Enterprise Risk Management PowerPoint Presentation


Navigate the complexities of risk management and safeguard your enterprise with our “Enterprise Risk Management PowerPoint Presentation” template. This comprehensive and visually engaging template is designed to help organizations identify, assess, and mitigate risks effectively.

Featuring professionally crafted slides and an intuitive layout, this template covers all aspects of enterprise risk management (ERM), including risk identification, risk assessment, risk treatment, and risk monitoring. Whether you’re presenting to executives, board members, or department heads, this template provides a structured framework to communicate the importance of risk management and the strategies for mitigating potential threats.

With fully customizable slides compatible with PowerPoint and Google Slides, you can tailor the presentation to your organization’s specific risk management processes, industry regulations, and strategic objectives. Add your company logo, adjust colors and fonts, and incorporate relevant data and examples to create a presentation that resonates with your audience and drives action.

Empower your organization with a proactive approach to risk management using our “Enterprise Risk Management PowerPoint Presentation” template. Enhance risk awareness, foster a culture of accountability, and strengthen resilience in the face of uncertainty with this versatile tool.

Key Features:

  • Professionally crafted slides covering all aspects of enterprise risk management.
  • Intuitive layout to guide your audience through risk identification, assessment, treatment, and monitoring.
  • Fully customizable slides compatible with PowerPoint and Google Slides for seamless integration into your presentation.
  • Dynamic design elements and multimedia compatibility to enhance engagement and understanding.


Enterprise Risk Management Overview Powerpoint Presentation Slides

Our Enterprise Risk Management Overview Powerpoint Presentation Slides are topically designed to provide an attractive backdrop to any subject. Use them to look like a presentation pro.


PowerPoint presentation slides

This complete deck is oriented to make sure you do not lag in your presentations. Our creatively crafted slides come with apt research and planning. This exclusive deck with twenty-four slides is here to help you strategize, plan, analyse, or segment the topic with clear understanding and apprehension. Utilize ready-to-use presentation slides on Enterprise Risk Management Overview Powerpoint Presentation Slides with all sorts of editable templates, charts and graphs, overviews, and analysis templates. It is usable for marking important decisions and covering critical issues. Display and present all possible kinds of underlying nuances and progress factors for an all-inclusive presentation for the teams. This presentation deck can be used by all professionals, managers, individuals, and internal and external teams involved in any company or organization.


Content of this Powerpoint Presentation

  • Slide 1: This slide introduces Enterprise Risk Management Overview. State your Company Name and begin.
  • Slide 2: This slide shows Risk Management- Introduction describing- Identification of Risks, Assessment of Risks, Prioritization of Risks.
  • Slide 3: This slide shows Types of Risks describing External, Strategic, operational and enables risks.
  • Slide 4: This is another slide on Types of Risks describing- Strategic, Operational, Hazard and Financial risks.
  • Slide 5: This slide showcases Risk Categories which includes- Product Design, System/ Software, Manufacturing, Project Management, Quality and all other.
  • Slide 6: This slide represents Identify the Risk Categories with risk level and other sub categories.
  • Slide 7: This slide shows Stakeholders Risk Appetite in graphical form.
  • Slide 8: This slide shows Risk Tolerance on a scale describing risk impact from very low to very high.
  • Slide 9: This is another slide on Risk Tolerance showing the risk tolerance limit of the stakeholders.
  • Slide 10: This slide presents Risk Assessment Plan in tabular form.
  • Slide 11: This slide displays Enterprise Risk Management Overview Icons.
  • Slide 12: This slide reminds about 15 minutes Coffee Break.
  • Slide 13: This slide is titled as Additional Slides for moving forward.
  • Slide 14: This slide shows Column Chart with two products comparison.
  • Slide 15: This slide displays Clustered Chart with two products comparison.
  • Slide 16: This slide presents Area Chart comparing two different products.
  • Slide 17: This is Our Mission slide with related imagery and text.
  • Slide 18: This is Our Team slide with names and designation.
  • Slide 19: This slide shows Magnifying Glass with data in percentage.
  • Slide 20: This is a Timeline slide to show information related with time period.
  • Slide 21: This is a Financial slide. Show your finance related stuff here.
  • Slide 22: This is a Comparison slide to state comparison between commodities, entities etc.
  • Slide 23: This is an Idea Generation slide to state a new idea or highlight information, specifications etc.
  • Slide 24: This is a Thank You slide with Address# street number, city, state, Contact Number, Email Address.

Enterprise Risk Management Overview Powerpoint Presentation Slides with all 24 slides:

Use our Enterprise Risk Management Overview Powerpoint Presentation Slides to effectively help you save your valuable time. They are readymade to fit into any presentation structure.


Enterprise Risk Management (ERM) - Guide (PowerPoint PPTX)


This product (Enterprise Risk Management [ERM] - Guide) is a 102-slide PPT PowerPoint presentation (PPTX), which you can download immediately upon purchase.


Not long ago, retailer Bed Bath & Beyond was a Fortune 500 company. In 2023, it filed for Chapter 11 bankruptcy, closing its last store at the end of July. The reasons for its closure are numerous and complex. But it’s clear that it didn’t or couldn’t plan for all the dangers that brought down its once-booming business model.

As events such as the pandemic, the decline of many economies, and rapidly rising interest rates have demonstrated, even solid businesses can be disrupted. Companies of all kinds face numerous risks that could damage their operations, their reputation, their profitability, and even their viability. This makes the implementation of an enterprise risk management (ERM) initiative absolutely crucial. The goal of ERM is to help businesses make informed decisions about risk in order to operate more efficiently and profitably. But to be effective, an ERM initiative needs careful planning and enterprise-wide participation.

What is enterprise risk management?

Enterprise risk management (ERM) is a systematic approach to identifying risks associated with running a business, assessing their likelihood and potential impact, and developing strategies to manage and mitigate them. Most businesses have some kind of risk management program in place. But in “traditional” risk management, the management is typically left in the hands of separate divisions or departments. By contrast, ERM is a holistic approach, requiring communication and coordination between business units to identify and manage risks across the entire organization. Many companies have established an ERM team that includes stakeholders from several key departments.

This is because the risks that enterprise risk management (ERM) addresses cut across departmental boundaries. These include strategic risks, which involve activities related to achieving business objectives. They also include financial risks that need to be managed, such as debt levels, cash flow shortfalls, or investments that could harm the business’s bottom line. New technologies, notably generative AI technologies such as ChatGPT, could disrupt many companies’ business models and open them up to possible compliance challenges. Insufficient cybersecurity can cause crucial company or customer data to fall into the hands of cybercriminals. There are legal risks that would need to be managed, such as lawsuits involving contracts or other business agreements. Then there are the risks associated with compliance–not meeting regulatory requirements such as Sarbanes-Oxley regarding financial reporting, for instance.

Enterprise risk management (ERM) also includes operational risk management (ORM), which focuses specifically on identifying, assessing, and managing risks related to the organization’s day-to-day operations. These can include risks associated with technology, regulatory compliance, and onboarding vendors. Like ERM, ORM seeks to reduce risks. However, the risks ORM addresses are unintentional risks, such as employees who accidentally open up company data systems to cybercriminals. Besides managing all types of risk, ERM can also help an organization to optimize certain intentional strategic risks—those that could bring in new customers, new product lines, and new ways to reduce expenses and improve performance.

In addition, enterprise risk management (ERM) incorporates the use of key performance indicators, or KRIs, with metrics that track risk assessment performance. It also typically includes the development of a “risk register” that outlines potential risks associated with certain activities or operations.

There are numerous reasons why enterprise risk management (ERM) is essential. Most notably, it allows organizations to be proactive in identifying and monitoring potential internal and external risks rather than simply reacting to them after they occur. It also establishes protocols for mitigating those risks that an enterprise simply can’t avoid.

Another key reason a business should establish an ERM program is to enhance its ability to operate more efficiently and profitably. By raising the profile of the potential dangers a company faces, ERM protocols can help inform strategic decision-making and implementation while also minimizing losses from potentially damaging risks.

By openly and transparently sharing information about risk and mitigation, a company-wide risk management initiative can keep all employees and other stakeholders aware of risks and risk management protocols. This can be beneficial when employees interact with customers about potential risks. That in turn can reassure all stakeholders about a company’s resilience and durability.

Steps to the enterprise risk management process

Crafting a successful enterprise risk management (ERM) initiative requires careful thought and rigorous execution. That thinking informs the following ERM components, which were developed by the Committee of Sponsoring Organizations (COSO), a private-sector group that helps organizations provide guidance on internal control, risk management, and fraud deterrence:

Setting goals

This involves defining the organization’s goals and objectives and aligning them with its tolerance for risk. A business should recognize that long-range strategic plans are fraught with risks that could translate into opportunities–or dangers.

Internal workflows

Internal factors that influence the organization’s risk management include its management structure, governance, and company culture. These factors determine the enterprise’s risk appetite and what kinds of risks it needs to manage. While it is senior management (and, in many organizations, the company’s board of directors) that typically identifies what risks require managing, many organizations also engage employee input.

Identifying risks

This involves identifying risks, defined as events or situations, that could affect the organization’s ability to achieve its objectives. These impacts can be either beneficial or harmful to the company’s future operations. An ERM program should identify high-risk events that could be particularly damaging. An example of such an event might be the current backup at the Panama Canal, which is snarling numerous companies’ supply chains.

Assessing risk

In this step, a company determines how likely the risks it has identified are to occur. It also prioritizes them based on how significant an impact they might have. The COSO ERM framework suggests that companies assess both the percent chance of occurrence and the dollar impact of a potential risk. In addition, COSO advises that an organization assess not only the direct risk (COVID-19 social distancing) but also residual risks (employees resisting returning to the office). There are many types of risk assessments depending on the industry, but overall, risk assessment tools have their benefits.

Responding to risk

The organization then develops and implements strategies for managing the risks it has identified. One strategy is avoidance. An example would be shedding a business line where the potential dangers outweigh any benefits. A second strategy is maintaining that business line while establishing protocols to reduce any potential damage. A third option is acceptance. A company may choose this route if it determines the possibility of a risk event occurring is low and the costs of reducing potential negative impacts are too high.

Controlling activities

Also known as internal controls, these activities involve implementing policies and procedures to mitigate the identified risks and monitoring their effectiveness. Control activities can be classified as preventative (preventing or mitigating a risk event) or detective (recognizing the risk event and responding appropriately).

Monitoring risk activity

This involves continuously monitoring the organization’s risk management processes and controls, and making adjustments as needed. A company may wish to contract with an external consultant to evaluate its risk management practices. Whether the monitoring is conducted externally or internally, it should determine how well the ERM process is working, and whether the company is leaving itself vulnerable to any risk despite the processes and policies in place.

Communicating information

This step ensures that the organization’s risk management processes and results are communicated to stakeholders. Those within the business overseeing its ERM initiative should gather data and design metrics regarding the company’s risks and how they’re being managed. Sharing this information with senior management and affected employees can ensure their involvement in any needed mitigation.

A delicate balance between risk and reward

Benefits and challenges to enterprise risk management

What are the benefits of enterprise risk management?

A rigorous, thoughtfully developed enterprise risk management (ERM) program can help avoid financial losses, reputational damage, compliance failures, and legal liability. It also improves business decision-making because it provides more complete information on the risks a company faces. As a result, an ERM program can strengthen corporate governance and oversight and reduce instances of fraud.

Enterprise risk management (ERM) also boosts internal communication and interdepartmental cooperation. The regular risk reports that a firm’s ERM team delivers to upper management include a list or “matrix” of the risks, how these risks are being prepared for or mitigated, and how the risks are being prioritized. This information is crucial for management decision-making and guidance regarding risk response and preparation.

An enterprise risk management (ERM) program can help a company’s operations and profitability in numerous ways. It can uncover areas where a company is vulnerable to theft or embezzlement. It can be useful in discovering markets and product areas to enter or to avoid. ERM also can strengthen a business’s supply chain by identifying areas where that chain might be weak. An example would be the recent semiconductor shortage, which slowed production for many companies. All this can result in better management of strategic risks that could lead to new opportunities (such as acquisitions and new products) or dangers (such as new competitors and disruptive technologies).

What are the challenges of enterprise risk management?

Despite all the advantages of enterprise risk management (ERM), getting a program established is by no means a slam dunk. For most companies, ERM requires culture, process, or system changes that can be costly, time-consuming, and disruptive. ERM can be particularly costly to businesses that have limited resources. As a result, it may be difficult for supporters of an effective ERM program to get buy-in from upper management.

Company leaders may believe that the investments of time, talent, technology, and capital needed to implement an enterprise risk management (ERM) initiative don’t pencil out, and that those costs exceed the potential benefits. They may argue that it’s difficult to project a program’s effectiveness, including a legal project management tool, because it involves assessing the probability and impact of risk events that may or may not occur. Establishing metrics is often one of the most significant challenges an ERM initiative wrestles with. In addition, ERM also could result in organizations becoming reliant on particular digital technology tools, which could be a risk in itself.

If a company does go forward with establishing an enterprise risk management (ERM) program, there are other risks it will need to anticipate. It makes perfect sense that the risks an enterprise will seek to manage will be those that the company has already faced or is currently facing. But the most potentially dangerous risks are those that it hasn’t encountered. The recent pandemic is a particularly notable example. How many companies not only anticipated the pandemic but also had metrics in place to measure its effect on the business’s customers, employees, and other stakeholders? And how could the potential costs of mitigating the risks associated with the coronavirus have been determined?

Best practices for enterprise risk management

Companies need to consider both the benefits and challenges of enterprise risk management as they craft their own enterprise risk management (ERM) program. This can help them determine the best practices they should follow.

The components of enterprise risk management (ERM) discussed earlier reflect many of the best practices of an effective ERM initiative. Clearly, such a program needs to identify, assess, and prioritize all risks an enterprise might face. It needs to develop consistent action plans that eliminate or reduce the most significant risks, as well as processes to continuously monitor risk and risk-related metrics–and then enforce risk management policies.

For this to succeed, a company should also develop a culture that includes open communication about risk and risk management throughout the organization. It should also assign risk management responsibilities to appropriate employees. And it should determine whether there are ways to automate risk management processes.

Final words

In an unpredictable, fast-changing business environment, an enterprise risk management (ERM) initiative is essential. An ERM program includes assessment, prioritizing, and mitigation of any potential risk to a company’s future health and success. And wherever necessary, it solicits the participation and input of all stakeholders—senior management, board of directors, employees, and customers.

The benefits of a well-crafted risk management strategy include thorough regulatory compliance, a clearer sense of how strategic risks can help or hurt a business, and improved decision-making about operations, opportunities, and future planning. It’s not too strong to say that an enterprise risk management program could mean the difference between maintaining a successful business—or going out of business entirely.


What is Enterprise Risk Management (ERM)?


Leaders of organizations must manage risks in order for the entity to stay in business. In fact, most would say that managing risks is just a normal part of running a business. So, if risk management is already occurring in these organizations, what’s the point of “enterprise risk management” (also known as “ERM”)?

Let’s Start by Looking at Traditional Risk Management

Business leaders manage risks as part of their day-to-day tasks as they have done for decades. Calls for entities to embrace enterprise risk management aren’t suggesting that organizations haven’t been managing risks. Instead, proponents of ERM are suggesting that there may be benefits from thinking differently about how the enterprise manages risks affecting the business.

Traditionally, organizations manage risks by placing responsibilities on business unit leaders to manage risks within their areas of responsibility. For example, the Chief Technology Officer (CTO) is responsible for managing risks related to the organization’s information technology (IT) operations, the Treasurer is responsible for managing risks related to financing and cash flow, the Chief Operating Officer is responsible for managing production and distribution, and the Chief Marketing Officer is responsible for sales and customer relationships, and so on. Each of these functional leaders is charged with managing risks related to their key areas of responsibility. This traditional approach to risk management is often referred to as silo or stove-pipe risk management whereby each silo leader is responsible for managing risks within their silo as shown in Figure 1 below.

Figure 1 – Traditional Approach to Risk Management 


Limitations with Traditional Approaches to Risk Management

While assigning functional subject matter experts responsibility for managing risks related to their business unit makes good sense, this traditional approach to risk management has limitations, which may mean there are significant risks on the horizon that may go undetected by management and that might affect the organization. Let’s explore a few of those limitations.

Limitation #1: There may be risks that “fall between the silos” that none of the silo leaders can see. Risks don’t follow management’s organizational chart and, as a result, they can emerge anywhere in the business. Consequently, a risk may be on the horizon that does not capture the attention of any of the silo leaders, causing that risk to go unnoticed until it triggers a catastrophic risk event. For example, none of the silo leaders may be paying attention to demographic shifts occurring in the marketplace whereby population shifts towards large urban areas are happening at a faster pace than anticipated. Unfortunately, this oversight may drastically impact the strategy of a retail organization that continues to look for real estate locations in outlying suburbs or more rural areas surrounding smaller cities.

Limitation #2: Some risks affect multiple silos in different ways. So, while a silo leader might recognize a potential risk, he or she may not realize the significance of that risk to other aspects of the business. A risk that seems relatively innocuous for one business unit, might actually have a significant cumulative effect on the organization if it were to occur and impact several business functions simultaneously. For example, the head of compliance may be aware of new proposed regulations that will apply to businesses operating in Brazil. Unfortunately, the head of compliance discounts these potential regulatory changes given the fact that the company currently only does business in North America and Europe. What the head of compliance doesn’t understand is that a key element of the strategic plan involves entering into joint venture partnerships with entities doing business in Brazil and Argentina, and the heads of strategic planning and operations are not aware of these proposed compliance regulations.

Limitation #3: In a traditional approach to risk management, individual silo owners may not understand how an individual response to a particular risk might impact other aspects of a business. In that situation, a silo owner might rationally make a decision to respond in a particular manner to a certain risk affecting his or her silo, but in doing so that response may trigger a significant risk in another part of the business. For example, in response to growing concerns about cyber risks, the IT function may tighten IT security protocols, but employees and customers may find the new protocols confusing and frustrating, which may lead to costly “work-arounds” or even the loss of business.

Limitation #4: So often the focus of traditional risk management has an internal lens to identifying and responding to risks. That is, management focuses on risks related to internal operations inside the walls of the organization with minimal focus on risks that might emerge externally from outside the business. For example, an entity may not be monitoring a competitor’s move to develop a new technology that has the potential to significantly disrupt how products are used by consumers.

Limitation #5: Despite the fact that most business leaders understand the fundamental connection of “risk and return”, business leaders sometimes struggle to connect their efforts in risk management to strategic planning. For example, the development and execution of the entity’s strategic plan may not give adequate consideration to risks because the leaders of traditional risk management functions within the organization have not been involved in the strategic planning process. New strategies may lead to new risks not considered by traditional silos of risk management.

What’s the impact of these limitations? There can be a wide array of risks on the horizon that management’s traditional approach to risk management fails to see, as illustrated by Figure 2. Unfortunately, some organizations fail to recognize these limitations in their approach to risk management before it is too late.

Figure 2 – Currently Unknown, But Knowable Risks Overlooked by Traditional Risk Management


Effective Enterprise Risk Management (ERM) Should be a Valued Strategic Tool

Over the last decade or so, a number of business leaders have recognized these potential risk management shortcomings and have begun to embrace the concept of enterprise risk management as a way to strengthen their organization’s risk oversight. They have realized that waiting until the risk event occurs is too late for effectively addressing significant risks and they have proactively embraced ERM as a business process to enhance how they manage risks to the enterprise.

The objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives. The “e” in ERM signals that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the strategic objectives of the business. In other words, ERM attempts to create a basket of all types of risks that might have an impact – both positively and negatively – on the viability of the business.

An effective ERM process should be an important strategic tool for leaders of the business. Insights about risks emerging from the ERM process should be an important input to the organization’s strategic plan. As management and the board become more knowledgeable about potential risks on the horizon they can use that intelligence to design strategies to nimbly navigate risks that might emerge and derail their strategic success. Proactively thinking about risks should provide competitive advantage by reducing the likelihood that risks may emerge that might derail important strategic initiatives for the business and that kind of proactive thinking about risks should also increase the odds that the entity is better prepared to minimize the impact of a risk event should it occur. 

As illustrated by Figure 3, the ERM process should inform management about risks on the horizon that might impact the success of core business drivers and new strategic initiatives.

Figure 3 – ERM Should Inform Strategy of the Business


Elements of an ERM Process

Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing process. Unfortunately, some view ERM as a project that has a beginning and an end. While the initial launch of an ERM process might require aspects of project management, the benefits of ERM are only realized when management thinks of ERM as a process that must be active and alive, with ongoing updates and improvements.

The diagram in Figure 4 illustrates the core elements of an ERM process. Before looking at the details, it is important to focus on the oval shape to the figure and the arrows that connect the individual components that comprise ERM. The circular, clockwise flow of the diagram reinforces the ongoing nature of ERM. Once management begins ERM, they are on a constant journey to regularly identify, assess, respond to, and monitor risks related to the organization’s core business model.

Figure 4 – Elements of an ERM Process


ERM Starts with What Drives Value for the Entity

Because ERM seeks to provide information about risks affecting the organization’s achievement of its core objectives, it is important to apply a strategic lens to the identification, assessment, and management of risks on the horizon. An effective starting point of an ERM process begins with gaining an understanding of what currently drives value for the business and what’s in the strategic plan that represents new value drivers for the business. To ensure that the ERM process is helping management keep an eye on internal or external events that might trigger risk opportunities or threats to the business, a strategically integrated ERM process begins with a rich understanding of what’s most important for the business’ short-term and long-term success.

Let’s consider a publicly traded company. A primary objective for most publicly traded companies is to grow shareholder value. In that context, ERM should begin by considering what currently drives shareholder value for the business (e.g., what are the entity’s key products, what gives the entity a competitive advantage, what are the unique operations that allow the entity to deliver products and services, etc.). These core value drivers might be thought of as the entity’s current “crown jewels”. In addition to thinking about the entity’s crown jewels, ERM also begins with an understanding of the organization’s plans for growing value through new strategic initiatives outlined in the strategic plan (e.g., launch of a new product, pursuit of the acquisition of a competitor, or expansion of online offerings, etc.). You might find our thought paper, Integration of ERM with Strategy, helpful given it contains three case study illustrations of how organizations have successfully integrated their ERM efforts with their value creating initiatives.

With this rich understanding of the current and future drivers of value for the enterprise, management is now in a position to move through the ERM process by next having management focus on identifying risks that might impact the continued success of each of the key value drivers. How might risks emerge that impact a “crown jewel” or how might risks emerge that impede the successful launch of a new strategic initiative? Using this strategic lens as the foundation for identifying risks helps keep management’s ERM focus on risks that are most important to the short-term and long-term viability of the enterprise. This is illustrated by Figure 5.

Figure 5 – Apply Strategic Lens to Identify Risks


The Focus is on All Types of Risks

Sometimes the emphasis on identifying risks to the core value drivers and new strategic initiatives causes some to erroneously conclude that ERM is only focused on “strategic risks” and not concerned with operational, compliance, or reporting risks. That’s not the case. Rather, when deploying a strategic lens as the point of focus to identify risks, the goal is to think about any kind of risk – strategic, operational, compliance, reporting, or whatever kind of risk – that might impact the strategic success of the enterprise. As a result, when ERM is focused on identifying, assessing, managing, and monitoring risks to the viability of the enterprise, the ERM process is positioned to be an important strategic tool where risk management and strategy leadership are integrated. It also helps remove management’s “silo-blinders” from the risk management process by encouraging management to individually and collectively think of any and all types of risks that might impact the entity’s strategic success.

Output of an ERM Process

The goal of an ERM process is to generate an understanding of the top risks that management collectively believes are the current most critical risks to the strategic success of the enterprise. Most organizations prioritize what management believes to be the top 10 (or so) risks to the enterprise (see our thought paper, Survey of Risk Assessment Practices, that highlights a number of different approaches organizations take to prioritize their most important risks on the horizon). Generally, the presentation of the top 10 risks to the board focuses on key risk themes, with more granular details monitored by management. For example, a key risk theme for a business might be the attraction and retention of key employees. That risk issue may be discussed by the board of directors at a high level, while management focuses on the unique challenges of attracting and retaining talent in specific areas of the organization (e.g., IT, sales, operations, etc.).

With knowledge of the most significant risks on the horizon for the entity, management then seeks to evaluate whether the current manner in which the entity is managing those risks is sufficient and effective. In some cases, management may determine that they and the board are willing to accept a risk while for other risks they seek to respond in ways to reduce or avoid the potential risk exposure. When thinking about responses to risks, it is important to think about both responses to prevent a risk from occurring and responses to minimize the impact should the risk event occur. An effective tool for helping frame thinking about responses to a risk is known as a “Bow-Tie Analysis”, which is illustrated by Figure 6. The left side of the “knot” (which is the risk event) helps management think about actions management might take to lower the probability of a risk occurring. The right side of the “knot” helps management think about actions that could be taken to lower the impact of a risk event should it not be prevented (take a look at our article, The Bow-Tie Analysis: A Multipurpose ERM Tool).

Figure 6 – Bow-Tie Tool for Developing Responses to Risks


Monitoring and Communicating Top Risks with Key Risk Indicators (KRIs)

While the core output of an ERM process is the prioritization of an entity’s most important risks and how the entity is managing those risks, an ERM process also emphasizes the importance of keeping a close eye on those risks through the use of key risk indicators (KRIs). Organizations are increasingly enhancing their management dashboard systems through the inclusion of key risk indicators (KRIs) linked to each of the entity’s top risks identified through an ERM process. These KRI metrics help management and the board keep an eye on risk trends over time. Check out our thought paper, Developing Key Risk Indicators to Strengthen Enterprise Risk Management, issued in partnership with COSO for techniques to develop effective KRIs.

Leadership of ERM

Given the goal of ERM is to create a top-down, enterprise view of risks to the entity, responsibility for setting the tone and leadership for ERM resides with executive management and the board of directors. They are the ones who have the enterprise view of the organization and they are viewed as being ultimately responsible for understanding, managing, and monitoring the most significant risks affecting the enterprise.

Top management is responsible for designing and implementing the enterprise risk management process for the organization. They are the ones to determine what process should be in place and how it should function, and they are the ones tasked with keeping the process active and alive. The board of directors’ role is to provide risk oversight by (1) understanding and approving management’s ERM process and (2) overseeing the risks identified by the ERM process to ensure management’s risk-taking actions are within the stakeholders’ appetite for risk taking. (Check out our thought paper, Strengthening Enterprise Risk Management for Strategic Advantage, issued in partnership with COSO, that focuses on areas where the board of directors and management can work together to improve the board’s risk oversight responsibilities and ultimately enhance the entity’s strategic value.)

Given the speed of change in the global business environment, the volume and complexity of risks affecting an enterprise are increasing at a rapid pace. At the same time, expectations for more effective risk oversight by boards of directors and senior executives are growing. Together these suggest that organizations may need to take a serious look at whether the risk management approach being used is capable of proactively versus reactively managing the risks affecting their overall strategic success. Enterprise risk management (ERM) is becoming a widely embraced business paradigm for accomplishing more effective risk oversight.

Interested in Learning More About ERM?

As business leaders realize the objectives of ERM and seek to enhance their risk management processes to achieve these objectives, they often are seeking additional information about tactical approaches for effectively doing so in a cost-effective manner. The ERM Initiative in the Poole College of Management at North Carolina State University may be a helpful resource through the articles, thought papers, and other resources archived on its website or through its ERM Roundtable and Executive Education offerings. Each year, we survey organizations about the current state of their ERM related practices. Check out our most recent report, The State of Risk Oversight Report: An Overview of Enterprise Risk Management Practices.

Original Article Source:  “What is Enterprise Risk Management?”


Enterprise Risk Management (ERM): What It Is and How It Works

Adam Hayes, Ph.D., CFA, is a financial writer with 15+ years Wall Street experience as a derivatives trader. Besides his extensive derivative trading expertise, Adam is an expert in economics and behavioral finance. Adam received his master's in economics from The New School for Social Research and his Ph.D. from the University of Wisconsin-Madison in sociology. He is a CFA charterholder as well as holding FINRA Series 7, 55 & 63 licenses. He currently researches and teaches economic sociology and the social studies of finance at the Hebrew University in Jerusalem.


What Is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization’s operations and objectives and/or lead to losses.

Key Takeaways

  • Enterprise risk management (ERM) is a firm-wide strategy to identify and prepare for hazards with a company’s finances, operations, and objectives.
  • ERM allows managers to shape the firm’s overall risk position by mandating that certain business segments engage with or disengage from particular activities.
  • Traditional risk management, which leaves decision making in the hands of division heads, can lead to siloed evaluations that do not account for other divisions.
  • The COSO framework for enterprise risk management identifies eight core components of developing ERM practices.
  • Successful ERM strategies can mitigate operational, financial, security, compliance, legal, and many other types of risks.

Understanding Enterprise Risk Management (ERM)

Enterprise risk management takes a holistic approach and calls for management-level decision making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide surveillance is given precedence.

It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM.

ERM, therefore, can work to minimize firm-wide risk as well as identify unique firm-wide opportunities. Communicating and coordinating between different business units are key for ERM to succeed, since the risk decision coming from top management may seem at odds with local assessments on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm.

While ERM best practices and standards are still evolving, they have been formalized through COSO, an industry group that maintains and updates such guidance for companies and ERM professionals.

ERM-friendly firms may be attractive to investors because they signal more stable investments.

A Holistic Approach to Risk Management

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures via each division managing its own business. Enterprise risk management calls for corporations to identify all the risks they face. It also makes management decide which risks to manage actively. As opposed to risks being siloed across a company, a company sees the bigger picture when using ERM.

ERM looks at each business unit as a “portfolio” within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit.

Companies have been managing risk for years. Traditional risk management has relied on each business unit evaluating and handling its own risk and then reporting back to the CEO at a later date. More recently, companies have started to recognize the need for a more holistic approach.

A chief risk officer (CRO), for instance, is a corporate executive position that is required from an ERM standpoint. The CRO is responsible for identifying, analyzing, and mitigating internal and external risks that impact the entire corporation.

The CRO also works to ensure that the company complies with government regulations, such as Sarbanes-Oxley (SOX), and reviews factors that could hurt investments or a company’s business units. The CRO’s mandate will be specified in conjunction with other top management along with the board of directors and other stakeholders.

A good indication that a company is working at effective ERM is the presence of a chief risk officer (CRO) or a dedicated manager who coordinates ERM efforts.

Components of Enterprise Risk Management

The COSO enterprise risk management framework identifies eight core components that define how a company should approach creating its ERM practices.

Internal Environment

A company’s internal environment is the atmosphere and corporate culture within the company set by its employees. This sets the precedent for what the company’s risk appetite is and what management’s philosophy is regarding incurring risk. The internal environment may be set by upper management or the board and communicated throughout an organization, though it is often reflected through the actions of all employees.

Objective Setting

As a company determines its purpose, it must set objectives that support the mission and goals of a company. These objectives must then be aligned with a company’s risk appetite. For example, an ambitious company that has set far-reaching strategic plans must be aware that there may be internal risks or external risks associated with these lofty goals. In response, a company can align the measures to be taken with what it wants to accomplish, such as hiring additional regulatory staff for expansion areas it is currently unfamiliar with.

Event Identification

Positive events may have a great impact on a company. On the other hand, negative events may have detrimental outcomes on a company’s ability to continue to operate. ERM guidance recommends that companies identify important areas of the business and associated events that may have dire outcomes. These high-risk events may pose risks to operations (e.g., natural disasters that force offices to temporarily close) or to strategy (e.g., government regulation outlaws the company’s primary product line).

Risk Assessment

In addition to being aware of what may happen, the ERM framework details the step of assessing risk by understanding the likelihood and financial impact of risks. This includes not only the direct risk (e.g., a natural disaster renders an office unusable) but also residual risks (e.g., employees may not feel safe returning to the office). Though difficult, the ERM framework encourages companies to consider quantifying risks by assessing the percent chance of occurrence as well as the dollar impact.

Risk Response

A company can respond to risk in the following four ways:

  • The company can avoid risk. This results in the company leaving the activity that causes the risk, as the company would rather forgo the benefits of the activity than incur the risk. An example of risk avoidance is a company shutting down a product line and discontinuing selling a specific good.
  • The company can reduce risk. This results in the company staying engaged in the activity but putting forth effort in minimizing the likelihood or magnitude of the risk. An example of risk reduction is a company keeping the product line above open but investing more in quality control or consumer education on how to properly use the product.
  • The company can share risk. This results in the company moving forward as-is with the current risk profile of the activity. However, the company leverages an independent third party to share in the potential loss in exchange for a fee. An example of risk sharing is purchasing an insurance policy.
  • The company can accept risk. This results in the company analyzing the potential outcomes and determining whether it is financially worth pursuing mitigating practices. An example of risk acceptance is the company keeping open the product line with no changes to operations and risk sharing.

Control Activities

Control activities are the actions taken by a company to create policies and procedures to ensure management carries out operations while mitigating risk. Control activities, often referred to as internal controls, are broken into two different types of processes:

  • Preventative control activities are in place to stop an activity from happening. These controls aim to mitigate risk by disallowing certain events from happening. An example of preventative control is a keypad or physical lock preventing all employees from entering a sensitive area.
  • Detective control activities are in place to recognize when a risky action has taken place. Although the event is allowed to happen (or was not supposed to happen but still did), detective controls may alert management to ensure appropriate follow-up steps occur. An example of a detective control is an alarm for a room.

Information and Communication

Information systems should be able to capture data useful to management to better understand a company’s risk profile and risk management. This means not granting exceptions for departments outperforming others; all aspects of a company should be continually monitored. By extension, some of this data should be analyzed and communicated to employees if it is relevant to mitigating risk. By communicating with employees, there is more likely to be greater buy-in for processes and protection over company assets.

A company can turn to an internal committee or an external auditor to review its policies and practices. This may include reviewing what is actually performed compared with what policy documents suggest. This may also entail getting feedback, analyzing company data, and informing management of unprotected risks. In an ever-changing environment, companies must also be ready to assess their ERM environment and pivot as needed.

The Committee of Sponsoring Organizations (COSO) board originally published the ERM framework in 2004, then an updated version was published in 2017. The publication has been widely used since.

How to Implement Enterprise Risk Management Practices

ERM practices will vary based on a company’s size, risk preferences, and business objectives. Below are best practices that most companies can use to implement ERM strategies.

  • Define risk philosophy. Before implementing any practices, a company must identify how it feels about risk and what its strategy around risk will be. This should involve strategic discussions between management and an analysis of a company’s entire risk profile.
  • Create action plans. With a company’s risk philosophy in hand, it is time to create an action plan. This defines the steps a company must take to protect its assets and plans to protect the future of the organization after a risk assessment has been performed.
  • Be creative. When considering risks, ERM entails thinking broadly about the problems a company may face. Though far-fetched, it is in a company’s best interest to think of as many challenges as it may face and how it will respond (or decide to not respond) should the event happen.
  • Communicate priorities. A company may determine that several high-importance risks are critical to mitigate for the continuation of the company. These priorities should be communicated and broadly understood as the risks that should not be incurred under any circumstance. Alternatively, a company may wish to communicate the plans if the event were to occur.
  • Assign responsibilities. When an action plan has been devised, specific employees should be identified to carry out specific parts of the plan. This may include delegating tasks to specific positions should employees leave the company. This not only allows for all action items to be worked on but also will hold members responsible for their area(s) of risk.
  • Maintain flexibility. As companies and risks evolve, a company must design ERM practices to be adaptable. The risks a company faces one day may be different the next; the company must be able to carry its current plan while still making plans for new, future risks.
  • Leverage technology. ERM digital platforms may host, summarize, and track many of the risks of a company. Technology can also be used to implement internal controls or gather data on how performance is tracking to ERM practices.
  • Continually monitor. Once ERM practices are in place, a company must ensure the practices are adhered to. This means tracking progress toward goals, ensuring certain risks are being mitigated, and confirming that employees are performing tasks as expected.
  • Use metrics. As part of monitoring ERM practices, a company should develop a series of metrics to quantifiably gauge whether it is meeting targets. Often referred to as SMART goals, these metrics keep a company accountable on whether it met objectives or not.

As a company implements ERM practices, it is widely advised to continually gather feedback from all employees. Everyone will have a different perspective of what might not be working or what could be done better.

Advantages and Disadvantages of Enterprise Risk Management

ERM sets the organization-wide expectations around a company’s culture. This includes communicating more openly about the risks a company faces and how to mitigate them. This leads to fewer unexpected risks and more guided direction on how to respond to certain events.

In addition, this may lead to greater employee satisfaction knowing plans are in place to protect company resources, as well as greater customer service knowing how to respond to customers should certain risks actually occur.

ERM practices are often synthesized by a standardized risk report delivered to upper management. This report succinctly summarizes the risks a company faces, the actions being taken, and the information needed for decision making. As a result, a company may be more efficient with its time, especially considering what is delivered to upper management.

ERM may also have a company-wide positive impact on the resourcefulness of the business. ERM may eliminate redundant processes, ensure efficient use of staff, reduce theft, or increase profitability by better understanding what markets to enter into.

Disadvantages

As a company builds out its ERM practices, it will likely consider familiar risks it has been exposed to in the past. Therefore, ERM is limited in identifying future risks that the organization is unaware of that may have more detrimental impacts. In this manner, some may consider ERM as reactive, as companies can only forecast risk based on what they have prior experience with.

ERM also relies very heavily on management estimates and inputs. This may be nearly impossible to accurately predict. For example, in the very low chance that a company forecasts the occurrence of the COVID-19 pandemic, would a company be able to accurately calculate the fiscal impact of business closures or changes in consumer spending? ERM mitigation costs may also be difficult to assess.

ERM practices are time-intensive and therefore require the resources of the company to be successful. Though the company will benefit from protecting its assets, a company must divert staff time and may need to make capital investments to implement ERM strategies. In addition, a company may find it difficult to quantify the success of ERM, as financial risks that do not occur must simply be projected.

ERM Practices

Pros

  • May make a company more prepared for risks and uncertainties
  • May leave employees more satisfied with the future state of the company
  • May result in greater customer service, as companies are prepared for certain situations
  • May result in efficient reporting to upper management that enhances decision making
  • May lead to more efficient company-wide operations

Cons

  • May not accurately identify the risks a company is likely to experience
  • May not accurately assess the financial impact or likelihood of an outcome
  • Often requires time investment from a company to be successful
  • Often requires capital investment from a company to be successful

What Types of Risk Does Enterprise Risk Management Address?

ERM can help devise plans for almost any type of business risk. Business risk threatens a company’s ability to survive, and these risks may be further classified into different risks discussed below. In general, ERM most commonly addresses the following types of risk:

  • Compliance risk threatens a company due to a violation of external law or requirement. An example of compliance risk is a company’s inability to produce timely financial statements in accordance with applicable accounting rules, such as generally accepted accounting principles (GAAP).
  • Legal risk threatens a company should the company face a lawsuit or penalty for contractual, dispute, or regulatory issues. An example of legal risk is a billing dispute with a major customer.
  • Strategic risk threatens a company’s long-term plan. For example, new market participants in the future may supplant the company as the lowest-cost provider of a good.
  • Operational risk threatens the day-to-day activities required for the company to operate. An example of operational risk is a natural disaster that damages a company’s warehouse where inventory is stored.
  • Security risk threatens the company’s assets if physical or digital assets are misappropriated. An example of security risk is insufficient controls overseeing sensitive client information stored on network servers.
  • Financial risk threatens the debt or financial standing of a company. An example of financial risk is translation losses by holding foreign currency.

ERM is particularly well-suited for large corporations operating in complex and diverse environments. These companies often face a wide range of risks across different business units, regions, and functions. ERM helps large corporations systematically identify, assess, and manage risks at both the operational and strategic levels.

ERM can also be specifically useful in certain industries. For example, ERM is well-suited to financial institutions such as banks, insurance companies, and investment firms. These institutions operate within highly regulated and volatile markets and face many of the risks discussed above. By integrating ERM into their operations, financial institutions can strengthen risk management practices, optimize capital allocation, and enhance their resilience to economic downturns.

Last, it's worth calling out multinational corporations and global enterprises as ideal entities. These companies benefit from ERM because of their expansive operations across multiple countries and jurisdictions. These companies encounter diverse risks related to geopolitical instability, currency fluctuations, supply chain disruptions, and regulatory compliance in varying regions. By implementing ERM frameworks, global enterprises can better track and maintain these risks, especially if their entity has higher risks in certain areas, departments, or business units.

ERM is primarily concerned with identifying, assessing, managing, and mitigating risks across an organization. On the other hand, enterprise resource planning (ERP) tools focus on integrating and optimizing core business processes. The primary purpose of ERP systems is to streamline operations across finance, manufacturing, sales, and marketing (amongst others). ERM addresses risks across various functions and departments within an organization. ERP systems are generally more specific in their scope. They tend to focus on more granular operational efficiencies instead of bigger-picture, comprehensive risks.

Implementing ERM tools requires collaboration among key stakeholders like risk managers, compliance officers, executives, and board members. These stakeholders work together to establish risk management frameworks. ERP implementations may be more geared towards collaboration among IT teams, department heads, and end-users. In addition to having a heavy part to play in operations, a primary component of ERP systems is the potentially live, interconnected play between data. For this reason, as opposed to an ERM tool, ERP systems may have a more technical demand to them.

Last, risk management strategies in ERM are designed to support long-term sustainability, protect organizational assets, and minimize potential disruptions. ERP systems align with an organization's strategic goals by improving productivity, reducing costs, and providing real-time insights into business operation opportunities. In a sense, ERM and ERP systems may counteract each other. For instance, an ERP system may signal growth and efficiency opportunities to expand in a specific new market; an ERM may signal that a new market is too great of a risk to consider.

Customer relationship management (CRM) systems are centered around managing interactions with customers and prospects. They leverage technology and processes to organize, automate, and synchronize sales, marketing, customer service, and support activities. The primary aim of CRM is to improve relationships with customers, streamline business processes, and increase profitability by understanding and meeting customer needs effectively.

Like an ERM, a CRM system consolidates data. However, the nature of the data is entirely different. While ERMs track and monitor risks, CRMs care most about customer data, interactions, and insights that enable the company to enhance customer engagement and satisfaction. CRM implementation is crucial for sales teams, marketing departments, customer service representatives, and executives who rely on customer data to drive sales growth and improve overall business performance. Alternatively, ERMs are more useful for operational teams like risk, insurance, operations, or finance.

An ERM focuses on comprehensive risk management across all facets of an organization. This tends to be inward-looking, though it can also incorporate external market forces. A CRM, alternatively, is much more outward-facing. While it will consider current processes and resources within a company, a CRM exists to monitor what is going on outside of the company with a company's arguably most important resource (i.e. its customers).

ExxonMobil is a robust example of how ERM is implemented in a large multinational corporation operating in the oil and gas industry. ERM at ExxonMobil is a structured approach that spans all levels of the organization, aiming to identify, assess, manage, and mitigate risks that could impact its business operations and overall performance. Information on ExxonMobil's ERM strategy is on the company's website.

ExxonMobil's framework integrates five core elements: organizing and aggregating risks, rigorous risk identification practices, a prioritization method, systems and processes for risk management, and comprehensive risk governance. This multi-layered approach includes defined roles and responsibilities for risk owners, functional experts, and independent verifiers. The goal is that each type of risk is actively managed and aligned with corporate requirements and processes.

Prior to initiating new developments, the company employs advanced data and computer modeling to assess potential environmental, socioeconomic, and health risks associated with construction and operations. Engaging with communities through public meetings and collaborating with regulators ensures transparent communication and compliance with regulatory standards, both of which can minimize risks in the future.

This rigorous process guided by an integrated ERM also enables ExxonMobil to implement tailored measures to prevent, minimize, or mitigate environmental impacts. These different types of risks could range from changing weather patterns to sea level rise, seismic activity, or geological conditions. ExxonMobil's environmental assessments with its ERM are conducted for both offshore and onshore facilities to deploy protective measures effectively and uphold operational safety.

ERM is a company’s approach to managing risk. It is the practices, policies, and framework for how a company handles a variety of risks that its business faces.

Why Is ERM Important?

ERM is important because it helps prevent losses or unexpected negative outcomes. ERM is also important because it helps a company set the plans in place to strategically approach risk and garner employee buy-in.

What Are the 3 Types of Enterprise Risk?

ERM often summarizes the risks a company faces into operational, financial, and strategic risks. Operational risks impact day-to-day operations, while strategic risks impact long-term plans. Financial risks impact the general financial standing and health of a company.

What Are the 8 Components of ERM?

The COSO framework for ERM identifies eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring. These eight core components drive a company’s ERM practices.

What Is the Difference Between Risk Management and Enterprise Risk Management?

Risk management has traditionally been used to describe the practices and policies surrounding a specific risk that a company faces. More modern risk management has introduced ERM, a comprehensive, company-wide approach to view risk holistically for the entire company.

As a company makes, sells, and delivers goods to customers, it faces countless risks from numerous sources. To better plan for these risks, companies are turning to enterprise risk management, a company-wide, top-down approach to assessing risk and devising plans. The ultimate goal of ERM is to protect a company’s assets and operations while having strategies in place should certain unfortunate events occur.

North Carolina State University, Poole College of Management, Enterprise Risk Management Initiative. “What Is Enterprise Risk Management (ERM)?”

COSO. “Guidance: Enterprise Risk Management.”

ExxonMobil. “Risk Management.”


Enterprise Risk Management Overview PowerPoint Presentation Slides

SlideTeam

This complete deck is oriented to make sure you do not lag in your presentations. Our creatively crafted slides come with apt research and planning. This exclusive deck with twenty four slides is here to help you to strategize, plan, analyse, or segment the topic with clear understanding and apprehension. Utilize ready to use presentation slides on Enterprise Risk Management Overview Powerpoint Presentation Slides with all sorts of editable templates, charts and graphs, overviews, analysis templates. It is usable for marking important decisions and covering critical issues. Display and present all possible kinds of underlying nuances, progress factors for an all inclusive presentation for the teams. This presentation deck can be used by all professionals, managers, individuals, internal external teams involved in any company organization.


  • 1. Enterprise Risk Management Overview. Your Company Name.
  • 2. Risk Management: Introduction. Identification of Risks; Assessment of Risks; Prioritization of Risks. Resources: Minimize, Monitor, Control (probability and/or impact of unfortunate events); Maximize (realization of opportunities). This is a framework showing the outcome of risk management for a firm, which involves minimizing, monitoring, and controlling unfavorable events and maximizing the opportunities.
  • 3. Types of Risks (1/2). External Risks: Regulatory, Socio-Political, Demand, Economical, Environment. Internal Risks: Enablers (People, Financial, Technology, Infrastructure); Operational (Access to Services, Processes, Business Interruption, Emergency response); Strategic (Governance, Strategic Planning, Ethics & Values, Stakeholder Relations). Listed are various types of internal and external risks. You can add/delete the risk types as per your requirements.
  • 4. Types of Risks (2/2). Strategic: Demand shortfall, Customer Retention, Integration problems, Pricing Pressure, Regulation, R&D, Industry or sector downturn, JV or partner losses. Operational: Cost overrun, Operating controls, Poor capacity management, Supply chain issues, Employee issues incl. fraud, Bribery & Corruption, Regulation, Commodity prices. Hazard: Macroeconomic, Political issues, Legal issues, Terrorism, Natural disasters. Financial: Debt & Interest Rates, Poor financial management, Asset issues, Goodwill & amortisation, Accounting problems. These are four broad categories of risk and the various factors associated with the same. You can modify them as per your needs.
  • 5. Risk Categories. Product Design: Product Performance, Design. System/Software: Data Accuracy, Security. Manufacturing: Assembly, Tools. All Other: Consumer Service, Environment. Project Management: Product Cost, Team Work. Quality: Quality System, Sigma Levels. We have mentioned the six broad categories of risk and a few factors associated with them. You can alter them as per your requirements.
  • 6. Identify The Risk Categories. Risk Category: Financial, Financial, Operational, Operational, Strategic, Strategic. Risk Sub-Category: Funding, Capacity, Capacity, Availability, Customer Retention, Demand Shortfall. Likelihood 2 3 3 4 5 5 3 2 2 1 3 4 3 4 1 2 3 5 4 3 3 5 2 2 5 3 5 4 3 3 Risk Level: Profitable Growth, Low Price, Develop new product, Leverage Technology. Risk Score By Risk Category. Once you have listed the risk categories, identify the level of risk associated with each one of them.
  • 7. Stakeholders Risk Appetite. Forming Risk Appetite. Axes: Likelihood and Impact, each scaled Low, Medium, High. Regions: Exceeding Risk Appetite; Within Risk Appetite. Obtain an estimate of the risk appetite of the shareholders with the help of the below bar graph. This will help in assessing the acceptable risk level.
  • 8. Risk Tolerance (1/2). Ordinal Scale (example): Very Low; Low; Moderate; High; Very High. Cardinal Scale (example): 0.7; 0.2; 0.1; 0.9; 0.5. Cost: Insignificant increase; <10% cost increase; 10-20% cost increase; 20-25% cost increase; >25% cost increase. Schedule: Insignificant fall in schedule; <7% schedule slippage; 7-10% schedule slippage; 10-15% schedule slippage; 15-20% schedule slippage. Scope: Decrease; Minor areas of scope affected; Major areas of scope affected; Reduction Unacceptable; Project end item is Useless. Quality: Barely noticeable Degradation; Only demanding applications are Affected; Reduction requires Approval; Reduction Unacceptable; Project end item is Unusable.
  • 9. Risk Tolerance (2/2). Below is a heat map showing the risk tolerance limit of the stakeholders, where the red line shows the boundary between risks that are acceptable and those that are not. Axes: Likelihood, Impact. Risks plotted: Loss of key Managers; IT Problems; Loss of key Partnerships; Supplier Default; Business continuity problems; Product or Service Quality; Poor Project Management.
  • 10. Risk Assessment Plan. Columns 01-07: Activity Steps (list the steps required to perform the activity in the sequence they are carried out); Potential Hazards/Risks (against each activity step list the hazards that could cause emission of refrigerant and describe the risk these hazards pose); Risk Rating (Rare, Unlikely, Likely, Almost Certain); Risk Control Measures (describe the identified risk control measures); Risk Rating (Rare, Unlikely, Likely, Almost Certain); Person Responsible (document the name of the person responsible for implementing risk controls); Time Frame (document when step 3 was conducted and when step 6 is planned). Form fields: Business Name, ABN.


ENTERPRISE RISK MANAGEMENT

Published by Shannon Henry Modified over 9 years ago


Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.


Enterprise Risk Management (ERM) - PowerPoint PPT Presentation


  • Presented At
  • Managing Risk Mission Possible
  • Terri Sahli, Risk Manager
  • State Of Oregon
  • October 23, 2006
  • ERM Definitions
  • Traditional Risk Management v. ERM
  • ERM Objectives and Benefits
  • ERM Framework and Process
  • ERM Risk Identification
  • Interdependencies and Systems Thinking
  • ERM Tools, Techniques, Strategies
  • ERM Implementation
  • A disciplined approach aligning strategy, processes, people, technology and knowledge to manage uncertainties as the enterprise creates value. (KPMG)
  • The identification and assessment of collective risks that affect value, and the formulation and implementation of a company wide strategy to maximize that value. (AON)
  • The effort to find an integrated optimal way of managing risk by balancing financing techniques with organizational practices and processes. (Marsh)
  • EWRM is a structured and disciplined approach: it aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. (Arthur Andersen 2000)
  • Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO)
  • ERM is a disciplined and integrated approach that supports the alignment of strategy, process, people, and technology and allows corporations to identify, prioritize and effectively manage their critical risk. By understanding all risks in an integrated framework, companies can execute proper strategies to successfully achieve their objectives and to meet their performance goals. (Unidentified) (Sahli's favorite)
  • Limited strategic scope or influence
  • Narrowly focused
  • No systematic understanding of correlation and interdependencies among risks
  • Risk mitigation and risk financing siloed
  • Inconsistent risk reporting
  • Infrequent, ad hoc risk assessment
  • Ambiguous ownership of some types of risk; lack of role definition
  • Closed communication
  • Functionally driven
  • Supports strategy and planning
  • Broadly focused
  • Correlation and interdependencies analyzed and understood
  • Risk mitigation and risk financing coordinated
  • Concise, consolidated reporting
  • Continuous risk assessment, evaluation and management
  • Assigned ownership with accountability; defined roles and responsibilities
  • Open communication
  • Process driven
  • Value based
  • In a decentralized environment, responsibility for managing various risks may be assigned to the business or functional area with the perceived exposure.
  • Insurable risk: Risk Management
  • Interest rate risk: Treasurer
  • Litigation management risk: Department of Justice
  • Traditional risk management efforts tend to focus on measurable risks while ill-defined or ambiguous strategic or operational risks, such as brand or reputation, may be acknowledged but ignored.
  • How do you measure loss of reputation?
  • ERM is an approach that requires the tearing down of walls between the management of strategic, operational, financial and hazard risks, and adoption of a single, comprehensive risk oversight structure.
  • ERM is a holistic, integrated approach that requires systems thinking and an understanding of the interrelationship among component parts of a system.
  • ERM helps break down the risk silos
  • Within the state
  • Within your agency
  • Within your program
  • Common language and common tools essential to begin the non-siloed discussion
  • Perception that Enron, WorldCom, Global Crossing would not have happened had risks been more transparent.
  • Need for risk transparency
  • Performance pressures
  • Better use of capital (taxpayer dollars)
  • ERM tool development advancing rapidly
  • Competitive advantage
  • Better use of taxpayer dollars
  • Competitive advantage: preferred place to live and work
  • Reduced budget volatility
  • Lower cost of risk transfer
  • Risks explicitly considered in decision making
  • Avoid surprises and predictable failures
  • Align risk exposures and mitigation programs
  • Institute more rigorous risk measurement
  • Integrate ERM into the strategic planning process
  • Increased management confidence
  • Improved risk transparency
  • Risk appetite and risk tolerance are aligned with strategy
  • Improved risk v. reward quantifications and performance measurements
  • Risk priced transactions
  • Improved resource and allocation
  • Optimized costs and efficiencies
  • Reduced earnings volatility
  • Early notification of risk patterns
  • Ability to anticipate and communicate uncertainties
  • Mission and Vision Statement
  • Objectives and Strategies
  • Organizational Structure
  • Roles and Responsibilities
  • Policies and Procedures
  • Tools and Techniques
  • Common language
  • Overlays existing framework
  • Integrated into, not isolated from, the organization
  • Risk identification
  • Risk analysis
  • Formulation of risk management strategies and solutions
  • Implementation of strategies and solutions
  • Measure, monitor, and report
  • Integration
  • The process is the same. We are simply expanding the risks we identify and analyze.
  • Will focus on insurable risks
  • Third parties (general public)
  • Will focus on systemic risks (systems thinking)
  • Hazard/insurable risks
  • Operational risks
  • Financial risks
  • Strategic risks
  • What could go wrong
  • Systems Thinking
  • Operational risks arising out of your daily operations
  • supply chain, human resource, IT security, culture, weather, regulation
  • Financial risks arising around use of money
  • credit risk, interest rate risk, cash-flow/budget management, economic up/down turns
  • Strategic risks arising out of business/policy decisions
  • reorganization decisions, customer/constituency base changes, changes in service offerings
  • Your turn: let's identify
  • ERM is a holistic, integrated approach that requires systems thinking and an understanding of the interrelationship among component parts of a system
  • Consider the interdependencies
  • Upstream and downstream risks
  • At the core of siloed risk management is the lack of correlation of risks (interdependencies and interrelationships) and concomitantly, a failure to effectively and efficiently integrate risk management strategies.
  • Intense Focus on Single Objective or Risk
  • Failure to Consider Corollary Risks
  • Failure to Consider Interdependency Risks
  • Unintended Consequences (the big oops)
  • Hazard: theft of laptop with unsecured confidential bank account information
  • Operational: employees not trained in information security practices, password protection
  • Financial: bank accounts drained of millions of dollars before accounts can be identified and frozen
  • Strategic: loss of vendors, can't pay bills
  • Tools and techniques will vary by entity and must be compatible with the entity's risk
  • Tools and techniques
  • Key risk indicators
  • Individual self assessments or facilitated group assessments
  • Scenario analysis
  • Risk mapping using frequency and severity
  • Statistical analysis/probabilistic modeling
  • Acquire/exploit
  • Barriers to successful implementation
  • Lack of quantification of soft risks
  • Lack of framework and strategic plan
  • Just another audit or flavor of the day
  • Lack of visibility and support from leadership
  • Project v. process view
  • Competing priorities
  • Lack of needed processes and appropriate measurements
  • Lack of consensus on benefits
  • Insufficient resources (people and technology)
  • Organizational resistance to change
  • Factors for successful implementation
  • Leadership and executive sponsorship
  • Establishment of a vision
  • Phased work plan with realistic goals and time frames
  • Dedicated cross functional teams
  • Managed expectations
  • Quick early visible wins
  • Integration into all planning
  • Financial services sector
  • Insurance and banking
  • Energy sector
  • Utilities, energy gas
  • Public sector
  • ERM is traditional risk management on steroids
  • ERM can begin within a single agency, not the entire entity
  • ERM can be FUN as well as hard work
  • ERM is Mission Possible


Enterprise Risk Management

Dec 20, 2019


heatherw

Presentation Transcript

Enterprise Risk Management Modeling Corporate Risk – An Opportunity Christopher (Kip) Bohn

The Present State of ERM Most companies currently reside here on the continuum Value/Risk Optimization Stakeholder Value Risk Specialization Risk Management Integration Enterprise Risk Awareness RM IS Audit Ethics HR Ops. Risk Management Sophistication

Present State of ERM • Corporate CROs, CFOs, RMs, etc. interested in ERM • Many are looking to COSO for guidance • One of the first frameworks on the market • Provides transparency • Develops framework for meeting financial disclosure requirements • Promotes better decision-making, enhances capital allocation • Supports regulatory and compliance initiatives • Creates a formal link between operational, financial and strategic decision-making within the organization

Present State of ERM • COSO’s key components to ERM (abridged) • COSO’s Application Techniques Document • 112 page document, 8 sections • 22 pages (20%) dedicated to quantification/assessment of key risks • Quantitative methods include probabilistic (3 pages), non-probabilistic, and benchmarking techniques

Present State of ERM • Probability-based techniques per COSO • “Measure the likelihood and impact of a range of outcomes based on distributional assumptions of the behavior of events” • “Include “at-risk” models (including value at risk, cash flow at risk, and earnings at risk), assessment of loss events, and back-testing” • “Generally non-normal distributions” • “Require collection of operational loss data categorized by root cause of the loss” • “Preliminary loss distributions developed and refined to take into account the organization’s risk responses”

Opportunity for the CAS • Actuaries are in the business of assessing, measuring and estimating risk • The added value that actuaries bring is their ability to provide • An objective & independent view of risk • A view that can incorporate both company specific and industry trends • Estimates of risk that are rooted in actuarial science (both science and art) • Experience dealing with uncertainty/risk • Actuaries currently focusing on insurance industry (Nov/Dec Contingencies) • Basel operational risk modeling gaining interest • Consider expanding scope beyond insurance & banking

Actuarial Modeling • Historically casualty risk modeling • Focused on standard casualty risks • Broke loss process into two components • Frequency (# of claims) distribution • Severity (size of claim) distribution • Benefit of historical industry loss data (in general) being readily available • Main mitigation under consideration is P&C insurance • Easy to model impact • Retentions, limits, aggregates, etc.

Actuarial Modeling • Next Generation • Considers universe of risks beyond those traditionally insurable • Many times, traditional coverage not available • Modeling mitigation can be more complex • Loss process likely more complicated than frequency & severity • Data availability may be limited • Creativity in querying universe of available data • Need for professional judgment • Consideration of upside potential of risk

Quantitative Modeling Methodology

Quantitative Modeling Methodology • Determine desired outputs, key performance indicators • Identify key activities or exposures at risk • Identify key events that could impact key activities or exposures at risk • Identify the potential consequences of the events (dollars, time, reputation, etc.) • Flowchart risk process - modular approach

Quantitative Modeling Methodology • Convert process flow of key risks into stochastic model (stochastic=dynamic and is the opposite of deterministic/fixed) • Build in probability distributions associated with events and consequences • Capture key performance indicators (losses, financial stats, net present values, etc.) • Consider correlation and causation

Quantitative Modeling Methodology • Required inputs driven by risk process and desired model output • Identify quantitative internal and external data sources • Identify qualitative data sources including those personnel who are most familiar with risk process • Determine appropriate probability distributions for events and consequences • Investigate correlation where appropriate

Quantitative Modeling Methodology • Combine modules to consider potential correlation (all or subset of identified risks) • Run Monte Carlo Simulation (e.g. 25K iterations) • Check results for reasonableness • Result is a distribution of potential outcomes that can estimate various statistics such as mean, standard deviation, etc.

Quantitative Modeling Methodology • Build in current and alternative mitigation strategies • Compare different strategies • Analyze risk/return (cost/benefit) of competing strategies • Consider expected value and distribution of modeled key performance indicators • Results aid in the capital allocation decision process by shedding light on expected cost and associated risk

Quantitative Modeling Methodology • Risk process, distributions, key performance indicators, etc. can change over time • As mitigation strategies are implemented, list of key risks that should be modeled may change • New risks may emerge in the future • Improvement of risk model through additional modules and refined risk process, inputs, parameters, etc.

Case Study • Biotech firm identifies manufacturing process as a key risk to the company • Concerned with • Impact due to disruptions from sole source suppliers • CAT risk to various locations critical to manufacturing process • Operational risks such as breakdowns at key steps in manufacturing process • Compliance risks

Case Study • Interested in building a model that could • Consider all identified key risks • Ability to turn off certain identified risks to understand impacts • Ability to measure risk/reward trade-off of various mitigation strategies • Diversify locations • Pre-qualify additional suppliers • Hold more safety stock at various stages • Black-box • Considers all risks (not just identified key risks) • Parameters updated daily • Can be run by the Treasurer’s admin assistant

Case Study • Begin with a high level draft of their operations • Based on initial conversations with Risk Management • Publicly available information

Case Study • Conduct interviews with key “risk owners” to refine view of operations • Better understanding of manufacturing process • Ideas and insights on mechanics of final model

Case Study • Construct model • Used Excel and @Risk as base • Due to complexity, need for database software to house results • Separate module for each step in the process • Dependencies between modules • Differing units of measure for each module – need for conversion • Build in • Loss events • Consequences • Some loss events impacted all operational modules (e.g. CAT) • Mitigation

Case Study • Meet with risk owners again • Walk through mechanics • Obtain buy-in • Identify parameters for distributions • For some risks, data to back up distributions available • For others, proxy parameters and professional judgment of risk owners relied upon • Run models • Do results make sense • Sensitivity test parameters

Case Study • Modeling to understand the company’s current risk profile is of interest • Does risk fall within risk bearing capacity and appetite constraints • What are key drivers of overall risks • More interesting question is cost/benefit of alternative mitigation strategies • Avoid, mitigate, mitigate & transfer or transfer • Insurance, captives, safety stock, prequalification, etc. • Helps to define management’s understanding of risk and their own appetite

Case Study • 2005 represents the 4th iteration • First, second and third versions of the model were not as complex • Started with much simpler views of the manufacturing process • Every year gained more understanding • Able to build on prior year’s model • Identified prior logic that no longer made sense • Always looking forward • In 2005, identified a number of items on the wish list for 2006 • Need to begin investigating alternative modeling platforms

Conclusion • ERM is gaining interest • Insurance companies • Financial institutions • All industries • ERM is both a quantitative and qualitative process • Actuaries’ understanding of risk can add tremendous value to the quantitative aspects of ERM • CAS Centennial goal • Participation in the quantification of operational, hazard and financial risks will also enable actuaries to develop new mitigation products for the market • Opportunity for strategic leadership role

