As business risks continue to increase, organizations are finding it necessary to implement some sort of formal risk management system. An effective enterprise risk management (ERM) program can help organizations manage their risks and maximize opportunities. Organizations in all types of industries, public and private, have observed a variety of benefits from enhancing their risk management programs.
What is ERM?
A committee of five organizations dedicated to thought leadership around risk management provided a definition of ERM in 2004. The Committee of Sponsoring Organizations (COSO) defined it as:
"… a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives."
In simple terms, ERM is a way to effectively manage risk across the organization through the use of a common risk management framework. This framework can vary widely among organizations but typically involves people, rules, and tools. This means individuals with defined responsibilities use established, repeatable processes (rules), and the appropriate level of technology (tools) to mitigate risk.
Many organizations struggle with implementing ERM and identifying how, and at what level, to integrate it into their organization. Managers often say they are already aware of the risks for their respective areas of the business. In these situations, what value does ERM provide, and how does it enable better perspectives and management of risks and risk data?
Organizations often find that ERM programs provide a combination of both qualitative and quantitative benefits. While there are many benefits to ERM, let's focus on five of them.
Benefit one: creation of a more risk focused culture for the organization
Organizations that have implemented ERM note that increasing the focus on risk at the senior levels results in more discussion of risk at all levels. The resulting cultural shift allows risk to be considered more openly and breaks down silos with respect to how risk is managed.
As risk discussions develop into a standard part of the overall strategic business processes, operational units often find that addressing risk in a more formal way helps manage their part of the organization as well. Communication and discussion of risk is recognized as not only a process to provide information to senior management, but a way to share risk information within and across operations of the company, and allow better insights and decision making concerning risk at all levels.
Benefit two: standardized risk reporting
ERM supports better structure, reporting, and analysis of risks. Standardized reports that track enterprise risks can improve the focus of directors and executives by providing data that enables better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas. These reports can also help leaders develop a better understanding of risk appetite, risk thresholds, and risk tolerances.
One of the major values of ERM risk reporting is improved, timeliness, conciseness, and flexibility of the risk data. This provides the data needed for improved decision making capabilities within the executive and director levels, and in other layers of management. ERM helps management recognize and unlock synergies by aggregating and sharing all corporate risk data and factors, and evaluating them in a consolidated format.
Benefit three: improved focus and perspective on risk
ERM develops leading indicators to help detect a potential risk event and provide an early warning. Key metrics and measurements of risk further improve the value of reporting and analysis and provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting organizations to changes in their risk profile.
ERM also permits a more complete viewpoint on risk. Traditional risk practices focus on mitigation, acceptance, or avoidance. However, effective ERM processes gives management a framework to evaluate risk as an opportunity to increase competitive positions and exploit certain market and operational conditions.
Benefit four: efficient use of resources
In organizations without ERM, many individuals may be involved with managing and reporting risk across operational units. While developing an ERM program does not replace the need for day to day risk management, it can improve the framework and tools used to perform the critical risk management functions in a consistent manner. Eliminating redundant processes improves efficiency by allocating the right amount of resources to mitigating the risk.
Benefit five: effective coordination of regulatory and compliance matters
Bond rating agencies, financial statement auditors, and regulatory examiners, have begun to inquire about, test, and use monitoring and reporting data from ERM programs. Since ERM data involves identifying and monitoring controls and mitigation efforts across the organization, this information can help reduce the effort and cost of such audits and reviews.
Through all of the benefits noted above, ERM can enable better cost management and risk visibility related to operational activities. It also enables better management of market, competitive, and economic conditions, and increases leverage and consolidation of disparate risk management functions.