Your Personal and Professional Development: Plans, Tips and Lists


How do companies manage risk? Crack the E.R.M. code!


Enterprise Risk Management
This article is based on the free ebook "Enterprise Risk Management"

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows by the COSO:

Enterprise Risk Management (ERM) is a process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a foundation for defining enterprise risk management effectiveness.

However, this definition falls short in two major respects. First, successful ERM has to be driven and carried by the whole organisation, and especially by middle management. Second, every company that uses ERM has to ensure that a “risk awareness culture” is trained, lived and rewarded within the company.

The ERM framework

Within the context of a company’s established mission or vision, management sets strategic objectives, selects a strategy, and defines aligned objectives that cascade through the enterprise. The enterprise risk management framework groups these objectives into four categories:

Strategic – high-level goals, aligned with and supporting its mission. Strategic risks include, for example, risks from damage to reputation, competition, customer wants, demographic and social trends, or regulatory and political trends.

Operational – effective and efficient use of its resources. Operational risks include risks from business operations (e.g., human resources, product development, efficiency, channel management, business cycles), empowerment (leadership, willingness to change), and IT.

Financial/Reporting – reliability of reporting. Financial reporting risks include, among others, risks from price (e.g., asset value, interest rate, foreign exchange), liquidity (cash flow, call risk, opportunity cost), credit (e.g., rating), basis financial risk (e.g., hedging), and wrong or incomplete reporting (e.g., of financial performance).

Hazard/Compliance – individual errors and compliance with applicable laws and regulations. These risks include, for example, risks from property damage, natural phenomena, business interruption, liability claims, theft and other crime, including personal injury.

The categories are distinct but also overlapping: a particular objective can address different entity needs and may be the direct responsibility of different managers. The categorization also makes clear what can be expected from ERM for each category of objectives.

Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity’s control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic and operational objectives, however, is subject to external events not always within the entity’s control. Accordingly, for these objectives, enterprise risk management can provide reasonable assurance only that management, and the board in its oversight role, are made aware in a timely manner of the extent to which the entity is moving toward achievement of the objectives.

If you want to learn more about risk management, read “Enterprise Risk Management” by Prof. Dr. Olaf Passenheim.