Enterprise Risk Management, ERM, looks at risk management from the perspective of the entire organisation. It identifies and assesses potential losses, dangers, hazards and other potentially harmful factors that may prevent the organisation from achieving its objectives. Appropriately applied, ERM supports sound decision-making and offers sound risk responses in today’s volatile, dynamic and uncertain business environment. ERM is founded on four pillars: risk identification and assessment; risk response; control activities and monitoring; and information, communication and reporting. All ERM frameworks must encompass these four pillars, to be truly effective organisational strategy.
Applying risk identification and assessment must be done systematically so that firms may clearly understand what their risks are, and manage their risks accordingly. Risks vary; no two companies may have exactly the same, even if they both have similar characteristics or operate in the same industry. The next ERM pillar is how to respond to these risks once they have been identified and assessed. Organisations need to develop risk management plans for risk mitigation. The process of identification and assessment may indicate a need for tighter internal controls, for instance. It may also identify possible opportunities which may be of benefit to the firm.
The third ERM pillar, control activities and monitoring, is concerned with establishing and maintaining internal controls that manage and monitor risks. Information, communication and reporting, the fourth ERM pillar, focuses on establishing clear lines of communication between the firm and its stakeholders, which may include shareholders, employees, customers, suppliers, regulators and communities where the firm operates. Information needs to be verifiable and reliable, to be useful, and reporting must be accurate and timely to support informed decision-making. Additionally, clear communication, data with integrity and timely reporting enhance the organisation’s transparency.
While traditional risk management tends to leave decision-making with individual business units or division heads, this may create a siloed approach that will not be as effective as the integrated approach inherent with ERM, which approaches risk management holistically. How does this work? ERM tends to have a ‘big picture’ view and promotes an understanding of how risks to individual business units are interconnected. This allows it to identify potential risk factors that may not be obvious to individual units; information like this allows management to decide which risks should be actively managed, whilst at the same time allowing each business unit to be responsible for its own risk management.
Communication is key in the integration and successful implementation of ERM. While ERM practices will normally vary based on company size, risk preferences and business objectives, applying this approach allows the firm to optimise risks throughout its structure while identifying opportunities for individual business units and the firm as a whole. Regardless of the type of risk faced, ERM is intended to ensure a firm’s competitiveness, growth and sustainability.
