What is enterprise risk management? Enterprise risk management or ERM is defined as the culture, capabilities, and practices integrated with strategy-setting and objectives that organizations rely on to manage risk in creating, preserving, and realizing value.
What Is Enterprise Risk Management?
In 2004, the Committee of Sponsoring Organizations of the Treadway Commission or COSO published Enterprise Risk Management – Integrated Framework. The purpose of the publication was to help organizations better protect and enhance stakeholder value. Its underlying philosophy was that “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”
Since its publication, the COSO Framework has been used successfully around the world, across industries, and in organizations of all types and sizes to identify risks, manage those risks within a defined risk appetite, and support the achievement of objectives. Yet, while many have applied the framework in practice, it has the potential to be used more extensively. It would benefit from examining certain aspects with more depth and clarity and from providing greater insight into the links between strategy, risk, and performance.
In response, the updated Framework in this publication: more clearly connects enterprise risk management with a multitude of stakeholder expectations; positions risk in the context of an organization’s performance, rather than as the subject of an isolated exercise; and enables organizations to better anticipate risk to be able to tackle it more effectively, with an understanding that change creates opportunities, not simply the potential for crises. This update also answers the call for a stronger emphasis on how enterprise risk management informs strategy and its performance.
Enterprise risk management is not static or an adjunct to a business. Instead, it is continually applied to the entire scope of activities as well as special projects and new initiatives. It is part of management decisions at all levels of the entity.
The practices used in enterprise risk management are applied from the highest levels of an entity and flow down through divisions, business units, and functions. The practices are intended to help people within the entity better understand its strategy, what business objectives have been set, what risks exist, what the acceptable amount of risk is, how risk impacts performance, and how they are expected to manage risk. In turn, this understanding supports decision-making at all levels and helps to reduce organizational bias.
As it has typically been practiced, enterprise risk management has helped many organizations identify, assess, and manage risks to their strategy. However, the most significant causes of value destruction lie in the possibility that the strategy does not support the entity’s mission and vision, and in the implications of the strategy itself.
Enterprise risk management also enhances strategy selection. Choosing a strategy calls for structured decision-making that analyses risk and aligns resources with the mission and vision of the organization.
All organizations need to set a strategy and periodically adjust it while remaining aware of ever-changing opportunities for creating value and the challenges that will occur in pursuit of that value. To do that, they need the best possible framework for optimizing strategy and performance. That’s where enterprise risk management comes into play.
Enterprise Risk Management Affects Strategy
“Strategy” refers to an organization’s plan to achieve its mission and vision and to apply its core values. A well-defined strategy drives the efficient allocation of resources and effective decision-making. It also provides a plan for establishing business objectives. Enterprise risk management does not create the entity’s strategy but influences its development. An organization that incorporates enterprise risk management practices into a strategy provides management with risk information. This allows it to consider alternative strategies and, ultimately, implement a chosen strategy.
Several internal control concepts are incorporated into enterprise risk management. “Internal control” refers to the method implemented by an entity to provide reasonable assurance that objectives will be met. Internal control helps the organization identify and analyze the risks to achieving those objectives and manage those risks. It allows management to stay focused on the entity’s operations and pursue its performance targets while complying with relevant laws and regulations.
ERM takes a comprehensive approach and necessitates management-level decisions that may not be appropriate for a single business unit or segment. As a result, rather than each business unit being responsible for its own risk management, firm-wide surveillance takes precedence. For example, if a risk manager at an investment bank notices that two trading desks in different areas of the firm have similar exposures to the same risk, the risk manager may force the less important of the two to eliminate that position. This choice is made with the entire company in mind, not just the specific trading desk.