enterprise risk management (ERM)
Enterprise risk management is the process of planning, organizing, directing and controlling the activities of an organization to minimize the deleterious effects of risk on its capital and earnings. Enterprise risk management includes financial risks, strategic risks, operational risks and risks associated with accidental losses.
External factors are fueling the heightened interest in ERM. Industry and government regulatory bodies, as well as investors, are more closely scrutinizing enterprises' risk management policies and procedures. In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk management processes in their organizations.
Why is enterprise risk management important?
An ERM program can help increase awareness of business risks across an entire organization, instill confidence in strategic objectives, improve compliance with regulatory and internal compliance mandates and enhance operational efficiency through more consistent applications of processes and controls.
Enterprises can benefit by shifting their corporate culture from a focus on meeting IT compliance obligations to targeting overall risk reduction, which relies heavily on visibility into the overall security of the organization.
This article is part of
What is risk management and why is it important?
- Which also includes:
- governance, risk management and compliance (GRC)
- risk avoidance
- risk map (risk heat map)
Organizations building a strategic ERM program must have some well-established practices already in place, such as the following:
- a governance model that includes senior management and organizational elements like security, risk assessment and management, compliance, IT operations, legal and any other important business stakeholder areas;
- a strategy that incorporates internal policies and standards for all security and risk concerns as well as operational focal areas like system configuration; and
- a procedure that includes internal and external risk threat and vulnerability management to monitor adversaries and risk exposure factors that can potentially influence the risks to the enterprise and its assets.
ERM is a continuous work in progress that needs to grow and evolve, so be willing to regularly revisit, revise and update all elements of the program.
What are the components of enterprise risk management?
- Business and IT objectives. An organization's planned strategic initiatives must be included in all risk analysis and decision-making. A migration into cloud services, for example, definitively changes many controls and risk paradigms.
- Risk appetite. To maintain business continuity, an enterprise needs to assess its tolerance in pursuit of strategic goals.
- Culture and governance. Some types of organizations are generally risk-averse, while others promote risk cultures to pursue strategic initiatives. Additionally, internal governance models and collaborative team structures will differ widely across enterprises, affecting the way decisions are made and controls implemented.
- Compliance and control requirements. Internal standards and external regulatory and compliance requirements must be factored into risk and control decisions.
- Measurement and reporting. All ERM programs need to provide timely and consistent output to a cross section of stakeholders, ranging from corporate executives to operations professionals. The metrics used to measure progress as well as the reporting mechanisms and styles are important considerations.
What are the benefits of enterprise risk management?
- By creating a more risk-focused culture, integrating risk evaluation into business and IT practices is a good way to improve risk management across the board.
- Enterprises can implement more standardized risk reporting that helps with long-term metrics and measurement.
- Organizations can improve focus and increase their perspective on risk in a variety of categories.
- Greater focus on risk associated with business objectives may lead to more efficient use of resources -- for example, application of limited endpoint security licenses to the most exposed and critical systems.
- Highly regulated organizations can improve the coordination of regulatory and compliance issues across a diverse set of business objectives.
What are the challenges of enterprise risk management?
- Capital and operational expenditures often increase initially since ERM programs can require specialized and expensive software and services.
- ERM initiatives increase emphasis on governance, requiring business units to invest a significant amount of time and cost.
- Consensus agreement on risk severity and metrics across all units of an enterprise can be difficult and contentious.
ERM implementation best practices
- Define the program's scope. Identify and prioritize critical business processes and their related risks.
- Develop a blueprint. Use risk heat maps to determine which threats could jeopardize business objectives and critical strategies, share that information and set controls to offset these risks.
- Devise an action plan. Create a risk treatment plan to pinpoint unacceptable risks and resolve risk gaps.
- Digitally transform. Use AI and other advanced technologies to automate inefficient and ineffective manual processes.
- Monitor and measure. Establish risk profiles and key risk indicators to identify control deficiencies and evaluate how the ERM program is progressing, how it deviates from corporate policies and the number of risk incidents.
Enterprise risk management frameworks come in many flavors. For some companies, adherence to ERM frameworks might be mandated by compliance and regulatory requirements. For other businesses, these frameworks may be useful in shaping and defining ERM in its early stages of development and implementation. Some of the more common frameworks include ISO 31000 for risk management, the NIST Risk Management Framework and COSO (Committee of Sponsoring Organizations of the Treadway Commission).