The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).


Distinguishing Between ERM and ORM Approaches

On May 4, over 20 professionals from across industries attended a Tea Talk session at the IERP® International Secretariat. Our keynote speaker for this session was Mr. Ramesh Pillai, Chairman of the Board of Governors of the IERP® and Group Managing Director of Friday Concepts, an ERM, GRC, and BCM boutique consultancy. Speaking on distinguishing between Enterprise Risk Management (ERM) and Operational Risk Management (ORM) approaches, he aimed to dispel common misconceptions of the two related but different approaches.

He noted that more attention has been placed on Operational Risk of late as a result of geopolitical volatility and technological disruptions. The possible escalation of conflict and the deterioration of interstate ties, for example, are genuine concerns that would have far-reaching effects across the interconnected global economy. With a large range of risk factors to consider, an organization can face up to thousands of risks at a time, most of which are constantly changing and need to be re-evaluated accordingly. In such an environment, it is essential that risk management moves from a siloed approach towards a more integrated and dynamic one.

ERM as a Strategic Management Tool

Though ORM is practiced enterprise-wide, its practice and implementation are limited to operational risk matters and issues – with little or no direct linkage to an organisation’s strategy – and with an emphasis on controls and eliminating risk. Conversely, Pillai emphasised that ERM is a strategic management tool that needs to be applied enterprise-wide while also creating connections between all stakeholders.

Thus, the ERM framework doesn’t start with controls; it starts with the vision, mission, strategies and goals of an organisation. At the same time, however, there is often a disconnect between vision/mission and strategy/risk management. This is a missed opportunity, as a clearly articulated vision or mission, along with strategic objectives that line up with it, can be a useful starting point to ensure that everyone, from top management down to daily operations, is on the same page and better placed to manipulate risk and, hence, returns.

Value Creation vs. Value Preservation

From Pillai’s perspective, the aim of risk management should be to create value in line with those objectives, using a proactive approach to find new streams of revenue via opportunistic risk, in turn ensuring business sustainability; that is the basis of the ERM framework.

In essence, whilst ERM is proactive, ORM is protective. While ERM seeks to optimise risk, ORM seeks to eliminate or minimise risk. In ERM, it can be a reasonable step to attempt to increase risk, so that there will be higher return; in ORM, there is no such thing as a return on risk. ORM, as an essential but limited framework, should be integrated as part of an overall ERM strategy.

Other Key Takeaways: Fraud Management and Cyber-security

During Q&A, participants were particularly engaged with the topic of fraud management, a key function of ORM. Pillai drew on his past experience to point out that while whistleblowing is the best method for detecting fraud, there must be an appropriate culture in place that allows employees to report wrongdoing without fear of repercussions on their personal or professional life. This is not the case, for example, if organisations lack the policies or processes to ensure anonymity in reporting or to provide certain protections. Overall, a culture rooted in integrity will also be conducive to efficient risk management.

Another key discussion point was cyber-security. Pillai stressed that cyber-security is the top risk for the current business landscape. Rapid advances in technology allow for ever-greater risks related to cyber-attacks and data theft, and implementing cyber-defenses and performing scenario tests are now a necessity to anticipate and mitigate potential disasters.

In this age of uncertainty and constant innovation, the proactive and offensive nature of the ERM approach is well-suited for organisations seeking to thrive, not just survive.

As Pillai put it, “You should disrupt yourself before a competitor or the economy disrupts you.”

Learn how an Enterprise Risk Manager (ERM®) certification can give you and your organization a competitive edge in an unpredictable global economy or check out the IERP® 360° Certification Framework.
