Enterprise Risk Management

From apppm
Revision as of 14:26, 21 March 2022 by Pietro (Talk | contribs)


written & developed by Pietro Boschetto


One of the most serious problems of today's businesses is the differentiation of risk found across the various components of the business: management, operations, marketing, accounting, and finance. In the past, risk was often analysed by looking at individual departments, a strategy that allowed many companies to grow by assigning responsibilities to different managers. The problem of risk diversification, however, is precisely linked to corporate growth that does not go hand in hand with mutual control between the various corporate departments. For large business enterprises, an analysis of individual risks cannot be considered effective, because it does not protect against combinations of events that are often linked to different business areas. The solution is a new approach derived from common risk management, but one that analyses a business as a whole and no longer in its individual parts. Enterprise Risk Management is the method proposed as a solution to this problem and is the object of study of this article.


Figure 1: Risk Management fields

Enterprise risk management (ERM) is defined as a process, designed and applied in a coordinated manner by different corporate stakeholders such as the board of directors, managers and other corporate figures, whose purpose is to plan a suitable corporate strategy that protects the entire business from risk situations that would slow down or stop its proper functioning and growth.[1] As a process, it involves study and constant updating through data analysis and consultation between the various people involved: it is defined as the art and science of making informed decisions.[2] A holistic approach not only aims to define and contain business risks, but also allows figures such as the executive manager to make risk management decisions in the interest of specific departments of the organisation and of the extended network.[3] In spite of the uniqueness of each company, ERM uses standards that allow a basic approach to the study of the company's business case. The objective of these documents/principles is to provide the team in charge of applying ERM with a guideline that aligns them in the process and also establishes a common point of view on the framework to be set up to succeed in the mission. These postulates are defined by international groups or industry groups and, although they are meant to persist over time, they are regularly supplemented and updated. Among the most important standards is COSO 2017, Enterprise Risk Management - Integrated Framework, which is described in this article as a relevant framework statement for ERM.



It is difficult to define the proper origins of Enterprise Risk Management; it is better described as an evolution of Risk Management, so the motivations that led to this new approach are outlined here. From the late 1940s to the early 1950s we can identify two main fields of importance related to risk management: the management of insurance risks and of financial risks. At that time, companies used to transfer certain types of risk to insurance companies. These transferred risks, related to natural catastrophes, accidents, human error and fraud, allowed insurance markets to expand, letting them also consider types of commercial risk such as credit risk. The tactic adopted forced managers to consider alternatives to the purchase of insurance. Risk management represented an opportunity cost that companies were not considering; moreover, managing risk through a figure inside the corporation would have allowed a better analysis, as it exploits the internal point of view and is subject to greater engagement. The 1970s were characterised by a huge development of financial risk management, in particular considering movements in exchange rates, commodity prices, interest rates and stock prices. The existence of financial derivatives also forced companies to consider more carefully the pricing of risks, how risks could be financed internally, and the value of the additional services supplied by investment banks, which represented a large share of the market. Companies also understood that insurable risks and financial risks could be managed together, since coordinating them would lead to good risk management. The next step in the development of a more holistic approach to risk management came from Contingency Planning, which has been a part of corporate policy for many years. Its purpose was to identify those activities that might be threatened by dangerous events and to have systems in place to cope with these events.
Business Management extended the practice of Contingency Planning, requiring more internal systems. As a result of the combined work of Contingency Planning and Business Management we have Enterprise Risk Management, which is historically traced to the 1990s. The identification of this new method also led to the formation of a new figure in the company, the Chief Risk Officer, in charge of the correct analysis and development of ERM.

Chief Risk Officer

[4] The Chief Risk Officer (CRO) is the corporate executive responsible for identifying, analysing, and mitigating internal and external risks. As ERM is a process of constant evolution, the CRO follows it. Given the innovation that corporations must pursue today, especially in the technology field, the CRO must govern information security, protect the different stakeholders against fraud, and guard [5] intellectual property, which is basically defined as the inventions patented by the company. [4] The types of threats that the CRO usually controls for can be grouped into regulatory, competitive, and technical categories. Corporations must verify that they comply with the rules, reporting their obligations accurately to government agencies. [6] The CRO, as an internal stakeholder, is responsible for the development of operational risk management and is in charge of protecting the company from losses resulting from inadequate procedures, systems and policies. [4] The CRO stands as the advocate of the law: for example, in companies that handle sensitive data, it is important to safeguard those data by continuously updating cookie and policy mechanisms. The management of these protocols is the responsibility of the CRO, who must collaborate with the IT branch of the company in order to avoid problems such as access to these data by unauthorised persons or, worse still, the sharing of these data. [6] The job of the CRO is highly articulated and has different fields of application. That is why this role is often covered by people with a high level of education and up to 20 years of experience in accounting, economics, legal or actuarial work, and many have specialised training in risk management.

ERM Framework

[7] As stated in the definition of ERM, the use of standards is quite relevant to ensure proper alignment between all participants in this task. One of the most relevant is COSO, whose name derives from the Committee of Sponsoring Organisations of the Treadway Commission, the group that commissioned the project. By pursuing leadership and developing understandable frameworks to optimise internal management control, COSO deters fraud by improving organisational performance. The 2017 COSO document highlights the importance of considering risk in both the strategy-setting process and in driving performance. At the base of this report there are objectives such as improving the alignment between performance and Enterprise Risk Management to understand the impact of risk on performance, but also new ways of looking at risk in order to achieve objectives in a more complex business environment. COSO also evaluates the importance of evolving technologies, data and analytics to support decision-making.

[7] Before going through the main framework, it is important to clarify that ERM is not properly a function or a department; it is rather the culture, capabilities and practices that organisations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realising value. As a framework we identify five different components that must be addressed in an ERM analysis:

1. Governance and Culture: Governance and Culture play a crucial role in a correct Enterprise Risk Management application. In the foreground we must consider the resulting interdependence between directors, senior management, internal and external auditors, and risk owners, a relevant feature that allows the company to map out a good business strategy. [8] On the culture side, ERM influences business decisions and determines how organisations deal with risk. ERM culture is a product of shared values and behaviours that aim to establish predictability and reliability in executing processes for managing risk.

2. Strategy and Objective-Setting: [9] Strategy and objective-setting can be defined as the main structural component of the ERM framework, as it is articulated in different principles: business context analysis, risk appetite definition, alternative strategies evaluation and business objectives formulation. All of these different tasks provide a complete overview of the risk context and help to avoid it.

3. Performance: [10] Performance and risk can be defined as two sides of the same coin; in fact, higher performance is related to higher risk. ERM considers performance as the most suitable proof of the work done, providing real-time feedback capable of highlighting the most dangerous aspects of risk to consider in order to achieve a better future strategy. The consequence is a selection of the risk response by the organisation, which gains a portfolio view of the amount of risk it has assumed. Key risk stakeholders are in the end able to analyse and develop their strategy.

4. Review and Revision: The review process is another relevant aspect concerning the post-ERM application, emphasising what followed the path and what did not. As a process, ERM is allowed to give wrong predictions; the aim of the revision part is to analyse and report important issues that must be solved in order to obtain the best result and the lowest risk.

5. Information, Communication, and Reporting: As already mentioned in the definition, ERM is a method that is constantly evolving, and it requires a communication system that can maintain alignment between all collaborating elements. However, ERM needs not only good communication, but also constant input from external factors that can update the company's strategy as the risk evolves.

Figure 2: Enterprise Risk Management Framework

ERM Weakness Points

Although we may consider ERM as the last frontier for business protection, there are negative aspects of this approach that need to be considered and evaluated. In particular, it should be pointed out that this method is complicated to apply and that the problems that may arise are often linked to production realities that struggle to relate to a holistic approach. The final outcome is an ineffective strategy that cannot deal with risk. There are five main weakness points that define how ERM can become unproductive:

1. ERM Lacks the Framework it Touts

[11] In spite of the use of an appropriate framework capable of standardising the fundamental aspects of ERM, this method often lacks concreteness, becoming elusive and underperforming. The reason is that risk management is ineffective if it is not applied by the different stakeholders within the company. The result is a strategy that may be effective in parts but is fragmented and does not protect against risk.

2. ERM is Reactive instead of Proactive

[11] Perhaps one of the most unfavourable points of Enterprise Risk Management is that it reacts to risk situations rather than anticipating them. Contrary to what one might think, ERM cannot define an alert status without first being able to define the risk. This means that a recognised risk makes it possible to operate at a strategic organisational level to limit damage, but not to avoid it completely. This reactive rather than proactive approach is the most important limitation of this process, which is therefore not always seen as the optimal solution.

3. ERM Discards the Wisdom of Insiders

[11] ERM needs competent people who can develop it across different management areas and who have a relevant background covering different risk inputs and business cases. In spite of the high professionalism of the specialists, those who can really represent a resource and a solution are the employees of the various business areas, who are often not consulted. This is why ERM is said to discard the wisdom of insiders: it does not consider figures on the lower rungs of the organisational ladder who have the deepest knowledge of the risk in question, thus producing an incorrect risk assessment.

4. ERM Doesn’t Calculate Mitigation Costs

[12] Mitigation costs are defined as the costs of mitigating a loss that would be payable under a contract or policy. [11] Risk can attract management attention from two points of view, respectively the severity and the probability of occurrence. This means that in Enterprise Risk Management too, a risk is identified through these two characteristics, but without being able to define how it will concretely impact the business. What is missing is the formalisation of a mitigation cost, i.e. how the risk can actually harm the business. ERM therefore makes it possible to assess the possible risks without converting them into damage that can affect a business economically.

5. ERM Fails to Rank Risks

[11] Enterprise risk management makes it possible to define risk situations in a business, but without ranking them. The result is the discovery of risk environments without being able to catalogue and order them. If we consider it important to protect the company from the damage that may occur, we must also be able to decide which damage is the least severe, and this is unfortunately not an output of ERM. However, one factor that must be taken into account is the dynamism of risk environments, i.e. the speed with which they can change and therefore need to be updated in the ranking, which is why, although important, this weakness does not completely condemn ERM.

ERM Continuum

Figure 3: ERM continuum process

ERM needs continuous updating and development, as risk environments are constantly changing. Based on this we can recognise three important stages that outline this path:

1. In the Comply Stage, a strategy to avoid risky situations is developed and applied. After outlining the starting point there is a real review of strategies already in use, which can then be improved. Even in the bureaucratic field, there are often revisions of laws that can be adapted to business strategies.

2. The second stage, also called the Improve Stage, aims to improve the efficiency of risk control procedures in order to reduce costs through standardisation. The benefits of this stage can be seen throughout the enterprise, as monitoring processes are automated, eliminating redundancy in control procedures and optimising time.

3. With the last step, called the Transform Stage, we reach the real holistic approach that characterises this Risk Management model. It is at this stage that a true definition of risks and opportunities in the various management areas is achieved, all based on policies that consider risk and the regulations related to it. The focus of this stage is to improve ERM performance by rationalising and simplifying the control points within the different business areas of the company in order to replace error-prone manual controls.

Figure 4: LEGO

Company Case Example: LEGO Group

[13] Probably one of the best-known toy companies in the world, the LEGO Group showed how an important journey in ERM can lead to the success of company risk management. LEGO started to develop an Enterprise Risk Management approach as early as 2006, proving how much time and dedication it takes to develop a good strategy. The project realised at LEGO can be split into four main parts that define the company's transformation:

- Traditional management of financial, operational, and other risks.

- [14] Monte Carlo simulations to model financial performance volatility through the calculation of the possible outcomes. The technique is used in budget simulations, to assess risk in the credit portfolio, and to consolidate risk exposure.

- Active risk and opportunity planning, used to make a business case for new projects before final decisions.

- Preparing for uncertainty, so that long-term strategies remain relevant and resilient under different scenarios.

Figure 5: PAPA model for LEGO group

Following these steps, LEGO developed its scenario modelling approach, called PAPA, allowing the company to face risk correctly. As PAPA is an acronym, it is important to mention what each letter stands for:

- Park: the company parks risks that develop slowly.

- Adapt: the answer for risks that are certain to occur, e.g. the evolution of the energy market all around the world.

- Prepare: to face risks with a low probability of occurring that can emerge rapidly.

- Act: for high-probability risks that must be kept under close monitoring in order to change the strategy, e.g. developments around connectivity, mobile devices and online activity due to the fast change in children's behaviour while playing.

One of the features of the ERM model implemented by LEGO is that, being high-level and qualitative, it does not use numerical data, making any computer-based tools irrelevant. Another feature is that it does not use correlations for the risk consolidation process but rather for the budget. E.g. there is a 60% positive correlation between distribution costs and raw material costs: the risk management department takes six or seven of these correlations, also related to currency, and uses them in budget models. The final goal of LEGO's ERM is to look at interdependencies in a broader sense and to be able to estimate, when a risk situation A occurs, how situation B becomes irrelevant, and so optimise management time.
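The two points above that a practitioner would want to see in code are the Monte Carlo budget simulation listed among LEGO's four building blocks and the use of a cost correlation (the 60% figure between distribution and raw material costs) in a budget model. The following script is an added example written for this article; it is not LEGO's or Baldwin Risk Strategies' code, and all baseline figures, spreads and the two-driver model are constructed assumptions. Only the 0.6 correlation comes from the text. It generates correlated cost shocks with a 2x2 Cholesky factor, runs a budget simulation, and reports a consolidated exposure view (mean margin, 5th/95th percentile and the probability that the margin falls below a floor). Running it with and without the correlation shows why ignoring a positive cost correlation understates the downside tail.

```python
import math
import random

# Constructed baseline budget (hypothetical figures, millions of currency units);
# none of these numbers come from the article or from the LEGO Group.
BASE_REVENUE = 1000.0
BASE_RAW_MATERIAL = 400.0
BASE_DISTRIBUTION = 120.0
BASE_OTHER_COSTS = 300.0

# Assumed relative standard deviation of each driver (also hypothetical).
SD_REVENUE = 0.08
SD_RAW_MATERIAL = 0.10
SD_DISTRIBUTION = 0.12

# Correlation between raw material and distribution cost shocks; the 60% figure
# is the one the article quotes for LEGO's budget models.
RHO_RAW_DIST = 0.6


def correlated_shocks(rng, rho):
    """Draw two standard-normal shocks with correlation rho (2x2 Cholesky factor)."""
    z1 = rng.gauss(0.0, 1.0)
    z2 = rng.gauss(0.0, 1.0)
    return z1, rho * z1 + math.sqrt(1.0 - rho * rho) * z2


def simulate_margins(n_runs=20000, seed=42, rho=RHO_RAW_DIST):
    """Monte Carlo budget run: one operating margin (profit / revenue) per trial."""
    rng = random.Random(seed)
    margins = []
    for _ in range(n_runs):
        z_raw, z_dist = correlated_shocks(rng, rho)
        raw = BASE_RAW_MATERIAL * (1.0 + SD_RAW_MATERIAL * z_raw)
        dist = BASE_DISTRIBUTION * (1.0 + SD_DISTRIBUTION * z_dist)
        # The revenue shock is drawn independently of the two cost shocks.
        revenue = BASE_REVENUE * (1.0 + SD_REVENUE * rng.gauss(0.0, 1.0))
        profit = revenue - raw - dist - BASE_OTHER_COSTS
        margins.append(profit / revenue)
    return margins


def percentile(values, p):
    """Nearest-rank percentile (p in [0, 1]) of a list of numbers."""
    s = sorted(values)
    idx = int(round(p * (len(s) - 1)))
    return s[max(0, min(len(s) - 1, idx))]


def stdev(values):
    """Population standard deviation."""
    mean = sum(values) / len(values)
    return math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def summarise(margins, floor=0.10):
    """Consolidated exposure view: mean, spread, tails and P(margin < floor)."""
    return {
        "mean": sum(margins) / len(margins),
        "stdev": stdev(margins),
        "p05": percentile(margins, 0.05),
        "p95": percentile(margins, 0.95),
        "prob_below_floor": sum(1 for m in margins if m < floor) / len(margins),
    }


def sample_correlation(pairs):
    """Pearson correlation of (x, y) pairs; used to check the shock generator."""
    n = len(pairs)
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    sxy = sum((x - mx) * (y - my) for x, y in pairs)
    sxx = sum((x - mx) ** 2 for x, _ in pairs)
    syy = sum((y - my) ** 2 for _, y in pairs)
    return sxy / math.sqrt(sxx * syy)


def shock_correlation(n=20000, seed=1, rho=RHO_RAW_DIST):
    """Empirical correlation of the generated shocks; should land near rho."""
    rng = random.Random(seed)
    return sample_correlation([correlated_shocks(rng, rho) for _ in range(n)])


if __name__ == "__main__":
    print("shock correlation:", round(shock_correlation(), 3))
    for label, rho in (("rho=0.6", RHO_RAW_DIST), ("rho=0.0", 0.0)):
        s = summarise(simulate_margins(rho=rho))
        print(label, {k: round(v, 4) for k, v in s.items()})
```

With the constructed inputs the expected margin sits near 17.5% either way, but the standard deviation and the probability of dropping below the 10% floor are both larger when the 0.6 correlation is included, which is the consolidation effect the article describes: two cost lines that tend to move together cannot be treated as independent in the budget.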

Annotated Bibliography

Enterprise Risk Management: Integrating with Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission (COSO); see also "Internal Control - Integrated Framework", Jersey City, NJ: AICPA/COSO (1992). An important statement that highlights the importance of considering risk in both the strategy-setting process and in driving performance, also providing a real framework to work with.

Aligning Corporate Governance with Enterprise Risk Management, Paul J. Sobel, CPA, and Kurt F. Reding, Ph.D., CMA, CPA. This article aims to define how corporate governance, as a top-of-mind priority for boards of directors, management, auditors, and stakeholders, is related to the way companies are trying to manage risk across the entire enterprise.

Optimized Enterprise Risk Management, C. Abrams, J. von Känel, S. Müller, B. Pfitzmann, S. Ruschka-Taylor, IBM Research GmbH, Zurich Research Laboratory, 8803 Rüschlikon, Switzerland. This report presents IBM Research's Enterprise Risk Management Framework, which addresses risk and compliance management in a strategic, integrated and comprehensive manner.

Enterprise Risk Management: Its Origins and Conceptual Foundation, Gerry Dickinson, The Geneva Papers on Risk and Insurance, Vol. 26, No. 3 (July 2001), pp. 360-366. This article provides an overview of the history of enterprise risk management, starting with the origins of risk management and developing the reasons why today's enterprises consider a holistic approach.

The LEGO Group: ERM and Monte Carlo Simulations from Project Risks to Corporate Risk Appetite, Baldwin Risk Strategies. A case study in the application of Monte Carlo simulations by The LEGO Group for the purposes of strategic risk management and the establishment of risk appetite by the board of directors.


  1. KMRD Partners, https://kmrdpartners.com/2018/04/05/enterprise-risk-management-process/
  2. Adam Hayes, https://www.investopedia.com/terms/e/enterprise-risk-management.asp
  3. Institute of Risk Management, https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/
  4. Adam Hayes, "Chief Risk Officer", https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp
  5. WIPO World Intellectual Property Organization, https://www.wipo.int/about-ip/en/
  6. Mary K. Pratt, https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO
  7. COSO framework 2017, "ERM framework", https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
  8. Continuity Central, https://www.continuitycentral.com/index.php/news/erm-news/6510-building-an-effective-enterprise-risk-management-culture
  9. UniversalCPA, https://www.universalcpareview.com/ask-joey/what-is-the-strategy-and-objective-setting-component-of-erm/
  10. Mike Bourne & Matteo Mura, https://www.tandfonline.com/doi/full/10.1080/09537287.2018.1520319
  11. Shanon McKenzie, "ERM 5 Weakness Points", https://silo.tips/download/five-weaknesses-of-enterprise-risk-management
  12. Law Insider, https://www.lawinsider.com/dictionary/mitigation-costs
  13. Andy Marker, https://www.smartsheet.com/content/enterprise-risk-management-examples
  14. Will Kenton, https://www.investopedia.com/terms/m/montecarlosimulation.asp