Enterprise Risk Management
Organizations must identify and avoid major catastrophic events. Changing market conditions, employee unrest, negative public relations events, major accidents, legal conflicts, inadequate manpower resources, natural disasters and supply chain disruption are just some of the many risks that challenge an organization. The objective of enterprise risk management (ERM) is to provide enduring management of internal and external risks that threaten achievement of an organization's mission.
Becoming a Risk-Informed Organization
ERM should not be a standalone process, but an integrated element of an organization's performance management system. ERM should support business planning cycles, such as budgeting and strategic planning, to guarantee progress in identifying and managing risks. In other words, as ERM is implemented and matured over time, activities will become risk-informed, and key business decisions will be improved by considering risk impacts as part of the process. Specifically, an integrated ERM process will generate information in four key areas to help inform the key decisions:
Strategic Risk Understanding
Are the enterprise strategic risks adequately understood?
Strategic Risk Tolerance
Which strategic risks should be accepted? Which should be reduced?
Strategic Risk Management
Which treatments will be most efficient and effective in reducing risk? When and how will they be implemented?
Risk Management Optimization
Are performance measures and the implementation status monitored to inform which treatments should be increased, decreased or eliminated in subsequent cycles to optimize risk reduction across the enterprise?
Traditionally, an organization's approach to ERM tends to be internally focused on governance and compliance-oriented risks in the areas of financial reporting, taxes, information security, human resources, fraud and legal. While these are undoubtedly important areas to consider as part of ERM, the ABS Group approach takes a broader perspective using its technical subject matter experts to identify both internal and external events that could threaten an organization's viability, including:
- Natural hazards
- Major accident hazards
- Security hazards
- Unfavorable economic conditions
- Competition in the marketplace
- Compliance failures
- Governance failures
We call this Adaptive ERM, an approach that makes business activities more risk-informed. The end result is that risk impacts are considered as part of a process that can improve decision-making and, in turn, business results.