Enterprise Risk Management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on its capital and earnings. It provides an integrated, holistic approach to understanding and managing all of the risks that an organization faces. Its primary purpose is to improve the quality of decision-making. It gives management the visibility to recognize the interdependency of risks, thereby decreasing the likelihood of their occurrence. Organizations face many types of risks. These risks include:
- Strategic risks – Strategic risk is your organisation’s response to uncertainties and opportunities. It involves a clear understanding of corporate strategy, the risks in adopting it, the risks in executing it and the organisation’s ability to adapt to market changes.
- Financial risk – Financial risk is a term for multiple types of risk associated with financing, including financial transactions that include company loans at risk of default. Risk is a term often used to imply downside risk, meaning the uncertainty of a return and the potential for financial loss.
- Regulatory risks – Regulatory risks involve an organization’s compliance with corporate sustainability, trade, financial reporting, and other legal and regulatory requirements.
- Operational risks – Operational risks involve the people, processes and technology that are needed to carry out an organization’s strategic objectives. These risks would include how well information technology systems function or the effectiveness of information security to protect confidential data.
Let’s discuss the five phases of risk management:
- Risk Planning – The goals, objectives, strategies, scope, and parameters for activity of the organization to which the risk management process is being applied should be established.
- Risk Identification – In this phase we identify the prospective risks that can occur, along with their causes and impact on the business.
- Risk Analysis – Risk analysis involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences may occur. Factors that affect consequences and likelihood may be identified. Risk is analysed by combining consequences and their likelihood.
- Risk Response – The purpose of risk response is to make decisions based on the risk analysis about which risks need to be addressed, and their associated priorities. Risk response involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. The objectives of the organization and the extent of business objectives should be considered.
- Risk Monitoring – The purpose of risk monitoring is to monitor the effectiveness and completeness of the response actions, take corrective action and communicate the status of the risks.
The benefits of this approach include:
- Managing risks as a system will help an organization improve its situational awareness, which in turn will allow it to respond to risks more proactively and lead to fewer surprises.
- An organization will also have a better chance to achieve its strategic goals if it understands the underlying causes of potential failure.
- It will be able to create better value from resources by eliminating the need to respond to unexpected crises. This will give an organization more time to pursue other (value creating) work.
- An organization will need to define and communicate its tolerance for risk (specifically the willingness to incur a loss in pursuit of its business objectives). Without a definition, managers will not know which risks are too large and which are too small to address.
- Information about risks must flow seamlessly and blamelessly across an organization to the management teams. Risk information has sometimes been perceived to be bad news instead of a call for action, which likely has caused some managers to filter or hide information.
- An organization’s managers and employees must value risk information, which typically requires a cultural mind-set for change so a healthy risk communication culture can take hold, ERM practitioners say.
- In addition, responsibility for risks should be assigned to those managers who can best oversee them. Risk without responsibility is a recipe for organizational disaster.