Without going into its roots, Risk Management has been around since the years after World War II. However, whilst risk management focuses on mitigating and addressing risks at the level of the business unit, in a siloed approach, Enterprise Risk Management (ERM), a more recent development, takes a holistic approach that involves Board and Executive management decision-making to identify and address those risks that, when combined at enterprise level, could impact the organisation's strategic goals and objectives.
Looked at from a different angle, what makes sense at the department or unit level when mitigating and addressing risks may not make the same business sense at the enterprise level, for the simple reason that many other factors come into play there that could further undermine the Organisation's objectives. However, with the right level of information at enterprise level about the risks, including operational and business risks, Executives and Boards are better positioned, and have better insight, to ensure that the Organisation is not negatively impacted and that stakeholder value is maximised. Similarly, ERM facilitates the achievement of strategic objectives through the realisation of opportunities and the gaining of a competitive advantage over competitors.
Therefore, whilst ERM is a top-down strategy that aims to identify, assess, and mitigate potential losses and dangers arising from significant risks and other uncertain incidents and events, the organisational ERM framework and governance structure must be established in such a way that risk management becomes embedded in the day-to-day operations across the organisation's functions and departments.
It is through a well-established ERM framework that the Board and Executive team are able to shape the Organisation's overall risk position through the implementation of effective risk management responses, whilst at the same time allowing informed key strategic decisions to be taken in the interest of the whole organisation.
But is the success of ERM solely in the hands of the Board and Executive? Far from it. The Board is responsible for maintaining proper oversight. The Executive team needs to ensure that the framework and governance structure are implemented and in place. The Risk Management function (part of the 2nd line) needs to ensure that management and key staff (who together are the risk owners and form part of the 1st line) are knowledgeable, capable and responsible for taking ownership to identify and mitigate operational business risks. Where necessary, the internal audit function (the 3rd line) also plays its role in assessing and auditing the effectiveness of the controls put in place by the 1st line of defence.