Enterprise Risk Management (ERM)
What is ERM?
ERM is an approach – consisting of methods & processes – to manage risks and to seize opportunities related to the achievement of the enterprise mission & objectives.
Why would you apply ERM?
The identification and the pro-active management of risks and opportunities enable an enterprise to protect and to create value for all its stakeholders: not only its shareholders (owners), but also its personnel, customers, suppliers, any regulators, and society at large.
There are several ERM frameworks which you may consider applying to your organisation. Some of those are:
- The Risk Maturity Model – by RIMS, the Risk Management Society (formerly the Risk and Insurance Management Society)
- The Casualty Actuarial Society (CAS) ERM framework
- The COSO ERM framework – COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission
ERM and Business Process Management
You can read more about those frameworks through the respective links, so it is not the purpose of this post to explain them in further detail. What you may not yet know, however, is the ninth reason why it is so useful and valuable to know your organisation’s business processes: managing risks through your business process knowledge.
Basically, risk management consists of the following activities; you may call it the ‘Risk Management process’:
1. Identify the risks: the worst risks are often the ones which are unknown. Hence, the first step is to identify the risks. The good thing is that, once you have modelled your business processes, it is much easier to determine which events and activities in each business process may give rise to risks. The figure at the left illustrates how a risk – e.g. ‘omission to take a sample for each delivery’ – may be indicated within the process “Receive & Control raw materials” (from the blog of 5th February). As you can see, even the specific risk control, including a link to the Key Risk Indicator (KRI) description – named “KRI Sample” –, is documented.
2. Assess the risks: once a risk is known, you should evaluate its likelihood and its potential impact or severity, using a typical risk assessment matrix like the one illustrated at the right. Notice that the product of likelihood and impact represents the “risk value”, or expected loss. Example: if a risk has an impact of €1 million and its likelihood is 5%, then the risk has an expected value of €50,000, meaning that eliminating this risk completely is worth up to €50,000 (per period over which the 5% applies). Keep in mind that this is an average over many periods: a single occurrence still costs the full €1 million, which is why low-likelihood, high-impact risks are often placed higher on the matrix than their expected value alone would suggest.
Besides prioritising, you may also categorise risks according to other parameters. Often used risk categories are internal vs. external risks, strategic vs. operational risks, etc.
3. Mitigate risks: particularly for the “unacceptable” risks, you should think of how to mitigate them, either by reducing the likelihood, or the impact, or both. You may also decide to transfer a risk by insuring against it, or to accept it consciously. Risk mitigation is also often a matter of process management. Indeed, in the above example (omitting to take a sample of raw material), you may enforce a confirmation of sampling before a Goods Receipt Note can be printed. This way, the receiver of the raw materials cannot forget to take a sample, as the supplier will ask for a Goods Receipt Note at the delivery. This is a typical Poka-Yoke technique to prevent a risk from occurring.
4. Monitor / Control risks: all previous activities are meaningless as long as you neither act upon, nor follow up, the planned actions to mitigate the risks. Hence, risk management should also include a plan to monitor risks and to check the effect of the mitigation actions. Similarly to KPIs (= Key Performance Indicators – see also the blog of 5th of March 2015), for important risks you had better define a Key Risk Indicator (KRI), using a fact sheet for each risk, including the threshold at which the risk owner must act. Do you want an example of a KRI template (for free)? Just request it through the comment box below or via the contact form.
It is clear that Business Process Management also contributes to effective enterprise risk management; a process-oriented risk management approach is recommended.
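To make the four activities concrete, here is a small process-oriented risk register in Python. It is an added example written for this post, not code from the original article or from any of the frameworks named above. The first risk is the post’s own sampling example (5% likelihood, €1 million impact, “KRI Sample”); the other two risks, the 5×5 likelihood and impact bands, the zone thresholds, the KRI names and readings, and the 0.5% residual likelihood after the Poka-Yoke control are all constructed for illustration.

```python
"""Process-oriented risk register: identify, assess, mitigate, monitor.

Added example for this post; all figures, bands and KRI names are constructed.
"""
from dataclasses import dataclass, replace

# Constructed 5x5 scales: likelihood (probability per year) and impact (EUR)
# are each mapped to a 1..5 band; the matrix score is their product (1..25).
LIKELIHOOD_BANDS = [(0.01, 1), (0.05, 2), (0.20, 3), (0.50, 4), (1.0, 5)]
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (500_000, 3), (2_000_000, 4), (float("inf"), 5)]


def band(value, bands):
    """Return the band whose upper bound is the first one not exceeded by value."""
    for upper, score in bands:
        if value <= upper:
            return score
    return bands[-1][1]


def zone(score):
    """Map a matrix score to the three zones of a typical risk matrix (constructed cut-offs)."""
    if score >= 15:
        return "unacceptable"
    if score >= 8:
        return "significant"
    return "acceptable"


@dataclass(frozen=True)
class Risk:
    name: str
    process: str          # business process in which the risk was identified (step 1)
    category: str         # e.g. "operational", "strategic", "external" (step 2)
    likelihood: float     # probability of occurrence per year
    impact_eur: float     # loss if the risk materialises
    kri: str              # Key Risk Indicator watched for this risk (step 4)
    kri_threshold: float  # KRI value above which the risk owner must act

    def expected_loss(self):
        # "Risk value" as in the post: likelihood x impact.
        return self.likelihood * self.impact_eur

    def matrix_score(self):
        return band(self.likelihood, LIKELIHOOD_BANDS) * band(self.impact_eur, IMPACT_BANDS)

    def rating(self):
        return zone(self.matrix_score())


def prioritise(register):
    """Step 2: order risks by expected loss, highest first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def mitigate(risk, likelihood=None, impact_eur=None):
    """Step 3: residual risk after a control that lowers likelihood and/or impact."""
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        impact_eur=risk.impact_eur if impact_eur is None else impact_eur,
    )


def monitor(register, kri_readings):
    """Step 4: names of risks whose latest KRI reading exceeds its threshold."""
    return [r.name for r in register if kri_readings.get(r.kri, 0.0) > r.kri_threshold]


# Constructed register. The first entry is the post's own example; the other two
# are made up so that prioritisation across categories has something to order.
REGISTER = [
    Risk("Omission to take a sample for each delivery", "Receive & Control raw materials",
         "operational", 0.05, 1_000_000, "KRI Sample", 0),
    Risk("Key supplier insolvency", "Purchase raw materials",
         "external", 0.02, 3_000_000, "KRI Supplier credit rating downgrades", 0),
    Risk("Ransomware on the ERP system", "IT operations",
         "operational", 0.25, 600_000, "KRI Critical CVEs unpatched for more than 30 days", 5),
]

# Constructed KRI readings for the current period.
KRI_READINGS = {
    "KRI Sample": 2,  # two deliveries had no sampling confirmation
    "KRI Supplier credit rating downgrades": 0,
    "KRI Critical CVEs unpatched for more than 30 days": 7,
}


def report(register=REGISTER, kri_readings=KRI_READINGS):
    """Run the four activities once and return the findings as a dict."""
    sample_risk = register[0]
    # Poka-Yoke control from the post: no Goods Receipt Note without a sampling
    # confirmation. Assumed to cut the likelihood from 5% to 0.5% (illustrative).
    residual = mitigate(sample_risk, likelihood=0.005)
    return {
        "priority": [r.name for r in prioritise(register)],
        "ratings": {r.name: r.rating() for r in register},
        "sample_expected_loss": sample_risk.expected_loss(),
        "sample_residual_rating": residual.rating(),
        "sample_residual_expected_loss": residual.expected_loss(),
        "kri_breaches": monitor(register, kri_readings),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two things the register shows that the text alone does not: the sampling risk carries the lowest expected loss of the three, yet it is still rated “significant” on the matrix because of its impact band, and after the Poka-Yoke control it drops to “acceptable” while its KRI is nonetheless breached this period, which is exactly the signal step 4 exists to catch.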
Would you like to know more about Enterprise Risk Management? Write anything about your experience with ERM in the “Comment” box below (for example whether it is already applied in your organisation, how it is implemented, what challenges were met, etc.) and receive a set of interesting documents on the COSO ERM framework for free.