(March 2011) – While taking risks is sometimes necessary for making strides in business, managing risk is a critical step. Assessing how much risk you can handle and how to minimize your vulnerability in risk-taking remains an essential component for savvy managers and business owners.
Traditional Risk Management
Traditional risk management methods and methodologies have often utilized a bottom-up approach. The primary focus is to identify a specific asset, such as information, that is critical to the organization and assess the risks that affect it. The approach clearly attempts to fix only a part of the problem. By employing a bottom-up approach, traditional risk management methods tend to ignore the opportunity inherent in every risk.
In contrast, a top-down approach takes the larger, holistic picture into consideration. A risk management method should be able to, at least reasonably, ensure successful avoidance of risk and optimization of opportunity. The need is for a goal-oriented risk management method.
Enterprise Risk Management
Organizations fundamentally must create value for stakeholders. This value can be created, preserved, or eroded by the decisions and choices that an organization’s management makes. To ensure that this value is maximized, the Enterprise Risk Management (ERM) framework helps deal with future uncertainties by reducing downside outcomes and increasing upside outcomes.
The main premise of the ERM framework is to assess the risks that threaten an organization’s primary goals and objectives. If an organization institutes countermeasures to address all undue risks and never loses sight of its objectives, successful risk management follows in a manner that supports the organization’s pursuit of its mission goals.
The ERM framework essentially proposes that an organization’s focus should not be on minimizing overall risk, but on maximizing the risk-return equation instead. This method enables clear and decisive risk response and helps manage risks across departments, branches, international offices and across the enterprise. The ERM methodology also helps proactively identify issues that could turn into threats.
At the end of an ERM implementation project, an organization’s management will have a portfolio view of the risks they face in the pursuit of their goals and objectives. This view is critical to an organization because it spans across the enterprise as a whole and also considers the fact that risks correlate and interact with each other to affect an organization holistically.
The ERM Framework
The ERM framework consists of eight inter-related components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Each is discussed below.
Image Source: COSO Enterprise Risk Management Framework (image not reproduced)
Internal Environment
The internal environment of an organization is the foundation of a successful ERM implementation. The key questions to answer at this stage are:
- What is the organization’s risk philosophy?
- How are risk and control viewed and addressed?
- Can the foundation sustain an ERM framework?
The ethics and integrity of the senior management in an organization are vital drivers of a robust internal environment. It is important to have senior management set the tone to ensure that the message is clearly heard throughout the organization.
A useful tool to periodically assess the internal environment is an internal environment survey. This survey should cover the key areas of leadership and strategy; goals, objectives, and impediments; policies, accountability, and reinforcement; people and communication; and feedback and monitoring. By conducting these surveys from time to time, an organization can obtain a clear picture of whether its internal environment is robust enough to sustain an ERM framework.
Objective Setting
This phase of the ERM implementation involves identifying the main objectives of the organization. The first step is to identify the risk strategy that the organization will use. The next step is to establish a risk appetite. The risk appetite is the amount of risk that the organization’s management is willing to accept in pursuit of the organization’s objectives.
Once a risk appetite is determined, it is important to establish a risk tolerance. The risk tolerance is the amount of variation in the organization’s objectives that is acceptable to the management and the board.
When setting objectives, an organization must be realistic about the objectives that will be pursued. Organizational objectives must be set cautiously. An analysis of the organization’s strengths, weaknesses, opportunities, and threats (SWOT analysis) can go a long way toward keeping that thinking grounded in reality. When objectives are identified, management should also ensure that a metric is tied to each objective so that progress is measurable. You can’t track what you can’t measure.
Event Identification
Once an organization has decided upon the objectives to be pursued, the next step is to identify events that can directly or indirectly affect these objectives or the efforts to achieve them. At this stage, it is important to differentiate between risks and opportunities. Opportunities can, at times, offset the effects of risks.
One of the main aims of the ERM implementation team during the event identification phase should be to understand the micro-process flows and workings of each department and functional business unit that will play a part in pursuit of the organization’s objectives. This understanding will help the ERM team factor in the interdependencies of processes across the enterprise. It is at this stage that a risk portfolio must be created to provide a single view of all the risks faced by the organization’s objectives.
Risk Assessment
The risk assessment phase is the most critical one in the ERM framework. The ERM team must identify exactly to what extent the events identified in the previous phase can impact organizational objectives. Using a hybrid method to include both quantitative and qualitative aspects, the team must assess and analyze the impacts and likelihoods associated with each event. Once the risk assessment is complete, a risk map can be created that highlights the findings of the risk assessment. The map should depict key risks faced and also factor in the risk appetite of the organization.
During the risk assessment phase, the ERM team must also perform a comprehensive information technology (IT) risk assessment. The goal of this risk assessment is to ensure that the organization’s critical information systems can fully support and further all organizational objectives.
Risk Response
The risk response phase of an ERM implementation is what enables an organization to address its risks adequately.
The findings of the risk assessment must be analyzed in order of priority by the ERM team, along with a detailed cost-benefit analysis to guide senior management in developing a risk response. An organization can choose to mitigate (control) a risk, share it, or simply accept it.
Control Activities
Once management decides upon the risk responses to be initiated, the ERM team should create a risk register that outlines all the possible risk treatment options available to the organization per risk identified. This must be done in close consultation with the various departments associated with each risk. The risk register must detail risk treatment procedures and be approved by management for implementation.
Information and Communication
The information and communication phase of the ERM implementation begins with the establishment of accountability. The first kind of accountability comes with allocating a risk responsibility to a specific individual for each risk identified. This person or team then becomes the risk owner.
The second kind of accountability allocates specific timeframes for the implementation of the identified risk responses. Once these are communicated across the organization, a visible and predictable path is available for the organization to proceed with.
Another important role played by this phase is that of tracking and reporting key metrics. An organization should, ideally, appoint an information officer to track and report the key metrics, identified during the objective setting phase, to senior management in a formal and documented manner.
Monitoring
The last phase of the ERM framework implementation is the monitoring phase. The information officer must keep an eye on the key metrics to ensure that they remain within the organization’s risk tolerance levels at all times. Any warning signs noted must be escalated to senior management immediately.
When a warning sign indicates that risk tolerances are about to be exceeded, corrective actions must be strategized and implemented. The information officer must then track whether the corrective actions are having the desired effect. It is also a good idea to have an independent third party evaluate the ERM framework implementation on a periodic basis.
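The following is an added example (not from the original article or from COSO) that turns the Risk Assessment and Monitoring phases above into a small working model: each event in the risk portfolio is scored on likelihood and impact, ranked into a risk map against a risk appetite, rolled up into a per-objective portfolio view, and the key metrics from the objective setting phase are checked against their risk tolerances so breaches can be escalated. The 1–5 scoring scale, the appetite threshold of 9, and all events, metrics and tolerances are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEvent:
    """One event from the risk portfolio, scored 1..5 on each axis (assumed scale)."""
    name: str
    objective: str    # the organizational objective the event threatens
    likelihood: int   # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def risk_map(events, appetite):
    """Rank events by score and flag those whose score exceeds the risk appetite."""
    ranked = sorted(events, key=lambda e: e.score, reverse=True)
    return [(e.name, e.score, e.score > appetite) for e in ranked]

def portfolio_view(events):
    """Per-objective view: highest single score and number of events per objective."""
    view = defaultdict(lambda: {"max_score": 0, "events": 0})
    for e in events:
        entry = view[e.objective]
        entry["max_score"] = max(entry["max_score"], e.score)
        entry["events"] += 1
    return dict(view)

def tolerance_breaches(metrics, tolerances):
    """Monitoring check: metrics whose deviation from target exceeds tolerance.
    metrics = {name: actual}; tolerances = {name: (target, allowed_abs_deviation)}.
    Returns (metric, actual, target) triples that should be escalated."""
    return [(name, metrics[name], target)
            for name, (target, allowed) in tolerances.items()
            if abs(metrics[name] - target) > allowed]

# Constructed sample register and metrics (hypothetical, not from the article)
SAMPLE_EVENTS = [
    RiskEvent("Key supplier outage", "Deliver product on time", 3, 4),
    RiskEvent("Data centre power loss", "Maintain service availability", 2, 5),
    RiskEvent("Key staff attrition", "Deliver product on time", 3, 2),
    RiskEvent("Currency fluctuation", "Meet revenue target", 4, 2),
]
RISK_APPETITE = 9  # assumed: scores above this exceed what management accepts
SAMPLE_METRICS = {"on_time_delivery_pct": 88, "uptime_pct": 99.7, "revenue_vs_plan_pct": 96}
SAMPLE_TOLERANCES = {"on_time_delivery_pct": (95, 5), "uptime_pct": (99.9, 0.5),
                     "revenue_vs_plan_pct": (100, 3)}
```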
Goal Oriented Risk Management
The ERM framework is more than a methodology; it enables precise and goal-oriented management of enterprise risks. Goal orientation has always been encouraged in every aspect of work culture and ethics, and it has now become critical and standard practice to apply it to risk management methods as well. The ERM framework ensures that while parts of an organization function independently, the larger objectives of the organization, as a whole, are always in sight.
One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.
- Arnold Glasow
American Humorist