Enterprise risk management is the identification and management of potential losses at the level of an organization. This can be contrasted with risk management at the level of a business unit, team or project. The following are illustrative examples of enterprise risk management.
Opportunity
Enterprise risk management frameworks often speak of risk as an opportunity. This leads to much confusion, as people perceive risk as a negative thing, and risk management is indeed about avoiding losses. The inclusion of opportunity as a goal of risk management is to make it clear that it is not an exercise in minimizing risk. Risk taking is the foundation of every business, and risk management is designed to make risk taking more efficient. For example, an organization that mitigates risks can often take on more opportunities at the same level of risk exposure. This typically increases revenue.
Compliance
Risk management is often a compliance function that is required as a basic element of corporate governance. Some organizations treat risk management as administrative overhead that doesn't add much value. Others treat it as an opportunity to take better managed risks as a fundamental tool of revenue optimization.
Authority
Managing risk at the level of an organization requires significant authority. This typically falls under an executive role such as Chief Risk Officer reporting directly to the CEO.
Risk Identification
Risk identification is the process of identifying risks to an organization and its objectives.
Risk Analysis
Risk analysis is the practice of assessing risk probability and impact and identifying risk treatments and responses.
Risk Inventory
A tool for tracking identified risks throughout their lifecycle.
Risk Treatment
Each identified risk is treated with some combination of acceptance, avoidance, transfer, reduction and sharing.
Risk Response
A risk response is a plan for dealing with a risk that is realized to become a loss or issue. This can be contrasted with risk treatment, which is about avoiding losses before they occur. Note: several enterprise risk management frameworks confusingly use the term "risk response" in place of risk treatment. Whatever the terminology, there are two fundamental types of plan for dealing with risk: preventive and corrective.
Implementing the internal controls required to achieve risk treatment and risk response plans.
Monitoring risk and risk controls.
Measuring risk metrics such as risk exposure.
Developing targets for risk measurements, particularly a risk exposure target known as risk appetite.
Risk Communication
Communicating risk monitoring and measurement to stakeholders. Risk communication also includes the risk register and any documentation related to risk analysis.
Risk Integration
Integrating risk measures into the reporting and measurement tools that are used to manage an organization and its business units.
Resiliency
Resilience is a class of strategy that reduces or avoids a large number of risks. This can be described as building a healthy business and organization that resists stresses in areas such as disasters, competition and regulation. For example, a data center business might move closer to energy self-sufficiency with solar panels. This may reduce a broad array of risks in areas such as sustainability, reputation, regulatory and operational risk.
© 2010-2023 Simplicable. All Rights Reserved. Reproduction of materials found on this site, in any form, without explicit permission is prohibited.