
By Magnus Krog 4/8/2023

Enterprise Risk Management - A great tool for organizational performance

In 2004, COSO (the Committee of Sponsoring Organizations of the Treadway Commission)
transformed its approach from risk management to a more comprehensive
enterprise risk management (ERM) approach. From this point onwards, ERM became the overarching
framework for internal control. Prior to 2004, risk management was applied separately in each
department of an organization, rather than across the whole enterprise. The aim was to satisfy relevant
stakeholders, which can be analyzed from COSO I (1992). Organizations thought about risk
management in terms of being able to comply with external regulation. They didn’t perceive risk
management as something the organization could benefit from.

The Turnbull report argued that internal control systems should be embedded in the culture of
the organization. However, the purpose of this, together with the SOX report (2002), was to comply
with external requirements to satisfy stakeholders. The “new” ERM focus (COSO 2004) can be
explained by the ERM cube, which highlights points such as internal control, objective setting,
information and communication, risk assessment and response. The ERM cube should be applied to the
whole enterprise, rather than to a few relevant departments or organizational levels. From a
decision-making perspective, decisions now have to consider the organization’s risk landscape, and not only the
department’s current outlook. The structure of the ERM system is more holistic compared to a risk
management system. Risk management considers processes based on given projects in different
departments, while ERM considers all risky projects as part of the organizational process.

The emergence of ERM has given companies some advantages compared with the old
risk management approach. ERM became widely known for its holistic viewpoint, which meant focusing
on the interlinks between different departments. By doing so, organizations would be in better control of the
risks they were facing, and all the departments should have a more coherent risk appetite. ERM also
provides an additional set of guidelines, which can help identify risk and determine how to act on the problem
at hand, while staying within the business scope of the organization. Typically, an organization would want
all its departments to work towards a common goal or follow the overall business strategy. ERM
supports this viewpoint, as it aims at aligning the understanding of the organization’s risk appetite
across the different departments. Thus, the departments should be promoting the same risk culture. LEGO
used a risk management silo approach, which tempted the product developers to take on new and
comprehensive products without considering the company’s financials or cost system. This resulted in
LEGO losing control of its expenditures, and profits eventually started to decline. An ERM
system would have aligned the decision-making across the departments in LEGO to fit the risk appetite
and risk tolerance of the whole organization.

More general benefits of ERM implementations are increased organizational effectiveness and improved
business performance. This is a result of clear and relevant communication going to the important
decision makers in the given departments. Also, the communication of risk culture is the same
throughout the whole enterprise to align risk allocation and business strategy. Risks will be identified,
assessed and executed to align the risk exposure and business strategy, which will have a positive effect
on the business performance. Overall, ERM gives the enterprise a more comprehensive
view of risk exposure and of the construction of risk in the company. By making use of the ERM system,
LEGO developed a comprehensive risk exposure tool, which enabled more departmental managers to
track risks across the organization. The departmental managers started approaching risk from an
organizational standpoint, which led to more risk-intelligent decisions being made.

It can be hard for any organization to implement a new approach to risk, especially a
fundamental change such as the ERM framework. The ERM framework requires
support and buy-in from the entire enterprise. Management might think about implementing the ERM
system, but they might face some criticism from middle management. Departmental managers might
not be willing to give up their current risk culture or autonomy, which has become a part of the
subculture in their department. Buy-in from top management is just as important as buy-in from the rest of
the organization.

RBS CEO Sir Fred Goodwin managed his bank through strict rule and fear. Even though senior
managers wanted to establish a clearer and more comprehensive view of the risk exposure, this wasn’t
possible. Sir Fred Goodwin would overrule the senior members of the board to make them follow his own
risk agenda, even though this might not have been the ideal decision according to the firm’s risk
tolerance.

Often larger and older companies have a well-established company culture, and this can be especially
hard to change. The culture has been a part of the organization’s decision guidelines for years, and
suddenly management decides to implement a new system, ERM, which will drastically affect the
risk culture in place. Sometimes, organizations even find that branches or departments have developed
their own subcultures. Subcultures develop through geographical separation, functional specialty,
identity traits etc. and can be hard to change once they are in place. Wells Fargo experienced a
high-pressure sales culture, which caused some of the branches to commit fraudulent activities to reach
sales targets. These fraudulent schemes can be perceived as a toxic subculture, negatively impacting the
risk exposure in the organization. Another key challenge when trying to implement an ERM framework
is poor communication. If top management doesn’t clarify the new system through reports,
meetings, workshops etc., then employees will not be able to enforce the appropriate risk appetite.
Furthermore, it’s important to ensure regular monitoring of the risk decisions to see whether the decisions are
being carried out in line with the organization’s risk appetite. Overall, ERM has helped a lot of larger
organizations pivot towards better organizational performance, but are there limits to when
it can be applied? And does the transformation towards an ERM system always have a happy ending?
