Enterprise Risk Management
Enterprise risk management (ERM) is a strategic framework that enables organizations to systematically identify, assess and manage risks that threaten the achievement of their objectives.
Traditional approaches to risk management often address risk in isolation; ERM takes a holistic view with the understanding that risks are interconnected and can impact more than one area of an organization. Because risk management is integrated into all aspects of an organization’s operations, ERM does more than help mitigate potential threats — it helps organizations capitalize on opportunities arising from uncertainty.
ERM also matters because it lets organizations manage risk in alignment with their strategic goals. Risks evolve constantly, whether from technology, regulatory shifts or market fluctuations; ERM prepares organizations to respond by fostering a risk-aware culture, which helps them avoid surprises and limit losses.
PART 1
Risk management process
The risk management process contains seven steps:
- Determine the organization’s risk tolerance or appetite. This establishes the level of risk the organization is willing to accept in pursuit of its objectives.
- Identify potential exposures by recognizing and documenting the risks that could impact the organization.
- Quantify each exposure by assessing the likelihood and potential impact of the identified risks.
- Compare current levels of risk to the target level of risk established in the first step. This highlights any gaps between the current risk profile and the organization's risk appetite.
- Develop and implement an appropriate risk management strategy to manage the differences, whether by mitigating, transferring, accepting or avoiding risks.
- Monitor the exposures and evaluate the effectiveness of the strategy regularly. This ensures that the strategy is still aligned with the organization's objectives and risk environment.
- Conduct a review and modify the strategy as needed, ensuring it remains effective and in alignment with the organization's risk tolerance.
For more information about the risk management process, see “7 Steps to an Effective Risk Management Process.”
PART 2
Categories of risk
The goal of ERM is to understand how each department contributes to, or is affected by, specific risk categories. Two of the most critical types of risk that affect every aspect of the organization are market risk and operational risk.
Market risk
Market risk refers to the potential that changes in financial market rates and prices will diminish the value of a security or portfolio. It’s typically broken down into two categories: general risk, which is tied to overall market conditions, and firm-specific risk, which pertains to individual companies. The four types of market risk are equity price risk, interest rate risk, foreign exchange (FX) risk and commodity price risk.
- Equity price risk refers to the potential for loss due to fluctuations in stock prices.
- Interest rate risk is the possibility that fluctuations in interest rates will affect the value of investments and the cost of borrowing.
- FX risk comes into play when a company deals with transactions, assets or liabilities in a foreign currency.
- Commodity price risk is notable because supply in many commodity markets is concentrated among a small number of producers, which makes prices more volatile than those of widely held securities.
Operational risk
Operational risk is the risk of direct and indirect loss that results from external or internal sources and affects an organization’s operations. The primary internal sources of operational risk are people, processes and technology.
When people, i.e., employees, are the source of operational risk, it can result from fraud, data entry errors, lack of knowledge or skills, or loss of key personnel, among other things.
Day-to-day processes incur a range of risks, such as accounting or financial reporting errors, a formula error in a spreadsheet, errors in the clearing or settlement processes, and stolen customer personal data.
The third internal source of risk is technology. It includes the possibility that the vendor of a software product the organization depends on goes out of business, employees violating security policy, and third parties such as vendors, contractors or integrated services holding access to the organization's systems.
External sources of risk come from:
- Financial institutions, e.g., bank failure.
- Counterparties, i.e., the risk that the other party in a contract or financial transaction will not perform as promised.
- Suppliers, e.g., if they don’t deliver on time or provide you with an inferior product, this could impact your organization through customer dissatisfaction and loss of sales.
- External theft/fraud, e.g., false invoices, check fraud.
- Legal and regulatory compliance, potential lawsuits or other legal actions instigated by customers, trade partners, or governmental agencies and regulators.
- Physical and electronic security, e.g., failure of biometric security systems.
- Events, e.g., natural disasters, terrorism, pandemic.
- Sovereign or political conditions, e.g., a government defaults on its debt, uncertainties about future tax liabilities due to changing government control.
PART 3
Techniques used to measure risk
There are five primary techniques used by organizations to measure risk, which are briefly described below.
Sensitivity analysis
Sensitivity analysis is used to assess how changes in a single variable impact a financial outcome when all other variables remain constant. For example, an analyst could calculate an investment’s net present value (NPV) based on different values of the cost of capital. Varying this one input allows the analyst to observe how sensitive the NPV is to changes in the cost of capital. This analysis tells us which variables have the most significant effect on the financial model.
Scenario analysis
Scenario analysis also evaluates how changes in variables impact a financial outcome; however, it does so by considering multiple variables at the same time. You begin with a base case, which represents the expected values for each input. Then, employees who are familiar with the variables are asked to estimate their best- and worst-case values. Combining these estimates, the best- and worst-case scenarios are created, providing the financial model with a range of possible outcomes.
Monte Carlo simulation
This technique uses probability distributions and random numbers to simulate outcomes for a model. It is usually run with simulation software or a scripting language rather than by hand, since a simulation can generate thousands of scenarios in seconds, letting analysts explore a wide range of potential outcomes.
For example, if you’re calculating the NPV of an investment, the Monte Carlo simulation can simultaneously vary assumptions about cash flows and the opportunity cost of capital, then randomly select values based on user-defined probability distributions. The final step is to run numerous simulations from which the user can review key statistics, such as the minimum, maximum, mean and median values, gaining deeper insights and allowing for more informed investment decisions.
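The sensitivity sweep described under "Sensitivity analysis" and the Monte Carlo NPV run described just above, as one added example written for this page (it is not code from the original article). The cash flows, the cost-of-capital range and the probability distributions are constructed assumptions chosen for illustration, and the function names are our own:

```python
"""Added example: NPV sensitivity sweep and Monte Carlo NPV simulation.

Illustrative code written for this page, not a tool the article describes.
The cash flows, cost-of-capital range and probability distributions below are
constructed assumptions, not real project data.
"""
import random
import statistics


def npv(rate, cash_flows):
    """Net present value. cash_flows[0] is the initial outlay at t=0 (negative)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


# Constructed base case: 100 outlay today, then five years of 30 inflows.
BASE_CASH_FLOWS = [-100.0, 30.0, 30.0, 30.0, 30.0, 30.0]


def sensitivity(cash_flows, rates):
    """Sensitivity analysis: vary only the cost of capital, hold cash flows fixed.
    Returns {rate: npv} so the reader can see how steeply NPV reacts to the rate."""
    return {r: npv(r, cash_flows) for r in rates}


def monte_carlo_npv(base_cash_flows, n_sims=10_000, seed=42):
    """Monte Carlo: vary every future cash flow and the discount rate at once,
    each drawn from an assumed distribution, and summarise the resulting NPVs.

    Assumed distributions (constructed for this example):
      - each future cash flow ~ Normal(mean=base value, sd=20% of base value)
      - cost of capital       ~ Uniform(6%, 14%)
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    results = []
    for _ in range(n_sims):
        rate = rng.uniform(0.06, 0.14)
        flows = [base_cash_flows[0]] + [
            rng.gauss(cf, 0.20 * cf) for cf in base_cash_flows[1:]
        ]
        results.append(npv(rate, flows))
    results.sort()
    return {
        "min": results[0],
        "max": results[-1],
        "mean": statistics.mean(results),
        "median": statistics.median(results),
        # share of simulated outcomes in which the project destroys value
        "p_negative": sum(1 for v in results if v < 0) / len(results),
    }


if __name__ == "__main__":
    for r, v in sensitivity(BASE_CASH_FLOWS, [0.05, 0.08, 0.10, 0.12, 0.15]).items():
        print(f"rate {r:.0%}: NPV = {v:8.2f}")
    print(monte_carlo_npv(BASE_CASH_FLOWS))
```

The sensitivity sweep answers "which single input moves NPV most"; the Monte Carlo run answers "given all inputs moving together, how likely is a loss", which is the p_negative figure no single-variable sweep can produce.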
Value at risk (VaR)
Value at risk (VaR) answers the question: What loss will not be exceeded, with a given level of confidence, over a given time period? A 95% one-day VaR of $1 million means that on 95 days out of 100 the loss should stay at or below $1 million; it does not mean $1 million is the worst case, since the remaining 5% of days can produce larger losses and VaR by itself says nothing about how large. VaR is calculated by analyzing the probability and financial impact of market moves, typically using historical data to estimate the distribution of future outcomes, and it combines various risk factors into a single measure expressed as a probability, an amount and a time period. Because of its reliance on past data, organizations have to be vigilant about updating their data to ensure accuracy.
Cashflow at risk (CaR)
A company-specific adaptation of VaR, cashflow at risk (CaR) assesses how future cash flows could be affected by changes in market conditions. It helps companies better understand the impact of market volatility on cash flow performance by analyzing how different risks combine to affect outcomes. It’s also used to evaluate the effects of various market scenarios, such as changes in exchange rates or commodity prices, or to assess the potential impact of major decisions, such as an acquisition or merger. It’s important to remember that, like VaR, CaR relies on historical data, meaning it might not fully capture the effects of future events.
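The VaR calculation described above, carried out by historical simulation on a constructed profit-and-loss series, as an added example written for this page (not code from the original article). It also computes the expected shortfall on the days that breach VaR, which is the check a practitioner wants alongside any VaR figure, and the same quantile routine applies unchanged to a simulated cash-flow distribution when computing CaR. The P&L series is generated from seeded random draws, not market data, and the function names are our own:

```python
"""Added example: historical-simulation value at risk (VaR) with an
expected-shortfall check.

Illustrative code written for this page, not a tool the article describes.
The P&L series is constructed (seeded random draws), not market data.
"""
import math
import random


def constructed_daily_pnl(n_days=1000, seed=7):
    """Constructed daily profit/loss series for a portfolio (positive = gain).
    Mostly Normal(0, 10) with an occasional extra loss so the tail has weight."""
    rng = random.Random(seed)
    pnl = []
    for _ in range(n_days):
        x = rng.gauss(0.0, 10.0)
        if rng.random() < 0.02:  # 2% of days: an additional shock
            x -= abs(rng.gauss(30.0, 10.0))
        pnl.append(x)
    return pnl


def historical_var(pnl, confidence=0.95):
    """VaR at the given confidence: the loss not exceeded on `confidence`
    fraction of days, returned as a positive loss amount.

    Historical simulation: sort the observed losses and take the empirical
    quantile. With 1000 days and 95% confidence, 950 days have a loss at or
    below the returned threshold."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    losses = sorted(-x for x in pnl)  # ascending losses (gains are negative)
    idx = math.ceil(confidence * len(losses)) - 1
    return losses[idx]


def expected_shortfall(pnl, confidence=0.95):
    """Average loss on the days at or beyond VaR. VaR alone does not say how
    bad the breaching days are; this does, and is the figure to report with it."""
    var = historical_var(pnl, confidence)
    tail = [-x for x in pnl if -x >= var]
    return sum(tail) / len(tail)


def scale_var(one_day_var, horizon_days):
    """Square-root-of-time scaling to a longer horizon. Assumes daily P&L is
    independent and identically distributed, which real markets violate, so
    treat the result as a rough approximation only."""
    return one_day_var * math.sqrt(horizon_days)


if __name__ == "__main__":
    pnl = constructed_daily_pnl()
    for c in (0.95, 0.99):
        v = historical_var(pnl, c)
        es = expected_shortfall(pnl, c)
        print(f"{c:.0%} 1-day VaR = {v:.1f}, expected shortfall = {es:.1f}, "
              f"10-day VaR (sqrt-time) = {scale_var(v, 10):.1f}")
```

Because the quantile is taken from past observations, a period that happened to be calm yields a low VaR that says nothing about a shock absent from the window; that is the historical-data caveat the text raises for both VaR and CaR, made concrete.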
PART 4
Risk management policy
Essential for any organization, a risk management policy provides a clear structure for identifying, assessing and mitigating potential risks that could impact its operations, reputation and financial stability. Having a policy in place allows organizations to proactively address risks before they escalate, ensuring business continuity and protecting their assets.
A good risk management policy should include an outline of the organization's risk appetite, the roles and responsibilities of key stakeholders, the processes for risk identification and assessment, and the strategies for risk mitigation and monitoring. Guidelines for conducting regular reviews and updates should also be included, ensuring relevancy as the organization grows.
PART 5
Risk management oversight
Having a risk management policy in place is an excellent start, but risk management oversight is necessary to ensure that the policy is effectively implemented and continually improved. While a policy outlines what should be done, oversight ensures it’s actually being followed.
Oversight helps ensure the policy is regularly reviewed and updated to reflect new threats or changes in the organization’s goals and operations. It also establishes clear accountability and ensures there is a governance structure in place to track, report and address risks.
Further, the insights gained from risk management activities are more effectively integrated into decision-making processes, ensuring alignment with the organization’s strategic objectives and leading to better outcomes.