EpSILOn

It is my 5th post! A perfect post to summarize my way of defining risk management.

The definition of enterprise risk management is tricky. It is a complex concept that touches on so many parts of an organization. For a long time the Committee of Sponsoring Organizations' (COSO) definition from their 2004 framework was “the” definition:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
— https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf

But what does that mean? Well, after studying ERM for many years, I picked out some important concepts that for me define ERM. Essentially, as I see it, there are four dimensions of ERM: “risk management”, strategy, integration and governance.

With this in mind, we can more clearly capture what ERM is. All of these dimensions are central to the definition from COSO (2004) as well:

  • “risk management” - “potential events”, “assurance”

  • strategy - “strategy setting”, “risk appetite”, “achievement of entity objectives”, “board of directors”

  • integration - “across the enterprise”, “board of directors, management and other personnel”

  • governance - “process”, “board of directors, management and other personnel”

Why “risk management” in quotes? Because of course it has to do with managing risk, but we have to change our mindset in terms of how we define risk. There is a shift in focus from:

  • calculable, probability-based “risk” to uncertainty

  • downside of risk to considering both risk and opportunity

  • non-core (often financial) risk to core business risk

The strategy dimension is connected to the fact that we focus on both risk and opportunity, that the objectives and strategies of the firm are the starting point of our risk identification, that we explicitly account for strategic risk, and that we aim to manage risk to enhance the strategic efforts of the firm.

There is some confusion concerning what integration means. Risk management should be integrated into all types of activities in the firm (dare I say all?). But when people began to discuss “integrated risk management”, what they meant was a risk management that assessed the portfolio of firm risk. So we have to integrate across the firm (abandon silos!), look for connections between risks across the firm, increase communication across the firm, and coordinate risk management across the firm. Coordination is perhaps an even better name for this dimension. Not only do we integrate across the firm but also up and down the firm, i.e. we work on developing a risk culture incorporating “all” or almost all levels.

Finally, governance: in order to accomplish the strategy and integration dimensions there has to be a supporting structure as well as responsibility and accountability for risk management. This is risk governance.

To read more about these dimensions, check out my paper with co-author Niclas Andrén: Incentive Based Dimensions of Enterprise Risk Management. Or continue to read my blog! I’ll be addressing these dimensions in more detail going forward.
