Enterprise risk management (ERM) is a structured approach to identify and manage risks associated with running a business, and it can apply to businesses of any size. The top-down approach of the enterprise risk management process means that risks are managed across the entire organization, taking into account business objectives and strategy. 

The implementation of ERM programs continues to show strong growth globally, due to factors such as data breaches and escalating cybersecurity threats. According to a recent report, the global ERM market is expected to grow nearly 9% per year through 2029. 

By establishing a strong ERM program, organizations can better understand their risks to improve decision-making as well as prioritize initiatives that are aimed at mitigating risks that will support organizational goals. 

What Is Enterprise Risk Management? 

Enterprise risk management is a methodology that manages risk from the perspective of the entire organization. In the past, companies have managed risks within their business units or divisions, which can lead to missed information or flawed mitigation plans because of the often siloed nature of individual business units. 

ERM is closely tied to an organization's goals and the strategies with which it plans to achieve those goals. This ensures that risk management decisions are performed at the highest levels of the organization, and those decisions can then be made available to stakeholders. 

Enterprise Risk Management Standards 

While senior leadership is ultimately responsible for managing risks to the organization, they need to go a step further by engaging the board and stakeholders about using ERM to gain a competitive advantage. To support this culture of compliance, many publicly traded companies, financial and accounting firms, and non-profits leverage the COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM framework. 

First published in 2004 and subsequently updated in 2017, this framework has gained broad acceptance by organizations to manage risk. The framework consists of five components: 

Governance and Culture 

Governance reinforces the importance of ERM by establishing oversight responsibilities. This sets the tone of the organization, as governance is driven from the top down, from the board of directors to rank-and-file employees. By demonstrating board and senior leadership oversight, the organization shows a commitment to building a culture where risk is understood and compliance is a key aspect of the business strategy. 

Strategy and Objective-Setting 

Enterprise risk management and objective-setting are discussed together when strategically planning. As corporate objectives are discussed (those objectives that support corporate goals), the appetite for risk will be determined, and objectives should be aligned with the appetite for risk. The strategy that is put into practice will serve as the basis for identifying, assessing and responding to risks. 

Performance 

Performance relates to how effectively your organization can achieve its objectives and goals. Risks that may impact work to achieve corporate goals must be identified and assessed. These risks will be prioritized by both impact and severity. Senior leadership then chooses the most appropriate response and approves the use of resources (people and budget) to mitigate and manage the risks. 

Review and Revision 

The organization should regularly review how the enterprise risk management process is functioning. Recommended changes, if any, should be made to senior leadership promptly, along with the resources that will be required to make any changes. A plan will be drafted and approved that includes the timeline for implementing any changes, with progress regularly communicated. 

Information, Communication and Reporting 

Enterprise risk management requires that organizations obtain and share information to better understand their risk profile and adapt to any new risks. Some of this information should be communicated to all employees, if related to mitigating risks. By encouraging communication across the organization, you are more likely to achieve a culture of compliance. 

Enterprise Risk Management Procedures 

Several components should be taken into account to implement an effective enterprise risk management program. 

Internal Environment 

The company culture and values play a major role in maintaining a successful ERM program. The internal environment comprises policies, procedures, codes of conduct and how teams engage with each other. A well-defined structure is essential to making sure all potential risks are identified and mitigated. Consider appointing a chief risk officer (CRO) who is accountable for all aspects of the ERM program, oversees the risk management program and reports directly to the board of directors. 

Objective Setting 

As objectives are set, as well as the goals and strategy for meeting those goals, senior management should understand and document the risks they will accept and the risks they will not accept. This is a good time to discuss what type of framework will be used to manage risk—it can be one already in use or an industry standard like COSO. It is also a good time to talk about key risk indicators (KRIs) that the organization can use to measure the performance of the ERM function. 

Risk Identification 

Identifying risks is a continuous process, where the organization examines its business processes, policies and procedures to identify new risks and update the risk register with any changes to potential risks and impacts. It is also important that all internal and external events or conditions be taken into account and changes to potential risks be updated and communicated. 

Risk Assessment and Scoring 

Once risks are identified, they need to be assessed, scored and prioritized. A simple way of applying a score is by ranking the likelihood (1=low, 2=medium and 3=high) and impact (1=no impact, 2=moderate impact and 3=critical impact) to obtain a score. Color coding can also add to the visual depiction, with lower scores being green, moderate scores being yellow, and critical scores being red. 

Risk Response 

Once risks have been assessed, scored and documented, business stakeholders can next determine the proper response plans. This typically determines how the risk will be treated. Here are the most common ways to treat a risk: 

Risk avoidance: This may mean not going forward with a decision or an activity that leads to a risk being realized. 

Risk mitigation: Mitigation is limiting the likelihood or impact of the risk through policies, processes or an IT project. 

Risk acceptance: The organization chooses to accept the risk. 

Risk transference: The organization transfers the risk to a third party. 

Control Activities 

The next component, control activities, defines and implements controls, or updates existing controls, that address the risk in support of corporate objectives and goals. Controls are typically either preventive (stopping a risk event from occurring) or detective (identifying an event after it takes place so it can be responded to). 

Monitoring 

Monitoring the performance of the ERM program is an ongoing activity. At this stage, updates are made to improve the program, and benchmarks such as risk maturity levels or the accuracy of risk identification and scoring are used to measure whether those changes had the intended effect. 

Communication and Transparency 

The last component of any strong ERM program is ensuring proper communication, which leads to transparency. Communication should take place with all employees and relevant stakeholders, with feedback going right back to senior leadership. Proper communication helps build a culture of compliance. 

Enterprise Risk Management Templates 

Enterprise risk management templates help organizations standardize certain ERM processes to ensure consistency and clear communication to stakeholders. Below are two common templates: 

Risk Register 

The risk register is a table or spreadsheet that provides a summary view of all risks to the organization. This enterprise risk management tool organizes and communicates risks in a single view, allowing for easier consumption by managers and executive leadership. Here are a few typical columns: 

  • Risk description
  • Likelihood
  • Impact
  • Action plan
  • Owner 

Risk Assessment Matrix 

A risk assessment matrix is a visual tool that depicts all potential risks that may impact the organization. Usually viewed as a table, the matrix is made up of two intersecting axes, with the likelihood of the risk occurring on one axis and the impact the risk event may have on the other. Where a risk lies on the matrix determines its color coding: risks that are both likely and potentially critical in impact are red, and as likelihood and impact decrease the coding moves from red to yellow to green. 
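The scoring scheme from the Risk Assessment and Scoring section and the matrix described above can be carried through in a few lines of code. The following is an added example, not part of the original article or any KnowledgeLeader template: it scores a constructed sample register on the article's 1-3 likelihood and impact scales, prioritizes it, and places each risk in a 3x3 matrix cell. The score formula (likelihood multiplied by impact), the color-band thresholds, and the sample register entries are all assumptions of this example.

```python
"""Added example: score a risk register and lay it out on a likelihood/impact matrix.

Assumptions (not stated by the article): score = likelihood * impact, and the
bands are green (1-2), yellow (3-4) and red (6-9). The register is sample data.
"""
from dataclasses import dataclass

# The article's 1-3 scales for likelihood and impact.
LIKELIHOOD = {1: "low", 2: "medium", 3: "high"}
IMPACT = {1: "no impact", 2: "moderate", 3: "critical"}


@dataclass
class Risk:
    """One row of a risk register, using the article's typical columns."""
    description: str
    likelihood: int
    impact: int
    action_plan: str
    owner: str

    def score(self) -> int:
        # Reject values outside the 1-3 scales before multiplying.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must each be 1, 2 or 3")
        return self.likelihood * self.impact  # assumed formula


def band(score: int) -> str:
    """Map a score to a color band (assumed thresholds; possible scores 1,2,3,4,6,9)."""
    if score >= 6:
        return "red"
    if score >= 3:
        return "yellow"
    return "green"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; on ties, the higher-impact risk wins, then by name."""
    return sorted(register, key=lambda r: (-r.score(), -r.impact, r.description))


def build_matrix(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Return {(likelihood, impact): [risk descriptions]} for every cell of the 3x3 grid."""
    cells = {(lk, im): [] for lk in LIKELIHOOD for im in IMPACT}
    for r in register:
        r.score()  # validates the scales
        cells[(r.likelihood, r.impact)].append(r.description)
    return cells


def render_matrix(cells: dict[tuple[int, int], list[str]]) -> str:
    """Plain-text rendering, high likelihood on top, critical impact at the right."""
    lines = ["likelihood \\ impact: " + " | ".join(IMPACT[i] for i in (1, 2, 3))]
    for lk in (3, 2, 1):
        row = []
        for im in (1, 2, 3):
            names = ", ".join(cells[(lk, im)]) or "-"
            row.append(f"[{band(lk * im)}] {names}")
        lines.append(f"{LIKELIHOOD[lk]:>6}: " + " | ".join(row))
    return "\n".join(lines)


# Constructed sample register (not from the article).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", 3, 3, "Patch within SLA; add to vuln scan scope", "IT Ops"),
    Risk("Phishing leading to credential theft", 3, 2, "Enforce phishing-resistant MFA; awareness training", "Security"),
    Risk("Backup restore procedure untested", 2, 3, "Quarterly restore drill", "IT Ops"),
    Risk("Critical SaaS vendor outage", 2, 2, "Review vendor SLA; document manual workaround", "Procurement"),
    Risk("Loss of unencrypted removable media", 1, 2, "Enforce device encryption policy", "Security"),
]


def prioritized_descriptions(register: list[Risk] = SAMPLE_REGISTER) -> list[str]:
    return [r.description for r in prioritize(register)]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():>2} {band(r.score()):<6} {r.description} (owner: {r.owner})")
    print()
    print(render_matrix(build_matrix(SAMPLE_REGISTER)))
```

The tie-break in `prioritize` is a design choice worth making explicit in a real register: two risks with the same score are not equally urgent, and preferring the higher-impact one reflects the article's point that senior leadership prioritizes by both impact and severity.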

Enterprise Risk Management Best Practices 

Enterprise risk management programs and practices will vary depending on the type and size of the organization. However, all organizations can benefit from some best practices. The following are several to consider: 

Think broadly about risks. When discussing any risk to the organization, make sure to have a broad representation of voices to weigh in on potential impacts and the challenges that will be faced in responding. 

Define the risk philosophy. Don't just talk about your approach to enterprise risk management; write it down. A company should define how it feels about risk and the strategies that will be used to manage all risks to the organization. 

Assign responsibility. Name people to own aspects of the ERM process, from the overall process owner to action plan owners, as well as those responsible for reporting to executive management. Make ownership a part of their individual goals. 

Communicate regularly. Communicate critical and likely risks, as well as the plans that will be followed should the event occur. Consider sharing material that is presented to the board of directors and senior leadership with employees to show the importance of your organization's ERM program. 

Learn more about enterprise risk management by exploring these related resources on KnowledgeLeader: 
