What is it?
Enterprise risk management (ERM) is the process of methodically identifying and addressing the potential events that represent risks to the achievement of strategic objectives, or to opportunities to gain competitive advantage.
Risk management is an essential element of the strategic management of any organisation and should be embedded in the ongoing activities of the business. Two widely referenced frameworks are the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ‘ERM – Integrated Framework’, and the guidance developed by Airmic and the Institute of Risk Management (IRM), ‘A structured approach to ERM and the requirements of ISO 31000’.
The fundamental elements of ERM are the assessment of significant risks and the implementation of suitable risk responses. Risk responses include: acceptance or tolerance of a risk; avoidance or termination of a risk; risk transfer or sharing via insurance, a joint venture or other arrangement; and reduction or mitigation of risk via internal control procedures or other risk prevention activities.
Other important ERM concepts include the risk philosophy or risk strategy, risk culture and risk appetite. These are expressions of the attitude to risk in the organisation, and of the amount of risk that the organisation is willing to take. These are important elements of governance responsibility.
Management responsibilities include the risk architecture or infrastructure, documentation of procedures or risk management protocols, training, monitoring and reporting on risks and risk management activities.
Source: How to Communicate Risks Using Heat Maps, CGMA
What benefits does ERM provide?
- Greater awareness about the risks facing the organisation and the ability to respond effectively
- Enhanced confidence about the achievement of strategic objectives
- Improved compliance with legal, regulatory and reporting requirements
- Increased efficiency and effectiveness of operations
Questions to consider when implementing ERM
- What are the main components or drivers of our business strategy?
- What internal factors or events could impede or derail each of these components?
- What external events could impede or derail each of the components?
- Do we have the right systems and processes in place to address these internal and external risks?
| Actions to take / Dos | Actions to avoid / Don'ts |
| --- | --- |
Gemini Motor Sports
A hypothetical illustration from a CGMA case study: How to evaluate enterprise risk management maturity.
Gemini Motor Sports (GMS), a public company headquartered in Brazil, manufactures on-road and off-road recreational vehicles for sale through a dealer network in Brazil and Canada. GMS Chief Financial Officer (CFO) David Cruz was charged with overseeing the development of the initial ERM framework for the company.
In the first year of implementation, the ERM team met with senior management and identified and prioritised a number of crucial risks that had been disruptive to GMS. Their initial presentation to the audit committee was criticised as a rehash of past problems, of little use to the board in its discussion of the strategic direction of GMS.
In the second year of the programme, after seeking ERM training for the team, Cruz focused more attention on potential events that managers thought might affect the business. He asked them to assess the likelihood and potential impact of the identified risks.
The resulting report was well received. However, the audit committee chair suggested that the next step be an evaluation of the risk management process and the degree of its integration with the strategic management process of the organisation, leading to the use of the CGMA Risk Management Maturity tool.