Enterprise risk management
An organization is created to achieve desirable outcomes defined by the specific needs and interests of the shareholders. Value creation and shareholders’ wealth maximization are the key objectives of an organization.
Enterprise Risk Management (ERM)
An organization creates value by transforming various inputs into new outputs. Shareholders of an organization delegate authority to a governing body to take charge and run the affairs of the organization on their behalf. Shareholders are interested in profits and wealth maximization and expect to realize their goals effectively, sustainably, and ethically through an appropriate governing body.
Enterprise risk management is the primary responsibility of the Board of Directors and the management of the organization. However, each employee is required to ensure that enterprise risk management practices are also implemented in the organization. This starts by deploying enterprise risk management capabilities to select and refine a strategy.
This process will help management to gain a better understanding of how the explicit consideration of risk may impact the choice of strategy. ERM adds perspective to the strengths and weaknesses of a strategy as conditions change and how well a strategy fits with the organization’s mission and vision. It gives management more confidence that they have explored various strategies and considered the input of those in their company who will implement the chosen strategy. Once the strategy has been set, enterprise risk management provides management with an effective means to carry out its responsibilities, knowing that the organization is aware of and controlling risks that might impact the strategy.
ERM Purpose
Applying risk management in organizations helps to create trust and instill confidence among stakeholders in the current environment. This demands a closer examination of how risk is actively addressed and managed.
The board of directors within an entity with a single board delegates authority to management to design and implement practices that support the achievement of strategy and business objectives. In turn, management defines roles and responsibilities for the overall entity and its operating units. Management also defines roles, responsibilities, and accountabilities of individuals, teams, divisions, and functions aligned to strategy and business objectives.
In an entity with a dual-board structure, a supervisory board focuses on longer-term decisions and strategies affecting the business. A management board is charged with overseeing day-to-day operations, including the oversight and delegation of authority among senior management. As with a single-board governance structure, senior management defines roles and responsibilities for the overall entity and its operating units.
Key roles typically include individuals in a management role who have the authority and responsibility to make decisions and oversee business practices to achieve strategic and business objectives. The chief risk officer is often responsible for providing expertise and coordinating risk considerations within the management team. Other personnel understand the entity’s standards of conduct, the business objectives in their area of responsibility, and related enterprise risk management practices at their respective entity levels.
Management delegates responsibility and tasks to enable personnel to make decisions. Periodically, management may revisit its structures by reducing or adding layers of management, delegating responsibility and tasks to lower levels, or partnering with other entities.
Clearly defining authority is important, as it empowers people to act as needed in each role and puts limits on authority.
Management enhances risk-based decisions in several situations. These include: when management delegates responsibility only to the extent required to achieve the entity’s strategy and business objectives (for example, the review and approval of new products involves the business and support functions, separate from the sales team); when management specifies transactions requiring review and approval (for example, management may have the authority to approve acquisitions); and when management considers new and emerging risks as part of decision-making (for example, a new business partner is not taken on without exercising due diligence).
What Benefits Does ERM Provide?
Greater awareness of the risks confronting the organization, as well as the ability to respond effectively
Increased confidence in the achievement of strategic goals
Improved compliance with legal, regulatory, and reporting requirements
Increased operational efficiency and effectiveness
Questions To Consider When Implementing ERM
What are the primary elements or drivers of our business strategy?
What internal factors or events might obstruct or derail each of these components?
What external events could obstruct or derail each component?
Do we have the necessary systems and processes in place to deal with these internal and external risks?
Final Thoughts
Enterprise risk management (ERM) is the process of identifying and methodically addressing potential events that pose risks to achieving strategic objectives or opportunities for competitive advantage.
Risk management is an essential component of any organization’s strategic management and should be integrated into daily operations. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ‘ERM – Integrated Framework’ and the guidance developed by Airmic and the Institute of Risk Management (IRM), ‘A structured approach to ERM and the requirements of ISO 31000’, are two widely referenced frameworks.