Enterprise Risk Management

Introduction

Enterprise Risk Management (ERM) is an approach to risk management that takes the whole organization into consideration (Beasley, 2016). This differs from traditional approaches to risk management that place the responsibility of managing risk at the business unit level, creating potential silos within the organization (Beasley, 2016). It has been suggested that ERM should play a consequential role in the strategic planning processes of organizations (Do et al., 2016).

This paper will examine the role that ERM and its supporting frameworks serve, as well as the various components that might be found in an effective ERM framework. Additionally, various challenges that might impede an ERM implementation will be discussed. These things will be discussed theoretically alongside practical observations from real organizations that have gone through the processes of implementing, updating, and integrating various ERM frameworks.

ERM Fundamentals

At a high level, ERM is the process of developing a complete understanding of the risks that might prevent an enterprise from achieving its specified objectives (Beasley, 2016). More specifically, ERM is an ongoing process that consists of the following components: objective setting, risk identification, risk assessment, risk response, and monitoring (Beasley, 2016).

In his paper titled “What is Enterprise Risk Management”, Beasley (2016) notes that while ERM processes should receive strategic priority, ERM should also be concerned with all types of risk (including operational, strategic, compliance, and reporting risks). Other researchers have categorized risk more broadly into the following three categories: hazard risks, opportunity risks, and control risks (Hopkin, 2010). Hopkin (2010) characterizes hazard risks as those risks that would inhibit the organization’s main objectives, opportunity risks as the risks related to deploying resources on opportunities with a wide range of outcomes, and control risks as those risks that introduce uncertainty.

There are several frameworks that organizations can use to help them establish effective ERM processes. One such example was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Pierce & Goldstein, 2018). COSO initially released a document in 2004 titled “Enterprise Risk Management—Integrated Framework,” which was “recognized as best practice guidance concerning the management of risk in organizations throughout various industries within the USA” (Pierce & Goldstein, 2018, Introduction). Despite the initial success of this document, it contained several shortcomings, such as a lack of maturity and leaving strategic planning out of the process (Pierce & Goldstein, 2018).

Due to these shortcomings, COSO released a subsequent document in 2017 titled “Enterprise Risk Management: Integrating Strategy and Performance” (Pierce & Goldstein, 2018). This document aimed to address the previous issues and placed a meaningful emphasis on the integration of ERM and the strategic planning processes of organizations (Pierce & Goldstein, 2018). Pierce and Goldstein (2018) even introduced Strategic Risk Management (SRM) to further emphasize the integration of these two processes.

In addition to high-level ERM frameworks, there are several frameworks that exist to help organizations manage risk across specific business functions (Al-Ahmad & Mohammad, 2013). These frameworks include Control Objectives for Information and related Technology (COBIT) (IT Governance Institute, 2007), Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) (Mackita et al., 2019), Information Technology Infrastructure Library (ITIL) (Al-Ahmad & Mohammad, 2013), and International Standards Organization 27001 (ISO 27001) (Lopes et al., 2019).

The COBIT framework focuses on technological systems, grouping IT operations into 34 processes, and was created to be “business-focused, process-oriented, controls-based and measurement-driven” (IT Governance Institute, 2007, p. 10). ITIL functions slightly differently than other frameworks as it is a governance framework rather than a risk framework (Al-Ahmad & Mohammad, 2013); however, it could serve as a critical component of a larger risk management strategy. Finally, ISO 27001 outlines the operational requirements related to Information Security Management Systems (Al-Ahmad & Mohammad, 2013) and serves as the international standard for IT risk frameworks (Lopes et al., 2019).

The OCTAVE framework focuses on threat mitigation and is made up of the following three phases: “Build asset-based threat profiles,” “Identify infrastructure vulnerabilities,” and “Develop security strategy and plans” (Mackita et al., 2019, Section 2.1). Multiple variations of OCTAVE have also been created to fit various circumstances. ERMOCTAVE, for example, incorporates the ERM process into the OCTAVE risk framework (Mackita et al., 2019). Other OCTAVE variants include OCTAVE Allegro and OCTAVE Strategic (OCTAVE-S) (Peters, 2023). OCTAVE Allegro seeks to make the OCTAVE framework more useful to small and medium-sized businesses (SMBs), while OCTAVE-S aims to adapt the conventional OCTAVE framework to focus on more strategic-level priorities (Peters, 2023).

While frameworks can be useful resources as organizations build out their own ERM processes, the specifics of those implementations will likely vary from firm to firm, depending on their unique risk profiles. As an example, cloud computing is becoming increasingly popular (Buyya et al., 2018). While cloud computing affords organizations many luxuries, it also introduces new risks that organizations must work to mitigate.

ERM Benefits

While researchers have come to differing conclusions on the empirical relationship between ERM and organizational performance, a comprehensive literature review by Anton and Nucu (2020) found that the majority of researchers attribute positive firm performance to ERM. Anton and Nucu (2020) note that the existing literature may not be representative of all industries, geographies, or time frames. Most of the empirical research performed on this relationship is U.S.-based (Anton & Nucu, 2020).

One staggering statistic arising from a quantitative study of U.S.-based insurance firms is that ERM could increase firm value by 20% (Hoyt & Liebenberg, 2011). Hoyt and Liebenberg (2011) focused their study on just one geography and industry to control for variability. While Hoyt and Liebenberg’s (2011) study is limited in scope, similar results are found in other geographies and industries. In an article titled “The Impact of Enterprise Risk Management on Firm Value: Empirical Evidence from Romanian Non-financial Firms,” Anton (2018) finds that organizations with ERM are valued 46.5% higher. Regarding these statistics, it is important to note that correlation does not necessarily equal causation; however, the association between ERM and firm value is consistently observed.

If one were to assume that ERM adoption was driving firm value rather than firm value necessitating ERM adoption, the next natural question one might ask is, “Why would ERM produce value for businesses?” Blanco-Mesa et al. (2019) suggest that firms with sufficient strategies to manage risk and uncertainty may have a competitive advantage in the market. Lechner and Gatzert (2017) suggest that ERM processes actually increase capital efficiency in the organizations in which they are deployed. Berry-Stölzle and Xu (2018) come to similar conclusions about financial metrics in their article titled “Enterprise Risk Management and the Cost of Capital,” where they conclude that the adoption of ERM systems is statistically associated with a reduction in an organization's cost of capital.

Pérez-Cornejo and De Quevedo-Puente (2022) found that ERM implementations afford multiple benefits as they relate to an organization's reputational risk. The first benefit is that well-implemented ERM systems improve the organization's reputation and satisfy stakeholder expectations through high levels of Corporate Social Responsibility (CSR) performance (Pérez-Cornejo & De Quevedo-Puente, 2022). The second benefit is that “effective risk management helps avoid the perception of guilt when a crisis is caused by a risk that is inherent to a company’s normal activity” (Pérez-Cornejo & De Quevedo-Puente, 2022, p. 376). The idea behind this is that effective ERM practices reinforce stakeholder beliefs that the organization has acted responsibly (Pérez-Cornejo & De Quevedo-Puente, 2022).

Implementation Challenges & Solutions

Many of the challenges pointed out by researchers relate to organizational attitudes concerning ERM. These challenges include the tendency for organizations to see ERM as a linear process rather than an iterative one, the tendency for operational and strategic risks to be addressed separately, or strategically unaligned ERM practices that are deeply embedded in organizations (Pierce & Goldstein, 2018).

The literature also contains several case studies that involve organizations making attempts to integrate ERM processes with their strategic planning cycles, facing specific challenges, and proposing solutions to overcome those challenges (Do et al., 2016). Mitchell Industries, for example, identified the following two issues they faced when trying to integrate ERM into their strategic planning cycle: perceived non-value and leadership changes (Do et al., 2016). Mitchell Industries planned to overcome these challenges through workforce education and organizational realignments (Do et al., 2016).

Eli Lilly and Company (Eli Lilly) similarly identified several areas of improvement for their integration of ERM and strategic planning: opportunity identification, enterprise-wide adoption of key risk indicators, and the identification of risk interconnectedness (Do et al., 2016). Eli Lilly plans to address these improvement areas going forward through annual workshops, establishing key risk indicators, and developing an organizational understanding of how various risks are related (Do et al., 2016).

Daisy Company faced challenges similar to those faced by Mitchell Industries (Do et al., 2016). The employees at Daisy Company initially felt that risk identification was a burden that did not provide a justifiable benefit (Do et al., 2016). Instead of ignoring this concern, Daisy Company used its Risk Management Committee (RMC) to lighten the workload for Daisy Company employees (Do et al., 2016).

Conclusion

Operating environments are becoming increasingly complex and interconnected, necessitating holistic approaches to risk management (Beasley, 2016). ERM helps organizations build out processes to manage risk at this holistic level; however, it has been argued that ERM must be integrated with an organization's strategic planning cycles in order to be truly effective (Do et al., 2016; Pierce & Goldstein, 2018).

Not only does ERM give organizations the necessary tools to effectively anticipate and mitigate risk, it also provides a framework for organizations to confidently pursue opportunities (Hopkin, 2010). Organizations that can effectively quantify opportunity risk may be better equipped to make informed decisions about mobilizing resources when opportunities present themselves (Hopkin, 2010). Effective ERM processes may also provide firms with measurable financial benefits, such as increased capital efficiency (Lechner & Gatzert, 2017) and a reduction in the cost of capital (Berry-Stölzle & Xu, 2018). Additionally, firms may receive reputational benefits through the implementation of effective ERM processes (Pérez-Cornejo & De Quevedo-Puente, 2022).

This is not to suggest that the implementation of ERM is without its challenges. Firms may face obstacles such as misapplications of ERM processes (Pierce & Goldstein, 2018), perceived non-value within the organization (Do et al., 2016), or issues in establishing how various risks are related (Do et al., 2016). However, the literature contains many examples of organizations applying various approaches to overcome these challenges (Do et al., 2016). Organizations like Daisy Company demonstrate that obstacles such as these can be overcome through leadership commitment and building a culture that embraces ERM processes (Do et al., 2016).

ERM research has continued to address emerging technologies, such as cloud computing paradigms (Mackita et al., 2019). Newer technologies, such as blockchain or artificial intelligence, may require organizations to perform specialized research to adapt their ERM processes to accommodate these concepts. Vincent and Barkhi (2021) address how blockchain technologies should be evaluated in the context of ERM in their article titled “Evaluating Blockchain Using COSO.” Lee (2020) addresses how artificial intelligence and ERM can be used in tandem to improve business performance in his article titled “Role of Artificial Intelligence and Enterprise Risk Management to Promote Corporate Entrepreneurship and Business Performance: Evidence from Korean Banking Sector.”

References

Al-Ahmad, W., & Mohammad, B. (2013). Addressing information security risks by adopting standards. International Journal of Information Security Science, 2(2), 28–43. http://www.ijiss.org/ijiss/index.php/ijiss/article/download/20/pdf_5

Anton, S. G. (2018). The Impact of Enterprise Risk Management on Firm Value: Empirical Evidence from Romanian Non-financial Firms. Engineering Economics, 29(2). https://doi.org/10.5755/j01.ee.29.2.16426

Anton, S. G., & Nucu, A. E. A. (2020). Enterprise Risk Management: A Literature Review and Agenda for Future Research. Journal of Risk and Financial Management, 13(11), 281. https://doi.org/10.3390/jrfm13110281

Beasley, M. S. (2016). What is Enterprise Risk Management? NC State Poole College of Management. Retrieved August 29, 2024, from https://erm.ncsu.edu/wp-content/uploads/sites/41/migrated-files/What_is_Enterprise_Risk_Management.pdf

Berry-Stölzle, T. R., & Xu, J. (2018). Enterprise Risk Management and the Cost of Capital. The Journal of Risk and Insurance, 85(1), 159–201. https://doi.org/10.1111/jori.12152

Blanco-Mesa, F., Rivera-Rubiano, J., Patiño-Hernandez, X., & Martinez-Montaña, M. (2019). The importance of enterprise risk management in large companies in Colombia. Technological and Economic Development of Economy, 25(4), 600-633. https://doi.org/10.3846/tede.2019.9380

Buyya, R., Srirama, S. N., Casale, G., Calheiros, R., Simmhan, Y., Varghese, B., Gelenbe, E., Javadi, B., Vaquero, L. M., Netto, M. A. S., Toosi, A. N., Rodriguez, M. A., Llorente, I. M., De Capitani Di Vimercati, S., Samarati, P., Milojicic, D., Varela, C., Bahsoon, R., De Assuncao, M. D., . . . Shen, H. (2018). A manifesto for future generation cloud computing. ACM Computing Surveys, 51(5), 1–38. https://doi.org/10.1145/3241737

Do, H., Railwaywalla, M., & Thayer, J. (2016). Integration of ERM with strategy: Case study analysis. NC State Poole College of Management. Retrieved September 5, 2024, from https://erm.ncsu.edu/az/erm/i/chan/library/Integration_of_ERM_and_Strategy_Case_Study.pdf

Hopkin, P. (2010). Fundamentals of Risk Management: Understanding, Evaluating, and Implementing Effective Risk Management. Kogan Page.

Hoyt, R. E., & Liebenberg, A. P. (2011). The Value of Enterprise Risk Management. Journal of Risk and Insurance, 78(4), 795–822. https://www.proquest.com/scholarly-journals/value-enterprise-risk-management/docview/912208029/se-2

IT Governance Institute. (2007). COBIT 4.1. Retrieved September 14, 2024, from https://ucilnica.fri.uni-lj.si/pluginfile.php/76917/mod_folder/content/0/Cobit%204.1.pdf?forcedownload=1

Lechner, P., & Gatzert, N. (2017). Determinants and value of enterprise risk management: empirical evidence from Germany. The European Journal of Finance, 24(10), 867–887. https://doi.org/10.1080/1351847X.2017.1347100

Lee, H. (2020). Role of artificial intelligence and enterprise risk management to promote corporate entrepreneurship and business performance: Evidence from Korean banking sector. Journal of Intelligent & Fuzzy Systems, 39(4), 5369–5386. https://doi.org/10.3233/JIFS-189022

Lopes, I. M., Guarda, T., & Oliveira, P. (2019). How ISO 27001 Can Help Achieve GDPR Compliance. 2019 14th Iberian Conference on Information Systems and Technologies (CISTI), 1–6. https://doi.org/10.23919/CISTI.2019.8760937

Mackita, M., Soo-Young, S., & Tae-Young, C. (2019). ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing. Future Internet, 11(9), 195. https://doi.org/10.3390/fi11090195

Pérez-Cornejo, C., & De Quevedo-Puente, E. (2022). How corporate social responsibility mediates the relationship between corporate reputation and enterprise risk management: evidence from Spain. Eurasian Economic Review, 13(2), 363–383. https://doi.org/10.1007/s40821-022-00223-2

Peters, M. (2023, April 12). What is OCTAVE and OCTAVE Allegro? https://michaelpeters.org/what-is-octave-and-octave-allegro/

Pierce, E. M., & Goldstein, J. (2018). ERM and strategic planning: a change in paradigm. International Journal of Disclosure and Governance, 15(1), 51–59. https://doi.org/10.1057/s41310-018-0033-3

Vincent, N. E., & Barkhi, R. (2021). Evaluating Blockchain Using COSO. Current Issues in Auditing, 15(1), A57–A71. https://doi.org/10.2308/CIIA-2019-509

© Trevor French