To manage risk proactively and successfully in your organization, you probably already take an enterprise risk management (ERM) approach. But if you fail to dedicate sufficient time and attention to all the components of ERM, you’re in danger of neglecting some of the critical challenges you should be tackling.
Here, we examine the nine components of enterprise risk management and how you should approach them.
What is Enterprise Risk Management?
The COSO 2013 Framework defines ERM as “The culture, capabilities, and practices, integrated with strategy-setting and its performance that organisations rely on to manage risk in creating, preserving, and realising value.”
Investopedia defines it as “a methodology that looks at risk management strategically from the perspective of the entire firm or organization.”
Enterprise risk management differs from traditional risk management in its scope, encompassing the entire organization rather than one process or team, its approach (forward-looking rather than reflective) and its ability to adapt to a changing landscape; the former is typically more agile and fluid, incorporating ERM tools and technology to keep up with the evolving risk landscape. On the other hand, the latter – traditional risk management – is more static.
What Risks Does an Enterprise Risk Management Framework Address?
An enterprise risk management framework focuses on three core areas of risk; operations risk, financial risk and strategic risk. Here we look at each of these components of corporate risk management in more detail:
Operations Risk Management
The international capital framework generated by the Basel II Accords defines operations risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or external events,” including legal liabilities. Examples of operations risk might include the potential damage caused by employee turnover, management oversight or poor IT design. Managing operational risks requires identifying risks in all operations through surveys, workshops and a risk assessment framework. Once this is in place, a robust and organization-wide corporate governance structure must be implemented to manage operational risks.
Financial Risk Management
ERM became obligatory after the legendary financial scandals perpetrated by leaders of companies like Enron and WorldCom. The US Congress introduced the Sarbanes-Oxley Act of 2002, which required internal control systems at publicly traded companies.
Financial risks emerge from the effects of markets on an entity’s assets and include risks to credit, price and liquidity. Since these risks, unlike operations risks, these risks can, to a certain extent, be projected and planned for, so they’re considered speculative risks. It’s usually the job of the CFO and their department to be on top of them.
Strategic Risk Management
Looking at strategic risk requires you to step back from the granular detail of your business operations and finances to its future growth and development. It could be put this way: while ERM strategies in operations and finances will help you do things right, strategic risk management focuses more on getting your entity to do the right things. Strategic risks threaten your operations’ “big picture” and future plans.
The company with the best budgeting and the most efficient operations will go bust if no one wants its products. Turnover and redundancy of products are a natural part of the business cycle; enterprise risk management can help you handle strategic risks.
Exploring the Components of an Effective Enterprise Risk Management Framework
What are the significant components of enterprise risk management? As with any management framework, there are many different ERM framework components, with different bodies and experts including different ERM components within their definitions.
One of the best-known ERM frameworks was introduced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in 1992.
Although the inclusion of guidelines from the Sarbanes-Oxley Act (SOX) aligns the COSO framework with financial institutions and other large corporations in the scope of SOX regulation, the transferability of the COSO ERM framework components means it is used across a range of sectors worldwide.
And although COSO guidance is non-mandatory, its ability to deliver a framework companies can use to assess and improve their controls and processes means it has been highly influential.
9 Components of a Comprehensive ERM Framework
- Organizational culture/internal environment: Risk management doesn’t happen in a vacuum; what COSO calls your internal environment, including the organization’s attitude to risk, will drive your ERM approach. This is the first of the key ERM framework components you need to consider.
- Objective setting: You need to know your ERM goals: are you aiming for total risk avoidance, or can you tolerate certain risks? Are some areas of your organization that will take more work than others to bring into an ERM framework? Understanding your goals and challenges is the crucial next step.
- Risk identification (sometimes referred to as “framing the risk” or “event identification”): Identifying internal and external events that could affect the achievement of your objectives. This is another one of the COSO ERM components, and COSO points out that these could be positive or negative; explore the opportunities and risks.
- Risk assessment and measurement: Assessing the risks you face is one of the essential components of corporate risk management. You need to determine their likelihood, severity and your ability to respond.
- Risk response, or risk mitigation: Identifying actions to take in line with your corporate tolerance and appetite for risk
- Control activities: Determining appropriate internal controls to monitor and test your approach. This series of checks and balances is designed to identify any out-of-tolerance activity or results.
- Internal communication to drive buy-in: Building an ERM framework requires support from across your organization – communicating your objectives and strategy is one of the core ERM components.
- Risk reporting and monitoring: Determine what this will look like and who will be responsible for it. The audit function will be accountable in many organizations, particularly larger ones.
- Risk governance: Building an ERM framework demands ongoing refinement to ensure you take on board lessons learned and finesse controls and governance processes in synergy.
Get the Most Out of Your ERM Strategy With the Right Tools and Technology
Enterprise risk management strategies have many benefits; it’s no surprise that increasingly organizations understand and embrace ERM. But to achieve these benefits, your ERM framework has to be implemented and monitored at the highest levels of your entity. These practices are legally required and can be your main line of defense against financial and reputational damage.
Understanding the various ERM framework components is vital to delivering the risk mitigation strategy you need.
Diligent’s comprehensive enterprise risk management software accelerates your ERM performance, enabling you to identify, monitor and manage risks across your entire organization. Compliance and reporting are made easy, increasing board and stakeholder confidence in your ability to tackle risk strategically. Find out more about Diligent Enterprise Risk Management.