Society grows more complicated every day, as does keeping your employees, equipment, and business safe. To cope with the proliferation of risks, we develop systems and technologies which, in turn, create their own risks. Successful long-term organizations learn to manage risk effectively and efficiently.

You have likely read or heard the term Enterprise Risk Management (ERM), but you may not be able to explain what it is or define it. ERM has become common at financial institutions, colleges, healthcare organizations, and federal agencies. Definitions of ERM differ by organization, but one of the most used comes from the Committee of Sponsoring Organizations (COSO):

“Enterprise Risk Management can be defined as the process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

This definition can be distilled into two main ideas:

  1. Every employee is a risk manager.
  2. Risk management is the science and art of making risk-informed decisions.

The international risk management standard ISO 31000 defines risk as “the effect of uncertainty on objectives.” Under this definition, risks include both threats and opportunities. Ignoring uncertainty has the same result as driving through a large metropolitan area at rush hour with no traffic lights or stop signs: at first nothing happens, but eventually tragedy occurs. No organization will exist long without some form of risk management.

ERM is a tool that may or may not be helpful, depending on how it is used. Enterprise-wide risk management is absolutely necessary to reach your organization’s objectives as effectively and efficiently as possible, but a formal ERM program is optional. If labeling your risk management strategy as ERM creates a perception of added bureaucracy, it will do more harm than good.

ISO 31000, the international risk management standard originally released in 2009 and updated in 2018, provides a fantastic model to help properly manage risk throughout most organizations. It is becoming the preferred model for organizations developing ERM programs. ISO 31000 has three primary parts:

  1. Purpose and Principles (Mission and Core Values)
  2. The Framework (Management Model)
  3. Risk Management Process (Decision Model)

ISO 31000 is less than 30 pages long and is specifically written for use in all types of organizations. It contains some concepts important to successful risk management, such as:

  • Significant risks need an assigned “risk owner”: a specific person with ability and authority to control the risk.
  • Risk management should facilitate “risk-informed decisions.”
  • All employees have risk management responsibilities.

For more information about this article, please contact your Moreton & Company consultant, or email [email protected]. This post is intended to inform recipients about industry developments and best practices. It does not constitute the rendering of legal advice or recommendations and is provided for your general information only. If you need legal advice upon which you can rely, you must seek an opinion from your attorney. © 2007, 2010, 2013-2026 Zywave, Inc. All rights reserved.