Risk Management Blog
Content for Risk Management Professionals
December 31, 2018
The day is coming when risk managers will no longer pull risks out of a hat and decide their fate within the organization. Instead, risk managers should begin shifting their focus to a more strategic approach, one where the goal is to get the entire organization to pursue long-term success by recognizing the link between risk and strategy. Enter: Enterprise Risk Management (ERM).
Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
If you take a look at recent corporate scandals resulting in financial and reputational damage to the organizations involved, the common thread is that risks were not identified and mitigated across the entire enterprise. Rather, symptoms of risks were addressed as they occurred (the old pull-a-risk-out-of-a-hat trick) and “treated” in silos. To properly identify root-cause risk, organizations must employ an effective enterprise risk management program.
ERM isn’t a new concept. It has lain dormant all along, going undisturbed for a few reasons:
The key to getting the ball rolling is to focus on what is mission-critical to the organization when speaking with management and the board. If you can find out what is mission-critical and what impacts your organization is willing to tolerate from those exposures, you’ll find the lines between risk management, continuity planning, and strategic planning begin to blur.
Using this mission-critical lens makes ERM manageable and shows you how the former silos are actually pieces of the same puzzle. Strategic planning is planning for growth, risk management allows you to remove vulnerabilities that can interrupt that growth, and continuity planning identifies and reduces potential threats to sustainability.
If a risk manager is able to successfully talk to management and the board about the organization’s definition of mission-critical, its impact, and its tolerances, they’ll have talked about ERM without management and the board even realizing it. They’ll have awakened the sleeping giant, and will finally be able to give it a name and a shape.