Enterprise Risk Management 101: Programs, Frameworks, and Advice From Experts

Enterprise risk management (ERM) is a constantly evolving field, but remains focused on identifying and minimizing risks that companies face. These risks might be specific to an industry (for example, HIPAA compliance in the healthcare field) or those faced by virtually every organization in the 21st century, such as cyber threats.
 
An enterprise risk management framework is a tool that can help a company identify, list, and rank potential risks to specific parts of the organization. See below for more information and an example.

Why do enterprises need risk management? To succeed financially and otherwise, an enterprise needs to be aware of potential risks that could affect security, reputation, profits, operations, and more. An enterprise that ignores risks and the ways to mitigate them could potentially face catastrophic consequences.

Companies have faced risks since commerce began. Theft, natural disasters, and numerous other external factors posed threats to early businesses and continue to present risks today. By the 20th century, however, risks to enterprise organizations became more sophisticated and the results potentially more dire. 
 
According to Gerry Dickinson in his series in the Financial Times and in his book Enterprise Risk Management: The Way Ahead for DRDC Within the DND Enterprise, enterprise risk management as we know it began after WWII, when professionals identified certain risks, like natural disasters, that insurance companies would address and cover. 
 
In 1963, Robert I. Mehr and Bob Hedges wrote Risk Management in the Business Enterprise. This book articulated the idea that businesses should not only insure the risks they face, but also identify and manage them across the enterprise, with visibility from the C-suite down.
 
Dickinson writes that the 1970s saw a rise of financial risks (a result of the growing popularity of derivatives and hedge funds), and major companies realized that they should manage both insurance risks and financial risks. Moreover, as industries evolved — and entirely new industries were created — business leaders began to encounter compliance and regulatory issues, which posed general and industry-specific risks. All of these risks could affect a company’s reputation, performance, and profitability. Thus was born the modern concept of enterprise risk management.

Today’s business environment is complex and ever-changing. Many companies operate around the world, where different laws and regulations may apply. As more companies conduct their business over the internet, cybersecurity has become a threat to virtually every organization. Here are some types of risks that individual industries may face:

• Financial: Nearly every type of risk can affect a company’s bottom line. Failure to respond to a natural disaster, theft from within, and reputational issues affect not just those specific operations, but potentially the financial health of the overall company. 
• Interest Rate: The fluctuation in interest rates can impact all manner of industries, including banking and lending, the stock market, real estate, and others.
• Legal Issues: Companies may face legal penalties if they fail to comply with the letter or spirit of the law, whether they be local, national, or even international regulations. They could also face civil suits as a result of perceived negligence, discrimination, etc.
• Hacking and Cyberattacks: Any company that does any of its business online can face enormous risks to the security of its data, its financial accounts, and more. See more details below.
• Theft: One of the biggest risks companies deal with is theft from suppliers, vendors, and employees. This can range from taking home burgers at the end of a fast-food shift to embezzling millions of dollars.
• Uncertain Financial Markets: Global and national financial market instability is a risk to any enterprise. A company’s stock may suddenly plunge due to no fault of the company itself.
• Natural Disasters: Disasters like earthquakes and hurricanes can devastate regions to the point where they affect supplier delivery and order fulfillment, sometimes for long periods.
• Government and Regulatory: Compliance in several industries, especially finance and health care, is a business-critical factor for risk. Compliance and regulations are constantly evolving, so it’s incumbent upon businesses to be aware of and in alignment with all relevant regulations.
• Accidents: An accident, with a shipment of goods, for example, could put a company at risk. So could an accident involving an employee, if the legal system determines that the company is responsible.
• Global and Political Instability: The uncertainty of the geopolitical arena influences international trade and the companies that engage with it.

An enterprise risk management system typically has five goals, all of which are important for a solution to be successful. Any program that doesn’t include all of these may not be thorough and effective. The five goals include: 

• Identifying, monitoring, and mitigating risks
• Being as proactive as possible in risk prevention
• Providing clear steps for remedying potential adversity
• Creating transparency and accountability to increase the faith and confidence of shareholders
• Conforming to industry-specific compliance and regulatory rules

Ray Monteith is the Senior Vice President and Risk Control Services Leader in the British Columbia offices of HUB International, a risk-management consultancy. He would add a sixth goal to this list: constantly reevaluating the first goal.

“It is so important for businesses to keep working to identify new, potential risks. New risks can emerge in any industry, so it’s critical to be constantly evaluating the landscape.” — Ray Monteith, Senior Vice President and Risk Control Services Leader, HUB International, British Columbia, Canada

Some industries face more risks than others, especially the financial sector. Investment banking, money management, the mortgage industry, and other types of financial services face several potentially harmful risks. These include the following:

• Investment Risks: No investment is completely risk-free, and financial institutions, mutual funds, etc., can face severe losses if investments don’t pay off.
• Security: Financial institutions must protect not only their own money and profits, but their investors’ and customers’ as well. Customers need to know their deposits and transactions are secure and protected.
• Breaks in Business Continuity: When enterprises merge, close, or have breaks in operations, financial sector businesses may suffer, either directly or indirectly.

Moreover, because of the risks faced by this sector, the Basel II Accord of 2004 international regulation requires financial services companies to use risk management software. This regulation also requires that banks have enough cash reserves to cover the cost of any problems that occur, including fraud and IT-related events.
 
In addition, the primary integrated financial trading systems, such as Misys, Calypso, and Murex, have built in risk management and compliance. Misys is a London-based financial conglomerate. San Francisco-based Calypso provides solutions to trading companies the world over. Murex, based in Paris, offers software IT products and solutions to the financial sector. Because of the nature of these companies’ customers, they all must conform to regulatory stipulations, as must the companies that do business with them.

In the past several years, enterprise risks involving IT and the internet have increased exponentially. There are essentially two types of IT risk issues. The first concerns the tech and IT industries, where perpetrators can infiltrate a company’s proprietary software or email servers. The second involves virtually all companies, since nearly every enterprise has a significant internet presence and uses email to conduct transactions and communicate.
 
Every organization is vulnerable to cyber risks, particularly as hackers and malware grow ever more sophisticated. Compromised companies can suffer harm to their products, their reputation, their customer service, their growth, their employees, and other areas. Companies that experience hacking or data breaches need to act as quickly and transparently as possible, contacting customers to announce how they plan to remedy the situation. 
 
Also, the highest-level executives need visibility into all cyber threats to their organization. An IT department cannot combat these sophisticated attackers on its own. The powerful, pervasive nature of cyber threats underscores the need for an enterprise-wide enterprise risk management system.
 
Every company, regardless of industry, should cultivate and maintain strong relationships between IT risks, assets, processes, and controls by defining them according to description, category, hierarchy, ownership, and visibility. Companies should empower IT departments to assess, quantify, monitor, and manage IT risks. There should be issue management and remediation policies, including investigation protocols and root cause analyses. Lastly, there should be risk monitoring and metrics available to IT and other business leaders, so they can quickly identify risks and take action if needed.

The leading risk factor faced by the retail world, especially fast-food restaurants, is theft by employees, says Mike Compton, President of DIGIOP, a loss- prevention company based in Indianapolis. 

“U.S. companies lose $40 billion a year in employee theft, according to the U.S. Chamber of Commerce, and retailers are among the hardest hit. Our goal is to help make that a thing of the past.”— Mike Compton, CEO, DIGIOP

 

“Loss can come from employees taking cash and then voiding a sale or helping themselves to merchandise and food, etc. Because there can be a high turnover in these businesses, employers and companies often can’t catch up or are just resigned to this loss as a ‘cost of doing business,’” Compton points out.
 
“We try to help our clients be more strategic and stop that loss where it happens,” he continues. That includes his company’s solution, which integrates video monitoring with accounting and combines them in a dashboard.

As mentioned, virtually every industry faces its own types of risks. Savvy CEOs and other business leaders have their eyes open about potential risks and oversee the implementation of the right risk management solution for their industry. Here are some of the risks faced by industries other than retail:

• Insurance: Insurance companies face a constantly evolving landscape of risk, measuring ever-shifting changes in population, geography, etc. 
• Healthcare and Health Insurance: Healthcare providers are bound by strict protocols, including HIPAA, and can face risk regarding how a doctor diagnoses or treats a patient. Now, health insurance companies must comply with the U.S. Affordable Care Act, in addition to following insurance industry regulations.
• Manufacturing: Manufacturing companies face risks in their supply chains, in the actions or inactions of their vendors, in their plants (safety issues), and in other areas.
• Transportation: Numerous factors affect transportation companies, including the price of gasoline, supply and demand, and potential supply chain and manufacturing risks. 
• Entertainment: Even the entertainment industry isn’t free of risk, as people steal artists’ work or sample it without permission.Moreover, companies may assess artists’ royalties incorrectly, etc.
• Nonprofits: NGOs, educational facilities, and nonprofit organizations also face risks in  their interactions with the communities around them, in adherence to regulations, and in auditing.

Industries face unique risks regarding compliance and governance issues. As the government imposes more regulations to help consumers, companies must quickly adapt to the increasing number and types of compliance regulations. These can include the following:

• Government Regulations: The city, state, and federal governments can all have their own regulations with which companies must comply. For example, manufacturing and transportation companies typically must limit their carbon emissions according to local, state, and federal laws. Noncompliance exposes these companies to major risks concerning their operations and reputations.
• International Regulations: Industries that do business globally face additional types of risks and challenges. Some transactions are governed by international agreements, while others are subject to requirements and regulations in the individual countries where a company does business. These restrictions may include language and cultural issues, and noncompliance can pose a huge risk for a company.
• HIPAA: The Health Insurance Portability and Accountability Act of 1996 applies to the security of all health information related to individuals. Breaches of protected health information pose an enormous risk to healthcare companies, as well as individual providers. Compliance protocols must be followed to the letter. If they are not, the government can penalize the entire institution.
• Financial Regulations: After the recession of 2007-09, Congress enacted many laws intended to prevent a similar financial crisis. These include regulations governing sub-prime mortgages and other risky practices.

Other industries belong to their own relevant trade associations, which include voluntary compliance to any related regulations. One example is the Motion Picture Association of America, which rates Hollywood films distributed to wide audiences.

A comprehensive ERM policy statement supplies a high-level overview of an organization’s ERM program and guides its members to effective risk management. The board of directors usually approves it, and the statement contains the chief tenets of the organization’s ERM program.
 
“The transparency and buy-in from the entire company is essential,” emphasizes Monteith. “It’s so important to have a risk strategy, not just a policy,” he says. “This will help the organization understand where all the risks reside and how to assign ownership of monitoring and addressing those risks.”
 
Monteith’s company helps clients transfer the risks they can out of the organization and into insurance policies. For those risks that remain, “We help the client evaluate how to manage them and align them with the company’s overall mission and vision. It’s also important that at the most senior level, the risk appetite of the company is understood,” Monteith notes.
 
An ERM policy is broad and detailed, covering the known key risk indicators (KRIs). These could include the failure to meet sales projections, workforce availability, the strength or weakness of the dollar, etc. “The key to an ERM policy that works in the current environment,” Monteith explains, “is that it must be a continuing conversation. The company should be in a continual state of implementing, monitoring, addressing, and re-adjusting.” A KRI roadmap can be a strong guide in this process.

“Having a strategic risk management policy also helps companies think ahead and be agile,” Monteith addes. “We hear people say, ‘But something like that has never happened before. Why should we prepare for it?’ And we say, ‘because there is always the risk of events that can be transformational.’” Companies whose risk management policies foster this kind of agility and questioning may be best armed for the unexpected risks they could face.
 
An ERM framework is different from a policy. The policy comes first, and the framework is built to support it. The policy states the overarching goals of risk reduction in an organization. The framework can be as granular as needed so that those throughout the company can have all the guidance they require to reduce risk.
 
“Companies should also be increasingly evaluating their own risk culture,” recommends Alasdair Wood, Director, Human Capital and Benefits, Willis Towers Watson, in London. “In short, this involves a company’s defining what are acceptable, even necessary, risks its employees can take and what are unacceptable. It comes down to empowering employees to take the right risks in an informed manner. No more, no less,” concludes Wood.

An ERM framework is a useful tool in helping teams visualize the risks and ownership, as well as the responsibility for monitoring and addressing those risks. To learn more about different frameworks, including how to create a custom ERM framework, see "Guide to Enterprise Risk Management Frameworks" (this article link).

An enterprise risk management maturity model consists of two axis of desired business outcomes measured against investments and a timeline. Ideally, a strategic organization working on enterprise risk management will see its progress go up and to the right over time. As a company matures, so should its strategic implementation of risk management.

Source: IDC Financial Insights
 
The nonprofit Risk Management Society, known as RIMS, is another useful resource. The organization offers a free tool online to create your own risk maturity model. You can adapt it to any enterprise in any industry. To learn more about the RIMS risk maturity model, see "Guide to Enterprise Risk Management Frameworks".

Experts who work with enterprises see a rapidly changing terrain of newer potential risks. “The companies that are agile and continually revisiting their risk policy and plan are the ones most likely to respond quickly and well if something happens,” Monteith says. 
 
The current risks, though, are likely to remain risks for the foreseeable future. They include employee theft and human error.
 
“Being able to monitor an employee’s actions at the cash register, or throughout the store, is a huge opportunity for retailers and others doing transactions and selling goods and services,” says Compton. Making even a small dent in that $40 million loss related to employee theft could save companies significant amounts of money.
 
Monteith believes that where there are catastrophic failures in business, it’s clear that human error was a factor. “Lehman Brothers, the failure of which led to the financial crisis, clearly misidentified and recklessly managed enterprise risks,” he stresses. 
 
Another tragic example of mismanaged risk is the 2013 derailment of a train carrying fuel oil through the Québec town of Lac-Mégantic. “The train was unstaffed. There were no brakes, and on and on, resulting in a catastrophic loss of life,” Monteith says. Thirteen people were killed and many more injured. In the investigation that followed, authorities cited 18 different factors as reasons for the crash. According to CNN, those included a "weak safety culture" in the railroad that carried the oil, a law requiring, but rarely enforcing, safety plans from the industry, and a train composed almost entirely of substandard tanker cars.
 
“There was a clear disconnect between the organization’s goals and risk management on an operational level,” Monteith remarks.
 
Some companies have done a good job in mitigating risk when dealing with threats. Tylenol faced a crisis in 1982 when an unknown person laced several Chicago-area bottles of the drug with potassium cyanide, resulting in at least seven deaths. The company immediately pulled all its products from retail shelves, restocking them only after creating the now-ubiquitous seal under the lid. Home Depot and Target immediately reached out to customers and the media when they learned credit-card data had been hacked and stolen.

Most large enterprises use risk management software or systems to help identify, monitor, and communicate risks associated with a given set of assets. Typically, the solutions collect data from throughout the business to indicate where risks may lie and then display results on a dashboard. These systems also notify businesses (or, specifically, the owner of the particular risk issue) of these occurrences, including security breaches.
 
In this era of doing business at internet speed, the benefits of using risk management software are substantial. Some benefits to organizations include:

• Increased Shareholder Value: Mitigating risk efficiently results in a better brand and reputation, boosting stock prices.
• Optimized Risk/Return Outcomes: The more quickly you identify and address risk, the better the outcomes for the whole company.
• Greater Transparency: Managers and others gain the ability to tackle projects with the best risk/reward outcomes.
• Prioritization: The company can monitor and manage higher-risk initiatives more closely as needed.
• Reduced Compliance Costs: An in-house solution that integrates compliance and regulatory processes results in lower costs.
• Strengthened Operations: As a company identifies, addresses, and prevents risks according to the risk maturity model, operations become progressively more efficient and streamlined.

There are plenty of educational resources, organizations, and events that enterprises can turn to for help and advice. They include:

• RIMS and the RIMS Annual Conference
• The Conference Board of Canada: ERM
• RMA’s Annual Risk Management Conference
• The Smartsheet risk management certification guide
• The North Carolina State University Enterprise Risk Management Studies program
• The University of California Office of the President Risk Summit
• The National Association of College and University Business Officers’ 2013 report on enterprise risk management
• The Protiviti FAQ Guide to Enterprise Risk Management

You can also read our How to Choose the Right risk Management Certification for You article to learn about the types of certificates available and the opportunities having one can garner.

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.

Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk.