Enterprise risk management (ERM): Challenges, best practices and solutions
Risk management matters for every business, regardless of size. No matter what your business model is or what services you provide, there are internal and external risks you’ll need to think about to ensure your business operates smoothly.
Most companies employ a range of risk management initiatives to help reduce the risk they face. However, how you employ these initiatives will play a significant role in just how effective they might be.
Enterprise risk management (ERM) is a top-down approach to minimizing your company's risk. Below, you’ll find the details of what ERM is, why it’s important, and tips and tricks for implementing ERM into your business process.
What is enterprise risk management (ERM)?
Enterprise risk management (ERM) is a methodology for managing risk across your company. The ERM process takes a holistic approach to risk management by looking at risk management for the company as a whole rather than finding solutions on a business unit basis.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Enterprise Risk Management Integrated Framework in 2004 to help companies reduce risk exposure and meet their business objectives, and updated it in 2017 to tie risk management more closely to strategy and performance. Today, nearly two decades after the original release, the COSO framework forms the basis for how many of the world’s largest companies manage risk.
Once a corporation creates an ERM plan, that plan is communicated to employees at all levels. Publicly traded companies typically also describe their principal risks and how they manage them in the risk disclosures of their annual reports.
Main benefits of enterprise risk management
Enterprise risk management offers you a more complete view of your business's risks and provides a plan to control and minimize those risks. This approach has several benefits, the most important of which are outlined below.
Prioritize decision-making from the top down
Before enterprise risk management became widespread in business, these efforts were typically delegated to the heads of each department, with C-suite executives taking little part in managing corporate risks.
C-suite executives who take the ERM approach are more in tune with the risks their companies face and the processes for managing them because they engage with the process directly. This gives business owners and upper-level management the ability to prioritize their decision-making based on which decisions expose the company to the most risk.
Companies that take this approach clearly understand their most significant risks and most important risk management processes.
Create a holistic view of enterprise risks
The business-unit risk management approach was a go-to for years but had one fatal flaw. When each business unit manages its own risk, it creates a silo effect. Each unit is only concerned with the risks that directly relate to it, even though one unit can often have a detrimental impact on another unit.
The ERM model creates a holistic view of enterprise risk.
When you look at your company from the top down, you can see the risks each business unit faces, whether they’re direct within the unit, potentially caused by other units within the company, or even indirect risks from outside the company as a whole.
Build a better business strategy
Several factors go into your business strategy. Of course, you want to create growth, generate more revenue, and improve profitability. But a strong business strategy should also account for risk mitigation.
With the ERM approach to risk management, you better understand the risks your company faces. This means you can design core business processes that grow revenue while keeping the risks those processes create within limits you have chosen.
Increase competitive advantage
Every large business has a competitive advantage. That advantage may come from patents on innovative technologies, a strong team of highly motivated people, or simply better business processes.
The ERM strategy offers a competitive advantage because it allows you to spot and mitigate risks before they become issues. As a result, you’re not stuck in the same rut fighting the same battles your competition is. Instead, you have more time to focus on marketing and growth.
Boost operational efficiency
Your sales, management, and fulfillment teams—and every other team you employ—have specific jobs to do. Their work becomes inefficient when these teams must run around putting out fires caused by risks that could have been avoided.
When you take the ERM approach, you can solve problems before they start. With fewer problems, your teams have more time to focus on the jobs you hired them to do. As a result, operations run more smoothly, leading to higher efficiency within your company.
How to implement an enterprise risk management framework in 5 steps
Enterprise risk management is an ongoing process. Once the framework is in place, though, each pass through the cycle becomes faster and more routine, while still mitigating as much risk as possible.
The 5 steps to implementing the ERM framework are described in detail below.
1. Goal setting
You can’t achieve your strategic objectives unless you know what they are. So the best place to start as you implement an enterprise risk management framework in your business is to set goals.
However, it’s important to set your goals based on your company’s risk appetite.
The more aggressive your company plans to be, the more risk your plan likely carries. Decide on one of three approaches to goal setting:
- Slow and steady. The slow-and-steady-wins-the-race approach may lead to relatively slow growth, but it also tends to pose the least risk.
- Moderate. A moderate approach means you strategically take small added risks to set goals that allow your company to grow faster.
- Aggressive. An aggressive approach to enterprise growth can get you where you want to go faster, but it also typically poses the most risk.
2. Risk identification
Next, focus on identifying your business's potential risks, whether minor or significant. Key risk areas to dive into include:
- Legal risk. Legal risks include things like liability and regulatory risks. For example, a biotechnology company faces the regulatory risk that the FDA could decline its new drug application.
- Operational risk. Operational risks relate to any risk inherent to completing your business operations. For example, a roofer falling off a roof is an operational risk.
- Vendor risk. Vendor risks are those your vendors pose to your business. For example, if a vendor doesn’t deliver on time, you may not be able to fulfill orders.
- Reputational risk. Anything that could harm your company’s reputation is a reputational risk. Disgruntled employees or a poorly judged marketing message can cause lasting damage.
- Financial risk. Financial risks can hit your company’s balance sheet. For example, holding inventory for too long is a financial risk. Quality business budgeting software can help manage this risk.
- External risk. You should also think about external risks, such as deteriorating economic conditions, and how to react when they arise. Keeping an eye on external risks can help you weather a recession.
3. Risk assessment
Risk assessment combines two things for each identified risk: the financial impact if the risk event occurs, and the likelihood that it occurs in a given period. For example, if a roofer falls off a roof, the event could cost the company hundreds of thousands of dollars.
However, the likelihood of such a fall in any given year is small, so its expected yearly cost is far lower than the worst-case figure suggests. Moreover, when you take an ERM approach, you put processes in place that reduce that likelihood further.
Either way, assess every risk on both dimensions so that you thoroughly understand your risk profile rather than reacting only to the scariest worst case.
4. Risk response
There are four responses to consider for each risk:
- Avoid. Eliminate the risk by ending the business activity that causes it.
- Reduce. Lower the likelihood or the impact of the risk event by implementing controls and procedures.
- Share. Transfer part of the risk to a third party, for example through insurance, outsourcing, or contractual terms with a partner.
- Accept. Acknowledge the risk and continue as is, because its expected cost is within your risk appetite or the cost of treating it exceeds the benefit.
5. Monitoring
Monitoring your ERM process is all about maintaining internal control over risk. The controls at your disposal fall into two groups:
- Preventive. Processes designed to stop a risk event from happening are preventive controls. Management should ensure all employees follow these processes so that the company does not take on undue risk.
- Detective. Detective controls surface a high-risk event when it occurs. The activity may still be allowed to proceed, but the detection tells you whether your preventive controls are actually working and gives you the chance to respond.
You should also consider regular internal audits to assess the effectiveness of your ERM strategy.
Biggest challenges associated with ERM
ERM offers a more holistic, and therefore more effective, approach to risk than traditional risk management models. Although this approach can help improve your business, it rarely arrives without some growing pains.
Any time you introduce new business processes, people have to get used to them, and enterprise risk management is no different. The most pressing challenges of incorporating ERM strategies into your business are described below.
Ranking and prioritizing risks
Although it may be easy to determine that an event poses a risk to your company, it may still be challenging to assign a value to that risk and determine what the likelihood of the event taking place might be. Both of these are important aspects when it comes to ranking and prioritizing risks.
Ranking and prioritizing risks is a critical aspect of the ERM process because you must put the most effort into risks that are both likely and expensive—the most high-priority risks your business faces.
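The five implementation steps above and the ranking challenge just described can be worked through with a small risk register. The following Python is an added example, not code from the article or from COSO: it scores each risk as single loss expectancy (dollars per event) times annual rate of occurrence to get an annualized loss expectancy (ALE), ranks risks by ALE, and then chooses avoid, reduce, share or accept against an assumed yearly risk appetite. The risk names, dollar figures, control costs and the appetite are constructed for illustration; the roofer and vendor entries mirror the article's own examples.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Yearly loss the board is willing to carry on any single risk (assumed figure).
RISK_APPETITE = 25_000.0


class Response(Enum):
    AVOID = "avoid"
    REDUCE = "reduce"
    SHARE = "share"
    ACCEPT = "accept"


@dataclass
class Risk:
    name: str
    category: str
    owner: str
    sle: float                             # single loss expectancy: dollars lost per event
    aro: float                             # annual rate of occurrence: 0.25 = once per four years
    control_cost: float = 0.0              # yearly cost of the best available preventive control
    control_effectiveness: float = 0.0     # share of the loss that control removes, 0..1
    transfer_cost: Optional[float] = None  # yearly premium/contract cost if the risk can be shared

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: average yearly cost of carrying this risk untreated."""
        return self.sle * self.aro


def rank_risks(risks):
    """Step 3 (assessment) and the ranking challenge: highest ALE first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def choose_response(risk, appetite=RISK_APPETITE):
    """Step 4: pick one of the four responses for a risk.

    Returns (response, expected yearly cost of that choice). Sharing is
    modelled as full transfer for the premium, a simplification: real
    policies carry deductibles and exclusions.
    """
    if risk.ale <= appetite:
        return Response.ACCEPT, risk.ale

    # (response, yearly cost to us, residual loss still carried by the company)
    options = []
    if risk.control_effectiveness > 0:
        residual = risk.ale * (1 - risk.control_effectiveness)
        options.append((Response.REDUCE, residual + risk.control_cost, residual))
    if risk.transfer_cost is not None:
        options.append((Response.SHARE, risk.transfer_cost, 0.0))

    # A response is only worth taking if it brings the residual inside appetite
    # and costs less than simply absorbing the expected loss.
    viable = [o for o in options if o[2] <= appetite and o[1] < risk.ale]
    if not viable:
        return Response.AVOID, 0.0  # stop the activity that creates the risk
    response, cost, _ = min(viable, key=lambda o: o[1])
    return response, cost


def build_register(risks, appetite=RISK_APPETITE):
    """Steps 3 and 4 together: a ranked register with an owner and response per risk."""
    register = []
    for r in rank_risks(risks):
        response, cost = choose_response(r, appetite)
        register.append({"risk": r.name, "owner": r.owner, "ale": round(r.ale, 2),
                         "response": response.value, "yearly_cost": round(cost, 2)})
    return register


def losses_by_period(events):
    """Step 5 (monitoring): number of risk events and cost of risk per period."""
    totals = {}
    for period, cost in events:
        count, spent = totals.get(period, (0, 0.0))
        totals[period] = (count + 1, spent + cost)
    return totals


# Constructed sample register (illustrative figures, not real company data).
SAMPLE_RISKS = [
    Risk("Roofer falls from roof", "operational", "Head of field ops",
         sle=120_000, aro=0.25, control_cost=4_000, control_effectiveness=0.9),
    Risk("Ransomware outage on order system", "operational", "CISO",
         sle=400_000, aro=0.25, control_cost=30_000, control_effectiveness=0.8,
         transfer_cost=60_000),
    Risk("Sole vendor misses delivery", "vendor", "Head of procurement",
         sle=50_000, aro=1.0, transfer_cost=20_000),
    Risk("Regulatory fine on unlicensed product line", "legal", "General counsel",
         sle=2_000_000, aro=0.125, control_cost=50_000, control_effectiveness=0.5),
    Risk("Late inventory markdown", "financial", "CFO",
         sle=5_000, aro=1.5),
]

# Constructed loss events for monitoring: (quarter, cost in dollars).
SAMPLE_EVENTS = [("2023Q1", 12_000), ("2023Q1", 3_000), ("2023Q2", 4_500)]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
    print(losses_by_period(SAMPLE_EVENTS))
```

Two things the register makes visible that a list of worst cases does not: the regulatory risk ranks first and ends up avoided, because the only available control leaves its residual loss far above appetite and nobody will insure it; and the roofer fall, frightening in isolation, is cheap to reduce to a few thousand dollars a year with fall protection, which is exactly the "enact processes to reduce the possibility" outcome the assessment step describes.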
Assigning risk ownership
The person who’s responsible for managing risk is the person who owns that risk. However, assigning ownership can be challenging. When you assign risk ownership, it’s essential to be fair to all employees involved.
Some of the challenges involved in this process include the following:
- Teams. If the work of an entire team poses a risk, does that risk fall on the whole team’s shoulders, or does it lie with the teammate that caused the risk event?
- Management. Responsibility ultimately rolls uphill in business, but how much real control do your managers have over the activities that create the risk?
Moreover, once you assign risk ownership, it’s crucial to think about how your company will respond when risk events occur.
Developing action plans
ERM action plans span your entire company and are designed to decrease overall risk exposure. However, developing these action plans takes quite a bit of work. As you do, you should consider the following:
- Additional work. How much extra work is required to implement your action plans?
- Mitigated risk. How effective are your action plans in terms of mitigating risk?
- Cost of implementation. Will your action plan create a high cost for your business?
The most efficient action plans require little additional work for your employees, incur a minimal implementation cost, and have a high potential to alleviate risk.
Monitoring risk mitigation results
It can be challenging to monitor the results of your risk mitigation efforts. After all, predicting risk is like predicting the future; there’s no way you’re going to be accurate 100% of the time. So, how do you monitor your effectiveness in minimizing risk events that haven’t happened yet?
One effective way is to use your company’s history as a baseline. Count the risk events and their cost in the periods before you implemented ERM, and compare them with the same measures afterwards. If both are falling, your mitigation efforts are working; if not, revisit the controls behind the risks that keep materializing.
Best practices for implementing an ERM system
Although there are some challenges to implementing an ERM system in your business, doing so can be highly rewarding. Moreover, a few tips can make the process easier to employ. Those tips are described in detail below.
Involve and consult the managers who run each department
There are some misconceptions about enterprise risk management systems. One of the biggest is that, because ERM is a top-down approach, people below the executive level should not be involved in the process. That is not the case.
The C-suite gains a great deal by involving the senior manager of each department in the ERM process. These managers may not be executives, but they handle day-to-day operations on the ground and can provide insight into risks that never reach the boardroom on their own.
Start small and with fewer risks
Some companies hit a brick wall when they try to implement ERM systems because they try to minimize every risk they face at once. There are many risks in any business, and attempting to treat them all simultaneously almost guarantees an inefficient process.
That’s why it’s so important to prioritize your risks.
It’s best to start with a small list of 3 or 4 high-priority risks and implement strategies to avoid or minimize them. Once those strategies have been implemented, and your operational process has adjusted, you can begin focusing on other risks your company may face.
Take a holistic approach
Consider how each business unit faces risks and poses risks to every other unit. It is often helpful to appoint a Chief Risk Officer (CRO) who works with the board of directors and senior management to identify the full set of risks your company faces.
Your CRO will also help you prioritize those risks and create a realistic plan for minimizing them.
Approach ERM as a cyclical process
The ERM process is never complete. As your business grows, new risks will appear, so keeping tabs on your progress as you go is important. Remember, too, that your exposure to a given risk rises and falls with your business cycle.
For example, suppose you’re a wholesaler. You may carry a high level of financial risk from the moment you receive a large purchase order and commit to stock for it, a risk that only disappears when the buyer pays.
Account for this by treating ERM as a cyclical process. Identify the points in your business cycle where risk peaks, and set reassessment intervals around them rather than on an arbitrary calendar.
Use measurable goals
Goals do nothing for you if there’s no way to tell whether or not you’re achieving them. That’s why it’s crucial to create measurable goals.
For example, an ERM program goal may be to reduce overall risk, but what metrics will you use to determine risk reduction? A couple of example metrics include:
- The number of risk events. Keep track of the number of risk events that take place. If that number is falling, you’re on the right track.
- The cost of risk. Add up how much risk costs you each period. If your cost is going down, you’re doing things right.
No matter how you measure your success, make sure your goals are measurable.
FAQs
What is the difference between ERM and traditional risk management?
Traditional risk management processes are highly segmented, and those segments typically don’t communicate with one another. As a result, they fail to address risks that cross business units or that originate outside the company.
When you employ an ERM strategy in your business, you take a more holistic approach. This means you better understand correlations between business units and the risks those correlations pose.
Moreover, ERM strategies consider external risk factors. This holistic approach gives you more information, making it easier to keep risk under control.
What types of risk does ERM cover?
The most common types of risk companies uncover as they employ ERM systems include:
- Legal risk
- Operational risk
- Vendor risk
- Reputational risk
- Financial risk
- External risk
Although these are the most common risks, they’re not the only ones out there. To understand your company's overall risk, you should carefully assess your business processes.
Which ERM frameworks are available?
Although the COSO ERM Integrated Framework is the most widely adopted, it’s not the only one available. Other options include:
- The Casualty Actuarial Society (CAS) ERM Framework
- ISACA’s COBIT framework for IT governance, often used alongside an ERM program
- ISO 31000, the international risk management guidelines
- NIST’s Risk Management Framework and its guidance on integrating cybersecurity into ERM (NISTIR 8286)
- The RIMS Risk Maturity Model
What is the difference between strategic risk management and enterprise risk management?
Strategic risk management concentrates on the risks that threaten a particular strategy or set of objectives, and in the traditional model each business unit manages those risks for itself. Enterprise risk management takes a broader view, managing all categories of risk across the whole company from the top down.