
ENTERPRISE RISK MANAGEMENT (ERM)

By: Joy Ann R. Gonzales


• ERM is a process that engages everyone in the practices of identifying, managing, monitoring, and communicating risk across the organization.
• Its aim is to function in a proactive and efficient manner and to act as a key enabler of the organization’s strategic objectives.
• The main objective of ERM is to help management and the board understand and manage those events most likely to impact the organization’s strategic objectives.
• It also seeks to orchestrate the harmonization, synchronization, and rationalization of the areas that manage risk, moving beyond organizational barriers to open, transparent communication across disciplines.
Definition of Key terms
RISK CULTURE
• This is “the values, beliefs, knowledge, attitudes, and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization” (Institute of Risk Management).
RISK APPETITE
• Relates to the amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives.
• In simple terms, risk appetite is the level of risk that an organization is prepared to accept to attain its objectives before an action is deemed necessary to reduce the risk.
APPROACHES TO SETTING RISK APPETITE
• Averse: Avoidance of risk and uncertainty is a key organization objective.
• Minimal: Preference for ultra-safe options that are low risk and only have a potential for
limited reward.
• Cautious: Preference for safe options that have a low degree of risk and may only have
limited potential for reward.
• Open: Willing to consider all potential options and choose the one most likely to result in
successful delivery, while also providing an acceptable level of reward and value for
money.
• Hungry: Eager to be innovative and to choose options offering potentially higher business
rewards, despite greater inherent risk.
The appropriate approach may vary across an organization, with different parts of the business
adopting an appetite that reflects their specific role, with an overarching risk appetite framework
to ensure consistency.
ERM PROVIDES A PROCESS THAT ALLOWS THE ORGANIZATION TO:
o Present governance and management with a comprehensive picture of interdependent risk across the entire enterprise.
o Break down the silos that tend to exist in assessing risk.
o Create cross-functional teams that evaluate risk using a common framework.
o Communicate information about risks in a consistent manner.

TRADITIONAL HEALTH CARE RM VS. ERM


TRADITIONAL RISK MANAGEMENT
• Reactive, incident-based, clinically focused program.
• May use different processes, controls, metrics, language, and frameworks for discussing risks and risk mitigation strategies.
• Considers the impact of risks to specific departments or issues in isolation.
• Focuses on adverse events most likely to impact operations and finances.
• Examines risks individually, with limited communication between disciplines to consider the impact of their actions on other parts of the organization.
• Defines risks in terms of the probability that adverse events will occur and result in financial losses.
• Tends to be a bottom-up approach.
ENTERPRISE RISK MANAGEMENT
• Proactive, holistic, multi-disciplinary approach focused on anticipating and managing both internal and external risks.
• Provides a common framework, processes, metrics, and language for discussing risks and risk mitigation strategies.
• Considers the impact of risks across the organization.
• Focuses on events most likely to impact strategic objectives.
• Emphasizes the synergistic relationships among and between risks that span the organization.
• Recognizes that risk does not solely mean something negative has occurred or could occur; something good not happening as a result of not acting is also a risk.
• Combines top-down and bottom-up approaches.
Enterprise risk management benefits
• Helps identify and understand key risks impacting the achievement of strategies and objectives.
• Invites broad participation and the perspectives of senior leaders and governance.
• Helps avoid a “functional silo” approach that often fails to consider the interconnected nature of risks across large, complex organizations.
• Provides a common framework for discussing risks and risk management or “treatment” strategies.
• Assists in establishing accountabilities for risk management activities.
• Integrates risk planning with strategic and tactical planning.
• Over time, more effective and cost-efficient management of risks increases enterprise value.
Therefore, it can be concluded that a robust ERM system is extremely important in every business. It enables better management of market, cost-management, and operational risks by improving risk visibility.

IMPORTANCE OF Enterprise risk management APPROACH


The United States Federal Sentencing Guidelines are clear that standards and procedures should provide sufficient and effective controls that take into account the highest-risk areas, given an organization’s business.
Also, the Office of Inspector General (OIG) is clear that a comprehensive risk assessment cannot be pursued by the Compliance Department alone, and that involvement from key business leaders (including legal) is critical to the effectiveness of the risk assessment process.
ERM is important because of the following:
• All major rating agencies include ERM in their evaluation of credit ratings.
• It is a critical component of financial and insurance industry evaluations.
• Healthcare auditing entities, such as those that have oversight for HIPAA, may inquire into the process when auditing areas that require a risk-based approach (e.g., information security).
Components of a Successful ERM Approach
By: Bea Mallari
• Step One: Know the Business Climate
  o Understand which business factors have the ability to impact operations or cause potential compliance concerns.
  o Benchmark both inside and outside the organization, and possibly even outside the industry.

• Step Two: Understand and Prioritize Risks and Opportunities
  o Ensure colleagues understand how to identify and report risks and opportunities.
  o Two key activities:
     Deploy a comprehensive Education and Awareness program.
     Perform an Enterprise Risk Assessment, with focused reviews of an organization’s most significant risks, on an ongoing basis.

• Step Three: Manage the Identified Risks and Opportunities
  o Create a centralized process, or a collaborative process, to analyze and manage risk and opportunity information.
  o Some common risk management (“treatment”) techniques:
     Avoidance (eliminate, withdraw from, or do not become involved)
     Reduction (optimize, mitigate)
     Sharing (transfer: outsource or insure)
     Retention (accept and budget)

• Step Four: Reporting and Metrics
  o Reports and metrics can be used by operations, budgeting, strategy, audit, compliance, and many other departments for strategy and decision-making, where the consideration of risk can influence the outcome.

• Step Five: Risk “Alert” Culture and Risk Control
  o A risk alert culture is the intrinsic understanding and assessment of risk embedded in day-to-day operations. It fosters the integration of enterprise risk principles throughout every layer of the organization.
  o Risk controls are measures to limit vulnerabilities and manage risks to an acceptable level.
  o A risk alert culture and risk control are created by:
     Adhering to policies and procedures, laws, and regulations
     Educating colleagues and holding them accountable for evaluating risk holistically in strategic initiatives
     Creating and utilizing a common language
     Effectively using preemptive risk concepts within business units

• ERM Is Everyone’s Responsibility
  o ERM engages everyone at the organization in the management of those risks for which they are responsible.
  o Risk ownership does not reside in a single department.
  o The compliance department can easily facilitate an ERM approach to managing risks across the organization.

Examples of Enterprise
• Authority
  o Managing risk at the level of an organization requires significant authority. This typically falls under an executive role such as a Chief Risk Officer reporting directly to the CEO.
• Risk Identification
  o Risk identification is the process of identifying risks to an organization and its objectives.
• Risk Analysis
  o Risk analysis is the practice of assessing risk probability and impact, and of identifying risk treatments and responses.
• Risk Inventory
  o A tool for tracking identified risks throughout their lifecycle.
• Risk Treatment
  o Each identified risk is treated with some combination of acceptance, avoidance, transfer, reduction, and sharing.
• Risk Response
  o A risk response is a plan for dealing with a risk that has been realized and become a loss or issue. This can be contrasted with risk treatment, which is about avoiding losses before they occur.
Note that several enterprise risk management frameworks confusingly use the term “risk response” in place of risk treatment. Whatever the terminology, there are two fundamental types of plan for dealing with risk: preventive and corrective.
