Enterprise Risk Management
Revision as of 13:27, 20 February 2022
Abstract
Modern businesses face a diverse set of risks and potential dangers. Traditionally, companies handled their risk exposures by having each division manage its own business. Indeed, many large firms dealt with growth by assigning more and more responsibility to the heads of individual business units, with the CEO and other top managers uninvolved in those daily operations. However, as companies grow and take on multiple divisions or business segments, this approach can lead to inefficiency and to the amplification or misrecognition of risk. Each division of the firm becomes its own "silo": it cannot see the risk exposures of other divisions, how its own exposures interact with those of other units, or how the different exposures across units combine as a whole. So, while a division manager may recognize a potential risk, they may not realize (and may not even be in a position to realize) the significance of that risk to other parts of the business.
Definition
Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization's operations and objectives and/or lead to losses. ERM takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. It not only calls for corporations to identify all the risks they face and to decide which risks to manage actively (as other forms of risk management may), but it also allows top managers to make executive decisions regarding risk management that may or may not be in the particular interest of a certain segment, but which optimize for the firm as a whole. This is necessary because risks can be siloed in individual business units that do not or cannot see the bigger risk picture. ERM also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance have all shifted to utilize ERM.
Origins
The origin of ERM is significant. Historically, risk management had focused primarily on financing risk rather than controlling it. This was sufficiently short-sighted that it gradually became evident to clients that risk involved aspects of management concern greater than financially surviving accidental losses. Strategic and operational parameters involved risks that required foresight and control, and stakeholders were demanding that the Board of Directors take an active role in managing risk. So ERM was born in the financial services industry as an extension and expansion of its classical financing approach to risk. Two primary forces, global orientation and business complexity, provoked ERM into existence. In response, five aspects of risk have been increasingly addressed: strategy, accountability, identification, ranking, and mitigation. From the outset, ERM was intended and anticipated to rise in significance beyond the CFO to the top executive, and on into the boardroom, where it would join the highest strategic concerns. A new executive, the Chief Risk Officer, was even christened to carry the ERM torch.
Chief Risk Officer
A Chief Risk Officer (CRO) is a corporate executive responsible for identifying, analyzing, and mitigating internal and external risks. The position of chief risk officer is constantly evolving. As companies adopt new technologies, the CRO must govern information security, protect against fraud, and guard intellectual property. The types of threats the CRO usually keeps watch for can be grouped into regulatory, competitive, and technical categories. In the regulatory category, companies must ensure they are in compliance with regulatory rules and fulfilling their obligations to report accurately to government agencies.
CROs must also check for procedural issues within their companies that may create exposure to a threat or liability. For example, if a company handles sensitive data from a third party, such as personal health information, there may be layers of security that the company is required to maintain to ensure that data is kept confidential. If there are lapses in that security—such as when an employee allows an unauthorized person, even within the company, to have access to a company computer that contains such data—it can be a form of exposure that a CRO must address. Unauthorized access to sensitive data may also constitute a competitive risk if there is the potential for rival organizations to use such information to take away clients or otherwise damage the public image of the company.
ERM Framework
Enterprise Risk Management—Integrating with Strategy and Performance clarifies the importance of enterprise risk management in strategic planning and embedding it throughout an organization—because risk influences and aligns strategy and performance across all departments and functions. The Framework itself is a set of principles organized into five interrelated components:
1. Governance and Culture: Governance sets the organization's tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
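The "Performance" component above describes a concrete procedure: assess each risk, prioritize by severity against a risk appetite, select a response, and then take a portfolio view of the total risk assumed. The following is an added example, not code from the page or from any ERM standard, of a minimal risk register that carries that procedure through. The 1-to-5 likelihood and impact scales, the control-effectiveness factor, the `transferable` attribute, the appetite thresholds and all sample risks are constructed for illustration. The portfolio view also shows the silo problem from the abstract: every individual risk is handled within its own unit, yet the aggregate for one unit and for the enterprise still exceeds appetite.

```python
"""Added example (not from the page): a toy ERM risk register covering the
'Performance' component. Scales, thresholds and sample risks are constructed."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Risk:
    name: str
    unit: str                  # business unit ("silo") that owns the risk
    likelihood: int            # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int                # constructed scale: 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0   # 0.0 (no controls) .. 0.9; reduces severity
    transferable: bool = False           # hypothetical flag: can be insured/outsourced

    @property
    def inherent(self) -> int:
        """Severity before controls, 1..25."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Severity after existing controls are taken into account."""
        return round(self.inherent * (1 - self.control_effectiveness), 1)


def select_response(risk: Risk, appetite: float) -> str:
    """Map residual severity against the per-risk appetite to a response."""
    if risk.residual <= appetite:
        return "accept"           # within appetite: no further action
    if risk.residual >= 20:       # constructed tolerance limit: stop the activity
        return "avoid"
    if risk.transferable:
        return "transfer"         # e.g. insurance or contractual transfer
    return "mitigate"             # add or strengthen controls


def prioritise(risks: list, appetite: float) -> list:
    """Rank risks by residual severity, most severe first, with the chosen response."""
    ranked = sorted(risks, key=lambda r: r.residual, reverse=True)
    return [(r.name, r.residual, select_response(r, appetite)) for r in ranked]


def portfolio_view(risks: list, unit_appetite: float, portfolio_appetite: float) -> dict:
    """Aggregate residual risk per unit and for the whole enterprise.

    Returns {unit: (total_residual, within_appetite)} plus an 'ENTERPRISE' entry.
    """
    totals = defaultdict(float)
    for r in risks:
        totals[r.unit] += r.residual
    view = {u: (round(t, 1), t <= unit_appetite) for u, t in totals.items()}
    enterprise = round(sum(totals.values()), 1)
    view["ENTERPRISE"] = (enterprise, enterprise <= portfolio_appetite)
    return view


# Constructed sample register; the risks echo the CRO examples given on the page.
SAMPLE_REGISTER = [
    Risk("Third-party PHI exposure", "Health Ops", 3, 5, 0.5, transferable=True),
    Risk("Regulatory reporting error", "Finance", 2, 4, 0.5),
    Risk("Key supplier outage", "Manufacturing", 4, 3, 0.0, transferable=True),
    Risk("Unauthorised internal data access", "Health Ops", 4, 4, 0.25),
    Risk("Price war with competitor", "Sales", 3, 3, 0.0),
]
RISK_APPETITE = 8.0        # constructed: per-risk residual that is simply accepted
UNIT_APPETITE = 15.0       # constructed: maximum residual a single unit may carry
PORTFOLIO_APPETITE = 40.0  # constructed: maximum residual for the enterprise


if __name__ == "__main__":
    print("Prioritised risks (residual, response):")
    for name, residual, response in prioritise(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"  {residual:5.1f}  {response:9s}  {name}")
    print("Portfolio view (total residual, within appetite):")
    for unit, (total, ok) in portfolio_view(SAMPLE_REGISTER, UNIT_APPETITE,
                                            PORTFOLIO_APPETITE).items():
        print(f"  {unit:14s} {total:5.1f}  {'ok' if ok else 'EXCEEDS APPETITE'}")
```

Running it shows the point of the portfolio view: the two Health Ops risks are individually accepted and mitigated, but together they exceed the unit appetite, and the enterprise total exceeds the portfolio appetite even though three of the four units are within theirs. A division manager looking only at their own silo would not see either fact.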