Updated, March 2019
Protiviti’s Jim DeLoach provides a definition of ERM and explains why it is important in his first article of his new column, Making Enterprise Risk Management Work.
Enterprise risk management (ERM) is an enigma. Many executives say they do it, yet gather 10 of them in a room and they can’t agree on what it is. The reality is companies think they are implementing ERM, but they really aren’t. What we see in practice often demonstrates a very limiting view of ERM, from maintaining a list of risks (“enterprise list management”) to summarizing risk responses, leaving many corporate leaders underwhelmed with its value contributed in view of the speed of business and ever-changing economic environment.
This isn’t just our opinion. Last year, North Carolina State University issued its “2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition,” which concluded that risk management processes are relatively immature and ad hoc. In addition, Standards & Poor’s (S&P) issued a report on how non-financial companies are managing risk based on its reviews, declaring that the state of development of ERM in non-financial companies is at a relatively immature stage.
In its immature state, ERM adds limited value because it often leaves management with a list of risks and very little insight as to what to do next. In its various forms, ERM may increase risk awareness with management, the board of directors and others, but it will not be effective in driving decisions because it typically isn’t integrated with the enterprise’s decision-making processes. As a result, risk is often an afterthought to strategy and risk management is an appendage to performance management.
So what is ERM? The Committee of Sponsoring Organizations (COSO) points out that ERM, among other things:
- Is an ongoing process
- Is applied in strategy setting and across the enterprise
- Is designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
- Provides reasonable assurance regarding the achievement of business objectives
ISO 31000 states that risk management is an integral part of organizational processes as well as a part of decision making.
While these and other frameworks provide valuable insight in defining ERM, we believe ERM can be summed up as follows:
ERM is the discipline, culture and control structure an organization has in place to continuously improve its risk management capabilities in a changing business environment.
Why is ERM important? Events over recent years have pointed to five realities that every CEO and board face:
- The time may come – sooner than we may expect – when the fundamentals of the business are about to change. Risk management is about securing “early mover” positioning in the marketplace. Management of strategic uncertainties requires an understanding of the key assumptions underlying the strategy and monitoring changes in the business environment to ensure that these assumptions remain valid over time.
- It is not what we know that matters; it is what we don’t know that makes the difference. The question should be: Is our approach to assessing risk identifying emerging risks and telling us something we don’t know?
- Most businesses are boundary-less. A strategic perspective applied to operational risks suggests the need for an end-to-end extended enterprise view of the value chain, requiring consideration of upstream and downstream relationships. What happens if any critical component of this chain were lost for an indeterminate period of time?
- Sooner or later, there will be a crisis that will test your company. Even the most effective risk management cannot prevent this exposure. Yet companies spend a lot of time guessing at probabilities and ignoring the speed of impact, the persistence of impact over time and the organization’s response readiness.
- Management and directors are struggling with delineating between risk management and risk oversight. The risk oversight playbook is evolving. CEOs fear an overlay and non-value-added activity that is out of sync with the rhythm of the business. It makes sense to start both risk management and risk oversight at the same place – with the formulation of strategy, including an understanding of the key assumptions underlying the strategy.
These five realities are forcing management and their boards to take a fresh look at risk and crisis management. An effectively functioning ERM process is important because it can help them address these new realities.