What is Enterprise Risk Management (ERM)? Definition, Scope, Benefits, Objective, Driver, Frameworks

What is Enterprise Risk Management (ERM)?

Enterprise Risk Management (ERM) is a strategic approach to identifying, assessing, and managing risks that could impact an organization’s objectives and goals. ERM is a framework that allows organizations to manage risk across their entire enterprise, rather than focusing on specific areas or functions.

ERM can be defined as a process of mitigating the effect of a risk by following various activities such as planning, organising and controlling the activities of the organisation. ERM is defined in different ways by different authorities.

---

Definitions of ERM

According to the Institute of Internal Auditors, enterprise risk management is a structured, consistent, and continuous process across the whole organisation for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.

According to the Committee of Sponsoring Organisations (COSO), ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

From the definitions given above, we can see that ERM has the following advantages:

• It serves as a tool for enhancing the management’s decision-making process, corporate governance and accountability.
  
  
• It helps the management to tackle uncertainties and associated risks in the organisation.
  
  
• It guides the organisation to get to where it wants to go, and avoid pitfalls and surprises along the way (COSO).
  
  
• It is a systematic approach to a historically intuitive exercise (Klein, Mandl and Sencer).

---

Scope of ERM in Organisation

The scope of ERM in an organisation can be briefly explained through the following points:

• It integrates the performance of different departments of the organisation with risk management capabilities.
  
  
• It conveys the organisation’s policy, approach and attitude towards risk management.
  
  
• It sets the scope and application of risk management within the organisation.
  
  
• It defines clearly the roles and responsibilities for managing risks.
  
  
• It develops an approach that is consistent and aligned with relevant standards across the industry. The approach ensures adoption of the best practice for reporting risks.
  
  
• It emphasises the commitment of departments to the periodic review and verification of the framework and its continual improvement.
  
  
• It describes the resources available to assist those with accountability or responsibility for managing risks.
  
  
• It ensures that the departments meet their risk reporting obligations.

Risk is defined and accepted as the effect of uncertainty in an organisation. It can have either a positive or a negative effect on the business objectives of the organisation. Risks define the scope of work for risk management in an organisation.

Some of the highlights of risk management are as follows:

• Risk management includes a set of coordinated activities within an organisation that directs and controls departments with regard to risks.
  
  
• Risk management helps in the realisation of potential opportunities along with the positive and negative impacts of risks.

Risk management is defined as a set of actions performed in an organisation to identify, understand and manage risks. These actions are aimed at controlling risks in order to meet the objectives of the organisation. Risk management is implemented while performing all other daily activities and responsibilities of the organisation.

---

Benefits of Risk Management

Risk management provides the following benefits to an organisation:

• It is an approach to manage the events or opportunities impacting the objectives of an organisation.
  
  
• It supports the management to tackle potential negative effects of risks. It also enables an organisation to take advantage of potential opportunities.
  
  
• It provides opportunity for enhanced planning of processes and improved performance with focus on service delivery.
  
  
• It leads to the development of efficiencies within an organisation so that it can face any uncertainties in the future with confidence.
  
  
• It leads to the growth and development of a positive organisational culture where people are aware of their role in contributing to the overall achievement of the organisation’s objectives.

ERM sets guidelines and processes for implementing a risk management system in an organisation. This is done by analysing the risk portfolio of the organisation. The guidelines are set by keeping in mind the risk appetite of the organisation. The objectives of the organisation are set to meet its long-term strategies.

Objective of ERM

The main objective of ERM is to measure an organisation’s achievement on the following parameters:

• Strategic: This relates to the goals that are aligned with the mission statement and regarded as highly intrinsic to the organisation’s overall vision.
  
  
• Functional: It includes the day-to-day work processes of the organisation.
  
  
• Compliance: It involves the formulation of guidelines for strict adherence to various regulatory laws by the organisation.

---

Components of ERM

There are eight main components of ERM. These components are interrelated to each other. The components can be briefly explained as follows:

• Environment: This is essentially the environment in which the organisation operates and defines the organisation’s culture.
  
  
• Setting of objectives: The management sets the strategic goals and objectives based on the risk appetite of the organisation.
  
  
• Identification of events: It essentially means the activities aimed at identifying events that influence the strategies and objectives of the organisation. These events may affect the organisation’s ability to achieve its objectives.
  
  
• Risk assessment: It includes activities to assess the impact and likelihood of events and a prioritisation of related risks.
  
  
• Risk response: It includes the risk-taking capabilities of the organisation and how it will respond to risks. Organisations may use various strategies to respond to risk. For example, they may choose to avoid the risk, share the risk or mitigate the risk.
  
  
• Control activities: These relate to the policies and procedures of the organisation to address risks.
  
  
• Information and communication: Here, the focus is on information and communication of activities in response to a risk at the right time to the right people.
  
  
• Monitoring: These are activities that are involved in evaluations for effective control of risks.

ERM is an approach to risk management that has evolved significantly in recent times due to the following reasons:

• It covers and protects organisations against most types of risks, be they financial, operational, compliance, governance, strategic, etc.
  
  
• Exposure to risks is managed as an interrelated risk portfolio.
  
  
• Risk evaluation is based on internal and external environments, systems, circumstances and stakeholders.
  
  
• ERM works on the principle that the sum of individual risks in an organisation is not equal to the individual risks across the organisation. The exposure created by combined risks is far more than the individual risks.
  
  
• It provides a structured process for managing all types of risks.
  
  
• It provides competitive advantage for the organisation by effectively managing risks.
  
  
• It treats a risk as an underlying truth to every critical decision taken in the organisation.

Various external factors negatively affecting the performance of an organisation have resulted in increased interest in understanding the concept of ERM. Government regulatory bodies as well as investors are constantly scrutinising the risk factors related to the policies and procedures followed by organisations.

The boards of directors are now required to review and report on the adequacy of risk management processes followed in their organisations. The key is to strike a balance between enhancing profits and managing risk through ERM.

---

Drivers of ERM

ERM provides a risk assessment framework to organisations. It provides them an ability to respond confidently to existing and emerging challenges. ERM shifts an organisation’s focus from a ‘cost/benefit’ line of operations to a ‘risk/reward’ approach.

This approach was conceived by Standard & Poor’s as regulatory and governance requirements of organisations continue to advance with a request for more robust risk assessment practices. Based on the concept formulated by Standard & Poor’s, many organisations have implemented formal enterprise-wide risk management programmes.

There are several drivers of enterprise risk management. We can list them on the basis of the following categories:

Risk Governance

This refers to the mechanism arranged to govern a risk. The following reasons under this mechanism strives the need for ERM:

• Unclear risk accountability due to risk oversight by board members
  
  
• Lack of sharing information related to risk in processes and its management by board members
  
  
• Poor integration of risk management into day-to-day management decision making
  
  
• Too much focus on operational and process-level risks rather than on strategic business activities

Risk Identification and Assessment

This refers to the first step towards risk management that is identification and assessment of the risk. The following reasons under this phase reinforce the need for ERM:

• Need for long-term perspective of risk assessment
  
  
• Need for discouraging short-term outcomes of risk assessment
  
  
• Risk identification to be done by assessing internal and external factors affecting the organisation
  
  
• Need to consider climate change in the process of risk assessment

Risk Quantification/Mitigation

The ultimate objective of the process of risk management is to mitigate risk. The following reasons under this phase reinforce the need for ERM:

• Focus on adequate training of risk quantification/usage of quantification tools
  
  
• Risk at individual level and process-level risks together define the risks faced by organisations. These risks can be handled at portfolio level and by employing a broad range of approaches aimed at risk mitigation.

Risk Monitoring/Reporting

This refers to the last step towards risk management that is monitoring and reporting of the risk. The following reason under this phase reinforces the need for the ERM:

• This requires adequate monitoring and reporting of risks in a way that they are fully aligned with the strategic objectives of the organisation.

The mentioned drivers of risk assessment serve as challenges of risk management. These identified challenges can be overcome through the following combined initiatives summarised below

• Effectiveness in separating the risk process and content
  
  
• Integrating enterprise risk management process into decision making processes by linking objectives, strategies and risks to key risk indicators
  
  
• Developing a strong risk culture for implementing an ERM initiative in an organisation
  
  
• Integration of risk, compliance and governance into a single, enterprise-level effort

---

Benefits of ERM

ERM has a huge impact on the business of an organisation and brings tangible and quantifiable benefits that serve as major driving forces towards meeting the objectives of the organisation.

Some of these benefits can be listed as follows:

• Stable earnings: Stable earnings are the outcome of ERM. They help in identifying and quantifying risks with greater accuracy, resulting in informed and improved decision making and profit for the organisation.
  
  
• Capital volatility: Greater insight into risk profile results in capital volatility, resulting in greater confidence in all stakeholders— particularly shareholders.
  
  
• Upgraded credit ratings: Effective ERM implementation leads to better risk assessment and mitigation, resulting in lower capital requirements. All the factors like better earnings, capital position and improved performance improve the credit ratings of the organisation.
  
  
• Compliance to regulatory requirements: ERM helps in meeting the regulatory requirements, and this facilitates the process of risk measurement and management and improves organisational decision making.
  
  
• Increased shareholder value: The credit ratings determine the organisation’s borrowing capacity. In a way, ERM determines the cost of capital and, consequently, the value of the shareholders.

---

Enterprise Risk Management With 360 Degree Approach

As per the Committee of Sponsoring Organisations (COSO) of the Treadway Commission, ERM is an ongoing process in an entity.

It has the following features:

• Affected by people at every level of organisation
  
  
• Applied in strategy-setting
  
  
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
  
  
• Designed to identify potential events affecting the entity and manage risk within its risk appetite
  
  
• Able to provide reasonable assurance to an entity’s management and board
  
  
• Geared to the achievement of objectives in one or more separate but overlapping categories—it is a means to an end, not an end in itself

A 360 Degree Risk Management Model helps in evaluating a model by creating and exploiting opportunities in an organisation. It helps both managers and organisations to:

• Learn and look for new opportunities
  
  
• Recognise and reduce the scope of risks as well as their consequences on a regular basis
  
  
• Increase the competency level of the managers by learning from the previous experiences of dealing with risks

This model comprises people, services and governance. People include stakeholders; services include providing support related to any project, tool or portfolio; and governance can be generalised as a Project Management Office (PMO) that includes Subject Matter Experts (SMEs) in risk.

At the project level, this model helps in evaluating the new risk trends and offering suggestions related to them. Thus, at the project level, this model helps in analysing risks and ways to mitigate or reduce them. Therefore, to deal with these new issues, every enterprise prepares its employees by training them to deal with new changes that would serve as a basis for dealing with risks.

For an enterprise to implement new strategies, it is important to follow Plan-Do-Check-Act (PDCA) cycle (Deming cycle); it is also known as continuous risk management, which applies to business continuity model. It is explained as follows:

• Plan: This activity is concerned with the set of processes that helps in defining goals, objectives, controls and procedures. These help in delivering quality in accordance with the overall procedures and policies of the organisation.
  
  
• Do: In this activity, the policies and procedures related to business continuity and risk management are implemented in the organisation. Numerous activities are planned in an organisation for understanding and strategising the events related to business continuity.
  
  The first step under this activity is to perform Business Impact Analysis (BIA) with respect to risk evaluation. The second step is to select as well as implement a risk mitigation and recovery plan. The third step is to develop plan documentation.
  
  The documents must be written in such a way that they allow repeatable response and recovery performance. The fourth and last step involves imparting training to the employees so that they can initiate programme maintenance by conforming to the set standards and policies.
  
  
• Check: The main goal of this activity is to track and assess the performance against the set standards and policies of the management and report the same to the management. In this activity, internal review is carried out that includes assessing and evaluating the performance of a given programme against the set standards of the organisation.
  
  Thus, it can be said that check activity is concerned with the capability of Business Continuity Programmes (BCPs) and management’s responsibility towards it.
  
  
• Act: In this activity, corrective actions are taken that are based on management review of business continuity policy. In this activity, a list of Corrective and Preventive Actions (CAPA) is maintained that helps in ensuring BCP and collaborate it with expectations and standards of the organisation.

---

Tools & Process to Identify Risk

There are various tools and processes that help in identifying risks and simultaneously planning the right response for the risk. These are given below:

Opportunity-level Processes

These processes help in judging the scope of risk related to the projects that in turn helps in deciding the priority (scheduling) of the projects in an organisation.

Portfolio/program-level Processes

There are numerous activities that help in knowing how different components of a project help in analysing the risks associated with the portfolio. It includes collecting information from internal sources, such as risk assessment sheet, preparing a standard book that promotes assessment of risks, finding best risk solutions depending upon the situation, generating risk assessment report, etc.

Review and Audit

As the names suggest, reviews and audits related to risk assessment are carried out on regular intervals by the senior management and internal auditors. This helps in knowing the effectiveness and responsiveness of the organisation in dealing with the risks.

Moreover, it helps in knowing whether the organisation is capable of successfully implementing the lessons learnt from risk assessment.

Risk Reporting

It is considered to be one of the most important processes while communicating and disseminating information. Moreover, the usefulness of risk reporting depends upon the specifications and details provided.

While preparing a risk report, each risk is viewed from a time scale (short/medium/long term) and the progress of risk is monitored on regular basis. The report also contains the dependency, impact and steps taken to mitigate the risks.

Benefits of 360 Degree to ERM

A 360 degree approach to ERM offers various benefits that are given below:

• Helps in achieving competitive edge and in-depth information
  
  
• Guarantees operational continuity as it helps in identifying the risks in early stages that allows to reduce or avoid any financial loss
  
  
• Increases predictability and brand value
  
  
• Upgrades the quality of products and services
  
  
• Seeks and exploits opportunities that come with risks, however avoiding unnecessary risks

---

Enterprise Risk Management Framework

There are numerous important ERM frameworks that exist internally (within an organisation) and externally (outside an organisation) and which help in identifying, evaluating, reacting and tracking both risks and opportunities.

Senior management chooses the risk response strategy for certain risks, which may include the following:

• Avoidance: Preventing or leaving those activities that are directly related to risks.
  
  
• Reduction: Taking measures that help in mitigating the impact of risks.
  
  
• Alternative actions: Looking for other opportunities that may be taken as steps for minimising risks.
  
  
• Share or insure: Transferring or sharing risks to reduce there effect on business.
  
  
• Accept: Exploiting the risk and seeking opportunity or cost-benefit from it

Casualty Actuarial Society Framework

As adopted by the Casualty Actuarial Society (CAS) Board of Directors, a casualty actuary is a professional skilled in the analysis, evaluation and management of the financial implications of future contingent events primarily with respect to general insurance, including property, casualty, and similar risk exposures. A casualty actuary has practical knowledge of how these various risks interact with each other and the environment in which these risks occur.

According to CAS Committee, ERM is the discipline in which an organisation in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organisation’s short- and long-term value to its stakeholders.

CAS has conceptualised ERM as proceeding across two dimensions, risk type and risk management processes.

Some risk types, conceptualised by CAS, include:

• Hazard risks: Property damage, natural catastrophe, etc.
  
  
• Financial risks: Pricing risk, asset risk, currency risk, liquidity risk, etc.
  
  
• Operational risks: Customer satisfaction, product failure, integrity, reputational risk, internal poaching, knowledge drain, etc.
  
  
• Strategic risks: Competition, social trend, capital availability, etc.

The steps in the risk management process as conceptualised by CAS include:

Establish Context

This step includes external, internal and risk management contexts.

• The external context starts with a definition of the relationship of the enterprise with its environment, including identification of the enterprise’s strengths, weaknesses, opportunities and threats (“SWOT analysis”).
  
  This context setting also identifies the various stakeholders (shareholders, employees, customers, community), as well as the communication policies with these stakeholders.
  
  
• The internal context starts with an understanding of the overall objectives of the enterprise, its strategies to achieve those objectives and its key performance indicators. It also includes the organisation’s oversight and governance structure.
  
  
• The risk management context identifies the risk categories of relevance to the enterprise and the degree of coordination throughout the organisation, including the adoption of common risk metrics.

Identify Risks

This step involves documenting the conditions and events (including “extreme events”) that represent material threats to the enterprise’s achievement of its objectives or represent areas to exploit for competitive advantage.

Analyse/quantify Risks

This step involves calibrating and, wherever possible, creating probability distributions of outcomes for each material risk. This step provides necessary input for subsequent steps, such as integrating and prioritising risks.

Analysis techniques range along a spectrum from qualitative to quantitative, with sensitivity analysis scenario analysis, and/or simulation analysis applied where appropriate.

Integrate Risks

This step involves aggregating all risk distributions, reflecting correlations and portfolio effects, and expressing the results in terms of the impact on the enterprise’s key performance indicators (i.e., the “aggregate risk profile”).

Assess/prioritise Risks

This step involves determining the contribution of each risk to the aggregate risk profile and prioritising accordingly.

Treat/exploit Risks

This step encompasses a number of different strategies including decision to avoid, retain (and finance), reduce, transfer or exploit risk. For hazard risks, the insurance market has been used as a transfer mechanism. Alternative Risk Transfer (ART) markets have developed from these with a goal of striking a balance between risk retention and risk transfer.

With respect to financial risks, the capital markets have exploded over the last several decades to assist companies in dealing with commodity, interest rate and foreign exchange risk. Until recently, companies had no mechanisms to transfer operational or strategic risks and simply had to avoid or retain these risks.

Monitor and Review

This step involves continual gauging of the risk environment and the performance of the risk management strategies. It also provides a context for considering risk that is scalable over a period of time (one quarter, one year, five years). The results of the ongoing reviews are fed back into the context-setting step, and the cycle repeats.

---

COSO ERM Framework

According to COSO of the Treadway Commission, ERM is a process, affected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The COSO Framework has the following eight components:

Internal Environment

The internal environment of an organisation sets the basis of how risk is viewed and mitigated by the organisational members. The internal environment also includes risk management philosophy and risk appetite, integrity and ethical values, and the environment of the organisation in which it operates.

Objective Setting

Before the management can identify potential events that affect the achievement of the objectives it is important to set the objectives. An effective ERM system must have a process by which the objectives can be set, and the chosen objectives must be supported and aligned with the mission of the organisation and its risk appetite.

Event Identification

The organisation must identify the internal and external events that may affect the achievement of objectives of the organisation. There must also be a clear distinction between the risks and opportunities.

Risk Assessment

For carrying out the analysis of the risks, the organisation considers its likelihood and impact for determining how they should be managed.

Risk Response

It is the duty of the management to select the risk responses (avoiding, accepting, reducing or sharing risk); the management must also develop a set of actions to align the risks in line with the risk appetite of the organisation.

Control Activities

To ensure that the risk responses are implemented effectively, the policies and procedures are established.

Information and Communication

The organisation must identify, capture and communicate the relevant information in a time- bound manner and in a particular form such that it enables the people to carry out their responsibilities.

Monitoring

The process of ERM is monitored. If found necessary, modifications are made to the ERM.

---

RIMS: Risk Maturity Model

According to the Risk and Insurance Management Society (RIMS), ERM is an umbrella framework of content and methodology that detail the requirements for sustainable and effective enterprise risk management.

It is a free assessment tool that is available for risk management experts for developing and upgrading the ERM programmes. It also helps in improving the effectiveness of the programme with its unique features.

The RIMS Risk Maturity Model (RMM) is a framework that consists of the following:

• ISO 31000
• OCEG Red Book
• BS 31100
• COSO
• FERMA
• Solvency II standards

---

Neglect of Risk Management Causes Lehman Bankruptcy

Lehman Brothers Holdings was a global financial services firm dealing in investment banking, private equity, trading, investment management and private banking. It was the fourth largest investment bank in the US before it filed for bankruptcy in 2008.

Troubled Asset Relief Programme (TARP) was created to help banks and financial institutions during the 2008 financial crisis. The risk management practices followed by these banks were examined and in some cases were even blamed for the financial condition.

Lehman Brothers was generating huge profits from mortgage-backed securities, but it neglected the crucial aspect of risk management. This was the view of Mark T. Williams, a lecturer at Boston University, who wrote the book Uncontrolled Risk about the causes that led to the 2008 financial crisis and bankruptcy of Lehman Brothers.

Williams was present at the CFO’s Corporate Performance Management Conference held in Philadelphia in February 2013. According to him, the key for any company is looking at the factors in creating trust, honesty, and integrity – what are the things that can undermine reputation?

Williams told CFO, I would argue that risk management in banking is still not at a level where it needs to be. In regard to other industries, you have to look at yourself. If you are a nuclear energy company with power plants, for example, then you’re in the risk management business.

Lehman Brothers decided to set up its risk management division when it separated from American Express in 1994. It appointed Maureen Miskovic as its first Chief Risk Officer (CRO) in 1996 who had previously held the position of treasurer at Morgan Stanley.

She held this post till 2002. Maureen had also worked at Goldman Sachs and had not only managed risk but had traded mortgage-backed securities, Williams noted. So she was both sides of the coin: perfect for the job.

William added, Just in the last decade we’ve had a huge movement towards CROs. More companies are moving risk to an enterprise-wide level and looking at risk across the whole company. Lehman appointed Madelyn Antoncic in 1999 who had also worked in mortgage trading at Goldman Sachs, to help Miskovic.

Antoncic was a top-notch risk professional, a highly trained quantitative analyst who had extensive experience involving the risks of the more complicated products that Lehman had begun to structure, trade and sell—principally mortgage-backed and asset-backed securities, Williams wrote in his book. By the year 2000, Antoncic had replaced Miskovic as the CRO of Lehman Brothers who was seen as her logical successor.

Antoncic was highly successful in her role as the CRO and was in fact named the Risk Manager of the Year by Risk Magazine in 2006. Since her appointment in September 2002, [Antoncic] has swelled Lehman’s risk management ranks to 170, with 50 new staff added over the course of 2005, Risk reported then.

Lehman Brothers had transformed into “a real estate hedge fund disguised as an investment bank” by the year 2003. Antoncic’s warnings were not heeded by the CEO of Lehman Brothers, Dick Fuld, when she termed the company “too risky”. By the year 2007, the risk posed by mortgage-backed security bets had become abundantly clear. However, Antoncic’ warnings continued to be were ignored by the senior management, and she was fired from her post.

On paper, on the company’s organisational chart, the company had a risk management function, but not in practice, Williams explains. The biggest flaw was that they listened to the risk manager in good times–but the most important time to listen to your risk manager is in bad times.

Risk professionals, he notes, are not there to be like a marketer, saying the company is wonderful and everything will be great, they are there to look at alternative, the low profitability that is occurring. In other words, their job is to give the company a reality check.

Antoncic was replaced by the CFO Chris O’Meara. The new CRO had two important qualifications, Williams said, He was Fuld-Friendly and he had no formal risk management training. A dangerous combination and hardly an adequate counterbalance against oversized risk taking. Lehman Brothers had shown that it promoted a weak risk management culture when it replaced a competent employee with one who did not have the suitable credentials for the job.

In March 2009, Dow Jones hit a 12-year low on the stock market at 6500 points. As a result, trillions of dollars were lost, and around 8 million people lost their means of livelihood, and the US government policymakers came to the realisation that not saving Lehman Brothers was “a disastrous mistake”.