The management of an organization's risks on a true enterprise basis should be the aim of contemporary risk management. Enterprise Risk Management ("ERM") succinctly captures this approach, yet it goes by many names, including GRC, IRM, and ORM. Regardless of the label, we need to be clear about what true ERM is, and what it is not.
"Law Number IX: Acronyms and abbreviations should be used to the maximum extent possible to make trivial ideas profound ... Q.E.D."
- Norman Ralph Augustine
This quote, by the ex-CEO and Chairman of the Lockheed Martin Corporation, is potentially worrying for us risk professionals! Why? The risk management world is awash with acronyms: ERM, GRC, IRM, ORM to name a few.
Does this mean Risk Management is trivial? I hope not!
Risk has been around since the beginning of time. It shapes every aspect of our history, our planet, and our lives. Risk Management has been around for the same amount of time driven by our human survival instincts.
It is hard to see how Risk Management can be trivial.
So why all the acronyms? Maybe it is an attempt to be different: to invent something new that can drive the consultant sale, and to differentiate ourselves from the pack by saying we invented something.
It was good old "Risk Management" back in the '80s when I began my career in this wonderful discipline. Then "Enterprise Wide Risk Management" (EWRM) appeared, which soon became Enterprise Risk Management (ERM), as we seem to prefer three-letter acronyms. The Protecht Group was founded in 1999, when ERM (Enterprise Risk Management) was on top, and we have seen no need to change since. Our risk system is "Protecht.ERM". "ERM" captures exactly our mission: to enable organizations to manage all of their risks on an enterprise basis.
So what of the other acronyms?
- GRC – Governance Risk and Compliance
- IRM – Integrated Risk Management
- ORM – Operational Risk Management
- FRM – Financial Risk Management
- NFRM – Non-Financial Risk Management
They mean, or should mean, the same thing. ERM captures Governance, Compliance, Operational Risk, Financial Risk and Non-Financial Risk, and most importantly, ERM is based on integration: the ability to collate, analyze and view risk at an enterprise level. "Integrated" is a key feature of ERM, not an alternative to it.
22 years after co-founding The Protecht Group, ERM is still on top. It is still the holy grail we are pursuing: to manage all of an organization's risks in a true enterprise manner.
What does true ERM (Enterprise Risk Management) look like?
- Risk is managed consistently across the enterprise. This means managing all risks:
  - Using the same framework and methodologies
  - Using the same risk processes
  - Using the same definition and construct of risk, regardless of risk type
- Risks are managed in the same Enterprise Risk Management system, not in disparate, disconnected risk-specific systems. ERM should manage all of your risks (Third Party, Cyber, EHS, Fraud, and so on) under the one enterprise-wide risk management framework and system.
- All risk processes and related risk data, such as risk assessments, incident management, and controls assurance, are integrated to allow a complete picture of each risk at any time.
- Risks are aggregated and collated to provide an overall enterprise risk profile, rather than each risk type being reported separately.
An example is provided below. This provides an integrated view of risk and allows the business unit to quickly highlight where action is required to improve the ERM health score.
Value is created from risk information through:
1. Providing assurance
2. Highlighting issues and warnings
3. Providing risk information that is useful in assisting better decision-making
4. Providing risk information early, so that risk can be managed proactively rather than reactively
There is a wonderful quote in a recent paper issued in the US by the Association of Federal Enterprise Risk Management, prompted by Federal Agencies being required to implement Enterprise Risk Management (Circular A-123, 2016):
"Unlike traditional risk management approaches, which tend to focus on the identification and treatment of risks in discrete functions or domains, ERM is intended to enable a 'portfolio-view' of risks, looking across an organization ('the enterprise') and considering all categories of risk it may face in the delivery of its overall mission."
This captures the essence of true ERM, and the paper highlights the confusion associated with its intent.