Enterprise Risk Management (ERM)

What is it?

Process

Enterprise risk management (ERM) is the process of identifying and addressing methodically the potential events that represent risks to the achievement of strategic objectives, or to opportunities to gain competitive advantage.

Risk management is an essential element of the strategic management of any organisation and should be embedded in the ongoing activities of the business. Two widely referenced frameworks include the Committee of Sponsoring Organizations of the Treadway Commission COSO ‘ERM – Integrated Framework’; and the guidance developed by Airmic and the Institute of Risk Management IRM – ‘A structured approach to ERM and the requirements of ISO 31000’.

The fundamental elements of ERM are the assessment of significant risks and the implementation of suitable risk responses. Risk responses include: acceptance or tolerance of a risk; avoidance or termination of a risk; risk transfer or sharing via insurance, a joint venture or other arrangement; and reduction or mitigation of risk via internal control procedures or other risk prevention activities.

Other important ERM concepts include the risk philosophy or risk strategy, risk culture and risk appetite. These are expressions of the attitude to risk in the organisation, and of the amount of risk that the organisation is willing to take. These are important elements of governance responsibility.

Management responsibilities include the risk architecture or infrastructure, documentation of procedures or risk management protocols, training, monitoring and reporting on risks and risk management activities.

Source: How to Communicate Risks Using Heat Maps, CGMA

What benefits does ERM provide?

• Greater awareness about the risks facing the organisation and the ability to respond effectively
• Enhanced confidence about the achievement of strategic objectives
• Improved compliance with legal, regulatory and reporting requirements
• Increased efficiency and effectiveness of operations

Questions to consider when Implementing ERM

• What are the main components or drivers of our business strategy?
• What internal factors or events could impede or derail each of these components?
• What external events could impede or derail each of the components?
• Do we have the right systems and processes in place to address these internal and external risks?

Actions to take / Dos

Actions to Avoid / Don’ts

• Gain support of top management and the board
• Engage a broad base of managers and employees in the process
• Start with a few key risks and build ERM incrementally
• Use existing knowledge, skills and resources in management, internal audit, compliance etc.
• Embed ERM into the fabric of the organisation
• Take a holistic, portfolio view of risks across the enterprise

• Never treat ERM as a project – ERM is a process
• Don’t get bogged down in details and history – ERM should be strategic and forward-looking
• Avoid relying only on a few key staff – make ERM everyone’s job
• Don’t take a silo or stove-pipe approach to risks. Don’t ignore how risks might impact on other parts of the business
• Avoid obsessing too much about categorising risks – rather than ensuring that the key risks have been identified and mitigation plans developed
• Never assume that the risk register is complete – there will always be ‘unknown unknowns’ and the biggest enemy of effective ERM is complacency

In practice:
Enterprise risk management

Gemini Motor Sports

Download the full case study

A hypothetical illustration from a CGMA case study: How to evaluate enterprise risk management maturity.

Gemini Motor Sports (GMS), a public company headquartered in Brazil, manufactures on-road and off-road recreational vehicles for sale through a dealer network in Brazil and Canada. GMS Chief Financial Officer (CFO) David Cruz was charged with overseeing the development of the initial ERM framework for the company.

In the first year of implementation, the ERM team met with senior management, and identified and prioritised a number of crucial risks that had been disruptive to GMS. Their initial presentation to the audit committee was criticised for being a rehash of past problems, and not useful to the board as they discussed the strategic direction of GMS.

In the second year of the programme, after seeking ERM training for the team, Cruz focused more attention on potential events that managers thought might affect the business. He asked them to assess the likelihood and potential impact of the identified risks.

The resulting report was well received. However, the audit committee chair suggested that the next step be an evaluation of the risk management process and the degree of its integration with the strategic management process of the organisation, leading to the use of the CGMA Risk Management Maturity tool.

Lessons learned

• Broad involvement on the part of board members and employees is essential in determining the risk appetite of a company, and in identifying and prioritising risks.
• Speed of onset and persistence of risks, in addition to impact and likelihood, are important considerations in the prioritisation of risks.
• Ongoing monitoring and concise reporting on key risk exposures are essential for effective risk management.