Understanding Enterprise Risk Management

Before discussing the importance of ERM, we must first define "risk." A risk is an event that may occur and affect the achievement of an objective. Risk is present in virtually all meaningful endeavors in one form or another. Enterprise risk management (ERM), akin to a quality management system (QMS), plays a distinct role through simplified lines of defense addressing Insight, Oversight, and Foresight.

With a QMS, ERM can ensure business activities are aligned and integrated so that the organization's performance can be improved considerably. When quality management is involved, it creates a culture of improvement while validating and gathering requirements before the approach becomes beneficial.

Risk can exist at any organization and is often managed by multiple entities through a "siloed" approach supporting a division, department, unit, or program, not always within a formal enterprise risk management (ERM) framework. ERM provides a process for methodically identifying and addressing the potential events that represent risks to achieving strategic objectives or opportunities to gain competitive advantage, with professionals working together to help their organizations manage risk. It is not enough that the various risk and control functions exist; the challenge is to align the specific roles addressing risk and to coordinate effectively and efficiently among these groups so that there are neither "gaps" in controls nor unnecessary duplications of reporting.

ERM provides a process of identifying and addressing the potential events that represent risks to achieving strategic objectives or opportunities to gain a competitive advantage. Risk Management (RM) facilitates risk classification and the response to risk while providing information control, the efficiency of actions, and compliance. While RM plays a vital role, it sometimes provides a fragmented or siloed approach and may not align with the idea that risk should be considered part of a system.

A successful ERM program adopts processes, systems, and oversight (conformity with requirements) to inform leadership on the full range of significant risks that threaten an organization's ability to achieve strategic objectives within the mission, program, or operational sphere. ERM allows leaders to use risk insight (program knowledge) to make timely and informed decisions about resource allocation, strategy setting, and performance planning.

ERM will leverage existing structures and processes to foster a culture of transparency and improve enterprise risk awareness and foresight (mitigate future problems and set a path for future unfolding circumstances) to take preventive actions towards reducing adverse outcomes within its risk appetite while increasing organizational agility and resilience.

Why enterprise risk management (ERM)?

ERM expands traditional risk management, elevating it to a strategic governance level in response to a rapidly shifting risk climate. Not only does it assess risk through a much wider lens, but it also facilitates a more integrated approach that looks at opportunities and threats.

ERM is a holistic, disciplined approach to identifying, addressing, and managing risks. ERM looks at risk management strategically and from an enterprise-wide perspective. Thus, a "top-down and bottom-up" risk management methodology calls for leadership-level decision-making.

With ERM, risk management is not put on individual departments or business units. Instead, the organization's leadership will assess risks from an enterprise-wide lens, set expectations accordingly, and manage risks and opportunities.

This approach sets ERM apart from the "silo approach" of traditional risk management. In older risk management models, the potential risk is managed by departments, with the heads of each department taking their own risk and managing their risk response measures.

Successful ERM programs find ways to develop an organizational culture through a quality management system (QMS) which documents processes, procedures, and responsibilities for achieving quality policies and objectives. A QMS also coordinates and guides activities to continuously meet customer and regulatory requirements and improve effectiveness and efficiency, supported by employees communicating and identifying risks and potential opportunities to enhance organizational goals or value.

A QMS enhances business activities through coordination so that the organization's performance can be improved considerably. When QMS is unified within an organization, it provides a nexus by creating an improved culture. Aligning or designing an ERM process to goals and objectives ensures the supporting process of the ERM process maximizes the achievement of the mission and results.

By aligning the ERM process to the strategic objectives, leadership can address risks via an enterprise-wide, strategically aligned portfolio rather than addressing individual risks within silos. As a result, leadership is supported by better data and an understanding of risk, leading to more effective decisions when prioritizing risks and allocating resources to manage risks to mission delivery.

While leadership and governance are integral throughout the ERM process, aligning ERM to goals and objectives is also essential, thereby engaging senior leadership in an active role in strategic planning and accountability for results. An ERM framework relies on a detailed understanding of the individual steps in the assessment process and then connects its risk taxonomy to determine which types of risks may occur, what controls are in place, and which significant risks remain.

In the end, the effectiveness of any ERM with a QMS structure depends on the quality of the team assembled, the strength of the governance structure, the organization-wide culture of risk, and quality awareness aligned with the threats and vulnerabilities that need to be managed.

