What is Enterprise Risk Management?
Enterprise risk management (ERM) deals with risks and opportunities to create or preserve value. It is defined as follows:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
This definition reflects certain fundamental concepts. ERM is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of
• Designed to identify potential events affecting the entity and manage risk within its risk appetite
• Able to provide reasonable assurance to an entity's management and board
• Geared to the achievement of objectives in one or more separate but overlapping categories – it is a means to an end, not an end in itself.
This definition is purposefully broad for several reasons. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across types of organizations, industries and sectors. It focuses directly on achievement of objectives established by a particular entity. And, the definition provides a basis for defining ERM effectiveness, discussed later in this chapter. The fundamental concepts outlined above are discussed in the following paragraphs.
ERM is not static, but rather a continuous or iterative interplay of actions that permeate an entity. These actions are pervasive and inherent in the way management runs the business.
ERM is different from the perspective of some observers who view it as something added on to an entity's activities. That is not to say effective ERM does not require incremental effort, as it may. In considering credit and currency risks, for example, incremental effort may be required to develop required models and make necessary analyses and calculations. However, these ERM mechanisms are intertwined with an entity's operating activities and exist for fundamental business reasons. ERM is most effective when these mechanisms are built into the entity's infrastructure and are part of the essence of the enterprise. By building in ERM, an entity can directly affect its ability to implement its strategy and achieve its mission or vision.
ERM has important implications for cost containment, especially in the highly competitive marketplaces many companies face. Adding new procedures separate from existing ones adds costs. By focusing on existing operations and their contribution to effective ERM, and integrating risk management into basic operating activities, an enterprise can avoid unnecessary procedures and costs. And, a practice of building ERM into the fabric of operations helps identify new opportunities for management to seize in growing the business.
Effected by People
ERM is effected by an entity’s board of directors, management and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity's mission, strategy and objectives, and put ERM mechanisms in place.
Similarly, ERM affects people's actions. ERM recognizes that people do not always understand, communicate or perform consistently. Each individual brings to the workplace a unique background and technical ability, and has different needs and priorities.
These realities affect, and are affected by, ERM. Each person has a unique point of reference, which influences how he or she identifies, assesses and responds to risk. ERM...