A simple guide to enterprise risk management

Chapter One

I. An introduction

A. Definition of Enterprise Risk Management (ERM)

Townend Risk Consulting subscribes to AS ISO 31000:2018 because of its widespread acceptance as the prominent Australian risk management standard and its adaptability to different industries and contexts.

Under AS ISO 31000, ERM is defined as a set of (largely self-explanatory) principles that provides a foundation for managing risk, enabling organisations to manage the effect of uncertainty on their objectives. ERM provides a methodology, a set of coordinated activities, to help organisations create and protect value.

Figure 1. AS ISO 31000:2018 Principles

Risk is further defined as a deviation from an expected outcome; risk can be both positive and negative and presents both opportunities and threats.

ERM is comprehensive; it encompasses specialist approaches to managing risk such as cybersecurity, business continuity, climate risk and safety.

B. Importance of ERM in today's landscape

Corporate and government entities have many incentives to adopt an ERM approach, including gaining a competitive advantage, managing legal and regulatory obligations, meeting community, customer and other stakeholder expectations, protecting value, enhancing resilience, reducing costs and maintaining quality.

ERM enables entities to navigate today's uncertain and complex external environment. Failure to adopt an ERM or similar approach leaves entities exposed, and reactive, to unplanned threats and opportunities.

II. Understanding Enterprise Risk Management

A. Components of ERM

At its core, there are two elements to ERM: the framework and the process.

Framework

The ERM framework is a systematic, comprehensive approach used to integrate risk management within an organisation. ERM frameworks must be designed (tailored or customised) to the needs of the organisation and to its internal and external context.

Leadership and commitment underpin an ERM framework. Top management support is critical to embedding risk management within an organisation. Top management is accountable for managing risk and for ensuring that the framework is integrated into organisational structures, particularly governance and decision-making processes, and into the organisational context (e.g. procedures, job descriptions and performance management).

Implementation requires a plan and is supported by training, awareness, and change-management.

An effective framework must be periodically evaluated to ensure it remains suitable and fit for purpose. The organisation should continually adapt and improve its framework so that it remains effective and adequate for the management of risk.

Figure 2. AS ISO 31000:2018 Components of a framework

Process

The risk management process is iterative and should be integrated into organisational processes, decision making and structures. It is adaptive in that it can be applied at any level within an organisation, whether project, process or enterprise-wide.

Human and cultural factors underpin all aspects of the risk management process. Recognising their importance, communication and consultation with internal and external stakeholders are considered critical to effectively implementing and embedding a risk management process. Consultation ensures that the risk assessment considers and includes relevant expertise, diverse perspectives and up-to-date information, leading to more accurate outcomes. Communication and consultation also promote awareness and understanding, and facilitate buy-in and ownership of outcomes. For a further discussion on risk culture, see our insights article.

Setting the scope means defining the boundaries within which the risk process is applied, including the level at which it is applied and the relevant organisational objectives. The organisation should establish the context in which it operates and in which the risk management process is applied. Context encompasses a broad range of internal and external factors, from vision, values, strategy, regulation, culture, capabilities, data, politics and geography to external relationships. Defining risk criteria involves developing the evaluation framework that enables the relative assessment of risk, is aligned to appetite and policy, and supports decision-making.

Risk assessment encompasses risk identification, risk analysis and risk evaluation. In line with the concepts and principles outlined above, the risk assessment process should be consultative, iterative and based on up-to-date information.

Risk identification is the process of recognising and documenting risks to objectives. Risk identification should consider a broad range of factors including the scope, context and emerging risks.

Risk analysis is the process of understanding the nature of the risk, such as its causal factors, and its characteristics, such as likelihood and impact. Risk analysis techniques vary widely and can be qualitative or quantitative. The purpose of risk analysis is to support risk evaluation, enabling a comparison against the defined risk criteria, and to inform a decision about what to do (i.e. do nothing, or treat the risk).

Risk treatment options include avoidance, sharing (e.g. insurance), acceptance or mitigation. Treatment can also include taking more risk to take advantage of an opportunity. Risk mitigation efforts tend to focus on enhancing the control environment, either to prevent the risk from occurring (changing the likelihood) or to correct risk events once they have occurred (limiting the impact).
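As an added illustration (not from the guide or Townend Risk Consulting), the analysis, evaluation and treatment steps described above modelled over a constructed cyber risk: the 5x5 qualitative scales, the appetite threshold of 12 and the ransomware scenario are assumptions, and the treatment function applies the distinction the paragraph draws, with preventive controls changing likelihood while corrective controls and sharing change impact.

```python
from dataclasses import dataclass, replace

# Constructed risk criteria (assumption): ordered 5-point scales and an
# appetite threshold; ratings above the threshold exceed appetite.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
APPETITE_THRESHOLD = 12


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str


def rating(risk: Risk) -> int:
    """Risk analysis: combine likelihood and impact into one rating."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the rating against the defined risk criteria."""
    return "treat" if rating(risk) > APPETITE_THRESHOLD else "accept"


def _step_down(scale: dict, current: str, steps: int) -> str:
    levels = list(scale)  # dict order is lowest to highest
    return levels[max(0, levels.index(current) - steps)]


def treat(risk: Risk, option: str, steps: int = 1) -> Risk:
    """Apply one treatment option and return the residual risk.
    'mitigate-prevent' lowers likelihood (preventive control);
    'mitigate-correct' and 'share' lower impact (corrective control, insurance);
    'accept' leaves the risk unchanged; 'avoid' is modelled as removing the
    exposure, i.e. both characteristics drop to the lowest level."""
    if option == "mitigate-prevent":
        return replace(risk, likelihood=_step_down(LIKELIHOOD, risk.likelihood, steps))
    if option in ("mitigate-correct", "share"):
        return replace(risk, impact=_step_down(IMPACT, risk.impact, steps))
    if option == "avoid":
        return replace(risk, likelihood="rare", impact="insignificant")
    if option == "accept":
        return risk
    raise ValueError(f"unknown treatment option: {option}")


# Constructed register entry: a ransomware scenario against file servers.
ransomware = Risk("ransomware encrypts file servers", "likely", "major")

if __name__ == "__main__":
    print(ransomware.name, rating(ransomware), evaluate(ransomware))  # 16 treat
    residual = treat(treat(ransomware, "mitigate-prevent"), "mitigate-correct")
    print("residual after MFA and tested backups:", rating(residual), evaluate(residual))  # 9 accept
```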

Figure 3. AS ISO 31000:2018: Risk Process

Monitoring and review involves the ongoing assessment of the performance of the risk management process and provides feedback to improve quality and enable continuous improvement.

Recording and reporting involves communicating the outcomes of the risk process to appropriate stakeholders and governance committees. Reporting makes outcomes transparent, which positively influences behaviour and accountability and facilitates decision-making.
