Corporate risk has traditionally been managed, at best, in an informal and localized way across most corporations. It has been handled in local silos, in which each department or business unit attempted to reduce the risk of its own operations, usually without coordination with other related corporate groups. Even worse, it has often been treated as a side issue rather than as a formal discipline that should be part of all operational and decision-making procedures.
Recently, the effects of this approach have become painfully obvious, and thinking about formal risk management has begun to shift. A number of factors have driven this shift, including:
- The complexity and interdependency of today's corporate risk,
- The rise and increasing numbers of legislative mandates,
- Increased globalization and the complexity of compliance with (sometimes conflicting) international regulations, and
- Increased visibility of recent corporate breaches and the associated catastrophic losses.
Enterprise risk management (ERM) is the systematic and formal management of risk to not only reduce loss but also to capitalize on opportunities. The goal of ERM is to create a sustainable and effective methodology for handling all forms of risk throughout the company, not to create a central bureaucracy to handle risk. This can only be done if risk management is a process that permeates all corporate decision-making, and is done by everyone, at all levels of the organization.
Despite widespread recognition of the value of this type of program, adoption remains somewhat limited. The 2007 Iron Mountain Compliance Benchmark Report revealed that only 35 percent of respondents said they have a formal, enterprise-wide records management policy - despite new e-discovery rules for civil litigation. The potential for increased adoption of this type of methodology is very high.
This limited adoption is not surprising, though, due to some inherent challenges in implementing ERM. For example, managing complex and sometimes unknown risks across business units presents severe organizational challenges. Also, the complexity and often conflicting nature of international mandates make managing regulatory risks very difficult. As a result, many companies see the need for a formal ERM program but are unsure how to proceed or which technologies to adopt to help them in this process.
Risk Categorization
What types of risks are included within ERM? As the name implies, it should include any risk that could impact the corporation in any nontrivial way. The major classifications of risks faced by most corporations include:
- Hazard risk (fire, flood, theft, etc.);
- Financial risk (price, credit, inflation, etc.);
- Strategic risk (competition, technological innovation, regulatory changes, brand image damage, etc.); and
- Operational risk (IT capability, business operations, security threats, etc.).
All of these types of risk are critical for a company to monitor and manage, and each could, in extreme cases, have catastrophic impacts on the corporation. The type of risk that is often most predictable and most amenable to control, though, is operational risk. Operational risks relate to the regular operations of the company and are therefore the easiest to influence through improved and strengthened internal controls.
Operational risk can be either internal or external in nature. Examples of operational risks include:
- People: Inadequate technical or managerial expertise, attrition, etc.
- Process: Inadequate process controls, corporate mergers, legal, supplier and partner risk, etc.
- Technology: Inadequate system and physical security, system reliability, obsolescence, offsite data storage, etc.
Any risk that has a potentially significant impact on corporate goals requires a mitigation strategy. This involves the creation of controls to reduce the risk of loss, as well as monitoring capabilities to ensure that current risks are always correctly analyzed. Most risks require continuous and very proactive monitoring and analysis; some require slightly less proactive management.