10 October 2017

Traditional Risk Management vs Enterprise Risk Management: Which Approach Is The Best Choice For Your Company?

Lowndes, Drosdick, Doster, Kantor & Reed, P.A.

Contributor


According to the National Association of Corporate Directors ("NACD"), "there are a number of things that Boards need to do as the number and magnitude of business risks increase." The NACD supports the proposition that Boards need greater awareness of risk and a more disciplined board review of enterprise risk management ("ERM"), which is different from traditional risk management.

How does traditional risk management differ from enterprise risk management? Let's take a look at some basics:

| Traditional Risk Management | Enterprise Risk Management |
| --- | --- |
| Segmented / Departmentalized | Holistic approach |
| Each department/business unit/silo deals with own risk | Emanates from the "top" – typically the Board of Directors |
| Little or no knowledge of overall organizational risks | Broad perspective on overall organizational risks |
| Focus is on preventing loss within the business unit (tactical) | Focus is on lowering risk, increasing sustainability and providing savings/value across the entire organization (strategic) |
| Manages uncertainties around physical and financial assets | Assesses entire asset portfolio including intangibles such as customers, employees, suppliers, innovative processes, proprietary systems |
| Solutions to mitigating risk based on each silo's expertise and decision-making skills | Solutions to mitigating risk based on strategy-setting across the entire organization |

Realistically, no single group or person in the company has a grasp of the exposure that the entire organization faces. Admittedly, the best expertise to address the risks within a particular area of responsibility resides within that department. However, this traditional bottom-up approach to risk management relies too heavily on communicating upward and will likely create performance variabilities as well as new risks in other departments.

ERM, however, elevates risk management to a strategic organizational level. The Committee of Sponsoring Organizations of the Treadway Commission ("COSO") defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Easier said than done. Of course, implementing ERM is challenging. So how does a company get started? An important tool for implementing an ERM process is the development of a risk identification framework. Here are two initial, key steps to help identify an organization's exposure to uncertainty:

These two steps are an excellent beginning for establishing the company's appetite for risk which, in turn, will assist the company in establishing risk treatment and mitigation, followed by risk monitoring, risk reporting and continuous improvement within an organization. All of these elements facilitate improved governance by the Board and help the Board manage the risks demanding Board attention – such as governance risks, critical enterprise risks, Board-approval risks, business management risks, emerging/non-traditional risks.

The NACD further suggests following 8 key practices for organizational risk management:

  1. Clarify the roles of the board, committees, and management.
  2. Understand the company's risk profile.
  3. Define the company's risk appetite.
  4. Integrate strategy, risk, and performance discussions.
  5. Ensure transparent and dynamic risk reporting.
  6. Reinforce clear accountability for risk.
  7. Verify that mitigation reduces risk exposure.
  8. Assess risk culture.

The payoff with an ERM process is lower risk, financial savings, improved sustainability, and increased investor or stakeholder confidence. But is ERM for everyone?

Regardless of size, every organization faces risks, takes risks, and responds to risks. Most organizations can stand to improve the oversight, control and discipline of risk management as the company – and the world – evolves. Taking a progressive, holistic approach will help any company oversee and manage its risks more effectively.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
