What is Enterprise Risk Management (ERM)?
Businesses have always needed to address a range of risks, but many have done so in a haphazard fashion within individual departments. Such infrequent or fragmented risk management distracts from an organization’s core business activities and can leave some risks overlooked altogether.
Enterprise risk management on the other hand is a strategic, holistic approach that enables a business to systematically identify, balance and control its business risks. A well-implemented enterprise risk management program ensures that all types of risks (strategic, operational, financial, compliance, etc.) are consistently addressed.
Enterprise Risk Management: definition and meaning
ERM is a process used by organizations to manage risks and seize opportunities related to the achievement of their objectives. It provides a framework for risk management, which typically involves identifying, as far as possible, particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress.
In recent years, the rise in cyber-attacks and the impact of the COVID pandemic have underlined the shortcomings of traditional, fragmented risk assessment methods. ERM has become a crucial aspect of organizational governance and is an ongoing process that requires continuous improvement and adaptation to new risks and opportunities.
Steps and components of Enterprise Risk Management
ERM is not something that should be undertaken on a stand-alone basis; it should be aligned with and embedded into all organizational activities and decision-making processes. The vast majority of management system standards that companies use to improve products, services and reputation and to deliver on their promises, such as ISO 9001 (quality), ISO/IEC 27001 (information security) and ISO 14001 (environmental), include requirements for managing the related risks and describe how this can be done through the management system. For those needing more detailed guidance, the ISO 31000 risk management standard provides it.
The modern business environment often obliges companies and organizations to demonstrate that they comply with a specific standard to the satisfaction of customers and internal and external stakeholders. Therefore, effectively managing enterprise risks and proving it through third-party certification has become essential.
The risk management process can be broken down into several key steps:
- Risk Identification: Detecting and describing the risks that could affect the organization's objectives. The output is a register of potential events, their sources and their consequences.
- Risk Assessment: Determining the likelihood and impact of each identified risk, so that risks can be compared and prioritized on a consistent scale.
- Risk Response (treatment): Developing actions to enhance opportunities and reduce threats. For each risk this typically means choosing to avoid it, reduce it through controls, share or transfer it (for example through insurance or contracts), or accept it within the organization's risk appetite.
- Control Activities: Implementing mechanisms to ensure risk responses are actually carried out. This includes the policies and procedures that make the chosen treatments effective and verifiable.
- Information and Communication: Ensuring relevant risk information is identified, captured and communicated in a timely manner across the organization. This step is vital for informed decision-making.
- Monitoring and Review: Continuously observing the risk management process to confirm that it is effective, re-assessing risks as the environment changes and adjusting responses as necessary. This is not a final step but an ongoing cycle that feeds back into identification and assessment.
Enterprise Risk Management examples
Relevant risks will vary depending upon a company’s business activities, industry and geography. Traditional risks common to many companies include threats to the competitiveness of products or services and the ability to comply with health and safety regulations. Most companies have to manage stakeholder expectations, cyber and information security threats now affect the majority, and artificial intelligence is on every agenda in some form. Topics that were once peripheral, like diversity, equity and inclusion (DEI), are moving higher on many companies’ programs. Taking a wider perspective, delivering on environmental, social and governance (ESG) demands and demonstrating performance weighs heavily with investors and other stakeholders. By implementing a robust enterprise risk management strategy, organizations not only protect themselves from potential threats but also position themselves to seize new opportunities.
Examples of ERM in action might include a technology firm implementing advanced cybersecurity measures to protect against data breaches, and a food producer taking steps to use only sustainably produced raw materials and introducing enhanced food safety measures in its production and across its supply chain to protect consumer health.
ERM tools and solutions
There are various tools and solutions available to support ERM, some of which are more complex than others.
A management system compliant with certifiable standards from ISO and other scheme owners can provide a structured approach. In the case of ISO, the ISO 31000 risk management standard is very useful as are other guides and manuals that offer approaches for implementing ERM in line with specific industry standards.
The impact of risks can be presented in a risk matrix with the likelihood of an incident occurring on one axis and its impact severity on the other. Usually, the risk level ranges from low in the lower left (low likelihood, low impact), through moderate and high, to very high in the upper right (high likelihood, high impact). The bands are only as meaningful as the scales behind them: the organization has to define what each likelihood and impact score means, apply the same scoring to every risk, and compare the resulting level with a stated risk appetite so that the matrix drives treatment decisions rather than just colouring a chart.
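The following is an added example, not code from the original article or from any ISO standard: a small risk register that walks the identify, assess, treat and monitor steps described above using a 5x5 likelihood/impact matrix. The scoring scales, the band thresholds on likelihood times impact (1-4 low, 5-9 moderate, 10-15 high, 16-25 very high), the idea that each control knocks a fixed number of points off likelihood or impact, and the three sample risks are all assumptions made for illustration.

```python
"""Added example: minimal ERM risk register with a 5x5 risk matrix.

Assumed (not from the page): integer scores 1..5, band thresholds on
likelihood * impact, controls that reduce scores by fixed points, and
constructed sample risks.
"""
from dataclasses import dataclass, field

BANDS = ("low", "moderate", "high", "very high")


def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood and impact (1..5 each) to a matrix band.

    (1,1) is the lower-left 'low' corner; (5,5) the upper-right 'very high'.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    score = likelihood * impact
    if score <= 4:
        return "low"
    if score <= 9:
        return "moderate"
    if score <= 15:
        return "high"
    return "very high"


@dataclass
class Risk:
    rid: str
    description: str
    category: str          # strategic / operational / financial / compliance
    likelihood: int
    impact: int
    owner: str
    # Treatment controls: (name, likelihood reduction, impact reduction)
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        """Band before any treatment."""
        return risk_level(self.likelihood, self.impact)

    def residual_scores(self) -> tuple:
        """Likelihood and impact after all controls, floored at 1."""
        lik, imp = self.likelihood, self.impact
        for _, d_lik, d_imp in self.controls:
            lik, imp = max(1, lik - d_lik), max(1, imp - d_imp)
        return lik, imp

    def residual(self) -> str:
        """Band after treatment; this is what is compared with appetite."""
        return risk_level(*self.residual_scores())


class RiskRegister:
    """Identify -> assess -> treat -> monitor, with an audit trail."""

    def __init__(self, appetite: str = "moderate"):
        self.appetite = appetite   # highest residual band the business accepts
        self.risks = {}
        self.log = []              # communication / audit trail

    def identify(self, risk: Risk) -> None:
        if risk.rid in self.risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        self.risks[risk.rid] = risk
        self.log.append(f"{risk.rid}: identified, inherent={risk.inherent()}")

    def treat(self, rid: str, control: str, d_lik: int = 0, d_imp: int = 0) -> str:
        risk = self.risks[rid]
        risk.controls.append((control, d_lik, d_imp))
        self.log.append(f"{rid}: control '{control}', residual={risk.residual()}")
        return risk.residual()

    def review(self, rid: str, likelihood: int, impact: int) -> str:
        """Monitoring step: re-assess a risk and record any band change."""
        risk = self.risks[rid]
        before = risk.residual()
        risk.likelihood, risk.impact = likelihood, impact
        after = risk.residual()
        if after != before:
            self.log.append(f"{rid}: residual moved {before} -> {after}")
        return after

    def above_appetite(self) -> list:
        """Risks whose residual band exceeds the appetite, worst first."""
        limit = BANDS.index(self.appetite)
        hits = [r for r in self.risks.values() if BANDS.index(r.residual()) > limit]
        return sorted(hits, key=lambda r: BANDS.index(r.residual()), reverse=True)


def demo() -> RiskRegister:
    """Constructed sample register; returns it so each step can be inspected."""
    reg = RiskRegister(appetite="moderate")
    reg.identify(Risk("R1", "Ransomware encrypts production systems",
                      "operational", likelihood=4, impact=5, owner="CISO"))
    reg.identify(Risk("R2", "Sole-source supplier fails to deliver",
                      "operational", likelihood=3, impact=4, owner="COO"))
    reg.identify(Risk("R3", "New regulation not met by deadline",
                      "compliance", likelihood=2, impact=4, owner="GC"))
    # Treat R1: MFA and EDR lower likelihood; tested offline backups lower impact.
    reg.treat("R1", "MFA and EDR on all endpoints", d_lik=2)
    reg.treat("R1", "Tested offline backups", d_imp=2)
    # Monitoring later raises R2's likelihood after a supplier warning.
    reg.review("R2", likelihood=4, impact=4)
    return reg


if __name__ == "__main__":
    register = demo()
    for r in register.risks.values():
        print(f"{r.rid} {r.inherent():>9} -> {r.residual():<9} {r.description}")
    print("Above appetite:", [r.rid for r in register.above_appetite()])
    print("\n".join(register.log))
```

Running the script shows the ransomware risk dropping from very high to moderate once its controls are recorded, while the supplier risk, which received no treatment, climbs to very high at review time and is the only entry reported above appetite. The log is the communication artefact: every identification, control and re-assessment is recorded so the register can be reviewed by management or an auditor.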
Borrowing from the problem-solving side of quality management, the fishbone or Ishikawa diagram is a tool used in Root Cause Analysis (RCA) to identify the underlying causes of a problem. The diagram is shaped like a fish's skeleton, with the problem at the head and the causes extending to the left as the bones, categorized into major groups such as methods, machines, materials, people, measurements and environment. Used in risk management, the fishbone diagram helps to identify the potential causes of a risk that may impact a project or business. For example, if you are managing a software development project and there is a risk of delays, you can use the diagram to identify the potential causes of those delays.
Each category of potential cause is allocated to one bone of the skeleton, and each bone can in turn have branches of its own. For example, one bone may be allocated to people, another to equipment, a third to processes within the organization or supply chain and another to meeting regulation. The people bone could identify a need for training or a lack of suitable candidates. The equipment bone may cover a need for new technology or the risk of equipment failure. The processes bone might include drawing up manuals, agreeing finance and avoiding impact on other projects that may need priority. Delays due to regulation can occur because official guidelines affecting the project have not been published or are under review.
Another option is an ERM software platform that provides a flexible modelling framework capable of assessing multiple asset types and managing enterprise risks in one place.
By effectively implementing ERM, organizations not only protect themselves from potential threats but also position themselves to take advantage of new prospects as they arise. Organizations looking to strengthen their skills and knowledge can explore risk management courses to better implement ERM practices and frameworks.