Every enterprise faces an array of uncertainties, positive and negative, that could affect operations. A positive uncertainty might be the potential for a product innovation that propels an organization to new heights, while negative uncertainty could be the threat of a competitor stealing the plans for that innovation and producing it first. Each uncertainty is a risk, and the process for successfully navigating these risks consistently is enterprise risk management.
What is the purpose of an ERM framework?
Because risks are so varied, it's not practical to develop procedures for each one of them, but enterprises can implement a playbook through an ERM framework. ISO (International Organization for Standardization) standard 31000 describes an ERM framework as a construct that enables "integrating, designing, implementing, evaluating and improving risk management across the organization." It highlights the need for senior management to set expectations and provide support from the top.
Additional guidance comes from COSO (Committee of Sponsoring Organizations of the Treadway Commission), an initiative that helps organizations improve performance through enhanced internal control, risk management, governance and fraud deterrence. It describes what ERM is not -- not simply an inventory of risks, not an isolated function and not simply a cadre of internal controls. Instead, COSO defines ERM as "the culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value."
Which ERM frameworks are available?
There are several enterprise risk management frameworks that can help provide a starting point.
- COSO ERM Integrated Framework defines essential ERM components, discusses key ERM principles and concepts, suggests a common ERM language and provides clear direction and guidance for enterprise risk management.
- ISO 31000:2018 documents principles, a framework and a process for managing risk to help organizations increase the likelihood of achieving objectives, identify opportunities and threats, and effectively allocate and use resources for risk treatment.
- British Standard (BS) 31100, the risk management code of practice, provides a process for implementing and maintaining the concepts described in BS ISO 31000, including key functions like identify, assess, respond, report and review.
In addition to these frameworks, the Risk and Insurance Management Society provides a Risk Maturity Model (RMM) that helps examine seven attributes of a risk management program and assess the relative maturity of each one on a scale from nonexistent to leadership level. The 2006 edition of the RMM is currently being updated.
What are the components of an ERM framework?
Each framework has a slightly different approach but generally uses the five components described in the Executive Summary of the COSO guide "Enterprise Risk Management -- Integrating with Strategy and Performance" and listed verbatim here:
- Governance and culture. Governance sets the organization's tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors and understanding of risk in the entity.
- Strategy and objective-setting. Enterprise risk management, strategy and objective-setting work together in the strategic planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing and responding to risk.
- Performance. Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Review and revision. By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
- Information, communication and reporting. Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down and across the organization.
ISO points out that a prerequisite is "leadership and commitment." Each of the subsequent processes -- integrating, designing, implementing, evaluating and improving -- depend on leaders establishing a cultural environment that values transparency and accountability. This accountability needs to be pervasive, originating with the board of directors and executive leaders, through business unit management and ultimately to each member of the enterprise.
How is an ERM framework implemented in the enterprise?
After selecting an ERM framework, an organization will tailor a set of processes to fit that enterprise's circumstances. ERM processes generally follow those described in ISO 31000.
1. Communication and consultation. The outcome of risk management is awareness and reporting, so the key first step is to develop the communication processes for risk management. That includes determination of stakeholders -- anyone interested in how the entity accentuates positive risks and minimizes negative ones. This step sets the stage for risk oversight and decision-making at every level.
2. Establishing the context. Every organization operates in a unique environment and must maintain an acceptable level of each type of strategic risk. Strategy supports mission, so internal context considers business objectives, resources and culture and external context includes factors relating to business, social, regulatory, legislative, competitive, financial and political environments.
Senior leaders need to establish risk criteria -- the amount and types of risk the organization is willing to accept relative to objectives. This task represents leadership's risk appetite and risk tolerance, which details how much risk managers may vary from that appetite. These criteria set the bar for all subsequent risk decisions. A COSO guide provides a detailed explanation of risk appetite.
3. Risk identification. Identify actual uncertainties after determining what matters to the enterprise and receiving guidance on what risk conditions are acceptable in pursuit of the mission. Risk scenarios are identified that could have a beneficial or harmful effect on the enterprise's ability to conduct business.
One method helpful in identifying possible risk scenarios is taking a top-down bottom-up approach and looking at risk from all directions. Assess the most important elements that enable enterprise operations. Work with internal and external stakeholders to review the risks that might impede those elements. Determine what types of conditions might occur, such as storms, market fluctuations and cyber attacks, and the impact they may have on critical assets.
The resulting list of potential risks should be maintained in a risk register composed of recorded and updated activity. A helpful resource for this portion of risk assessment is the Carnegie Mellon University OCTAVE Allegro process.
4. Risk analysis. After compiling a list of possible risks, analyze the likelihood that each risk will occur and the resultant consequences. Historically, many entities have used a qualitative approach -- highly likely or low impact -- but many stakeholders have found it helpful to use quantitative risk analysis that yields a more specific likelihood, impact and even frequency of occurrence. Examples of this latter approach are available from the FAIR Institute.
5. Risk evaluation. Determine how to respond to a positive or negative risk.
If a negative risk scenario is within risk appetite and tolerance, then no further action is required. Otherwise, chief risk officers will have to apply controls to reduce the likelihood or impact of a risk event and mitigate the risk to an acceptable level. They may transfer or share some of that risk with another party, such as an insurance policy, that will reduce the impact of a loss. If no options are available, they can look for ways to avoid the risk event.
Options for responding to positive risks are similar -- exploit an opportunity, share ownership to better increase the risk likelihood or benefit, enhance the probability and positive impact, or simply accept the positive event's occurrence.
Risk managers may sometimes ignore risks in the hopes they'll go away or plan to address them later. This implicit acceptance of risk is dangerous. ERM demands transparency and honest reporting.
6. Risk treatment. Apply the agreed upon controls and confirm that they work as planned. Implementation should also ensure that risk controls are effective and don't add any unnecessary burden to stakeholders.
7. Monitoring and review. Ongoing monitoring helps ensure the controls are working as intended and identify opportunities for further improvement. Monitoring activities measure key performance indicators and look for key risk indicators that might trigger the actions defined in the overall risk strategy. As the risk landscape changes and enterprise drivers evolve, risk management can be adjusted through a continuous feedback process to increase opportunities and minimize harmful events.
Enterprises might also establish subsidiary frameworks for certain types of business risks. Carnegie Mellon, for example, describes a set of categories into which various risks are assigned and subsequently aggregated, evaluated and monitored. Categories include mission, reputation, life and health safety, compliance and legal, operational and financial.
To address dozens of different risk types, processes can be implemented simultaneously by different teams. One team, for instance, can identify, analyze and respond to competitive risks while another team handles the same tasks for cybersecurity and currency fluctuations. Each team understands and meets risk and performance expectations specified by senior leadership and works within its own programs to achieve risk objectives.
Risks recorded and reported through risk registers are aggregated and integrated to identify the risks most likely to significantly impact the enterprise's business objectives. Even though the risks are quite disparate, the ERM framework and consistent processes enable common taxonomies and scales that support integration of information into a composite risk picture.
The ERM process looks at the "really big risks, rather than being distracted by little risks," said Thomas Stanton, noted author and adjunct faculty member at Johns Hopkins University, during his 2017 TED Talk on enterprise risk management. ERM, he added, allows risk managers to make sure those at the top of the organization "know what they need to know to make good decisions." To demonstrate that ERM can create new opportunities, Stanton paraphrased a comment by former Citigroup CEO John Reed that cars have brakes not only to stop, but also so they can go fast.
In today's environment, enterprises are under perceived pressure to avoid risks, gain value and do more with limited resources. ISACA's COBIT governance framework describes a process for balancing value with optimized resources and risk. An ERM framework with supporting processes can help companies balance all three elements and provide a pathway to achieving business goals.