
Enterprise risk management framework

Establishing an enterprise risk management framework will give your organization a structure for your risk management efforts, delivering greater consistency and reliability. It enables you to get a clear picture of the risks you face.

An ERM framework doesn’t exist in a vacuum, though. It is the guide for putting your ERM strategy into action. So what exactly is an ERM strategy, and how does it shape your framework? With a number of enterprise risk management frameworks available, choosing one can be a challenge even after you’ve created a strategy. How do you determine the best ERM framework for your organization? And once you’ve made that assessment, how do you implement the framework you’ve chosen?

What is enterprise risk management?

Enterprise risk management is an approach for identifying and mitigating risks across the organization that could threaten performance.

It is proactive and forward-looking, rather than reviewing risks that have already happened, as traditional risk management tends to do. Unlike traditional risk management, ERM also looks at the “opportunity” certain risks present rather than focusing on total risk avoidance. This makes ERM a strategic tool for boards, rather than the reactive process traditional risk management can be.

You can read more about enterprise risk management and how it differs from integrated risk management in our article on ERM vs. IRM.

Types of enterprise risk

Organizations face countless different types of risk: financial, cyber, environmental and more. However, some types of enterprise risk are more common than others. Most enterprise risk management strategies should account for the following risk types:

  1. Strategic risk: These risks would directly interfere with an organization’s ability to achieve its strategic objectives.
  2. Operational risk: These risks arise during day-to-day activities, including weaknesses in processes, policies or systems.
  3. Compliance risk: As the name implies, these risks happen any time an organization is non-compliant with laws and regulations.
  4. Financial risk: Companies exist to make money, and financial risks are anything that prevents companies from doing so.

Why is ERM important?

ERM is important because it helps the organization create more value. Though risk is generally something to be avoided, with the right ERM strategy, it can actually be something to embrace. The more risks you can identify, the more you can either mitigate or turn into a value add for the entire organization.

ERM also helps organizations:

  1. Avoid loss: Organizations that proactively identify risks can address them before they develop into costly threats.
  2. Make better decisions: ERM zeroes in on the risks most likely to interfere with the strategic objectives. With fewer risks to analyze, data is more accurate and timely, empowering boards to act more strategically.
  3. Define roles and responsibilities: To effectively manage risk, leadership needs to assign ownership of risks to different people or departments. ERM facilitates greater accountability around risk, making it easier to mitigate.
  4. Create a culture of compliance: ERM reduces risk by making it an organization-wide initiative. This engages employees at all levels in managing risk, yielding a more compliant culture.

The relationship between strategy and ERM

Enterprise risk management is a methodology, but it’s also a strategy that governs an organization’s view of and response to enterprise risks. At the same time, ERM safeguards the broader corporate strategy and objectives; ERM addresses any risks that may threaten it.

But how exactly does ERM advance risk management from being reactionary to strategic? With the right framework, ERM:

  1. Identifies risks before they happen
  2. Creates a holistic view of significant risks
  3. Assesses risk through the lens of its impact on objectives
  4. Decreases the occurrence of risks that threaten objectives

In that way, modern organizations can’t achieve their strategic objectives without an equally strategic approach to ERM. Boards should treat ERM like a meteorologist — forecasting the winds that would either help or hinder the organization as it advances to new frontiers.

Elements of an effective enterprise risk management strategy

An enterprise risk management strategy has several different pieces, all of which work together to inform how the organization approaches enterprise risk. As you develop your own ERM strategy, consider:

  • What drives revenue: ERM protects revenue against risks. To develop an ERM strategy, you need to understand where that revenue comes from. Is it a product? A set of operations? The strategy you set should secure that value driver.
  • The corporate strategy: In addition to what drives revenue now, what is anticipated to drive revenue based on the corporate strategy? The ERM process should account for both.
  • Risk identification: The next step is to identify risks that could inhibit the organization from achieving its objectives. Consider both existing and emerging risks that could impact organization performance.
  • Components of ERM: There are nine different components an ERM strategy needs. Now that you know what ERM should achieve, consider how that applies to elements ranging from your internal environment to your risk reporting.
  • ERM framework: The above elements of your ERM strategy then fold into an ERM framework, which is the game plan organizations can follow to ensure risks don’t develop.
  • ERM reporting: Monitoring is key to ERM since even the best strategies will need to evolve over time. Reporting gives the board visibility into ERM performance and informs how the strategy can improve.
  • ERM maturity model: Finally, organizations should consider how their ERM will mature. As organizations engage with ERM, they may use new, more comprehensive models that better suit the newfound complexity of their strategy.

What is an enterprise risk management framework?

An enterprise risk management framework puts rigor around your ERM strategy, helping you execute performance-enhancing ERM. It provides structure, consistency and the assurance that you have covered all the necessary issues.

An ERM Framework can help leadership understand, prioritize and act on key risks. It can help those on the ground implement risk-management programs in line with regulatory, organizational and best practice guidelines. It can help to drive a consistent risk-management culture, where the chance of risks “slipping through the cracks” is minimized.

How to develop an enterprise risk management framework

What are the components of an ERM framework? There are a few steps to building an enterprise risk management framework.

1. Set up a senior-level steering committee

It’s vital to have senior leadership on board to drive the development of your ERM framework forward. As well as signaling the importance of the project to the rest of the workforce, your committee will play a key role in determining accountabilities and roles within the ERM framework.

2. Ensure everyone has a shared understanding of risk

As with all big topics, understanding and terminology around risk can vary widely within a business. Establishing common terms and a consistent frame of reference is an essential early step.

3. Set out roles and responsibilities

Who will take responsibility for what in your enterprise risk management strategy? There are roles not just for your board and senior leaders; management, business unit leaders and people throughout each function all have a part to play, and you must clearly set out their roles.

ERM is far from being the preserve only of your compliance, risk and internal audit teams — but their expertise will mean they have central roles in the process.

4. Identify your risks

Your business units need to work with your risk management team to build a comprehensive list of your organizational risks. Review your risks, including their severity and likelihood, the internal controls that manage them and your approach to mitigating them.

5. Document your risks and risk appetite

Once you’ve identified the organization’s risks, ensure every business area captures them in a formal statement. That statement should document not just your risks but your approach to dealing with them. Which risks should you avoid at all costs, and which can you tolerate? Are there risks you should actively take, because the potential opportunity outweighs the threat?

6. Prioritize all your risks

Prioritize the risks you face and put mitigation plans in place for those you cannot avoid.

7. Establish an ERM methodology

This means putting in place consistent and agreed definitions of key terms (does everyone understand the same thing by the word “risk,” for example?), roles, and processes to identify, review, measure and report the risks you face.

Many established ERM frameworks exist (and we look in more detail at these below). Explore whether you can draw on, adopt or adapt an existing framework.

8. Monitor and report on the risks you face

ERM — and implementing an ERM framework — isn’t a “once and done” exercise. It involves continuous monitoring of the risks you face; these will change regularly in today’s volatile world. Therefore, your ERM framework needs to be agile, adaptable and reviewed periodically to make sure it still aligns with the threats your business faces.

Examples: Leading enterprise risk management frameworks

Organizations need to weigh the positives of using a tried-and-tested framework against the potential benefits of developing a customized ERM framework. Using an existing framework enables you to draw on the experience of others, so it’s worth exploring some current examples of enterprise risk management frameworks.

What is the best enterprise risk management framework? A number of ERM frameworks exist, including:

The Casualty Actuarial Society (CAS) ERM framework

Along with the Society of Actuaries (SOA) and the Canadian Institute of Actuaries (CIA), the Casualty Actuarial Society (CAS) sponsors a risk management website. The site includes resources companies can access on ERM, including an ERM framework.

The COSO ERM Integrated framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework is titled Enterprise Risk Management—Integrating with Strategy and Performance. The COSO enterprise risk management framework incorporates guidelines from the Sarbanes-Oxley Act (SOX), and as such, its purpose is aligned closely with the needs of businesses that must comply with SOX: financial institutions, banks and other large corporations within the scope of SOX regulation.

The ISO 31000 ERM framework

The ISO 31000:2018 Risk Management framework is an international standard built by the International Organization for Standardization (ISO). It is a cyclical framework that delivers risk management guidelines and principles.

ISO reviews the standard every five years to keep pace with changes in the risk landscape. Organizations can customize it to their own context, which makes it relevant across sectors and organization sizes.

The NIST ERM framework

The National Institute of Standards and Technology (NIST) framework focuses on cybersecurity, aimed at organizations doing business with U.S. government agencies.

The COBIT ERM framework

The COBIT ERM framework was designed by the Information Systems Audit and Control Association (ISACA) to join the dots between technical and strategic risks, recognizing that technology risks now pervade all areas of organizations and are not confined to the IT department.

The RIMS Risk Maturity Model® ERM framework

The Risk Management Society’s RIMS Risk Maturity Model® provides standardized criteria by which organizations can benchmark risk management strategies, assess the maturity of their risk mitigation programs and identify strengths, weaknesses and next steps.

Frequency of enterprise risk management framework review

How often is the enterprise risk management framework reviewed? As we noted above, the environment in which you carry out risk management is constantly evolving. In a volatile world, you must regularly revisit your approach to risk to ensure it positions you firmly to counter emerging threats.

The same is true of your enterprise risk management framework. As noted above, some of the ERM framework examples are reviewed on a set timeframe. Whether you adopt or draw from existing frameworks or create your own bespoke ERM framework, regular reviews of your framework’s process, structure, and steps are essential.

Evolve your business with enterprise risk management

Enterprise risk management is a journey, not a destination. You assess your objectives, identify risks and implement an ERM strategy, one that will grow along with your organization. You’ll then put an ERM framework in place to guide the day-to-day execution of ERM practices. This, too, will grow over time.

Though it’s true that any ERM strategy has to start somewhere, spreadsheets and documents won’t always be enough to provide the security modern businesses need. Enterprise Risk Management from Diligent, also part of the Diligent One Platform, has the tools to evolve your business and ERM. It showcases strategic risk, detects emerging risks so you can quickly take action and makes ERM more efficient — all of which are key to optimizing your performance no matter how the risk landscape changes.


© 2024 Diligent Corporation. All rights reserved.