Understanding Enterprise Risk Management (ERM) | Whitepapers.online

Published on 20 Feb 2021


2020 made it clear that we need Enterprise Risk Management (ERM)

Unpredictability is inherent in all industries. The Covid-19 pandemic and the restrictions imposed because of it are a good example of how unforeseen dangers, hazards and developments can impact a business and interrupt its regular operations. Enterprise Risk Management is a business strategy in which an organization creates a plan to identify, assess and address such unexpected developments.

The year 2020 has made it clear that organizations must have robust ERM strategies in place so that they can adapt quickly to unexpected changes and continue to move towards their business objectives. In this article we will look more closely at:

  • Enterprise Risk Management
  • Approaches for an ERM Framework
  • The Advantages of ERM                

A Closer Look at Enterprise Risk Management

ERM requires organizations to identify what risks their operations face and to make a strategic plan regarding the severity of these risks as well as which ones to actively manage. The strategy must then be communicated to all relevant stakeholders, shareholders and investors. Typically, the strategy is communicated as part of the annual report. ERM is used in a variety of industries such as finance, public health and aviation.

The idea of managing risk is not new. Organizations have been mitigating risk for decades. One of the most common methods used to address risk is the purchase of insurance. Property insurance covers losses that result from physical damage to a company's property through fire, theft, earthquakes and so on. Malpractice insurance protects against lawsuits or claims arising from professional negligence, while liability insurance protects against claims of injury or damage caused to third parties. Physical damage and legal claims are not the only factors that can put a business's regular operations at risk. The failure of a particular technology or machine, a breakdown of the raw material supply chain, and changes in regulations or compliance requirements are also sources of risk. Insurance only transfers the financial consequence of such events; it does nothing to reduce the chance that they occur.

Approaches for an Enterprise Risk Management Framework

There are several different approaches that organizations can use to build their ERM framework. Some of these approaches are defined below:

1. Avoidance:

In this approach, the organization chooses to cease or exit the activities that give rise to the risk. For example, a business may choose not to expand into a new country because of risks associated with political instability in the region.

2. Reduction:

Organizations taking this approach implement measures to reduce the likelihood of the risk materializing, the impact if it does, or both. For example, if there is a risk of an organization's data being compromised, the business can mitigate that risk by reducing the number of people who can access the data: fewer accounts with access means fewer credentials an attacker can steal or misuse, and a smaller blast radius if one of them is compromised.

3. Alternative Actions:

Businesses may choose to take an alternative route to achieve their objective and thereby minimize or bypass the potential risk. For instance, if there are risks associated with the use of a particular piece of software, a business may choose to use another system entirely.

4. Insure:

As described above, insurance can be used to protect a business from a portion of the financial damage that can result from a risk. It transfers the cost of the consequence rather than preventing the event.

5. Accept:

If a cost-versus-benefit analysis demonstrates that it is in the business's best interest to take on the risk, the business may choose to do so. For instance, a region may carry political risk but also offer a good supply of an essential raw material required by the organization. In such a case the business may choose to accept the risk and continue operations. Acceptance should be an explicit, documented decision by someone with the authority to own the risk, not the default outcome of never having assessed it.

Three well-known ERM frameworks are:

  1. Casualty Actuarial Society framework
  2. COSO ERM framework
  3. RIMS Risk Maturity Model

Depending on what the organization wants its ERM strategy to achieve, an appropriate framework can be chosen.


Advantages of ERM

It is important to understand that risk management is not just about mitigating risks but also about seizing opportunities. When creating their ERM initiatives, companies should focus not only on the downsides of risk but also on the potential benefits.

The conventional approach to risk management made companies focus on the negatives; for example, they would assess and determine potential losses from currency fluctuations or changes in interest rates, or examine the disruption that might be caused by a data breach or cyberattack. When talking about seizing opportunities, companies should also consider the potential upsides of managing risk effectively. For example, recognizing that a country's political representatives are friendly to a business's industry and choosing to expand into that region.

Opportunities may also arise from a company deciding to move, renovate or service its physical assets in order to prevent breakdowns or loss of productivity down the line. ERM can help organizations prevent disasters and minimize the fallout through effective planning.

Companies must also recognize that their public image is an asset of great value. With proper risk assessment and management, organizations can ensure that they maintain a positive public image despite unexpected occurrences like natural disasters or large-scale equipment failure.

Three basic steps of Enterprise Risk Management

Risk management can be broken down into three simple steps. Regardless of the industry they belong to, all organizations will need to follow these three steps in order to create an effective ERM strategy:

1. Risk Identification

The first step in creating an ERM strategy is to identify what risks an organization faces from both its internal and its external environment. Organizations should think of a risk in two parts: trigger and effect. The trigger is the event itself, while the effect is the consequence that results from the event. For instance, the explosion of a gas container is a trigger. The damage caused by the resulting fire is the effect. The same trigger can have several effects, and it is the effects, not the triggers, that ultimately determine how much a risk matters to the business.

The best way for an organization to identify internal risks is to rely on the expertise of its own team. Nobody knows an organization better than the people who work for it. Businesses should make use of senior members who have good knowledge of the business's operations to identify vulnerabilities and potential issues. History is a great teacher: looking at similar projects the business has completed, and at adverse events from the past, is also a good way to identify risks. Companies should engage the services of a qualified and experienced Risk Manager in order to understand the external risks to their business operations.

2. Risk Assessment

Not all risks are equal, and a risk is not a certainty. Each risk has a probability that the trigger event takes place and a magnitude of effect if it does. Organizations should assess what the biggest risks they face are, what the probability of each trigger event is, and what the effect of such an occurrence would be. This information should be used to prioritize risks according to which events are most likely to happen and which would have the most severe impact; a risk that is both likely and damaging ranks ahead of one that is merely likely or merely damaging. Both the probability and the impact are estimates, so they should be revisited as the environment changes. Businesses should then plan and distribute resources to mitigate the highest-priority risks first.

3. Risk Management

Once the organization has identified its most likely and most impactful risks, it must manage them using one of the approaches described earlier. Risk management can take the form of safety policies, investment in equipment, changes to processes, and so on. For example, if one of the risks identified is a fire at a production facility, the best way to manage that risk might be investment in fire suppression equipment, which reduces the effect, combined with insurance to transfer the remaining financial loss. Whatever treatment is chosen, its effectiveness should be checked periodically, because a control that is never tested may not work when the trigger event actually occurs.