Navigating the Enterprise Risk Management (ERM) Process: A Guide for New Risk Managers

As a new risk manager, understanding the Enterprise Risk Management (ERM) process is vital. ERM is a structured and proactive approach designed to identify, assess, manage, and monitor risks across an organization. By integrating risk management into the organization's culture and decision-making processes, ERM not only protects against potential threats but also enables the organization to seize opportunities aligned with its strategic objectives.

This article will walk you through the ERM process, breaking down each step and highlighting best practices from the leading research and case studies in risk management.

Step 1: Establish the Governance and Culture

The ERM process begins with governance and culture—the foundation of effective risk management. Governance structures define how risks are managed, while the organization’s culture determines how risk-conscious employees are at every level.

Key Actions:

• Define Risk Roles and Responsibilities: Ensure that governance bodies such as the board and senior management are engaged and oversee risk management activities.
• Cultivate a Risk-Aware Culture: Encourage employees to understand their role in managing risk and to raise concerns without fear.

As outlined in Practical Enterprise Risk Management, successful organizations create a risk culture where everyone understands their responsibilities regarding risk.

Step 2: Set Strategy and Objectives

The next step is aligning risk management with the organization's strategic goals. This involves setting the organization’s risk appetite—how much risk the organization is willing to accept in pursuit of its objectives—and ensuring that risk management supports the broader strategy.

Key Actions:

• Align Risk Appetite with Strategy: Establish clear boundaries for risk-taking in line with the organization’s strategic vision.
• Integrate Risk into Planning: Make sure that risks are considered during the strategic planning process.

According to Enterprise Risk Management, aligning risk management with strategic objectives ensures that risks are evaluated in the context of achieving business goals.

Step 3: Identify Risks

Once the governance and strategy are in place, the organization can move on to risk identification. This step involves identifying all possible risks—both internal and external—that could impact the organization’s ability to achieve its objectives.

Key Actions:

• Perform a Risk Inventory: Identify potential events or conditions that could pose risks, such as regulatory changes, market shifts, or operational inefficiencies.
• Consider Emerging Risks: Monitor industry trends and external factors that may introduce new risks in the future.

In Implementing Enterprise Risk Management, practical examples highlight the importance of staying alert to both existing and emerging risks.

Step 4: Assess Risks

After risks are identified, the next step is to assess them based on their likelihood and impact. This assessment helps prioritize risks, enabling management to focus on the most critical ones.

Key Actions:

• Use a Risk Matrix: Assess risks by mapping them on a matrix that evaluates likelihood and impact. This helps visualize which risks need immediate attention.
• Quantitative vs. Qualitative: Use a combination of qualitative and quantitative assessments to measure risks.

As discussed in COSO Enterprise Risk Management, combining qualitative assessments with quantitative data ensures that the organization can understand the potential financial and operational impacts of risks.

Step 5: Develop Risk Responses

Once risks are assessed, the organization must decide how to respond. Responses typically fall into four categories: avoid, accept, mitigate, or transfer.

Key Actions:

• Avoid: Eliminate the risk by stopping the activity causing it.
• Accept: Acknowledge the risk but take no immediate action if the impact is low.
• Mitigate: Take steps to reduce the likelihood or impact of the risk.
• Transfer: Shift the risk to a third party, for example, through insurance.

Practical Enterprise Risk Management emphasizes the importance of choosing the proper risk response based on the organization’s risk appetite and the specific nature of the risk.

Step 6: Implement Control Activities

Control activities are the policies and procedures implemented to ensure that the risk responses are carried out effectively. These controls should be embedded in the organization’s daily operations and decision-making processes.

Key Actions:

• Design Effective Controls: Develop control activities such as approvals, verifications, and reconciliations that mitigate risks.
• Automate Where Possible: Use technology to automate controls and reduce human error.

As noted in Enterprise Risk Management Best Practices, automation is becoming an increasingly important part of risk control, allowing organizations to manage risks more efficiently.

Step 7: Monitor Risks

Monitoring is an ongoing part of the ERM process. Risks should be continuously monitored to ensure that controls remain effective and that emerging risks are addressed in a timely manner.

Key Actions:

• Track Key Risk Indicators (KRIs): Establish metrics that signal when risks are increasing or becoming more likely to occur.
• Regular Reviews: Conduct regular reviews of risk management activities and control effectiveness.

Implementing Enterprise Risk Management stresses the importance of ongoing monitoring to adjust to new risks and changing conditions.

Step 8: Communicate and Report

Finally, the success of ERM relies on effective communication and reporting. Risk information must flow throughout the organization, from operational levels up to senior management and the board. Reporting ensures that all stakeholders are informed about risk management activities and that adjustments can be made where necessary.

Key Actions:

• Internal Reporting: Ensure that risk management updates are regularly communicated to senior leadership and relevant teams.
• External Reporting: For publicly traded companies, communicate risk management efforts to external stakeholders, including investors and regulators.

As discussed in COSO Enterprise Risk Management, clear communication is critical for aligning risk management efforts across the organization's levels.

Conclusion

The ERM process is integral to managing risks in today’s complex business environment. For a new risk manager, mastering these steps will help ensure that risks are identified, assessed, managed, and monitored effectively. By following the ERM process, organizations can not only protect themselves from potential threats but also seize opportunities that align with their strategic goals. Each step, from setting suitable governance structures to continuously monitoring risks, plays a critical role in creating a resilient and agile organization.

Reference:

1. Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives. John R. S. Fraser, Rob Quail, Betty Simkins (Editors), August 2021.
2. Enterprise Risk Management Best Practices: From Assessment to Ongoing Compliance. Anne M. Marchetti, August 2011.
3. Practical Enterprise Risk Management: A Business Process Approach. Gregory H. Duckert. October 2010.
4. Implementing Enterprise Risk Management: Case Studies and Best Practices. John R. S. Fraser, Betty Simkins, Kristina Narvaez (Editors), October 2014.
5. COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes. Robert R. Moeller, August 2011.

Clement Ong is an ethics and compliance professional with a portfolio that includes trade compliance, anti-money laundering, personal data protection, anti-bribery and corruption compliance, internal control, and risk management, among other areas.

The information provided in this commentary is intended solely for educational purposes and does not constitute legal advice. While every effort has been made to ensure the accuracy and reliability of the information presented, it should not be relied upon as a substitute for professional legal advice tailored to your specific circumstances. The views and opinions expressed in this commentary are those of the author and do not necessarily reflect the opinions of any organization or institution with which the author is affiliated.