In business, enterprise risk management (ERM) is a discipline that uses methods and processes to identify and manage the full spectrum of risk in order to achieve an organization’s objectives, objectives that usually require several groups to work together. The following is a basic overview of what risk management is, as well as its framework.
From a holistic view, ERM requires an internal risk management culture emphasizing the importance of managing risk as part of each person’s daily activities at all levels of an organization. The goal of creating a risk management culture is to create an environment where everyone in the organization instinctively looks for risks and considers their impact when making effective operational decisions.
The key to successful risk management is a structured process and approach.
The ERM framework is grounded in five key principles:
- Identify risk
- Assess the potential impact of the risk (analyze)
- Develop strategies to mitigate the identified risk (action)
- Implement the strategies
- Review and adapt as appropriate
The objective of risk identification is to develop a consistent and sustainable approach to identifying the risks faced by your organization – both internal and external – and it generally involves various groups within your organization. To help with identification, you may want to include those with expert knowledge of the various departments to ensure that all significant functions are represented, such as health and safety, infrastructure, HR, accounting, operations, or planning and development. Questionnaires and checklists lend themselves well to risk identification; brainstorming and interviewing key stakeholders are also valuable techniques. It is important to understand that unidentified risks can pose a major threat to achieving strategic priorities and goals.
The next step is to assess the potential impact of the identified risks. How much control, and to what degree, does your organization have over the identified risk, and what is the cost impact? What is your organization’s risk appetite? Risk appetite is often defined as the amount of risk an entity is willing to accept in pursuit of value.
The third key principle relates to developing strategies to mitigate the identified risks. These mitigation strategies can generally be divided into four categories:
- Avoidance – refrain from the activity in its entirety
- Reduction – reduce the probability or consequence (or both)
- Transfer – reduce the probability or consequence by transferring part or all of the risk
- Acceptance – take no action
Once the risk mitigation strategy has been chosen, the next step is to implement the strategy. However, it is important to note the impact these decisions may have on stakeholders, policy, internal processes, and procedures (just to name a few). If an organization chooses to reduce the probability or consequence of risk, it is vital to provide training to give personnel the knowledge and the necessary skills to adapt to the change.
The fifth principle in the framework is to review and adapt. Asking a few questions will provide some insight: Has the chosen strategy to mitigate the risk been effective, and have the desired results been attained? Have there been unintended or unfavourable consequences? Was the best strategy to mitigate the risk chosen?
For any questions or more information, please contact our risk management team: