Revision as of 15:42, 6 March 2022

Abstract

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures via each division managing its own business.Indeed, many large firms dealt with growth by assigning more and more responsibility to heads of individual business units, with the CEO and other top managers uninvolved in those daily operations. However, as companies grow and take on multiple divisions or business segments, this approach can lead to inefficiency and amplification or misrecognition of risk. In this case, each division of a firm becomes its own "silo." They are unable to see the risk exposures of other divisions, how their risk exposures interact with other units, and how different exposures across units interact as a whole. So, while a division manager may recognize potential risk, they may not realize (nor even be able to realize) the significance of that risk to other aspects of the business. ¨

Definition

^[1]Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization's operations and objectives and/or lead to losses. ERM takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. It not only calls for corporations to identify all the risks they face and to decide which risks to manage actively (as other forms of risk management may), but it allows top managers to make executive decisions regarding risk management that may or may not be in the particular interest of a certain segment—but which optimizes for the firm as a whole. This is because risks can be siloed in individual business units that do not or cannot see the bigger risk picture. It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM . Two primary forces – global orientation and business complexity – provoked ERM into existence. In response, five aspects of risk have been increasingly addressed: strategy, accountability, identification, ranking, and mitigation. From the outset, ERM was intended and anticipated to rise in significance beyond the CFO to the top executive – and on into the boardroom – where it would join the highest strategic concerns. A new executive – Chief Risk Officer – was even christened to carry the ERM torch.

Origins

The origin of ERM is significant. Historically, Risk Management had been focused primarily on financing rather than controlling risk. This was sufficiently short-sighted that it gradually became evident to clients that risk involved aspects of management concern greater than financially surviving accidental losses. Strategic and operational parameters involved risks that required foresight and control. Stakeholders were demanding that the Board of Directors take an active role in managing risk. So ERM was born in the financial services industry as an extension and expansion of its classical financing approach to risk. Two primary forces – global orientation and business complexity – provoked ERM into existence. In response, five aspects of risk have been increasingly addressed: strategy, accountability, identification, ranking, and mitigation. From the outset, ERM was intended and anticipated to rise in significance beyond the CFO to the top executive – and on into the boardroom – where it would join the highest strategic concerns. A new executive – Chief Risk Officer – was even christened to carry the ERM torch.

Chief Risk Officer

^[2] A Chief Risk Officer (CRO) is a corporate executive responsible for identifying, analyzing, and mitigating internal and external risks. The position of chief risk officer is constantly evolving. As companies adopt new technologies, the CRO must govern information security, protect against fraud, and guard intellectual property. The types of threats the CRO usually keeps watch for can be grouped into regulatory, competitive, and technical categories. As noted, companies must ensure they are in compliance with regulatory rules and fulfilling their obligations on reporting accurately to government agencies. CROs must also check for procedural issues within their companies that may create exposure to a threat or liability. For example, if a company handles sensitive data from a third party, such as personal health information, there may be layers of security that the company is required to maintain to ensure that data is kept confidential. If there are lapses in that security—such as when an employee allows an unauthorized person, even within the company, to have access to a company computer that contains such data—it can be a form of exposure that a CRO must address. Unauthorized access to sensitive data may also constitute a competitive risk if there is the potential for rival organizations to use such information to take away clients or otherwise damage the public image of the company.

ERM Framework

^[3] Enterprise Risk Management—Integrating with Strategy and Performance clarifies the importance of enterprise risk management in strategic planning and embedding it throughout an organization—because risk influences and aligns strategy and performance across all departments and functions. The Framework itself is a set of principles organized into five interrelated components:

1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk manage-ment. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.

4. Review and Revision: By reviewing entity performance, an organization can con-sider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.

5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

ERM Weakness Points

^[4]As an article in Risk Management Reports observed, “ While businesses have made progress in implementing enterprise risk management (ERM) programs, we have seen that such programs have often been ineffective. ERM has not become embedded in corporate strategic thinking and culture. Risk management processes continue to be fragmented and left to functional managers or business units and do not reflect a vision of the firm’s long-term goals. Summarizing ERM to date, it consists of methods and processes used by organizations to manage risks and seize opportunities influencing achievement of their objectives. Like all such innovative initiatives, ERM has been evolving – with contributions from many sources. In this evolution process has been delighted 5 main weakness points that could and must be overcome in order to consolidate this always-in-progress tool.

1. ERM Lacks the Framework it Touts

The expansion of traditional Risk Management beyond financial concerns – and denoting it as Enterprise Risk Management – was haphazard, almost random in nature. Obviously, the intent was to consolidate all activities, functions, and interests within a corporation so that their risks might be integrated, examined, and managed as a unit. The idea was admirable. But the very singularity it was seeking is missing – because it has no universal rationale or mechanism to attain it. ERM lacks the framework it touts. It has no defined process that assures TOTAL management of risk. Instead, it’s “bits and pieces” -- often focused on the sensational and obvious while ignoring the mundane and routine. The goal of ERM is to address risk in all areas of the enterprise.“Enterprise” turns out to be elusive rather than descriptive. ERM in one organization may not even resemble ERM in another. What is needed? Application of the systems approach – that global, holistic, all-encompassing, universal technique used successfully in high-risk space endeavors. That approach clearly defines the boundary of concern – so that there is no ambiguity about what is and what is not the entity for which risk is being managed. Once that is accomplished, its known inputs and desired outputs are established, a functional platform for identifying every conceivable risk is constructed, and risk scenarios are written. Until ERM becomes systematic, it will suffer misunderstanding,false exploitation, fragmentation, and confused reaction.

2. ERM is Reactive instead of Proactive

History certainly reveals a wealth of risks needing to be managed. However, those risks are only a portion of those that management must address if an organization is to protect and create value for its stakeholders -- including owners, employees, customers, regulators, and society overall. Risks that have yet to be revealed or experienced may be more consequential than the obvious ones that most organizations traditionally manage. There is no recognized and endorsed ERM process for foreseeing and identifying risks prior to experiencing their associated losses. This deficiency forces ERM to be reactive instead of proactive – waiting for a loss before implementing countermeasures against it. Reactionary management is always inefficient and impulsive – as well as expensive. ERM should be proactive, but it’s not. It’s usually reactive. Because it has no method or process for identifying risks that have not yet happened, it is destined to remain reactive. The sad fact is that – by being reactive – every loss is much more costly than if it had been foreseen and controlled.

3. ERM Discards the Wisdom of Insiders

Insurers and risk consultants in financial institutions have always convinced most client executives that they know how best to manage risk. So those executives have fallen victim to engaging experts from the outside to tell them what they already know -- while still remaining vulnerable to risks the outsiders know nothing about. Most critically, the wisdom required to manage and control risk is right within the enterprise itself. The key is to have a technique that extracts and organizes that wisdom. Traditionally, risk management has been a profitable business – primarily because it was performed by insurers on behalf of the insured. But risks really weren’t managed. They were financed. So it follows logically that the early recruits and participants in ERM came from the financial end of the risk management spectrum – rather than the control end. Their influence and earmarks cannot be denied.Yet, as the scope of risk concern broadened under ERM to include control of risk, it became obvious that risk management knowledge and expertise required was not available from the outside financial experts who had historically provided it. This is not to say that outside financial consultants cannot augment the internal wisdom of a client enterprise regarding management of risk. But the shortcoming is that they typically limit their involvement to a few mid- or high-level client managers with financial interests. Risks can only be impacted or reduced by those in control of the scene wherein they occur – and it is those very people who are rarely involved in the ERM process even though they have the greatest knowledge and understanding of those risks. ERM discards the wisdom of insiders.

4. ERM Doesn’t Calculate Mitigation Costs

Every identified risk attracts management attention – in one of two ways. If it is defined only in terms of its severity and likelihood, unanimity of concern about it is generally universal but inconsequential. Why? Because there is no consequence involved. Everyone agrees that the risk exists. But it is simply a moral concern – but not a management one. However, if a third dimension – mitigation cost – is assigned to that risk, decision -makers are forced to address it. It becomes consequential. It cannot be ignored. Questions arise – about all three dimensions because, taken collectively, that risk can now be placed in an array of management significance or consequence. Executives become accountable for its management. As a general rule, ERM measures risk in only two dimensions – severity and likelihood. With little doubt, this short-sighted approach almost guarantees that management will not get involved in addressing it. It may become assigned to a list or a group of similar risks or be classified within a zone of interest. But without a mitigation price tag, management will ignore it. Ignoring mitigation cost assures ignored risk.

5. ERM Fails to Rank Risks

There are never enough resources in any organization to mitigate every identified risk. So allocating resources to manage risk is a prime concern for executives. On what basis then can an executive determine the necessity for investment to control risk? How can one risk be justified as more important than another? When and how can a decision-maker feel justified in allocating limited resources to competing candidates for risk control – particularly when great diversity in complexity, function, or cost among them exists? Compounding this dilemma is the possibility that risk identification itself may even be manipulated to favor or influence resource allocation decisions. Should an executive desire to have the organization publicly appear more risk responsible, he could limit or divert the function of risk identification – ordering that certain types of known risk not be acknowledged and documented. Such a risk ranking will always remain dynamic, not static -- not only because the world is always changing but because risk identification is an ongoing activity. New risks can be expected to be identified on an ongoing basis. Further, as risk mitigation takes place, there is constant re-ordering of the ranking that reflects the impact of risks that have been controlled.

Annotated Bibliography

References

1. ↑ Adam Hayes; https://www.investopedia.com/terms/e/enterprise-risk-management.asp "Enterprise Risk Management"
2. ↑ Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer"
3. ↑ https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf "ERM framework"
4. ↑ Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"