Enterprise Risk Management
Zeroing in on key contributors to risk
Identifying both risks and rewards supports strategic thinking
By Michael J. Moody, MBA, ARM
Over the past few years, enterprise risk management (ERM) has captured the attention of many corporate executives. ERM goes beyond traditional risk management, with its focus on insurable risk, to contemplate all of the risks to which an organization is exposed.
Given the challenge of identifying and managing every risk exposure, many risk managers and chief risk officers who use ERM have begun to zero in on the top 10 or 12 major risks that their organization is facing, and then develop strategies to address those risks.
An important difference between traditional risk management and ERM is that, once an entity has identified its key exposures, it then must determine if each potential event represents a risk or a reward.
Events can have a positive or negative impact, or both. ERM recognizes that these uncertainties exist and dictates that risk managers develop strategies to deal with both a positive and a negative outcome. This greatly expands the scope of involvement of risk management in the corporation's strategic planning process. This single distinction may well be the most important difference between traditional corporate risk management and ERM.
The integrated ERM framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) places events into categories that are considered either internal or external. The external categories are economy, natural environment, political, social, and technological. Internal categories include factors related to choices that management makes, such as infrastructure, personnel, processes, and technology.
The going gets tough
Identifying and classifying risks is the first step in an ERM program. It creates a solid foundation for the steps that follow, in which risks are prioritized and plans are developed to manage them.
Once the risk manager has identified all of the risks facing the organization and classified them as external or internal, the next step in the ERM process is to narrow the list down to the 10 or 12 most important risks. The most popular method is the interactive group workshop.
The workshop provides a forum for unit managers to offer their input concerning the likelihood and severity of each potential risk. Because it takes a holistic approach, the workshop is superior to risk assessment methods that treat each business unit as a separate silo. A workshop in which all unit managers share their concerns and observations is much more likely than the silo approach to reveal systemic risks and subtle interactions. The workshop setting also allows the unit managers to visualize the interconnectivity of the risks and assign a priority to each risk.
There should be no confusion about the fact that simply identifying the risk does not constitute an ERM program. It is merely the first step in the risk management process, though it remains one of the most important. An organization still needs to complete the other aspects of the ERM process. However, it all begins with a sound foundation that is based on a thorough risk identification procedure.
The fortunes of risk management have run the gamut, from the highs of increased focus on ERM to its failures during the 2008 financial meltdown. As ERM continues to evolve, corporate executives and their boards of directors are becoming aware that it is impossible to manage every single risk to which a corporation is exposed. This underlines the importance of building consensus on the dozen or so major risks facing an organization and then developing strategies to manage those risks. This approach is becoming the top priority in many ERM programs.
As this trend continues, it is essential for boards of directors to ensure compliance with regulatory requirements and for the corporation to achieve the goals of a robust ERM initiative.
Michael J. Moody, MBA, ARM, is the retired managing director of Strategic Risk Financing, Inc. (SuRF), a firm that was established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.