Enterprise Risk Management
Okay, on to enterprise risk management. At the risk of putting the cart before the horse, let's look at common misconceptions of ERM. The reality is that many people use the term to mean very different things.
Unfortunately, the term ERM has been used in connection with buying insurance to cover specified risks, dealing in financial instruments, and deciding what new corporate initiatives should be approved. Indeed, managers in every company navigate a wide range of business risks on a daily basis in seeking to achieve corporate objectives. But often this is done ad hoc with dramatically varying scopes, results, and consequences. All of this involves some aspect of risk management, but it isn't ERM.
In many companies, internal auditors assess risks to determine where to devote limited audit resources in the audit process and to provide relevant information to management. Sometimes management teams conduct broad-based risk assessments. In these exercises risks may be categorized and rated or ranked, sometimes using heat maps or other graphic depictions, providing important analyses to management and to the board. It's important to recognize, however, that by definition risk assessments are simply snapshots at a point in time and do not represent an ongoing process for identification and analysis of continuing and newly emerging risks and decision-making on how they need to be managed.
What, then, is ERM? One can look to any number of sources for a definition, ...