Basics of Enterprise Risk Management (ERM): How to Get Started

Organizations exist to create value for their stakeholders. By setting objectives, developing strategies, following through and continuously improving processes, value is created.

That’s the ideal situation, at least. In reality, it’s not always as simple as making a plan and sticking to it. There’s always the risk that certain events could affect the success of these plans.

It’s the job of management to make adequate preparations to ensure that systems are in place to continue hitting objectives, even when the beast of unforeseen circumstance rears its head.

Enterprise risk management (ERM) is a direct solution to these kinds of uncertainties, allowing management to oversee the continual creation of value on a complete, integrated, organization-wide level.

By utilizing an effective ERM system, you can rest assured that the organization will see a consistently high success rate in terms of hitting objectives and KPIs.

Stakeholders of all kinds, including customers, suppliers, government and regulatory bodies, are increasingly interested in how businesses are implementing ERM. A well-implemented ERM system could set the foundation for many high-quality, long-term client relationships.

Equally, not having a proper system for enterprise risk management could mean your business is perceived as less competent, and could even result in loss of clients and damage to brand image.

In this post, I’ll discuss:

Introduction to and basics of enterprise risk management
Benefits of a well-implemented ERM system
Core ideas of ERM
Examples of different ERM approaches
The enterprise risk management process
Implementing ERM
Automating ERM

To begin with, I’ll break down the full scope of an ERM system, and some basic definitions.

What is enterprise risk management (ERM)?

Enterprise risk management, often shortened to ERM, is a type of process management strategy that seeks to identify, understand, and prepare for the kinds of dangers, hazards, and other potential deviations from standard operating procedures that could be perceived as risks.

“The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.” – The Committee of Sponsoring Organizations of the Treadway Commission (COSO), from Enterprise Risk Management – Integrating with Strategy and Performance

As well as identifying risks, the practice of enterprise risk management also involves making preparations for dealing with these risks and deciding how to prioritize among multiple active or potential risks.

Plans, policies, and procedures for risk management should be made available as widely as possible; shareholders, stakeholders, investors, and other relevant interested parties should all have clear, direct access as part of documented information or regular reports.

ERM is utilized across industries, including construction, finance, aviation, healthcare, energy, and marketing.

The International Organization for Standardization (ISO) defines risk management as:

“coordinated activities to direct and control an organization with regard to risk … [a] systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.” – ISO 31000 – Risk Management Guidelines

Risk management is not a new concept; historically, companies would manage risk with insurance policies. Liability, malpractice, loss or injury, property insurance, natural disasters – different policies to “manage” different risks relating to different business activities.

In recent years, as standards for risk management have become more established and seen widespread adoption, risk management has become more akin to a business process management framework. That is to say, ERM systems will typically focus more on control of internal processes, using principles of continuous improvement, internal audits, and compliance with standards – seeking to minimize controllable risk as much as possible, as well as setting up preventative measures for risks and hazards outside the scope of control of business processes.

Let’s look at some of the benefits of successfully implementing an ERM program.

Benefits of a well-implemented ERM program

It’s important that relevant interested parties understand the rationale for implementing ERM; that way the whole organization can be aligned towards a single common objective, and adoption will be streamlined. Making sure everyone understands the value and reasoning behind adopting an ERM system is one of the first steps to successful implementation.

Let’s look at some recent studies.

A 2008 Deloitte survey asked a group of participants to identify the benefits of ERM in terms of how they felt benefits had already been experienced, and how they thought benefits would manifest in the future.

Deloitte survey results: ERM benefits experienced

34%: ERM created a risk-aware culture.
29%: We can now identify and manage cross-enterprise risks.
26%: ERM provided integrated management reporting.
26%: ERM enabled a focus on the most important risks.
25%: ERM reduced vulnerability to adverse events.
25%: ERM enhanced risk response decisions.

Deloitte survey results: ERM benefits expected in the future

49%: Ability to link growth, risk, and return.
44%: Ability to align risk appetite and strategy.
44%: Ability to provide integrated responses to multiple risks.
42%: Help to minimize operational surprises and losses.
39%: Help to seize opportunities.

When devising initiatives for ERM implementation, companies should try not to focus too much on the negatives; risk management can and should be seen as an opportunity for process improvement.

Traditional approaches to risk management tend to focus heavily on the downsides, such as how much money could be lost or the extent of damage done in a cyber-attack.

To focus on the potential for process improvement means utilizing risk management as an opportunity to gain competitive advantages.

It also means processes can be improved and optimized, so that the end result is not only (for example) avoiding a potential disaster down the road, but also near-term and immediate benefits as a result of process changes.

Enterprise risk management: Core areas

Today, risk management has taken on a broader role, covering four core areas:

1. Hazard risk management

To assess hazards, risk managers follow these five steps:

1. Identify exposures to risk
2. Assess the frequency and severity of these exposures
3. Identify alternative approaches (including process improvements)
4. Choose an alternative and implement it
5. Monitor the implementation and adjust as needed

This process is focused on both preventative and crisis risk management.

While not specifically relating to any one framework of ERM, the example below clearly illustrates the relationship between risk, hazard, and exposure:

[Figure: illustration of the relationship between risk, hazard, and exposure]

2. Internal control

This is another way of saying the meta-processes that companies use to make sure internal processes are being followed.

Internal control processes are also used to improve process efficiency in areas such as reporting, conformity, and general process effectiveness.

Larger organizations, especially those in highly regulated industries, will often have elaborate and expansive systems of internal control.

3. Internal audits

Simply put, internal audits are used to make sure internal controls are working properly. This is different from risk management – it’s another meta-level process that looks instead at the cost, efficiency, and effectiveness of the ERM processes.

Internal audits are concerned with how the risks are actually being managed in practice, and how that evidence lines up with the documented policies and procedures of the ERM.

Teams of internal auditors will look at operating activities, consistency, and compliance. Results of the audit, including weaknesses and recommendations, are typically given in the form of an audit report.

4. Regulatory compliance

Certain rules and regulations must be followed by companies; this area of enterprise risk management concerns efforts to make sure these requirements are met.

For example, government bodies may issue requirements for site safety, environmental policy, social responsibility, or financial reporting.

Companies will typically have a specialized compliance unit or officer who interprets these requirements, giving advice, training, and recommendations for conformance.

Examples of ERM approaches

Over the years, various frameworks for ERM have been established. Each of them describes a different approach to the identification, analysis, response, and general management of risks and opportunities.

Here are a few of the most prominent ERM approaches:

ISO 31000

ISO 31000 refers to a family of standards for risk management, defined by the International Organization for Standardization.

As well as the wider family of standards, ISO 31000 also refers to a specific standard within that family. ISO 31000:2018 is the most recent version at the time of writing.

ISO 31000:2018 for risk management provides a set of guidelines for organizations to manage risk. It is not a set of requirements, and as such cannot be certified to, unlike other ISO standards such as ISO 9001.

Other standards in the family include IEC/FDIS 31010 – Risk Assessment Techniques, which provides guidance on specific techniques for risk management.

CAS

The Casualty Actuarial Society (CAS) is a society of professionals trained in the discipline of actuarial science, specializing in property and casualty insurance.

In 2003, the society’s Enterprise Risk Management Committee defined ERM using two concepts: risk type, and risk management processes.

Of ERM they said the following:

“…the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.” – CAS ERM Committee, from Overview of Enterprise Risk Management

Examples of risk type include:

Hazards: e.g. natural disasters and property damage
Financial risks: e.g. asset, securities, or fiat currency risk
Strategic risks: e.g. business competition and trends
Operational risks: e.g. customer satisfaction, brand integrity, reputation, product faults and failure

Risk management process:

1. Establish context: the internal and external scope of the organization, and the scope of the ERM system
2. Identify risks: as they relate to the organization’s objectives; these should be well-documented and include the corresponding potential for gaining competitive advantage as a result of process improvement
3. Analyze risk severity: for each of the risks identified, assess (and if possible, quantify) its severity
4. Integrate risks: based on the results of the previous risk analysis, aggregate all risk distributions and align the analysis with the determined impact on KPIs
5. Prioritize risks: determine a ranked order of prioritization for each of the risks identified
6. Risk management strategies: this involves strategies for resolving and exploiting the risks identified
7. Monitor and review results: the continuous improvement of the risk management process by way of monitoring and assessment of the risk environment; basically what works and what doesn’t, and figuring out how to improve the process

COSO

COSO is a joint US initiative established in 1985 to prevent corporate fraud. Their recently published Enterprise Risk Management: Integrating with Strategy and Performance (2017 Edition) states:

“Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.” – Enterprise Risk Management: Integrating with Strategy and Performance

The same publication goes on to organize the framework into the following five components:

1. Governance and culture:

Enterprise risk management cannot succeed unless the organization seeks to fully integrate it within the culture of its workplace.

This pertains to the ethics behind worker responsibilities, codes of conduct, and the proper comprehension of risks, as well as all associated management programs and solutions.

2. Strategy and objective-setting:

A fundamental part of ERM is making sure the risk management strategies align with core objectives and broader business strategies.

Business objectives are the basis for planning and implementing strategies, while simultaneously serving as a launch-pad for identifying, assessing, and responding to risks.

3. Performance:

Assessing how certain risks will impact the performance of key processes is important for risk prioritization.

In this context, risks are prioritized in order of their severity.

Following this, risk responses are selected based on an assessment of the potential for risk that has been identified. Results of this part of the process are typically reported to key stakeholders.

4. Review and revision:

By reviewing the performance of risk management processes, organizations can determine how well the ERM program is working, including whether or not changes are needed.

5. Information, communication, and reporting:

ERM is not a single checklist or a fixed set of steps; it is an ongoing process of collecting and assessing information from internal and external sources, across all parts of an organization.

The five components above are supported by an additional set of principles. These principles are wide-ranging, covering everything from corporate leadership of the ERM program to risk monitoring methods.

Each of the principles is short and succinct; here they are, as they appear in Enterprise Risk Management: Integrating with Strategy and Performance (2017 Edition):

Organizations can use these principles as a clear reference point for contextualizing and evidencing their efforts to understand and strive for an enterprise risk management program that is firmly aligned with its strategy and business objectives.

Enterprise risk management process

The process (or cycle) of enterprise risk management has five main parts:

Objectives
Identification
Assessment
Response
Monitoring

1. Setting objectives and aligning ERM with business strategy

At the heart of the COSO ERM framework is the idea of using enterprise risk management to succeed in realizing the organization’s business objectives.

ERM alone will not realize business objectives; rather, the fruits of the ERM program are vital for strategizing to achieve and exceed those business objectives.

Using an ERM framework helps to ensure that a business is able to align objectives with mission, vision, and core values.

2. Identification and documentation of risks

Risks are to be considered as anything that could potentially impact successful achievement of business goals. All risks should be clearly identified and well-documented.

That includes everything from larger, more significant risks, all the way down to smaller risks on the level of individual projects or processes.

In order to successfully identify risks, a clearly defined process is required to systematically assess each area of operation.

3. Assessment of documented risks

Simply identifying risks is not enough; the impact of the risk should be understood, as well as its probability, within an estimated time-frame.

Once significant risks have been adequately documented, the next task is to assess them in terms of their likelihood and estimated significance.

Sometimes, it’s difficult or impossible to accurately predict the probability or time-frame of certain risks, for example natural disasters. Nonetheless, this exercise should be performed to the best of the organization’s ability, and across all levels.

This task is especially important to make sure that all documented risks have substantial credibility. Off-the-cuff suggestions recorded in group brainstorming sessions might have sounded good at the time, but they need to stand up to further scrutiny. Qualitative and predictive analysis will help sort the risks by order of significance.

Various methods exist for assessment of documented risks, from simple qualitative approaches like the prioritization matrix, to more in-depth mathematical models.

The point of this task is to help management determine which risks deserve the most immediate attention.

Another option is to create a heat map of risk significance. The goal of a heat map is to support the results of a risk assessment with an illustration that feeds an active dialogue on how the results compare with an organization’s current risk appetite, and to determine urgent solutions that might need implementing.

Below is a simplified example of a post-risk-prioritization review heat map which excludes lower priority risks, where impact is quantitative (e.g. financial losses) and likelihood is the probability of occurrence within a given time period. The graph is adapted from AICPA’s Enterprise Risk Management: Guidance for Practical Implementation and Assessment (2018):
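As an added example (not from the original post, and not taken from AICPA or COSO material), here is a Python sketch of the assessment and prioritization steps this section and the CAS process (analyze severity, integrate, prioritize) describe: each risk in a constructed register carries a probability of occurring within the review period and a quantitative financial impact; risks are ranked by expected loss, those below a review threshold are excluded, and the remainder are placed into likelihood and impact bands that form heat-map cells. The register entries, the band edges and the threshold are all assumed values chosen for illustration.

```python
"""Risk register prioritization and heat map (added example).

Each risk has an estimated probability of occurring within the review
period and a quantitative impact (financial loss). Expected loss, the
product of the two, ranks the risks; bucketing both axes into bands
places each risk in a heat-map cell. The register, band edges and
threshold below are constructed for illustration and are not taken
from AICPA or COSO material.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # chance of occurrence within the review period (0..1)
    impact: float        # estimated financial loss if it occurs (currency units)

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact


# Constructed sample register; figures are illustrative only.
REGISTER = [
    Risk("Ransomware on file servers", 0.30, 2_000_000),
    Risk("Cloud storage misconfiguration exposes data", 0.25, 800_000),
    Risk("Key supplier insolvency", 0.10, 1_500_000),
    Risk("Regional data-centre outage", 0.06, 3_000_000),
    Risk("Phishing leads to payroll fraud", 0.40, 150_000),
    Risk("Office printer failure", 0.90, 2_000),
]

# Band edges are assumptions for this example; an organization sets its own
# to reflect its risk appetite. Listed from the highest band downwards.
LIKELIHOOD_BANDS = [(0.50, "High"), (0.15, "Medium"), (0.0, "Low")]
IMPACT_BANDS = [(1_000_000, "Severe"), (100_000, "Moderate"), (0, "Minor")]


def band(value, bands):
    """Return the label of the first (highest) band whose lower edge value meets."""
    for lower, label in bands:
        if value >= lower:
            return label
    return bands[-1][1]


def classify(risk):
    """(likelihood band, impact band) for one risk: its heat-map cell."""
    return band(risk.probability, LIKELIHOOD_BANDS), band(risk.impact, IMPACT_BANDS)


def prioritize(register, min_expected_loss):
    """Rank by expected loss, descending, dropping risks below the review threshold."""
    kept = [r for r in register if r.expected_loss >= min_expected_loss]
    return sorted(kept, key=lambda r: r.expected_loss, reverse=True)


def heat_map(risks):
    """Group risks by cell: (likelihood band, impact band) -> list of names."""
    cells = {}
    for r in risks:
        cells.setdefault(classify(r), []).append(r.name)
    return cells


def render(cells):
    """ASCII grid of risk counts; rows are likelihood (high at top), columns impact."""
    likelihoods = [label for _, label in LIKELIHOOD_BANDS]
    impacts = [label for _, label in reversed(IMPACT_BANDS)]
    lines = ["likelihood \\ impact | " + " | ".join(f"{i:<8}" for i in impacts)]
    for lk in likelihoods:
        row = [str(len(cells.get((lk, im), []))).ljust(8) for im in impacts]
        lines.append(f"{lk:<19} | " + " | ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    ranked = prioritize(REGISTER, min_expected_loss=50_000)
    for r in ranked:
        print(f"{r.expected_loss:>12,.0f}  {classify(r)}  {r.name}")
    print(render(heat_map(ranked)))
```

With these constructed figures the printer failure, although almost certain, falls below the review threshold and drops off the map, while the rare but severe data-centre outage stays on it; that is the point of combining likelihood with quantitative impact rather than ranking on either alone.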

4. Risk response

Risk response is intended to figure out how to respond to the high-priority risks.

The responsibility falls to management to carefully review the probabilities and estimated impacts of each risk, and to consider all associated costs and benefits in developing an appropriate risk response strategy.

Risk response falls into four categories of its own:

Avoidance

As the name clearly suggests, this type of risk response involves simply “walking away” from the risk.

For example, a company might decide to relocate based on risks resulting from certain geo-political tension, or completely abandon a product or service that is proving to be particularly risky.

Often it will be too late to avoid risks, because the damage has been done and the costs incurred.

That’s why preventative measures and adequate analysis of potential risks are so important – to keep the avoidance response on the table.

Reduction

Often, risks can be reduced in a number of different ways.

Diversifying a product line may reduce the risk that changing trends or seasonal buying poses; employing multiple stop-gaps for fault tolerance, like offline backups and multiple operations centers, will reduce the risk posed by natural disasters; automating certain tasks in a process will reduce the risk of human error; and so on.

Simple tweaks to standard operating procedures, even seemingly mundane changes like making sure employees are properly informed on company policies, can sometimes result in significant reduction of risk.

Sharing

Risk “sharing” is the principle of purchasing insurance to hedge or offset a business’s risks.

To use a financial example, the concept of short calls and long puts allows investors to hedge their bets on price movements.

Joint venture agreements can also mean businesses share potential risks and rewards.

Basically, risk sharing is the idea of having a portion of the risk offloaded onto another party, with the understanding that you’re substituting the perceived “value” of that risk for a more tangible monetary cost.

Acceptance

To accept a risk is to take no action.

Rather than buying an insurance policy, a business may decide to “self-insure”. This might take the form of