Enterprise Risk Management
Abstract
Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures via each division managing its own business.Indeed, many large firms dealt with growth by assigning more and more responsibility to heads of individual business units, with the CEO and other top managers uninvolved in those daily operations.
However, as companies grow and take on multiple divisions or business segments, this approach can lead to inefficiency and amplification or misrecognition of risk. In this case, each division of a firm becomes its own "silo." They are unable to see the risk exposures of other divisions, how their risk exposures interact with other units, and how different exposures across units interact as a whole. So, while a division manager may recognize potential risk, they may not realize (nor even be able to realize) the significance of that risk to other aspects of the business. ¨
Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization's operations and objectives and/or lead to losses. ERM takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. It not only calls for corporations to identify all the risks they face and to decide which risks to manage actively (as other forms of risk management may), but it allows top managers to make executive decisions regarding risk management that may or may not be in the particular interest of a certain segment—but which optimizes for the firm as a whole. This is because risks can be siloed in individual business units that do not or cannot see the bigger risk picture. It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM .
Contents |
Introduction
By definition, a risk implies future uncertainty about deviation from expected earnings or expected outcome. Businesses and their patterns are evolving with a high frequency and so is their tendency to incur risks.
The Goal
The main goal of ERM process is to generate an understanding of the top risks that management collectively believes are the current most critical risks to the strategic success of the enterprise. To achieve this result there is relevant framework, job position and stakeholders which must be defined.
The Framework
The Framework itself is a set of principles organized into five interrelated components:
Governance and Culture
Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk manage-ment. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
Strategy and Objective-Setting
Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
Performance
Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
Review and Revision
By reviewing entity performance, an organization can con-sider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
Information, Communication, and Reporting
Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
