Approaches to Risk Management: Part 3 Enterprise Risk Management (ERM)
In parts 1 (The Basic Concepts) & 2 (Digging Deeper) we gave you the “traditional silo” approach to risk management. Another school of thought we would like to share is ERM – Enterprise Risk Management.
ERM is a framework to identify risk that typically involves identifying particular events or circumstances relevant to the organizations objectives (risk and opportunities) …assessing them in terms of likelihood and magnitude of impact …determining a response strategy …and monitoring progress.
Some of the primary risk functions (departments and committees) in larger organizations that may participate in an ERM program typically include:
- Strategic Planning – it identifies both external threats and competitive opportunities, along with strategic initiatives to address them.
- Compliance & Ethics – monitors compliance with code of conduct and directs fraud investigations.
- Operations Management – ensures the business runs day-to day and that related barriers are surfaced for resolution.
- Accounting /Finance Compliance – directs the Sarbanes-Oxley Section 302 and 404 assessments, which identifies financial reporting risks.
- Insurance – ensures the proper insurance coverage for the organization
- Marketing – understands the target customer to ensure product/service alignment with customer requirements
- Treasury – ensures cash is sufficient to meet business needs, while management risk related to commodity pricing or foreign exchange.
- Law Department – manages litigation and analyzes emerging legal trends that may impact the organization.
- Operational Quality Assurance – verifies operational output is within tolerances.
- Credit – ensures any credit provided to customers is appropriate to their ability to pay.
- Customer Service – ensures customer complaints are handled promptly and root causes are reported to operations for resolution.
- Internal Audit – evaluates the effectiveness of each of the above risk functions and recommends improvement.
Each department of the management team then selects a risk-response strategy for specific risks identified and analyzed, these may include:
- Avoidance: Exiting the activities giving rise to risk
- Reduction: Taking action to reduce the likelihood or impact related to the risk
- Share or insure: Transferring or sharing a portion of the risk, to reduce it
- Accept: No action is taken, due to a cost/benefit decision
Each approach described in this blog post series – “Traditional Silo” and the ERM Model – has its advantages and disadvantages. Each approach, utilized separately, is not fully valid as a comprehensive stand-alone approach.
Every business large or small faces many of the same issues just in different ways and varying degrees. A melded strategy will position company principals to investigate both internal and external risks that can and will affect their business at some point in time. The bottom line is that a well thought out strategy needs to be developed touching upon a wide variety of an organizations business operational issues. Another point to keep in mind is that risk management is an ongoing process…the risks we face today may not necessarily be the ones we face in the future.