The case for an enterprise-wide approach to risk management
Traditional risk management approaches may no longer be the most beneficial way to manage risk
Traditional Risk Management approaches within companies have focused on operational risk. This stemmed from the early days of the discipline, when risk was largely the domain of the insurance industry and companies sought the best liability cover for their potential risks at the lowest possible price (Waring & Glendon, 1998). This train of thought led to a fragmented risk management process within many companies, as individual business divisions assessed and prioritised only the risks that were pertinent to their own operations.
The lack of inter-relationships and communication across a company's operations resulted in focus being placed primarily on physical and financial assets. Over time, companies began to realise that the emphasis on loss prevention rather than on adding value was acting as a restraint in an increasingly competitive and fast-changing business environment.
In recognition of the need for an integrated and comprehensive strategic approach to managing risks, Enterprise Risk Management (ERM) has received increased attention in the Risk Management discipline and within the corporate community over recent years. Although ERM is often substituted with terms such as holistic, strategic or integrated Risk Management, these adjectives generally refer to the same idea: managing all risks with the final objective of creating value.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a useful definition of ERM in its ERM - Integrated Framework report (2004). It defines ERM as "a process effected by an entity's board of directors, management and other personnel, applied in strategy and across the enterprise, designed to identify potential events that may affect the entity... to provide reasonable assurance regarding the achievement of entity objectives".
Before presenting the arguments that support the case for an enterprise-wide approach to risk management, it is first necessary to provide a brief overview of what ERM entails and how a company can go about creating and implementing a holistic risk management framework.
Overview of Enterprise Risk Management principles
The ERM approach differs from the traditional risk management approach in that the focus is placed on an enterprise-wide strategy. Meulbroek (2002) argues that in order to achieve integrated risk management, a company must review and assess all the risks that could potentially affect its value. This core principle of ERM ensures that senior managers' attention is directed at the uncertainties surrounding the company's entire asset portfolio.
A second fundamental concept of ERM relates to the people who carry out and manage the process. Although ERM is the ultimate responsibility of the board of directors with the support of senior management (i.e. a top-down process), it must be noted that in order for the approach to be enterprise-wide, every employee at every level of the organisation must support the framework. Without everyone's support for the process, the ERM infrastructure would be worthless.
Furthermore, as discussed in Protiviti's bulletin paper (2006), companies need to be aware that they must be open and flexible to change. The ERM initiative can change organisational behaviour through the need for "building awareness, developing buy-in and ultimately driving the acceptance of ownership throughout the entity".