Enterprise risk management (ERM) is a strategy that helps organizations better manage the risks they face. A sound ERM plan has three components: risk identification, risk assessment, and risk response. By implementing an ERM strategy, you can be more prepared for potential losses or disruptions in your business, which will ultimately make for a stronger future for your company. Let’s take a look at each of these components to see why it’s so important to implement an ERM strategy today.
- What is the enterprise risk management process framework?
- What are the 5 risk categories?
- The 5 ERM categories of risk management
- What is risk identification?
- How are new competitors entering a market a risk?
- How can changes in public policy affect the risk of new competitors entering a market?
- How is a supplier going out of business a risk?
- What is risk assessment?
- 4 risk assessment questions you can ask about current or potential future events
- What are some ways that risks can be prioritized?
- What are risk assessment tools?
- How can you use brainstorming sessions to assess the risks of new competitors entering a market?
- What is the purpose of a risk register?
- 6 things to consider when prioritizing risks
- What is an “emerging risk”?
- What are the five risk categories?
- 6 reasons that Risk Management is important
- Why is it important for companies to look at all five categories of risk?
- What if you do not know about all of your risks?
- What if you do know about all of your risks?
- What is enterprise service risk?
- What are the 8 components of COSO ERM?
- Why is it important to listen to stakeholders?
- How do you listen to stakeholders?
- How do you know if your company is under-resourced?
- Caveats, disclaimers & risk management processes
What is the enterprise risk management process framework?
The enterprise risk management framework is a system of risk management principles across an organization. In short, it defines what qualifies as a company-level risk and factors in how it should be managed.
What are the 5 risk categories?
- Strategic Risk
- Technological Risk
- Organizational Risk
- Executional Risk
- Financial Risk
The 5 ERM categories of risk management
An ERM is a senior management-level risk management program that spans the entire organization. There are five categories of risks within this program:
1. Strategic Risk
This is the risk of getting caught off guard by major trends, whether they be social, technological or economic. One example is how people will adopt new high-tech gadgets and devices. We might think it’s sort of cool to text on our phone, but if everyone has one then what do we need our phone for? We might be caught off guard if everyone decides to communicate via email or chat. It’s important that we are aware of the potential impact these changes will have on our business and how they could affect our strategy moving forward.
2. Technological Risk
This is the risk associated with using new technologies to do certain things without being aware of the potential risks. An example of this may be social media. We might just want to listen in on what our customers are saying, but then suddenly there is a negative post that goes viral, and it can have an impact not only on your company’s image but also on sales. With these kinds of risky activities, there needs to be a way to monitor them and ensure that there is a strategy in place in case something goes wrong.
3. Organizational Risk
This risk can be associated with the people within the company. For example, it could be that key managers leave or someone might not have the right skills for their given role. In these cases, you want to make sure the company has a succession plan in place, as well as relevant development programs or training.
4. Executional Risk
This is all about having the right goals and milestones in place for your organisation to make sure it can reach its targets. It may also be about making sure you have support from the upper management team because any changes that happen near the top will trickle down through the entire company.
5. Financial Risk
This is pretty self-explanatory and it’s all about making sure you meet your financial targets, whether they be revenue goals or operational ones. We also need to make sure we do not overspend and become too leveraged too quickly since that can have a major impact on the business.
What is risk identification?
Risk identification is the first step to developing enterprise risk management strategy because you have to know what risks exist before mitigating them or taking action against a threat. With a solid understanding of risks, you can begin risk assessment and management. But first, you have to identify the risk.
Risks can present themselves through a variety of ways, such as finances, customer satisfaction, employee turnover rates, and market conditions. Here are some examples:
• New competitors entering a market
• Changes in public policy that affect your industry
• A supplier going out of business
These are just a few examples to show how risk identification can be complicated because no two risks are exactly alike. The best way to identify risks is by consulting with experts across the organization and assessing different scenarios as they develop.
How are new competitors entering a market a risk?
New competitors entering a market are a risk because of increased competition, revenue decline and losing profits in the short-term and long-term. You will also have to decrease costs and expenses when dealing with this new competitor since they offer similar products.
Since the market is competitive, you will need to be flexible and try different tactics and points of value. The benefits of your product or service may not outweigh the inconvenience and cost for your clients of switching to a new competitor. This can affect growth in revenue and may trigger further risks.
How can changes in public policy affect the risk of new competitors entering a market?
Changes in public policy can create new problems and opportunities that you will have to identify through risk assessment. Public policy is law or regulation that affects your industry, such as environmental protection laws or tax benefits. You might need to shift resources to meet these policy changes, which can bring more competition.
How is a supplier going out of business a risk?
In this scenario, the supplier is your primary source for a product. If it goes out of business, you lose an irreplaceable resource and may not be able to get the products you need in time for customer orders. Your company would be exposed to market risk while trying to find another supplier and also exposed to competitive risk because the competition might take advantage of your situation and gain more market share. This example is why it’s important to consult with experts across the company and assess various scenarios as they develop because even a supplier going out of business can be considered a risk that requires mitigation or management strategies. Remember, risk identification starts with asking what types of risks exist and then moves into determining how you can mitigate and manage risks.
What is risk assessment?
Risk assessment is the process of identifying, prioritizing, and evaluating risks to determine the probability they will occur. Some common steps for conducting a risk assessment include:
1) Identifying risks by asking questions about current events or what could happen in the future
2) Prioritizing risks based on their likelihood and impact
3) Evaluating risks by identifying countermeasures to reduce the probability of something happening or reduce the negative consequences if it does happen.
4 risk assessment questions you can ask about current or potential future events
- What is happening in your industry that could affect your company, such as new competitors entering the market or changes in public policy?
- What is happening in your company that could affect you, such as employees leaving for a competitor or new hires not working out?
- What do you think will happen next if nothing changes within your company, such as losing customers and struggling to gain revenue?
- How might your department be affected if resources are shifted, such as the marketing team losing resources to another department?
What are some ways that risks can be prioritized?
Risks can be prioritized by how likely they are to happen or by how bad the consequences would be. Other factors for priority might include current events in your industry, internal changes at the company, or volatility in your marketplace.
1) How likely is something to happen?
2) How bad would the consequences be if it did happen?
3) What are some other things that could affect priority rankings?
4) Are there any red flags you should look for when conducting a risk assessment?
Red flags to look for include when risks seem to keep happening or low-priority risks suddenly become more relevant due to recent events. For example, if employees keep leaving for a competitor and you don’t know why, this could be a sign of employee dissatisfaction. Additionally, current events such as new competitors entering the market or suppliers going out of business can make low-priority risks more relevant.
What are risk assessment tools?
The goal is to determine how great or small a threat is and who may be impacted by it. This process involves breaking down the risks into manageable pieces, prioritizing them and evaluating the likelihood that they’ll occur.
You can use several tools to assess risks, including expert opinions, brainstorming sessions, and risk registers. Each technique has its strengths and weaknesses depending on what kind of information you’re looking for. For example, if you want to predict a risk impact on your bottom line, an expert opinion is best. If you want to know how likely it is that a risk will actually occur, then brainstorming sessions are best because they encourage group participation.
How can you use brainstorming sessions to assess the risks of new competitors entering a market?
Brainstorming sessions have many benefits for assessing the risks of new competitors entering your market. Some examples of questions that might be explored are:
- What actions would they take to get new customers?
- How do you think your competitors will react to their entrance into the market?
- Do you think you can compete with them if they enter the market? If so, how?
Brainstorming sessions encourage group participation and generate many ideas. Participants should take notes on the ideas generated to keep track of them. Brainstorming sessions are especially useful when assessing risks that have a high impact, but are difficult to predict accurately. For example, if no other companies have entered your market before, it’s harder to determine how you might compete with them for customers or what types of actions they’ll take to acquire customers.
What is the purpose of a risk register?
A risk register displays all risks and potential courses of action. It provides:
- A clear overview of your company’s current and future risks and opportunities
- Insight into how risks can affect different departments or business units
- An idea of how much time and money might be required to deal with the risk
- Insight into whether or not risks can actually be dealt with successfully
A risk register is useful for identifying the priority of each risk, predicting potential consequences, and choosing courses of action. For example, if a company has too many higher-priority risks (such as lack of funding), it might be a good idea to focus on these first before taking courses of action on other lower-priority risks. This might also be referred to as triage, where you focus on high-priority tasks first.
6 things to consider when prioritizing risks
Prioritizing your risks is useful because it allows you to determine how much time, money and resources are required to deal with each risk. Each risk has its own unique circumstances, so there’s no specific formula for prioritization. However, there are some things to consider that could help you prioritize your risks.
- Risk probability – How likely is it that the risk will occur? If there’s a high chance of something happening, then this will require more attention. For example, if your top competitor has gone out of business, this would be high priority because they might no longer be able to compete with you.
- Risk impact – How much damage would be done if the risk were to occur? If something has a high impact, it should be dealt with before other risks. For example, if your company earns all of its money from one customer and they cancel their contract because of badly written contracts, this could have a high impact.
- Risk frequency – How often could the risk occur? If something has a high frequency of occurring, this will require less attention than one that might only happen once and cause a lot of damage. For example, if you need to get funding for your business and no more than 1 out of every 10 businesses gets funding from investors, this would be lower priority than something that happens to almost every business.
- Risk mutability – How much can you change the risk? Can you reduce its impact by implementing a thorough risk management plan, or is there nothing you can do about it? For example, if your company has few resources and little funding, this wouldn’t be as high priority as something that you could improve (such as poor customer service).
- Risk type – Some risks are more important than others. For example, if your company has no protection against natural disasters, this would be higher priority than something that’s not likely to happen.
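The probability-and-impact ranking described above, together with the earlier red flag of a low-priority risk that keeps recurring, can be captured in a small risk register. The code below is an added example, not code from the article or its author: the 1-to-5 scales, the score threshold of 12, the split of high-scoring risks into "mitigate" versus "monitor" by mutability, and the sample entries and incident history are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # one of the five ERM categories named in the article
    likelihood: int     # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int         # 1 = negligible ... 5 = severe (assumed scale)
    mutable: bool       # True if the organisation can reduce likelihood or impact
    owner: str = "unassigned"

    def __post_init__(self) -> None:
        # Reject entries outside the assumed 1..5 scales so a typo cannot skew the ranking.
        for field_name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        # Likelihood x impact: the usual risk-matrix product.
        return self.likelihood * self.impact


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties go to the higher impact, then to the name alphabetically."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.name))


def triage(register: List[Risk], high_threshold: int = 12) -> Dict[str, List[str]]:
    """Group risks into the buckets a review meeting would walk through, in ranked order.

    'mitigate': score at or above the threshold and something can be done about it
    'monitor' : score at or above the threshold but not mutable, so accept it and watch it
    'backlog' : everything else, handled after the high-priority work
    """
    buckets: Dict[str, List[str]] = {"mitigate": [], "monitor": [], "backlog": []}
    for risk in rank_register(register):
        if risk.score >= high_threshold:
            buckets["mitigate" if risk.mutable else "monitor"].append(risk.name)
        else:
            buckets["backlog"].append(risk.name)
    return buckets


def red_flags(register: List[Risk], history: Dict[str, int],
              repeat_limit: int = 2, high_threshold: int = 12) -> List[str]:
    """Names of low-scoring risks that have already occurred more than `repeat_limit`
    times: the "keeps happening" signal that should push a risk up the ranking."""
    return [r.name for r in register
            if history.get(r.name, 0) > repeat_limit and r.score < high_threshold]


# Constructed sample register (illustrative values only, not real data).
SAMPLE_REGISTER = [
    Risk("Sole supplier goes out of business", "Strategic", 3, 5, True, "procurement"),
    Risk("Key engineer leaves", "Organizational", 3, 3, True, "hr"),
    Risk("Negative social media post goes viral", "Technological", 3, 3, True, "comms"),
    Risk("Regional natural disaster", "Strategic", 1, 5, False),
    Risk("Single customer cancels contract", "Financial", 2, 5, True, "sales"),
    Risk("Investor funding round fails", "Financial", 4, 4, False, "cfo"),
]

# Constructed incident history: how many times each named risk has materialised.
SAMPLE_HISTORY = {"Key engineer leaves": 3, "Negative social media post goes viral": 1}

if __name__ == "__main__":
    for risk in rank_register(SAMPLE_REGISTER):
        print(f"{risk.score:2d}  {risk.category:14s} {risk.name}  (owner: {risk.owner})")
    print(triage(SAMPLE_REGISTER))
    print(red_flags(SAMPLE_REGISTER, SAMPLE_HISTORY))
```

With the sample data the funding risk scores highest but lands in "monitor" because nothing in the register marks it as changeable, while the supplier risk is the first item to mitigate; the engineer-departure risk scores low yet is reported as a red flag because it has already happened three times.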
What is an “emerging risk”?
An emerging risk is a new or unusual risk that hasn’t been encountered before. It’s often hard to predict and could have a severe impact on your company if it were to happen. A good example of an emerging risk is the introduction of Crypto-currency such as Bitcoin, which has the potential to completely disrupt the way we think about money and has many implications for businesses such as banks.
What are the five risk categories?
1) External Regulatory – for example, if your company is based in the EU and Brexit causes restrictions on moving employees between EU countries, this could affect your company’s ability to do business.
2) External Market – for example, if a competitor in your industry is going to stop offering a service that you offer, this could have a negative impact on your company.
3) Internal Processes – for example, if errors in finance processes mean that you’re not able to produce accurate reports and financial forecasts because the system isn’t recording transactions correctly, this will affect your business.
4) Human Resources – for example, if key staff members leave the company and it takes a long time to hire replacements, this might mean that you can’t offer customers their usual service or products.
5) Strategic – for example, if you’re in the start-up phase of your company and your business model isn’t profitable yet, this would possibly be the highest priority because you need to find a way to turn things around before it’s too late.
6 reasons that Risk Management is important
- Risk management allows companies to understand their exposure to risk so that they can identify which risks are likely to occur, and how they can reduce the likelihood and impact of those risks.
- Decision making becomes easier when information is presented clearly and concisely, and risk management helps to do this so that everyone is aware of what’s going on in the business.
- Risk management allows companies to have a plan for if anything goes wrong so they can avoid or recover from impacts quickly and efficiently.
- If you’re a small business, it’s important to implement risk management as soon as possible so that critical risks can be identified and addressed sooner rather than later.
- Without having clear information about the key risks for your business, you run the risk of making poor decisions or not even knowing why something has gone wrong if it does.
- Risk management is a discipline that involves everyone in the business, and knowing what risks they’re working to manage allows them to see how their work has impact on the wider company.
Why is it important for companies to look at all five categories of risk?
If your company doesn’t think about all the risks it faces, not only is this likely to mean that some risks are overlooked entirely, but it can also lead the company to think it isn’t exposed to certain risks. For example, if your company is under-resourced and doesn’t have a Data Protection Officer (DPO), the company may think it doesn’t have any risks when in reality there are significant issues that aren’t being addressed. This is more likely to happen when companies are smaller or under-resourced, because larger, more established companies have the staff and expertise to address risks in addition to legal requirements.
What if you do not know about all of your risks?
Companies should make every effort to identify risk even if they can’t anticipate everything. For example, if you run a restaurant there may be construction happening near your business that hasn’t been completed yet and the restaurant is exposed to risk. Even though this isn’t something that can be planned for, it’s important to communicate this information. Without it, key people might not understand the full impact of what they’re working on.
What if you do know about all of your risks?
Just because you’re aware of all the risks for your business, doesn’t mean that they’re not affecting it. For example, imagine that you come into work one day and there’s a big queue at the front door. If this is something that happens occasionally but has never been a serious issue, you might be able to close the store. But if this has happened before and it’s resulted in lost sales or customers being dissatisfied, you’ll want to know about it so that you can make better decisions.
What is enterprise service risk?
A service risk is a risk that has an impact on service delivery. These risks can include poor infrastructure, human error, or the failure of a critical vendor.
What are the 8 components of COSO ERM?
The eight components of ERM help ensure that you are identifying risks, taking the proper measures to address them, and making sure no issues slip through the cracks. It is important for both financial professionals and non-financial professionals to understand the eight components of ERM. The 8 components of ERM are:
1. Risk assessment
2. Risk response (risk mitigation)
3. Monitor risks and risk responses
4. Report on ERM success
5. Engage the board of directors and key executives in the plan
6. Integrate with existing strategies or processes, where applicable, including IT infrastructure and control activities
7. Incorporate with training and rewards programs, where applicable
8. Ensure continuous improvement in the design and effectiveness of ERM activities.
ERM is an established practice among the larger corporate entities, but has yet to pick up steam among small businesses or sole proprietorships. According to the COSO report, approximately one-third of organizations that have formally established an ERM program are small or medium-sized businesses.
Why is it important to listen to stakeholders?
It’s important to listen to all of your key stakeholders, including customers, suppliers, shareholders, and employees. A key reason for doing this is because if you listen to them they’re likely to be more engaged with your business which can help reduce risk. For example, if employees know that you’re listening then they feel more invested in the business and therefore may take fewer risks than they did before.
How do you listen to stakeholders?
Well, the first step is learning what your stakeholders’ risk tolerances are and how they may be impacted. For instance, if you’re a retailer selling large appliances like washing machines and fridges, there could be customer safety issues if you don’t know about, or don’t provide clear instructions on, how to use them.
How do you know if your company is under-resourced?
If your company has limited resources, then it’s likely that it doesn’t have the expertise or systems in place to manage risk at an enterprise level. For example, if you’re a small startup business then there may only be one person who knows about data security, or no one who is specifically tasked with assessing and managing risks.
Well, the first step to figuring out if your company is under-resourced is by assessing what risks you’re exposed to.
If you don’t do this then there’s no way for you to know if your company is under-resourced. Plus, the more you know about your company’s risks then the easier it is to properly position resources.
Caveats, disclaimers & risk management processes
At ESG | The Report, we believe that we can help make the world a more sustainable place through the power of education. We have covered many topics in this article and want to be clear that any reference to, or mention of risk maturity model, approach, manage, mitigate, environment, risk reduction of business units, risk severity of business units, functions, oversight, casualty actuarial society, committee, strategic planning, tolerance compared to how to manage financial and data privacy, erm framework, business strategy, business objectives, executive management and risk mitigation activities, personal data, management accountants, decision making, response strategy, different business units, regulatory requirements, establishing context, control framework, business leaders, potential or audit committee in the context of this article is purely for informational purposes and not to be misconstrued as investment advice or an endorsement. Thank you for reading, and we hope that you found this article useful in your quest to understand ESG and sustainable business practices. Long live planet earth.
Research & Curation
Dean Emerick is a curator on sustainability issues with ESG The Report, an online resource for professionals focusing on ESG principles. Their primary goal is to provide resources to help middle market companies, SMEs and SMBs transition to a more sustainable future.