company encounters and devising strategies to mitigate them. It minimises unforeseen risks and provides clear guidance on addressing specific events.

Moreover, this approach can enhance employee satisfaction by assuring them of existing plans to protect company assets. It also bolsters customer service by equipping staff on how to handle situations in the event of risks.

ERM practices are usually condensed into a standardised risk assessment report presented to top-tier management. This outlines a company’s risks, ongoing actions, and crucial information for informed decision-making. This streamlines time efficiency for upper management.

Furthermore, ERM can make a company markedly more efficient. It may streamline processes, improve how staff are deployed, reduce theft and fraud losses, and boost profitability by identifying viable market opportunities.

Disadvantages of ERM

As a company develops its ERM protocols, it’s inclined to focus on familiar risks it has encountered before. So, ERM’s effectiveness in recognising potential future risks, which might be unknown and could potentially have more severe consequences, is limited. Some view ERM as reactive because it relies on forecasting risks based solely on prior experiences.

ERM also depends heavily on managerial estimates and inputs, which are difficult to get right. Even if a company had somehow foreseen the emergence of the COVID-19 pandemic, accurately gauging the financial impact of business shutdowns or shifts in consumer spending would have been a formidable task. Estimating the cost of ERM mitigation measures can be just as hard.

Implementing ERM demands significant time and resources. While safeguarding assets is beneficial, it diverts staff time and attention and may require capital investment to execute the strategy. Measuring ERM's success is also problematic: the main evidence that it worked is losses that did not occur, which cannot be observed directly and must be inferred from the forecasts the programme was built on.

What Types of Risks Does Enterprise Risk Management Address?

ERM is adept at formulating strategies to address a wide spectrum of business risks, which pose a significant threat to a company’s sustainability. These risks can be categorised into various types, each of which is elaborated below:

  • Compliance Risk. This jeopardises a company when it fails to adhere to external laws or regulations. For instance, a company might face compliance risk if it cannot generate timely financial reports in line with established accounting standards like GAAP.
  • Legal Risk. This endangers a company when it faces potential lawsuits or penalties due to contractual disputes or regulatory non-compliance. An example of legal risk could involve a billing disagreement with a customer.
  • Strategic Risk. This undermines a company’s long-term plans, potentially allowing new market entrants to surpass the company as the primary low-cost provider.
  • Operational Risk. This threatens a company’s day-to-day activities necessary for its operations. An instance of operational risk might be a natural calamity damaging a warehouse where inventory is stored.
  • Security Risk. This puts a company's assets, physical or digital, at risk of unauthorised access, alteration, destruction, or theft. An example of security risk is insufficient controls over sensitive client data stored on network servers, which exposes the company to a breach and to the compliance and legal consequences that follow from it.
  • Financial Risk. This threatens a company’s financial stability or indebtedness. For instance, a company might face financial risk due to losses incurred from holding foreign currency that experiences translation losses.

Summary

While producing, marketing, and distributing goods to customers, companies encounter numerous risks from different channels. To enhance preparedness against these risks, businesses are adopting Enterprise Risk Management — an all-encompassing strategy that evaluates risks comprehensively and formulates corresponding plans. ERM’s main objective is protecting a company’s assets and operations while establishing contingency strategies for potential adverse events.

DISCLAIMER: This article is for informational purposes only and is not meant as official business advice. AVANTE PARTNERS has no business relationships with any company.
