Enterprise Risk Management (ERM) is an integrated approach to enterprise-wide risk management intended to protect and increase value for all parties with an interest in the organization. The ERM approach engages all levels and departments of a business to identify, evaluate, and monitor risks and to seize opportunities. Given this scope, ERM may constitute an approach to corporate governance rather than an isolated and discrete function of an organization. The approach has support from influential parties and is gaining acceptance in the business community.
Keywords: Benchmarking; Internal Auditor; Risk Ranking; Sarbanes-Oxley Act; Stakeholders; Value at Risk
The purpose of an organization can be understood as creating value for all interested parties, or stakeholders. These stakeholders are executives, members of the board of directors, shareholders (who may number in the millions), and employees (who may number in the thousands); there is much at stake in a business. Risk and reward is a fundamental concept in capitalist enterprise. Capitalism requires that businesses take risks in their effort to develop and offer valuable products to the markets. As the saying goes, no risk, no reward. However, the existence of risk should not translate into irresponsibility in business affairs or creative paralysis. As a business grows, the frequency and magnitude of the impact of the risks it faces increase. This fact highlights the need for some approach to risk management. Insurance is a critically important component in minimizing the impact of specific events and legal liability. Enterprise risk management, however, is an active system incorporated into corporate governance across an entire organization in order to manage, and even capitalize on, risk. The consequences of poor governance and lax risk management became headlines with the WorldCom and Enron scandals at the beginning of the twentieth century. These scandals prompted increased government regulation and underscored the value of effectively managing the risk that stakeholders face.
Every organization, regardless of size, faces risk to some extent. The severity of a risk is often cast in terms of probability and impact: the degree of risk is a function of the probability that a given event will occur and the severity of the consequences should it occur. The product of those two factors may be thought of as a risk score. Ideally, a risk with a high probability and high potential damage would be addressed first and with all appropriate care. In practice, this simple idea may be difficult to implement effectively and consistently. To become more capable at handling risk, organizations can turn to Enterprise Risk Management (ERM). ERM is a structured and disciplined approach to managing risk that incorporates methods and processes to deal with the risks inherent in the pursuit of an organization's business goals. With an extensive implementation, ERM can serve both as a risk management tool and as a method to capitalize on potential opportunities. ERM may also be described as a management technique that employs the concepts of strategic planning, operations management, and internal company controls. The basic functions, or tasks, of ERM are to identify, analyze, evaluate, respond to, and monitor risks and opportunities.
The Goal
The goal of ERM is to form an integrated and unified, or holistic, approach that considers all risk. Large organizations typically have several departments that individually identify and manage risks within their particular field of responsibility. In terms of ERM, individual risk areas may sometimes be called "risk functions." The core goal of ERM is to maximize and coordinate the capabilities of each area in an effort to generate an integrated and unified presentation of risk for stakeholders and to enable the business to manage risk more effectively.
Areas of Participation
There are a number of areas within a large organization that participate in ERM programs. Strategic planning efforts identify external threats and weak points and the methods to address them appropriately. Marketing departments seek to ensure that the products and services offered are in line with customer needs and desires. The compliance and ethics departments join the ERM effort to ensure conformity with relevant codes of conduct and to direct fraud investigations. The accounting department identifies financial reporting risks that may arise under the Sarbanes-Oxley Act. The legal department manages ongoing litigation and studies trends in the law that may affect the organization. Insurance is integrated to provide the proper coverage for the business's operations and interests. The treasury must be sure that risk related to commodity pricing and foreign exchange fluctuations is covered while being certain the organization has the cash on hand to meet ongoing operations. Quality assurance must monitor output to ensure that it is within tolerance limits. The operations department conducts the daily business and identifies obstacles that may threaten those day-to-day operations. The credit department makes certain that any credit extended to a customer is in accord with the customer's ability to pay. Customer service ensures that complaints are adequately addressed and that the cause of each complaint is reported to the operations department. The internal audit department evaluates the effectiveness of each department and recommends improvements. All of these functions are incorporated into the ERM structure.
The Process
The ERM process begins with risk identification. Risk identification should be creative and well-structured, and should extend to all risks, whether or not they are within the company's control. This wide-open, creative process may tend to produce a large and unwieldy list. To keep things organized, a computerized risk register is often recommended. Once a list has been created and organized, the cause and effect of each item should be considered and the appropriate experts consulted. Each risk should be assessed to separate minor risks from more serious ones and should be assigned a score. For example, a number from one to ten can be determined for each of two dimensions: probability and severity. A zero score may mean a risk almost never happens or is of trivial consequence. On the other hand, a score of ten may mean that a particular risk almost always happens or carries potentially catastrophic consequences. These scores can then be multiplied together to generate a final risk score that communicates the magnitude of the impact posed by a risk and the urgency with which it must be addressed. The scores, along with a detailed description and evaluation, can be placed in a risk register. That risk register creates a record on which...
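The scoring and register steps above (score each risk on probability and severity, multiply, record, and rank so that high-probability, high-impact risks are addressed first) are concrete enough to carry into code. The following is an added example, not code from the article or from any ERM standard: a minimal computerized risk register in Python. It takes the one-to-ten scale from the article's example and rejects values outside it, breaks ties on equal score in favour of the higher severity so that a rare but catastrophic risk is not buried beneath a frequent nuisance, and sorts entries into tiers. The sample risks, their scores, the owner field, and the tier thresholds (50 and 20) are all constructed assumptions; a real organization sets its own scale and appetite.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # scoring scale, taken from the article's one-to-ten example


@dataclass(frozen=True)
class Risk:
    """One risk register entry: a description plus the two scored dimensions."""
    name: str
    probability: int  # 1 = almost never happens, 10 = almost always happens
    severity: int     # 1 = trivial consequence, 10 = potentially catastrophic
    owner: str        # department responsible for the response (assumed field)

    def __post_init__(self):
        # Reject scores outside the scale so the register cannot hold an unranked entry.
        for label, value in (("probability", self.probability), ("severity", self.severity)):
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{label} for {self.name!r} must be an integer "
                    f"{SCALE_MIN}-{SCALE_MAX}, got {value!r}"
                )

    @property
    def score(self) -> int:
        """Risk score = probability x severity, as the article describes."""
        return self.probability * self.severity


class RiskRegister:
    """Minimal computerized risk register: keeps entries unique and ranks them."""

    def __init__(self):
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        # A duplicate name usually means two departments logged the same risk.
        if risk.name in self._risks:
            raise ValueError(f"duplicate risk {risk.name!r}")
        self._risks[risk.name] = risk

    def ranked(self) -> list[Risk]:
        # Highest score first; on ties, higher severity comes first so that a
        # low-probability but catastrophic risk is not buried under nuisance ones.
        return sorted(self._risks.values(),
                      key=lambda r: (r.score, r.severity), reverse=True)

    def tier(self, risk: Risk, high: int = 50, medium: int = 20) -> str:
        # Thresholds are an assumption for this example; they express risk appetite.
        if risk.score >= high:
            return "high"
        if risk.score >= medium:
            return "medium"
        return "low"

    def report(self) -> list[tuple[str, int, str, str]]:
        """(name, score, tier, owner) rows in priority order, ready for a stakeholder summary."""
        return [(r.name, r.score, self.tier(r), r.owner) for r in self.ranked()]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for illustration; not data from the article."""
    reg = RiskRegister()
    for name, probability, severity, owner in [
        ("Phishing leads to credential theft", 8, 7, "Security operations"),
        ("Internet-facing server missing patches", 6, 9, "IT operations"),
        ("Primary data centre power loss", 2, 10, "Facilities"),
        ("Misstatement in quarterly financial report", 4, 5, "Accounting"),
        ("Customer complaint handled late", 7, 2, "Customer service"),
    ]:
        reg.add(Risk(name, probability, severity, owner))
    return reg


if __name__ == "__main__":
    for name, score, tier, owner in build_sample_register().report():
        print(f"{score:3d} {tier:6s} {owner:20s} {name}")
```

Running the script prints the register in priority order. Note that the data centre outage and the financial misstatement both score 20, yet the outage ranks first because its severity is 10; a register that sorted on the product alone would hide that distinction, which is exactly the kind of signal the stakeholder summary is meant to surface.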