Integrated Enterprise Risk Management, ERM Framework

Enterprise risk management (ERM) is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster both physical and figurative that may interfere with an organization’s operations and objectives.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization’s objectives (threats and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, data protection and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.

According to Thomas Stanton of Johns Hopkins University, the point of enterprise risk management is not to create more bureaucracy, but to facilitate discussion on what the really big risks are.

The discipline not only calls for corporations to identify all the risks they face and to decide which risks to manage actively, but it also involves making that plan of action available to all stakeholders, shareholders and potential investors, as part of their annual reports. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all utilize ERM.

Companies have been managing risk for years. Historically, they’ve done this by buying insurance: property insurance for literal, detrimental losses due to fires, thefts, and natural disasters; and liability insurance and malpractice insurance to deal with lawsuits and claims of damage, loss, or injury. But another key element in ERM is a business risk that is, obstacles associated with technology (particularly technological failures), company supply chains, and expansion and the costs and financing of the same.

More recently, companies have managed such risks through the capital markets with derivative instruments that help them manage the ups and downs of moment-to-moment movements in currencies, interest rates, commodity prices, and equities. From a mathematical point of view, all of these risks or “exposures” have been reasonably easy to measure, with resulting profits and losses going straight to the bottom line.

Modern businesses, however, face a much more diverse collection of obstacles and potential dangers. How companies manage the risks that defy easy measurements or a framework for management also falls under the ERM umbrella. These potentials for exposure include crucial risks such as reputation, day-to-day operational procedures, legal and human resources management, financial, the risk of failure of internal controls systems related to the Sarbanes-Oxley Act of 2002 (SOX), and overall governance.

ERM frameworks defined

There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:

• Avoidance: exiting the activities giving rise to risk
• Reduction: taking action to reduce the likelihood or impact related to the risk
• Alternative Actions: deciding and considering other feasible steps to minimize risks
• Share or Insure: transferring or sharing a portion of the risk, to finance it
• Accept: no action is taken, due to a cost/benefit decision

Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.” The CAS conceptualized ERM as proceeding across the two dimensions of risk type and risk management processes. The risk types and examples include:

Hazard risk

Liability torts, Property damage, Natural catastrophe

Financial risk

Pricing risk, Asset risk, Currency risk, Liquidity risk

Operational risk

Customer satisfaction, Product failure, Integrity, Reputational risk; Internal Poaching; Knowledge drain

Strategic risks

Competition, Social trend, Capital availability

The risk management process involves:

• Establishing Context: This includes an understanding of the current conditions in which the organization operates on an internal, external and risk management context.
• Identifying Risks: This includes the documentation of the material threats to the organization’s achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage.
• Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
• Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization’s key performance metrics.
• Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
• Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
• Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.

The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components – additional components highlighted – are:

• Authority and pledge to the ERM
• RISK Management policy
• Mixer of ERM in the institution
• Risk Assessment
• Risk Response
• communication and reporting
• Information and Communication
• Monitoring

The four objectives categories, additional components highlighted are:

• Strategy: high-level goals, aligned with and supporting the organization’s mission
• Operations: effective and efficient use of resources
• Financial Reporting: Reliability of operational and financial reporting
• Compliance: Compliance with applicable laws and regulations