Enterprise Risk Management (ERM)


Enterprise Risk Management (ERM) is an organization’s enterprise risk competence—the ability to understand, control, and articulate the nature and level of risks taken in pursuit of business strategies—coupled with accountability for risks taken and activities engaged in, which contributes to increased confidence shown by stakeholders.[1]

Enterprise risk management (ERM) is a plan-based business strategy that aims to identify, assess and prepare for any dangers, hazards and other potentials for disaster – both physical and figurative – that may interfere with an organization's operations and objectives. Relatively new (it's less than a decade old), the discipline not only calls for corporations to identify all the risks they face and to decide which risks to manage actively; it also involves making that plan of action available to all stakeholders, shareholders and potential investors, as part of their annual reports. Industries as varied as aviation, construction, public health, international development, energy, finance and insurance all utilize ERM.[2]

ERM represents a significant evolution beyond previous approaches to risk management in that it:

  • Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.);
  • Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual “silos”;
  • Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders;
  • Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks;
  • Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature;
  • Views the effective management of risk as a competitive advantage; and
  • Seeks to embed risk management as a component in all critical decisions throughout the organization.

The History of and the Need for Enterprise Risk Management (ERM)[3]

  • The concept of a holistic approach of risk management traces its roots to the early 1970s when Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process (assessment, control, financing and communication).
  • In the 20th century, risk managers were primarily responsible for managing "pure" risks through the purchase of insurance, though the concept of risk management soon became associated with financial risk management with the use of derivative financial products.
  • Several developments have driven the need for enterprise risk management. These include an increase in:
    • Greater transparency
    • Financial disclosures with more strict reporting and control requirements
    • Security and technology issues
    • Business continuity and disaster preparedness in a post-9/11 world
    • Focus from rating agencies
    • Regulatory compliance
    • Globalization in a continuously competitive environment

The Elements of Enterprise Risk Management[4]
Enterprise risk management, when designed and operating effectively, serves to promote the achievement of an organization’s strategies and goals. For an enterprise risk management framework to be robust and sustainable, the following key elements must be embedded within the framework:

  • Risk Governance: A well-established risk governance structure requires an active and engaged Board of Directors supported by an experienced senior management team and a risk management group that is independent of the business lines. The Board of Directors should ensure that decision-making is aligned with the organization’s strategies, goals and risk appetite. Executive management is responsible for risk management under the oversight of the Board. The business lines should be responsible for both the development and execution of business plans and their alignment with the organization’s risk management framework, and be accountable for the risks they incur.
  • Risk Appetite: Risk appetite is the level of risk that an organization is prepared to accept, before action is deemed necessary to reduce it. Precise measurement of risk appetite is not always possible and will sometimes be defined by a broad statement of approach. Your organization may have an appetite for some types of risk and be averse to others. Regardless, the Board should receive regular updates on the key risks to the organization.
  • Risk Management Techniques: A commonly used risk management technique is risk measurement reporting, which aggregates various measures of risk across products and businesses and is used to ensure compliance with policies, limits and guidelines. Such reports also provide a clear statement of the amounts, types and sensitivities of the various risks in the organization’s portfolios. Senior management and the Board use this information to understand the organization’s risk profile.

Why implement ERM?[5]
Traditional risk management approaches tend to be fragmented, compartmentalizing risks into silos. These approaches often limit the focus to managing uncertainties around physical and financial assets. Because they focus largely on loss prevention, rather than enhancing enterprise value, traditional approaches do not provide the framework most organizations need to redefine the risk management value proposition in a rapidly changing world. ERM, on the other hand, provides an organization with the process it needs to become more anticipatory and effective at evaluating and managing the uncertainties it faces as it creates sustainable value for stakeholders. ERM helps an organization manage its risks to protect and enhance enterprise value in three ways:

  • First, it focuses on establishing sustainable competitive advantage. ERM helps management overcome silo behavior by aligning and integrating varying views of risk and enabling the enterprise to successfully respond to a changing environment. ERM elevates risk management to a strategic level by broadening the application and focus of the risk management process to all sources of enterprise value, not just physical and financial ones.
  • Second, it optimizes the cost of managing risk. Through ERM, management aggregates risk acceptance and transfer decisions, eliminates redundant activities and determines the level of risk the organization is prepared to accept as it executes its business model.
  • Third, it helps management improve business performance. ERM assists management with reducing unacceptable performance variability and loss exposure by
    • (a) anticipating the impact of major events and
    • (b) developing responses to prevent those events from occurring and manage their impact on the organization if they do occur.

ERM transitions risk management from “avoiding and hedging bets” to a differentiating skill for protecting and enhancing enterprise value as management seeks to make the best bets in the pursuit of new opportunities for growth and return. ERM invigorates opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks they are taking on and have the capabilities at hand within the organization to manage those risks. Research over the years consistently indicates that six of ten senior executives “lack high confidence” that their company’s risk management practices identify and manage all potentially significant business risks. The focus of ERM is on integrating risk management with strategy-setting. The emphasis is on identifying future potential events that can have both positive and negative effects and evaluating effective strategies for managing the organization’s exposure to those future events. ERM transforms risk management into a proactive, continuous, value-based, broadly focused and process-driven activity. These contributions redefine the value proposition of risk management to a business.

Questions to consider when Implementing ERM[6]

  • What are the main components or drivers of our business strategy?
  • What internal factors or events could impede or derail each of these components?
  • What external events could impede or derail each of the components?
  • Do we have the right systems and processes in place to address these internal and external risks?

[Figure: Dos and Don'ts of ERM (source: CGMA)]

Systematic Implementation of an ERM Strategy will:[7]

  • Improve decision-making by making the decisions more risk-informed and defensible
  • Enable proactive management of risk rather than reactive actions
  • Provide a comprehensive and holistic view of the organization-wide strengths and weaknesses, as well as external risks
  • Connect leadership to the field by establishing a formal feedback loop and enhancing communications
  • Support strategic planning by identifying risks to the organization's mission and managing the risks associated with executing the plan
  • Link to performance management through the development of performance metrics for risk treatment actions
  • Bring unknowns to light through systematic risk identification and analysis
  • Validate investments and support budget justifications
  • Align with government mandates and best practices, such as ISO 31000, COSO and OMB circulars A-11, A-123, A-50 and A-133

Steps to Implementing Enterprise Risk Management[8]

  • Step 1 – Establish an Enterprise Risk Structure: ERM requires the whole organisation to identify, communicate and proactively manage risk, regardless of position or perspective. Everyone needs to follow a common approach, which includes a consistent policy and process, a single repository for their risks and a common reporting format. However, it is also important to retain existing working practices based on localised risk management perspectives as these reflect the focus of operational risk management. The corporate risk register will look different from the operational risk register, with a more strategic emphasis on risks to business strategy, reputation and so on, rather than more tactical product, contract and project focused risks. The health and safety manager will identify different kinds of risks from the finance manager, while asset risk management and business continuity are disciplines in their own right. ERM brings together risk registers from different disciplines, allowing visibility, communication and central reporting, while maintaining distributed responsibility. In addition to the usual vertical risk registers, such as corporate, business units, departments, programs and projects, the enterprise also needs horizontal, or functional risk registers. These registers allow function and business managers, who are responsible for identifying risks to their own objectives, to identify risks arising from other areas of the organisation.
  • Step 2 – Assign responsibility: Once an appropriate enterprise risk structure is established, assigning responsibility and ownership should be straightforward. Selected nodes in the structure will have specified objectives; each will have an associated manager (executive, functional or business), who will be responsible for achieving those objectives and managing the associated risks. Each node containing a set of risks, along with its owner and leader, is a Risk Management Cluster. Vertical managers take executive responsibility not only for their cluster risk register, but also overall leadership responsibility for the Risk Management Clusters below. Responsibility takes two forms: ownership at the higher level and leadership at the lower level. For example, a program manager will manage his program risks, but also have responsibility for overseeing risk within each of the program’s projects. Budgetary authority (setting and using Management Reserve), approval of risk response actions, communication of risk appetite, management reporting and risk performance measures are defined as part of the Owner and Leader roles. This structure is also used to escalate and delegate risks. Horizontal managers take responsibility for their own functional or business Risk Management Clusters, but also for gathering risks from other areas of the Enterprise Risk Structure related to their discipline. For example, the HR functional manager will be responsible for identifying common skills shortfall risks to bring them under central management. Similarly, the business continuity manager will identify all local risks relating to use of a test facility and manage them under one site management plan.
  • Step 3 – Create an enterprise risk map: Risk budgeting and common sense dictate that risks should reside at their local point of impact, because this is where attention is naturally focused. However, the risk cause, mitigation or exploitation strategy may come from elsewhere in the organisation, and often common causes and actions can be identified. In this case, we take a systemic approach, where risks are managed more efficiently when brought together at a higher level. To achieve this, we need to be able to map risks to different parts of the risk management structure. To create an enterprise risk map, you need:
    • a set of global categories to communicate information to the right place
    • the facility to define the relationships between risks (parent, child, sibling, etc.)
    • scoring systems with consistent common impact types

Global categories

Functional and business managers should use these global categories to map risks to common themes, such as strategic or business objectives, functional areas and so on. These categories then provide ways to search and filter on these themes and to bring common risks together under a parent risk. For example, if skills shortage risks are associated with HR, the HR manager can easily call up a register of all the HR risks, regardless of project, contract, asset, etc., across the organisation and manage them collectively. Similarly, the impact of a supplier failing on any one contract may be manageable, but across many contracts it could be a major business risk, in which case the supply chain function needs to bring the risks against this supplier together and manage the problem centrally. Each Risk Management Cluster will include both global and local categories in a Predict! Group, so that each area of the organisation needs only to review relevant information. Scoring systems are also applied by Risk Management Cluster, with locally meaningful High, Medium and Low thresholds which map automatically when rolled up. For example, a high impact of £150k at project or contract level will appear as Low at corporate level, whereas a £5m risk at project or contract level may appear as High at corporate level. Typically, financial and reputation impacts will be common to all clusters, whereas local impacts, such as project schedule, will not be visible higher up.
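The cluster-specific scoring and horizontal (functional) registers described above, as an added example; this is not code from the page or from the Predict! product it mentions. Cluster names, every threshold other than the page's £150k and £5m figures, and the sample risks are constructed assumptions.

```python
"""Rolling up cluster-specific risk scores (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cluster:
    """One Risk Management Cluster with its own High/Medium/Low thresholds (GBP)."""
    name: str
    parent: Optional["Cluster"]
    medium_floor: float   # impact at or above this is at least Medium
    high_floor: float     # impact at or above this is High

    def rate(self, impact_gbp: float) -> str:
        if impact_gbp >= self.high_floor:
            return "High"
        if impact_gbp >= self.medium_floor:
            return "Medium"
        return "Low"


@dataclass
class Risk:
    ident: str
    description: str
    cluster: Cluster
    impact_gbp: float                   # financial impact: common to all clusters
    schedule_weeks: float = 0.0         # local impact type: not visible higher up
    categories: set = field(default_factory=set)  # global categories, e.g. "HR"


def chain(cluster: Cluster):
    """Yield a cluster and each of its ancestors up to the corporate root."""
    while cluster is not None:
        yield cluster
        cluster = cluster.parent


def roll_up(risk: Risk) -> dict:
    """Rating of one risk at each level it rolls up to, each level applying its own thresholds."""
    return {c.name: c.rate(risk.impact_gbp) for c in chain(risk.cluster)}


def horizontal_register(risks, category: str):
    """Functional (horizontal) view: every risk tagged with a global category, from any cluster."""
    return [r for r in risks if category in r.categories]


def category_exposure(risks, category: str, level: Cluster):
    """Rate each tagged risk individually at `level`, then rate their combined impact."""
    tagged = horizontal_register(risks, category)
    individual = {r.ident: level.rate(r.impact_gbp) for r in tagged}
    combined = level.rate(sum(r.impact_gbp for r in tagged))
    return individual, combined


# constructed clusters: thresholds get coarser towards the top
CORPORATE = Cluster("Corporate", None, medium_floor=1_000_000, high_floor=5_000_000)
UNIT_A = Cluster("Business Unit A", CORPORATE, medium_floor=100_000, high_floor=1_000_000)
PROJECT_1 = Cluster("Project P1", UNIT_A, medium_floor=50_000, high_floor=150_000)
PROJECT_2 = Cluster("Project P2", UNIT_A, medium_floor=50_000, high_floor=150_000)

# constructed sample risks
SAMPLE_RISKS = [
    Risk("R1", "Key engineer leaves before design review", PROJECT_1, 150_000, 6, {"HR"}),
    Risk("R2", "Single contract lost after test facility flood", PROJECT_2, 5_000_000, 0, {"Business continuity"}),
    Risk("R3", "Supplier S misses delivery on contract C1", PROJECT_1, 800_000, 4, {"Supply chain"}),
    Risk("R4", "Supplier S misses delivery on contract C2", PROJECT_2, 900_000, 3, {"Supply chain"}),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.ident, roll_up(r))
    # each supplier risk is Low at corporate level on its own; together they are Medium
    print("Supply chain at corporate:", category_exposure(SAMPLE_RISKS, "Supply chain", CORPORATE))
```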

  • Step 4 – Decision making through enterprise risk reporting: The most important aspect of risk management is carrying out appropriate actions to manage the risks. However, you cannot manage every identified risk, so you need to prioritize and make decisions on where to focus management attention and resources. The decision making process is underpinned by establishing risk appetite against objectives and setting a baseline, both of which should be recorded against each Risk Management Cluster®. Enterprise-wide reporting allows senior managers to review risk exposure and trends across the organisation. This is best achieved through metrics reports, such as the risk histogram. For example, you might want to review the risk to key business objectives by cluster. Or how exposed different contracts and projects are to various suppliers. Furthermore, there is a need to use a common set of reports across the organisation, to avoid time wasted interpreting unfamiliar formats. Such common reports ensure the risk is communicated and well understood by all elements of the organisation, and hence provide timely information on the current risk position and trends, initially top-down, then drilling down to the root cause.
  • Step 5 – Changing culture from local to enterprise: At all levels of an organisation, changing the emphasis from ‘risk management’ to ‘managing risks’ is a challenge; across the enterprise it is particularly difficult. It requires people to look ahead and take action to avert (or exploit) risk to the benefit of the organisation. It also requires the organisation to encourage and reward this change in emphasis! Unfortunately, problem management (fire-fighting) deals with today’s problems at the expense of future ones. This is generally a far more expensive process, as the available remedies are limited. However, if potential problems are identified (as risks) before they arise, you have far more options available to effect a ‘Left Shift’: from a costly and overly long process to one better matching the original objectives set! Most organisations have pockets of good risk management, many have a mechanism to report ‘top N’ risks vertically, but very few have started to implement horizontal, functional or business risk management. Both a bottom-up and a top-down approach are required. An ERM initiative should allow good local practices to continue, provided they are in line with enterprise policy and process (establishing each pocket of good risk management as a Risk Management Cluster will provide continuity). From a top-down perspective, functional and business focused risk management needs to be kick-started. A risk steering group comprising functional heads and business managers is a good place to start. The benefits of such a group getting together to understand inter-discipline risk help break down stove-piped processes. This can trigger increasingly relaxed cross-discipline discussions and a focus on aligning business and personal objectives that leads to rapid progress on understanding and managing risk. Finally, to ensure that an organisational culture shift is effected, senior management must be engaged. This engagement is not only aimed at encouraging them to see the benefits of managing risk, but also at helping the organisation as a whole see that proactive management of risk (the Left Shift principle) is valued by all.

Common Challenges in Enterprise Risk Management (ERM) Implementation[9]
Various consulting firms offer suggestions for how to implement an ERM program. Common topics and challenges include:

  • Identifying executive sponsors for ERM.
  • Establishing a common risk language or glossary.
  • Describing the entity's risk appetite (i.e., risks it will and will not take)
  • Identifying and describing the risks in a "risk inventory".
  • Implementing a risk-ranking methodology to prioritize risks within and across functions.
  • Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.
  • Establishing ownership for particular risks and responses.
  • Demonstrating the cost-benefit of the risk management effort.
  • Developing action plans to ensure the risks are appropriately managed.
  • Developing consolidated reporting for various stakeholders.
  • Monitoring the results of actions taken to mitigate risk.
  • Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.
  • Developing a technical ERM framework that enables secure participation by 3rd parties and remote employees.

The Enterprise Risk Management (ERM) Process (See Figure 1.)[10]
Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing process. Unfortunately, some view ERM as a project that has a beginning and an end. While the initial launch of an ERM process might require aspects of project management, the benefits of ERM are only realized when management thinks of ERM as a process that must be active and alive, with ongoing updates and improvements. The diagram in Figure 1 illustrates the core elements of an ERM process. Before looking at the details, it is important to focus on the oval shape of the figure and the arrows that connect the individual components that comprise ERM. The circular, clockwise flow of the diagram reinforces the ongoing nature of ERM. Once management begins ERM, they are on a constant journey to regularly identify, assess, respond to, and monitor risks related to the organization’s core business model.

[Figure 1: Enterprise Risk Management (ERM) Process (source: NC State University)]

The goal of an ERM process is to generate an understanding of the top risks that management collectively believes are the current most critical risks to the strategic success of the enterprise. Most organizations prioritize what management believes to be the top 10 (or so) risks to the enterprise. Generally, the presentation of the top 10 risks to the board focuses on key risk themes, with more granular details monitored by management. For example, a key risk theme for a business might be the attraction and retention of key employees. That risk issue may be discussed by the board of directors at a high level, while management focuses on the unique challenges of attracting and retaining talent in specific areas of the organization (e.g., IT, sales, operations, etc.). While the core output of an ERM process is the prioritization of an entity’s most important risks and how the entity is managing those risks, an ERM process also emphasizes the importance of keeping a close eye on those risks through the use of key risk indicators (KRIs). Organizations are increasingly enhancing their management dashboard systems through the inclusion of key risk indicators (KRIs) linked to each of the entity’s top risks identified through an ERM process. These KRI metrics help management and the board keep an eye on risk trends over time.

The Importance of Enterprise Risk Management (ERM)[11]
Events over recent years have pointed to five realities that every CEO and board face. These five realities are forcing management and their boards to take a fresh look at risk and crisis management. An effectively functioning ERM process is important because it can help them address these new realities.

  • 1. The time may come – sooner than we may expect – when the fundamentals of the business are about to change. Risk management is about securing “early mover” positioning in the marketplace. Management of strategic uncertainties requires an understanding of the key assumptions underlying the strategy and monitoring changes in the business environment to ensure that these assumptions remain valid over time.
  • 2. It is not what we know that matters; it is what we don’t know that makes the difference. The question should be: Is our approach to assessing risk identifying emerging risks and telling us something we don’t know?
  • 3. Most businesses are boundary-less. A strategic perspective applied to operational risks suggests the need for an end-to-end extended enterprise view of the value chain, requiring consideration of upstream and downstream relationships. What happens if any critical component of this chain were lost for an indeterminate period of time?
  • 4. Sooner or later, there will be a crisis that will test your company. Even the most effective risk management cannot prevent this exposure. Yet companies spend a lot of time guessing at probabilities and ignoring the speed of impact, the persistence of impact over time and the organization’s response readiness.
  • 5. Management and directors are struggling with delineating between risk management and risk oversight. The risk oversight playbook is evolving. CEOs fear an overlay and non-value-added activity that is out of sync with the rhythm of the business. It makes sense to start both risk management and risk oversight at the same place – with the formulation of strategy, including an understanding of the key assumptions underlying the strategy.

Benefits of Enterprise Risk Management (ERM)[12]
Organizations often find that ERM programs provide a combination of both qualitative and quantitative benefits. While there are many benefits to ERM, let's focus on five of them. Through all of the benefits noted below, ERM can enable better cost management and risk visibility related to operational activities. It also enables better management of market, competitive, and economic conditions, and increases leverage and consolidation of disparate risk management functions.

  • Benefit one: creation of a more risk focused culture for the organization

Organizations that have implemented ERM note that increasing the focus on risk at the senior levels results in more discussion of risk at all levels. The resulting cultural shift allows risk to be considered more openly and breaks down silos with respect to how risk is managed. As risk discussions develop into a standard part of the overall strategic business processes, operational units often find that addressing risk in a more formal way helps manage their part of the organization as well. Communication and discussion of risk is recognized as not only a process to provide information to senior management, but a way to share risk information within and across operations of the company, and allow better insights and decision making concerning risk at all levels.

  • Benefit two: standardized risk reporting

ERM supports better structure, reporting, and analysis of risks. Standardized reports that track enterprise risks can improve the focus of directors and executives by providing data that enables better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas. These reports can also help leaders develop a better understanding of risk appetite, risk thresholds, and risk tolerances. One of the major values of ERM risk reporting is improved timeliness, conciseness, and flexibility of the risk data. This provides the data needed for improved decision-making capabilities within the executive and director levels, and in other layers of management. ERM helps management recognize and unlock synergies by aggregating and sharing all corporate risk data and factors, and evaluating them in a consolidated format.

  • Benefit three: improved focus and perspective on risk

ERM develops leading indicators to help detect a potential risk event and provide an early warning. Key metrics and measurements of risk further improve the value of reporting and analysis and provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting organizations to changes in their risk profile. ERM also permits a more complete viewpoint on risk. Traditional risk practices focus on mitigation, acceptance, or avoidance. However, effective ERM processes give management a framework to evaluate risk as an opportunity to increase competitive positions and exploit certain market and operational conditions.

  • Benefit four: efficient use of resources

In organizations without ERM, many individuals may be involved with managing and reporting risk across operational units. While developing an ERM program does not replace the need for day to day risk management, it can improve the framework and tools used to perform the critical risk management functions in a consistent manner. Eliminating redundant processes improves efficiency by allocating the right amount of resources to mitigating the risk.

  • Benefit five: effective coordination of regulatory and compliance matters

Bond rating agencies, financial statement auditors, and regulatory examiners have begun to inquire about, test, and use monitoring and reporting data from ERM programs. Since ERM data involves identifying and monitoring controls and mitigation efforts across the organization, this information can help reduce the effort and cost of such audits and reviews.

Weakness of Enterprise Risk Management (ERM)[13]

  • 1. ERM Lacks the Framework it Touts

The expansion of traditional Risk Management beyond financial concerns – and denoting it as Enterprise Risk Management – was haphazard, almost random in nature. Obviously, the intent was to consolidate all activities, functions, and interests within a corporation so that their risks might be integrated, examined, and managed as a unit. It has no defined process that assures TOTAL management of risk. Instead, it’s “bits and pieces” – often focused on the sensational and obvious while ignoring the mundane and routine. The goal of ERM is to address risk in all areas of the enterprise. Consider Enron and Worldcom – companies that spent millions on risk management services that likely never addressed the risks of accounting and financial reporting. “Enterprise” turns out to be elusive rather than descriptive. ERM in one organization may not even resemble ERM in another. What is needed? Application of the systems approach – that global, holistic, all-encompassing, universal technique used successfully in high-risk space endeavors. That approach clearly defines the boundary of concern – so that there is no ambiguity about what is and what is not the entity for which risk is being managed. Once that is accomplished, its known inputs and desired outputs are established, a functional platform for identifying every conceivable risk is constructed, and risk scenarios are written. Until ERM becomes systematic, it will suffer misunderstanding, false exploitation, fragmentation, and confused reaction.

  • 2. ERM is Reactive Instead of Proactive

History certainly reveals a wealth of risks needing to be managed. However, those risks are only a portion of those that management must address if an organization is to protect and create value for its stakeholders - including owners, employees, customers, regulators, and society overall. Risks that have yet to be revealed or experienced may be more consequential than the obvious ones that most organizations traditionally manage. There is no recognized and endorsed ERM process for foreseeing and identifying risks prior to experiencing their associated losses. This deficiency forces ERM to be reactive instead of proactive – waiting for a loss before implementing countermeasures against it. Reactionary management is always inefficient and impulsive – as well as expensive. ERM should be proactive, but it’s not. It’s usually reactive. Because it has no method or process for identifying risks that have not yet happened, it is destined to remain reactive. The sad fact is that – by being reactive – every loss is much more costly than if it had been foreseen and controlled.

  • 3. ERM Discards the Wisdom of Insiders

The third weakness is a sleeper – due to the history of risk management. Insurers and risk consultants in financial institutions have always convinced most client executives that they know how best to manage risk. So those executives have fallen victim to engaging experts from the outside to tell them what they already know - while still remaining vulnerable to risks the outsiders know nothing about. Most critically, the wisdom required to manage and control risk is right within the enterprise itself. The key is to have a technique that extracts and organizes that wisdom. As the scope of risk concern broadened under ERM to include control of risk, it became obvious that risk management knowledge and expertise required was not available from the outside financial experts who had historically provided it. True, there was a base of client knowledge in financial service companies whereby insurance rates could be established for various types of businesses. But that ballgame changes when the spectrum of potential losses widens beyond the insurable. This is not to say that outside financial consultants cannot augment the internal wisdom of a client enterprise regarding management of risk. But the shortcoming is that they typically limit their involvement to a few mid- or high-level client managers with financial interests. Risks can only be impacted or reduced by those in control of the scene wherein they occur – and it is those very people who are rarely involved in the ERM process even though they have the greatest knowledge and understanding of those risks. ERM discards the wisdom of insiders.

  • 4. ERM Doesn’t Calculate Mitigation Costs

Every identified risk attracts management attention – in one of two ways. If it is defined only in terms of its severity and likelihood, unanimity of concern about it is generally universal but inconsequential. Why? Because there is no consequence involved. Everyone agrees that the risk exists. But it is simply a moral concern – not a management one. However, if a third dimension – mitigation cost – is assigned to that risk, decision makers are forced to address it. It becomes consequential. It cannot be ignored. Questions arise about all three dimensions because, taken collectively, they allow that risk to be placed in an array of management significance or consequence. Executives become accountable for its management. As a general rule, ERM measures risk in only two dimensions – severity and likelihood. With little doubt, this short-sighted approach almost guarantees that management will not get involved in addressing it. It may become assigned to a list or a group of similar risks or be classified within a zone of interest. But without a mitigation price tag, management will ignore it. Ignoring mitigation cost assures ignored risk. Executives simply cannot deal with risk until it joins the real world of economics. Cost of mitigation is an absolutely essential third dimension of ERM. Without providing decision-makers with the COST of controlling losses, risk managers will continue to be absent from the boardroom.

  • 5. ERM Fails to Rank Risks

The fifth weakness is well-known to top executives. They have no unambiguous, universal means for determining which identified risks must be controlled or mitigated versus those that may be accepted without any countermeasure investment. Diverse interests and voices within an organization can and do promote risks as vehicles for securing additional resources. Alarmism and sensational appeals for risk mitigation are not unknown – even in the board room. There are never enough resources in any organization to mitigate every identified risk. So allocating resources to manage risk is a prime concern for executives. On what basis then can an executive determine the necessity for investment to control risk? How can one risk be justified as more important than another? When and how can a decision-maker feel justified in allocating limited resources to competing candidates for risk control – particularly when great diversity in complexity, function, or cost among them exists? Compounding this dilemma is the possibility that risk identification itself may even be manipulated to favor or influence resource allocation decisions. Should an executive desire to have the organization publicly appear more risk responsible, he could limit or divert the function of risk identification – ordering that certain types of known risk not be acknowledged and documented. This did occur in the tobacco industry when the risk of nicotine addiction arose. Risk identification is not immune to political or social pressure. The only option for many decision-makers is to spend very limited resources on the current risk du jour. This is a shame – being forced to randomly commit assets to manage risk simply because risks cannot be ranked for cost-effectiveness! Should not every executive know the organization’s Number 1 Risk, Number 2 Risk, Number 3 Risk, and so on?

Further Reading

  • Overview of Enterprise Risk Management CAS
  • A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000
  • Guide to Enterprise Risk Management
  • 6 tips for successful enterprise risk management BizJournals
  • Challenges in Implementing Enterprise Risk Management (ERM) ACRN
  • The Benefits of Effective Enterprise Risk Management for Insurers Oracle
  • Why enterprise risk management is good for business Smart Business
  • Why is Enterprise Risk Management Important for Preparedness? Carol A. Fox & Michael S. Epstein