Essay On Enterprise Risk Management

This article examines the development of Enterprise Risk Management (ERM) processes and systems. The types of risks addressed by ERM are explained along with how enterprise risk analysis can assist boards of directors, corporate managers, investors, and industry analysts. The Integrated Framework for ERM of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is also reviewed. The processes and challenges of implementing ERM and information systems to support ERM are examined along with steps that stakeholders can take to address technical and cultural issues. Past experiences in developing and implementing large-scale systems that drive organizational change are also reviewed.

Keywords: Data Analysis; Decision Support Systems; Enterprise Resource Planning (ERP); Executive Information Systems (EIS); External Risk; Information System Development Life Cycle (ISDLC); Manufactured Risk; Organization Change; Public Company Accounting Oversight Board (PCAOB); Risk Analysis; Risk Mitigation; Sarbanes-Oxley Act; Technological Risk


Enterprise Risk Management (ERM) is a data intensive process that measures all of a company's risks. This includes providing managers with an understanding of the full array of a company's risks including financial risks, investment oriented risks, operations based risks, and market risks, as well as legal and regulatory risks for all of the locations in which a company operates or invests (Peterson, 2006). Risk can also be a result of political or social conditions in locations where a company has operations, suppliers, or customers (Woodard, 2005). Risk to a company's reputation is also an important aspect and element of ERM (Ruquet, 2007).

In each of the risk areas there are two primary types of risks that companies face:

  • External Risk
  • Manufactured Risk

External risk is the risk of events that may strike organizations or individuals unexpectedly (from the outside) but that happen regularly enough and often enough to be generally predictable. Manufactured risk is a result of the use of technologies or even business practices that an organization chooses to adopt. A technological risk is caused or created by technologies that can include trains wrecking, bridges falling, and planes crashing (Giddens, 1999). Business practice risk is caused or created by actions which the company takes which could include investing, purchasing, sales, or financing customer purchases.

ERM analytical models should encompass both external and manufactured risks which can be identified through historical analysis as well as reviews of current operations and exposures ("Expect the Unexpected," 2009). Once identified, risks can be validated through discussions with corporate executives, operations managers, production managers, and business unit executives. In addition to gaining a better understanding of risks these discussions can also provide insight into existing mitigation practices that have been designed to reduce specific risk (Muzzy, 2008).

The data intensity of ERM requires risk managers to obtain data from numerous sources, test the integrity and accuracy of that data, and assure that the data is being properly applied and interpreted. Assumptions about the models or analytical approaches behind an ERM analysis must also be carefully examined and tested (Cotton, 2009; Vlasenko & Kozlov, 2009). The internal audit department can help validate some of the financial data used in ERM models as well as provide other potentially relevant financial information (Gramling & Myers, 2006).

The 2008 economic downturn caught many corporate executives working with analytical models that assumed that the housing market would not decline so drastically or on such a widespread basis (Korolov, 2009). Clearly the assumptions and the analytical model had not undergone stringent enough testing. However, most risk managers had also not previously seen the convergence of negative economic trends occur so quickly and across so many sectors simultaneously (Morgan, 2009).

Putting ERM to Work

The ERM process is designed to enable corporate executives as well as investors to quantify and compare risks and to gauge the overall health of a company (Coccia, 2006; Panning, 2006). Investment advisors, institutional investors, and credit rating agencies are adding to the pressure for companies to develop ERM systems and disclose their risks (Karlin, 2007). ERM enables top managers of a company to aggregate, prioritize, and effectively manage risks while enabling business-unit managers to improve decision making in operations and product management (Kocourek & Newfrock, 2006). In managing risks there are several options that corporate executives can take including accepting, preventing, mitigating, transferring, sharing, or avoiding the risks (Woodard, 2005).

The ERM process can also support strategic planning activities as well as provide insight into alternative business practices and goals (Millage, 2005). One of the biggest challenges in implementing ERM strategies is to make sure that selected analytical methods are appropriate for the type and size of organization to which they are being applied (Milligan, 2009). ERM strategies and models as well as the utilization of ERM analyses will vary with corporate culture, business goals, and risk management objectives. This means that a one-size-fits-all approach towards ERM is not likely to be successful (Lenckus, 2006).

The Push for ERM

Although many companies have used ERM over the last decade, the economic downturn of 2008 showed that some companies had not done well when it came to managing their risks (Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that corporate executives were not taking newly developed models of risk analysis as seriously as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the ERM concept is changing as more and more companies attempt to recover from the downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy base for using ERM to help manage companies through all phases of business cycles (Van der Stede, 2009).

In addition to pressure from the investment community, corporations also face new legal requirements that have increased the interest in ERM. After Enron, WorldCom, Tyco, and other large businesses failed, the United States Congress passed the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley addressed risks related to financial reporting issues. Sections 302 and 404 of the act have spurred considerable interest in ERM. Section 302 mandates disclosure controls and procedures so that companies can disclose developments and risks of the business, and Section 404 requires an assessment of the effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009).

The United States Securities and Exchange Commission (SEC) has also implemented requirements for publicly traded companies to disclose risk factors in Item 1A of their 10-Ks. The SEC and Public Company Accounting Oversight Board (PCAOB) also developed Section 404 guidance that supports top-down risk assessment and holds boards of directors more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir & Walker, 2009).

In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Integrated Framework for ERM. The framework identifies four types of objectives for ERM:

  • Strategic,
  • Operations,
  • Reporting, and
  • Compliance.

In addition, organizations are charged with examining eight components for each of the four objectives:

  • Internal environment,
  • Objective setting,
  • Event identification,
  • Risk assessment,
  • Risk response,
  • Control activities,
  • Information and communication, and
  • Monitoring (Bowling & Rieger, 2005a, p. 31; Wheeler, 2009).

A summary as well as detailed information about the COSO framework is available at www.coso.org.

Thus, the stage is set and the pressure is on for organizations to use ERM to gain greater insight into company-wide risk. But it may not all be that easy. Even after ERM systems are in place the analysis they render must then be applied to the business decision making process. Even at that point, it will require an added dose of knowledge, wisdom, and experience to develop a competitive strategy and support that strategy with rational day-to-day business management skills before ERM becomes an integral part of a company's success formula.


Implementing ERM

As companies begin to implement ERM processes and systems, the most important decision they face is who will be in charge of the ERM processes and systems and where in the organizational structure the ERM function will be placed. Many companies have opted to create a position of chief risk officer (Wheeler, 2009). This trend has created new career paths for those interested in risk management, especially those who are interested in working at the highest levels of organization management (Branham, 2006).

Establishing an effective risk management organizational structure also requires that the risk management department or director be provided an adequate degree of independence similar to that of an internal auditor. This includes the ability and the resources to build an ERM information system that can support data collection, information-gathering, modeling, and risk analysis (Shan, Xin, Xiaoyan & Junwen, 2009).

ERM staff also need to develop a broad knowledge of the company in which they work and cultivate relationships with key players in all parts of the company in order to promote risk management (Loghry & Veach, 2009). Once relationships are established they must be maintained through continuous, meaningful, and understandable communications regarding the company's risks. ERM staff may also need to develop new skills and will always need to keep their skills and knowledge base updated through continuing education and training in the risk analysis and risk management fields (Zaccanti, 2009).

Corporate executives who are responsible for directing risk analysis need to have enough influence in their organization to gain the attention and respect of other executives (Baker, 2008). The quality of risk analysis and the sophistication of risk inventories and projections may help to persuade corporate executives that there is value in the ERM processes, systems, and staff (Johnson & Swanson, 2007).

ERM staff also need tools to help them crunch through the vast amounts of data that can be used to support risk analyses. The marketplace for ERM application software is only beginning to emerge, and ERM staff are faced with selecting from tools that may have had little real-world use (Lenckus, 2006; Ramamoorti & Weidenmier, 2006). Tools and people cost money, and if ERM programs are not adequately funded, results are likely to be anemic at best (Panning, 2006).

Back to Basics in Information Management

The fundamental principle behind ERM is that it is designed to take a broad and comprehensive view of risks and focus on the basic causes and effects that can keep companies from achieving their strategic business goals (Loghry & Veach, 2009). Some analysts view this as a departure from the past when risk management was depicted as a fragmented, silo-ridden function in most organizations (Bowling & Rieger, 2005). However, ERM systems of this scope are largely based in information creation and analysis and thus the basic rules and processes of information management apply to ERM systems just as they do to any other information system.

Database Software

There are four basic steps to business data management:

  • Data creation,
  • Data storage,
  • Data processing, and
  • Data analysis.

A considerable amount of data is created through everyday business processes such as production of items, consumption of supplies or resources, sales of goods or services, and customer service activities. The primary tool for processing and managing such large amounts of data is database software. Database software is used in virtually all industries, especially those that are transaction focused and need to track large quantities of items or activities. Enterprise storage systems are capable of storing vast amounts of data, and modern storage management tools have eased many of the problems associated with this task.

Complex data analysis, beyond what database software provides, has become essential to managing large organizations and may be even more essential in ERM. This type of data analysis can be performed with a variety of data mining, statistical analysis, and decision support software packages. This software helps managers and analysts compile or create statistics on millions of business transactions. These statistics can support business forecasting and planning efforts as well as ERM analysis.

Data analysis software has evolved over the last 60 years. For decades most such software was rather cumbersome and required custom programming. In the 1970s decision support systems (DSS) were introduced that provided assistance for specific decision-making tasks. While DSSs can be developed for and used by personnel throughout the organization, they are most commonly employed by line staff, middle level managers, and functional area specialists. Among the latest developments are expert systems, which capture the expertise of highly trained, experienced professionals in specific problem domains.

In the 1990s executive information systems (EIS) or executive support systems (ESS) were being developed in large organizations. At first these systems were cumbersome, and most were stand-alone systems requiring time-consuming data entry processes. As expected, the technology for EIS has evolved rapidly, and new systems are more integrated with other applications like DSS or Enterprise Resource Planning (ERP) systems (Watson, Rainer & Koh, 1991).

Information System Development Life Cycle (ISDLC)

Regardless of whether the ERM team is going to use off-the-shelf products such as DSSs or an EIS or develop their own in-house applications, they still need to apply the Information System Development Life Cycle (ISDLC) model to implementation. The traditional and well-established approach to the ISDLC is that a development project has to undergo a series of phases where the completion of each is a prerequisite to the commencement of the next and where each phase consists of a related group of steps. The general scheme for the ISDLC is similar almost everywhere. It typically contains four major phases, each consisting of several steps:

  • Definition Phase: consisting of preliminary analysis, feasibility study, information analysis, and system design.
  • Construction Phase: consisting of programming, development of procedures, unit testing, quality control, and documentation.
  • Implementation Phase: consisting of user training, conversion of old systems to new systems, thorough field testing, and then a move to full operations.
  • Maintenance Phase: after the system is in full operation, updates are made to assure continued operations as new equipment or upgrades to operating systems occur. Enhancements to the system can also be made to meet changing user requirements.

Effective management of information systems requirements analysis, and thus the design of appropriate systems, is critical to the success of an ERM systems project. Systems development methodologies must be selected and applied based on requirements and goals stated by the staff who will ultimately use the system (Avison & Taylor, 1997). ERM practitioners can benefit from these basic information systems practices and should look to traditional development procedures and processes instead of going it alone and trying to reinvent the world of information management.

Issue: Overcoming the Hurdles

The last several years have been a rocky road for many ERM programs and many have been viewed as failures in their early stages. When ERM programs are driven by individuals, single divisions or business units, or function as silos they do not have the ability to bridge with other parts of the company and become integrated into the management process. In addition, ERM has often been viewed as a costly program that takes years to implement and years can pass before any real benefits are derived from the expenditure of time and money...
