What is Enterprise Risk Management?
by Andrew Smart
Enterprise Risk Management (ERM) can be defined as a holistic, integrated, portfolio approach to risk management that focuses on consistently managing risks, regardless of type, across the enterprise. The purpose of ERM is to improve the firm’s ability to deliver its objectives and sustainably create shareholder value.
It is frequently seen as an umbrella approach that sits above other risk types to provide an overview of the enterprise’s risk profile. However, it is important to highlight the emphasis on ‘delivering objectives’ and ‘creating shareholder value’ within the definition above, for this is the real purpose and value of ERM.
Too often, when implemented, ERM becomes about creating a consolidated ‘Top 20’ list of risks to present to the Board and Regulators solely for comfort that the firm is managing its risks. This approach undermines the potential value Enterprise Risk Management can bring.
The focus on ‘delivering objectives’ and ‘creating shareholder value’ is supported by the two most widely deployed risk management standards: the Committee of Sponsoring Organisations of the Treadway Commission (COSO) framework and ISO 31000.
The COSO Enterprise Risk Management framework (2004) defined ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Significantly, in 2017, COSO published a revised framework which defines ERM as “not a function or department. It is the culture, capabilities, and practices that organisations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realising value.” This reflects the importance of firms focusing on ‘delivering objectives’ and ‘creating shareholder value’ through their ERM approach.
ERM is more than a risk listing. It requires more than taking an inventory of all the risks within the organisation. It is broader and involves actively managing risk through practices put in place by management.
The ISO 31000 Risk Management standard defines risk as the “effect of uncertainty on objectives”, with the accompanying note that an effect is a deviation from the expected. It can be positive, negative, or both, and can address, create or result in opportunities and threats. Objectives can have different aspects and categories and can be applied at different levels.
So, when your firm embarks on its Enterprise Risk Management journey, ensure that ‘delivering objectives’ and ‘creating shareholder value’ are the focus. Start by asking: what are we trying to achieve, and what could stop us? Not: what are our risks?