
Basics of Enterprise Risk Management (ERM): How to Get Started | Process Street

Organizations exist to create value for their stakeholders. By setting objectives, creating strategies, following through, and continuously improving processes, value is created.

That's the ideal scenario, at least. In reality, it's not always as simple as making a plan and sticking to it. There's always the risk that certain events could affect the success of those plans.

It's the job of management to make sufficient preparations to ensure that systems are in place to continue hitting goals, even when the beast of unforeseen circumstance rears its head.

Enterprise risk management (ERM) is a direct answer to these kinds of uncertainties, allowing management to oversee the continuous creation of value on a whole, integrated, organization-wide level.

By using an effective ERM system, you can rest assured that the organization will see a consistently high success rate in terms of hitting objectives and KPIs.

Stakeholders of all kinds, from customers and suppliers to government and regulatory bodies, are increasingly interested in how businesses are implementing ERM. A well-implemented ERM system can set the foundation for many high-quality, long-term client relationships.

Equally, not having a proper system for enterprise risk management could mean your business is perceived as less competent, and could even result in loss of clients and damage to brand image.

In this post, I'll discuss:

  • Introduction to and basics of enterprise risk management
  • Benefits of a well-implemented ERM system
  • Core concepts of ERM
  • Examples of different ERM approaches
  • The enterprise risk management process
  • Implementing ERM
  • Automating ERM

To start with, I'll break down the full scope of an ERM system, along with some basic definitions.

What is enterprise risk management (ERM)?

Enterprise risk management, often shortened to ERM, is a type of process management strategy that seeks to identify, understand, and prepare for the kinds of risks, hazards, and other potential deviations from standard operating procedures that could be perceived as risks.

“The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.” – The Committee of Sponsoring Organizations of the Treadway Commission (COSO), from Enterprise Risk Management – Integrating with Strategy and Performance

In addition to identifying risks, the practice of enterprise risk management also involves making preparations for dealing with these risks and deciding prioritization across multiple active or potential risks.

Plans, policies, and procedures for risk management should be made available as widely as possible; shareholders, stakeholders, investors, and other relevant parties should all have clear, direct access as part of documented information or regular reports.

ERM is used in all industries, including construction, finance, aviation, healthcare, energy, and marketing.

The International Organization for Standardization (ISO) defines risk management as:

“coordinated activities to direct and control an organization with regard to risk … [a] systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.” – ISO 31000 – Risk Management – Guidelines

Risk management is not a new concept; historically, companies would manage risk with insurance policies. Liability, malpractice, loss or damage, property insurance, natural disasters – different policies to “manage” different risks relating to different business activities.

In recent years, as standards for risk management have become more established and seen widespread adoption, risk management has become more akin to a business process management framework. That is to say, ERM systems will often focus more on the management of internal processes, using principles of continuous improvement, internal audits, and compliance with standards – seeking to reduce controlled risk as much as possible, as well as establishing preventative measures for risks and hazards outside the scope of control of business processes.

Let's take a look at some of the benefits of successfully implementing an ERM program.

Benefits of a well-implemented ERM program

It's essential that relevant interested parties understand the rationale for implementing ERM; that way the whole organization can be aligned toward a single common goal, and adoption will be streamlined. Making sure everyone understands the value and reasoning behind adopting an ERM system is one of the first steps to successful implementation.

Let's take a look at some existing research.

A 2008 Deloitte survey asked a group of respondents to identify the benefits of ERM, both in terms of how they felt benefits had already been experienced and how they thought benefits would manifest in the future.

Deloitte survey results: ERM benefits experienced

  • 34%: ERM created a risk-aware culture.
  • 29%: We can now identify and manage cross-enterprise risks.
  • 26%: ERM provided integrated management reporting.
  • 26%: ERM enabled a focus on critical risks.
  • 25%: ERM reduced vulnerability to adverse events.
  • 25%: ERM enhanced risk response decisions.

Deloitte survey results: ERM benefits anticipated in the future

  • 49%: Ability to link growth, risk, and return.
  • 44%: Ability to align risk appetite and strategy.
  • 44%: Ability to provide integrated responses to multiple risks.
  • 42%: Help to reduce operational surprises and losses.
  • 39%: Help to seize opportunities.

When devising initiatives for ERM implementation, companies should try not to focus too much on the negatives; risk management can and should be seen as an opportunity for process improvement.

Traditional approaches to risk management tend to focus heavily on the downsides, such as how much money could be lost, or the extent of damage done in a cyber-attack.

To focus on the potential for process improvement means using risk management as an opportunity to gain competitive advantages.

It also means processes can be improved and optimized, so that the end result is not only (for example) circumvention of potential disaster down the road, but near-term benefits and immediate advantages as a result of process changes.

Enterprise risk management: Core areas

Today, risk management has taken on a broader role, covering four core areas:

1. Hazard risk management

To evaluate hazards, risk managers follow these five steps:

  1. Identify exposures to risk
  2. Assess the frequency and severity of these exposures
  3. Identify alternative approaches (including process improvements)
  4. Select an alternative and implement it
  5. Monitor the implementation and adjust as needed

This process is focused on both preventative and disaster risk management.

While not specifically relating to any one framework of ERM, the example below clearly illustrates the relationship between risk, hazard, and exposure:

[Figure: diagram of the relationship between risk, hazard, and exposure (image and source link not preserved)]

2. Internal control

This is another way of saying the meta-processes that companies use to ensure that internal processes are being followed.

Internal control processes are also used to improve process efficiency in areas such as reporting, conformity, and general process effectiveness.

Larger organizations, especially those in highly regulated industries, will typically have elaborate and expansive systems of internal control.

3. Internal audits

Simply put, internal audits are used to make sure that internal controls are working properly. This is different from risk management – it's another meta-level process that looks instead at the value, efficiency, and effectiveness of the ERM processes.

Internal audits are concerned with how the risks are actually being managed in practice, and how this evidence sits in line with the documented policies and procedures of the ERM.

Teams of internal auditors will look at operating activities, consistency, and compliance. Results of the audit, including weaknesses and recommendations, are usually given in the form of an audit report.

4. Regulatory compliance

Certain rules and laws have to be followed by companies; this area of enterprise risk management concerns efforts to make sure these requirements are met.

For example, government bodies may issue requirements for site safety, environmental policy, social responsibility, or financial reporting.

Companies will often have a specialized compliance unit or officer who interprets these requirements, giving advice, training, and recommendations for conformance.

Examples of ERM approaches

Over the years, various frameworks for ERM have been established. Each of them describes a different approach to the identification, assessment, response, and general management of risks and opportunities.

Here are a few of the most prominent ERM approaches:

ISO 31000

ISO 31000 refers to a family of standards for risk management, defined by the International Organization for Standardization.

As well as the wider family of standards, ISO 31000 also refers to a specific standard within that family. ISO 31000:2018 is the latest version at the time of writing.

ISO 31000:2018 for risk management provides a set of guidelines for organizations to manage risk. It isn't a set of requirements, and as such cannot be certified to, unlike other ISO standards such as ISO 9001.

Other standards within the family include IEC/FDIS 31010 – Risk Assessment Techniques, which provides guidance on specific techniques for risk management.

Casualty Actuarial Society (CAS)

The Casualty Actuarial Society (CAS) is a society of professionals trained in the discipline of actuarial science, specializing in property and casualty insurance.

In 2003, the society's Enterprise Risk Management Committee defined ERM using two concepts: risk type, and risk management processes.

Of ERM they said the following:

“…the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.” – CAS ERM Committee, from Overview of Enterprise Risk Management

Examples of risk type include:

  • Hazards: e.g. natural disasters and property damage
  • Financial risks: e.g. asset, securities, or fiat currency risk
  • Strategic risks: e.g. business competition and trends
  • Operational risks: e.g. customer satisfaction, brand integrity, reputation, product faults and failure

Risk management process:

  1. Establish context: internal and external scope of the organization, and the scope of the ERM system
  2. Identify risks: As they relate to the organization's objectives; these should be well-documented and include the corresponding potential for gaining competitive advantage as a result of process improvement
  3. Analyze risk severity: For each of the risks identified, assess (and if possible, quantify) the severity of each risk
  4. Integrate risks: Based on the results of the previous risk analysis, aggregate all risk distributions and align the analysis with the determined impact on KPIs
  5. Prioritize risks: Determine a ranked order of prioritization for each of the risks identified
  6. Risk management strategies: This includes strategies for resolving and exploiting the risks identified
  7. Monitoring and reviewing results: The continuous improvement of the risk management process by means of monitoring and assessment of the risk environment; basically, what works and what doesn't, and figuring out how to improve the process

COSO

COSO is a joint US initiative established in 1985 to prevent corporate fraud. Their recently published Enterprise Risk Management: Integrating with Strategy and Performance (2017 Edition) states:

“Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.” – Enterprise Risk Management: Integrating with Strategy and Performance

The same publication goes on to organize the framework into the following five components:

[Figure: the five components of the COSO ERM framework (image not preserved)]

1. Governance and culture:
Enterprise risk management cannot succeed unless the organization seeks to fully integrate it within the culture of its workplace.

This relates to the ethics behind employee responsibilities, codes of conduct, and the proper understanding of risks, as well as all related management programs and solutions.

2. Strategy and objective-setting:
A fundamental part of ERM is ensuring that risk management strategies align with core objectives and broader business strategies.

Business objectives are the basis for planning and implementing strategies, while simultaneously serving as a launch-pad for identifying, assessing, and responding to risks.

3. Performance:
Assessing how certain risks will impact the performance of key processes is necessary for risk prioritization.

In this context, risks are prioritized in order of their severity.

Following this, risk responses are selected based on an assessment of the risk potential that has been identified. Results of this part of the process are often reported to key stakeholders.

4. Review and revision:
By reviewing the performance of risk management processes, organizations can determine how well the ERM program is working, including whether changes are needed.

5. Information, communication, and reporting:
ERM isn't a single checklist or a fixed set of steps; it's an ongoing process of collecting and assessing information from internal and external sources, across all parts of an organization.

The five components above are supported by a further set of principles. These principles are wide-ranging, covering everything from corporate leadership of the ERM program to risk monitoring methods.

Each of the principles is short and succinct; here they are, as they appear in Enterprise Risk Management: Integrating with Strategy and Performance (2017 Edition):

[Figure: the COSO ERM principles as listed in the 2017 edition (image not preserved)]

Organizations can use these principles as a clear reference point for contextualizing and evidencing their efforts to understand and strive for an enterprise risk management program that is firmly aligned with their strategy and business goals.

Enterprise risk management process

The process (or cycle) of enterprise risk management has five basic elements:

  • Objectives
  • Identification
  • Assessment
  • Response
  • Monitoring

1. Setting objectives and aligning ERM with business strategy

At the heart of the COSO ERM framework is the idea of using enterprise risk management to help the organization realize its business objectives.

ERM alone won't realize business goals; rather, the fruits of the ERM program are vital for strategizing to achieve and exceed those business goals.

Using an ERM framework helps to ensure that a business is able to align objectives with mission, vision, and core values.

2. Identification and documentation of risks

Risks are to be considered as anything that could potentially impact the successful achievement of business objectives. All risks should be clearly identified and well-documented.

That includes everything from larger, more significant risks, all the way down to smaller risks at the level of individual tasks or processes.

In order to effectively identify risks, a clearly defined process is required to systematically assess each area of operation.

3. Assessment of documented risks

Simply identifying risks isn't enough; the impact of each risk should be understood, as well as its likelihood, within an estimated time frame.

Once significant risks have been adequately documented, the next process is to assess them in terms of their probability and estimated significance.

Sometimes it's difficult or impossible to accurately predict the probability or time frame of certain risks, for example natural disasters. Nonetheless, this exercise must be performed to the best of the organization's ability, and across all levels.

This process is particularly important to make sure that all documented risks have substantial credibility. Off-the-cuff suggestions recorded in group brainstorming sessions might have sounded good at the time, but they need to stand up to further scrutiny. Qualitative and predictive analysis will help sort the risks by order of significance.

Various methods exist for the assessment of documented risks, from simple qualitative approaches like the prioritization matrix, to more in-depth mathematical models.

The point of this process is to help management decide which risks deserve the most immediate attention.

Another option is to create a heat map of risk significance. The purpose of a heat map is to support the results of a risk assessment with an illustration, to supplement an active discussion on how the results compare with an organization's current risk appetite, and to identify urgent solutions that may need implementing.

Below is a simplified example of a post-prioritization risk assessment heat map which excludes lower priority risks, where impact is quantitative (e.g. financial losses) and likelihood is the probability of occurrence within a given time period. The graph is adapted from AICPA's Enterprise Risk Management: Guidance for Practical Implementation and Assessment (2018):

[Figure: simplified risk heat map plotting impact against likelihood, adapted from AICPA (2018) (image not preserved)]
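As an added illustration of how the impact and likelihood figures behind such a heat map can be turned into a ranked register (this is example code, not from the article or the AICPA guidance), the Python below scores a constructed sample register, bands each risk into a heat-map cell, drops the lower-priority cells as the figure does, and flags any risk whose expected loss exceeds an assumed risk appetite. The band thresholds, the appetite figure, and the sample risks are all assumptions.

```python
"""Risk register scoring and heat-map bucketing for an ERM assessment.

Added example, not code from the Process Street article or the AICPA guidance.
Band thresholds, the risk appetite and the sample risks are constructed
assumptions; an organization would derive them from its own appetite statement.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # estimated monetary loss if the risk materializes
    probability: float  # probability of occurrence within the assessment period

    def __post_init__(self) -> None:
        # Reject register entries that cannot be placed on the heat map.
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact must be non-negative")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie in [0, 1]")

    def expected_loss(self) -> float:
        return self.impact * self.probability


# Assumed band thresholds, highest first; the first threshold the value meets wins.
IMPACT_BANDS = [(1_000_000, "high"), (100_000, "medium"), (0, "low")]
PROB_BANDS = [(0.5, "high"), (0.1, "medium"), (0.0, "low")]
PRIORITY = {"low": 1, "medium": 2, "high": 3}


def band(value: float, bands) -> str:
    for threshold, label in bands:
        if value >= threshold:
            return label
    return bands[-1][1]


def heat_map_cell(risk: Risk) -> tuple:
    """(impact band, probability band): the cell the risk occupies on the heat map."""
    return band(risk.impact, IMPACT_BANDS), band(risk.probability, PROB_BANDS)


def priority_score(risk: Risk) -> int:
    """Impact rank times probability rank: 1 (low/low) up to 9 (high/high)."""
    impact_band, prob_band = heat_map_cell(risk)
    return PRIORITY[impact_band] * PRIORITY[prob_band]


def prioritize(risks, risk_appetite: float, min_priority: int = 4):
    """Rank risks for the post-prioritization heat map.

    Risks scoring below min_priority are excluded, as the figure on the page
    excludes lower-priority risks. Each result is
    (name, heat-map cell, priority score, exceeds_appetite), where
    exceeds_appetite is True when expected loss is above the risk appetite.
    """
    kept = [r for r in risks if priority_score(r) >= min_priority]
    kept.sort(key=lambda r: (priority_score(r), r.expected_loss()), reverse=True)
    return [
        (r.name, heat_map_cell(r), priority_score(r), r.expected_loss() > risk_appetite)
        for r in kept
    ]


# Constructed sample register, loosely following the kinds of risk the article mentions.
SAMPLE_RISKS = [
    Risk("Natural disaster at main site", 5_000_000, 0.02),
    Risk("Human error in manual review steps", 150_000, 0.70),
    Risk("Partner fails to pay on time", 800_000, 0.30),
    Risk("Theft of shipment in transit", 1_200_000, 0.60),
    Risk("Seasonal demand shift", 200_000, 0.05),
]

if __name__ == "__main__":
    for name, cell, score, over in prioritize(SAMPLE_RISKS, risk_appetite=500_000):
        print(f"{score} {cell} {name}" + (" (exceeds appetite)" if over else ""))
```

Note that the high-impact, low-probability natural disaster drops out of the filtered map even though its raw expected loss is not small; that is exactly the kind of result the page suggests discussing against the organization's risk appetite rather than accepting from the chart alone.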

4. Risk response

Risk response is meant to work out how to respond to the high-priority risks.

The responsibility falls to management to carefully review the probabilities and estimated impacts of each risk, and to consider all associated costs and benefits in developing an appropriate risk response strategy.

Risk response falls into four categories of its own:

Avoidance

As the name clearly suggests, this type of risk response involves simply “walking away” from the risk.

For example, a company may decide to relocate based on risks resulting from certain geopolitical pressures, or completely abandon a product or service that is proving to be particularly risky.

Sometimes it will be too late to avoid risks, because the damage has been done and the costs incurred.

That's why preventative measures and adequate assessment of potential risks are so important – to keep the avoidance response on the table.

Reduction

Generally, risks can be reduced in a number of different ways.

Diversifying a product line may reduce the risk posed by changing trends or seasonal buying; using multiple stop-gaps for fault tolerance, like offline backups and multiple operations centers, will reduce the risk posed by natural disasters; automating certain tasks in a process will reduce the risk of human error; and so on.

Simple tweaks to standard operating procedures, even seemingly mundane changes like ensuring staff are properly informed on company policies, can often result in a significant reduction of risk.

Sharing

Risk “sharing” is the principle of purchasing insurance to hedge or offset risks.

To use a financial example, the concepts of short calls and long puts allow investors to hedge their bets on price movements.

Joint venture agreements may also mean companies share potential risks and rewards.

Basically, risk sharing is the idea of having a portion of the risk offloaded onto another party, with the understanding that you're substituting the perceived “value” of that risk for a more tangible monetary value.

Acceptance

To accept a risk is to take no action.

Rather than buying an insurance policy, a business may decide to “self-insure”. This may take the form of setting aside assets to deal with certain risks, should they manifest.

5. Risk monitoring

Identifying risks isn't something that's done once – like continuous improvement, it's an ongoing process.

The context in which certain risks are identified is constantly changing, and as such risks need to be monitored to regularly determine the significance they represent.

Sometimes, changing circumstances may lead to a risk becoming even greater. A clear example of this is geopolitical unrest. Organizations need proper methods in place to monitor and respond to changes in circumstances and adequately determine whether identified risks still pose a threat.

The case of the Russian frozen chickens: A lesson in enterprise risk management

To supplement your understanding of enterprise risk management, I have adapted a case from John J. Hampton's Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity.

The case examines four aspects of risk identified in pursuit of a risk opportunity related to the export of a cargo of frozen chickens from Virginia and North Carolina to St. Petersburg, Russia.

The company planned to load a number of 60-80 pound boxes on pallets for an ocean voyage. However, the port of St. Petersburg had no shoreside refrigeration to allow quick unloading of an expensive reefer vessel.

Expropriation risk

If the ship spent too long docked in St. Petersburg waiting for containers to offload the cargo, it would incur significant charges for delayed operations.

One solution would be to build a warehouse, but the risk manager identified an expropriation risk.

A case from the mid-1990s was cited: a European-invested hotel in St. Petersburg incurred hefty fines after the Russian authorities discovered it was using a foreign bank account to handle dollar transactions. The result was the expropriation of the hotel premises by the Russian government.

While the risk manager knew she could obtain reimbursement insurance from a U.S. government agency, insuring against the identified expropriation risk didn't seem to be the answer.

Subsequently, the company opted to seek a strong Russian partner with high-level government connections and allow the partner to accept the expropriation and storage exposure.

Lesson learned: Investigate all options for risk reduction. Don't assume that the obvious strategy is the best answer!

Credit risk

So far so good; the company had a strong Russian partner. This was also bad news, as it created a credit risk.

How could the U.S. company be sure that the Russian partner paid in a timely manner? It wasn't realistic to ask for an up-front payment, nor was it reasonable to obtain a letter of credit guaranteeing future payment.

As it transpired, the Russian partner was not able to pay for the first cargo shipment until 30 days after receiving it. To deal with this problem of credit exposure, an agreement was made that the Russian partner would pay for one cargo before it received the next.

This mitigated exposure to credit risk because the stream of income from a series of cargo shipments was significantly larger than a default payment on a single cargo.

If the Russian partner didn't pay by day 45 after receipt of a cargo, the ship carrying the next cargo would be diverted from Russia to a northern European port.

Lesson learned: Give other parties incentives to help your organization mitigate risk.

Physical security risk

Once the Russian partner accepted the chicken in St. Petersburg, the cargo was transported by rail to Moscow, Yekaterinburg, and beyond in locked refrigeration containers loaded onto flat railcars.

On the fifth trip, one of the containers was found to be empty when it arrived in Moscow after the three-day trip from St. Petersburg. The shipment had been stolen.

At this point, the partner was facing a physical security risk.

Two viable strategies were identified:

  1. Purchase insurance
  2. Door-to-door container placement, so that the doors couldn't be opened if the locks were broken

The first strategy was dismissed quickly. Who would insure a cargo with an already-existing high probability of loss? Premiums would be prohibitively high.

The second strategy was chosen.

This proved effective for a time; however, the story was not over. Several trips later, another container arrived empty.

Realizing that someone had a crane on a siding when the train stopped in the middle of the night, the Russian partner considered what else should be tried.

Eventually, the problem was solved by putting a boxcar on the back of the train. The car had fitted heaters and cots, and carried guards armed with Kalashnikovs. Every time the train stopped, the guards stepped out to protect the containers.

Lesson learned: Sometimes it's worth sticking with a risk management strategy, tweaking and fine-tuning the solution until the problem is solved. Not everything will work out-of-the-box.

Upside of risk

While the security situation on Russian railroads has improved significantly since the 1990s, this story also identifies the upside of risk.

Once the cargo was being protected by armed guards, the Russian partner had the opportunity to offer insurance services to third parties to protect their cargoes as well as the frozen chickens.

The cost incurred from managing the risk with the paid armed guards and rear boxcar would, in that case, be offset by the confidence that the train would experience no losses, and by the additional income from the insurance services offered.

Lesson learned: Risk management doesn't end with the mitigation of risk – always look for an upside!

Manage your risks with automation

You can also examine the potential for automating elements of your ERM system.

Much of the implementation of an ERM system is a one-time process, but just as many, if not more, of the tasks involved in the continuous maintenance and improvement of an ERM system may be repetitive manual work.

For example, many repetitive tasks for review and revision of risk contexts may have to be completed over and over again. Processes can be long, complicated affairs, and the very process of carrying out an ERM implementation carries risks of its own!

For example, human error is a major cause of process failure.

By automating these manual tasks, you reduce the potential for human error to occur.

Process Street is business process management software designed to remove manual work from your daily tasks.

We have a huge library of pre-made templates, all of which are free to use.


How do you approach enterprise risk management? Do you use any particular frameworks, tools, or approaches? Let us know in the comments below!