DEFINITION of 'Enterprise Risk Management'

Enterprise risk management (ERM) is a plan-based business strategy that aims to identify, assess and prepare for any dangers, hazards and other potentials for disaster – both physical and figurative – that may interfere with an organization's operations and objectives. The discipline not only calls for corporations to identify all the risks they face and to decide which risks to manage actively, it also involves making that plan of action available to all stakeholders, shareholders and potential investors, as part of their annual reports.

'Enterprise Risk Management'

Industries as varied as aviation, construction, public health, international development, energy, finance and insurance all utilize ERM.

Risks Companies Face

Of course, companies have been managing risk for years. Historically, they've done this by buying insurance: property insurance for literal, detrimental losses due to fires, thefts and natural disasters; liability insurance and malpractice insurance to deal with lawsuits and claims of damage, loss or injury; etc. But another key element in ERM is business risk, that is, obstacles associated with technology (particularly technological failures), company supply chains, and expansion – and the costs and financing of same. More recently, companies have managed such risks through the capital markets with derivative instruments that help them manage the ups and downs of moment-to-moment movements in currencies, interest rates, commodity prices and equities. From a mathematical point of view, all of these risks or "exposures" have been reasonably easy to measure, with resulting profits and losses going straight to the bottom line.

Modern businesses, however, face a much more diverse collection of obstacles and potential dangers. How companies manage the risks that defy easy measurements or a framework for management also falls under the ERM umbrella. These potentials for exposure include crucial risks such as reputation, day-to-day operational procedures, legal and human resources management, financial and other controls related to the Sarbanes-Oxley Act of 2002 (SOX), and overall governance.

What Are Risk Management Plans?

Project managers and other professionals who work with ERM focus on assessing the risks relevant to their companies or industries, prioritizing those risks, and making informed decisions on how to handle them. The risk management plans they create estimate the impact of various disasters and outline possible responses if one of these disasters materializes. For example, the Environmental Protection Agency (EPA) requires facilities that deal with extremely hazardous substances to develop risk management plans to address what they are doing to mitigate danger and what they will do if an accident occurs.

In addition to just-in-case plans and products, such as a list of alternate suppliers or an insurance policy, companies that successfully manage their risks also adopt routine practices to manage the potential hazards they have identified. In many cases, new positions are created, such as enterprise risk managers, or new departments are developed to integrate risk management into everyday operations, including equipment maintenance and quality control or assurance teams.

In putting together ERM initiatives, companies should focus not only on the downside of risk but the upside as well. The traditional approach was to concentrate on negatives – the losses from currency or interest rate trades in financial markets, for instance, or financial losses that might be caused by a disruption in a supply chain or a cyber attack that impairs a company's information technology.

In thinking about the upside, companies now are supposed to consider competitive opportunities and strategic advantages that might arise out of deft management of risk. Some of these "better decisions" involve items like where to locate a plant or office abroad based on a risk analysis that would examine the political environment in a country.

On the Upside

The "upside" also includes focusing on preventive measures that help a company avoid potential disasters down the road. For example, some of these actions may include determining when and how physical assets need to be maintained and replaced. This way, the company can avoid unexpected and costly plant and equipment failure that might result in shutdowns, explosions or other events that put a company's employees, communities and public profile at risk.

Understanding that their most important and valuable asset is their image, some companies work proactively  when dealing with man-made or natural disasters. One of the most model reputation risk management stories in corporate history involves Johnson & Johnson. The pharmaceutical giant found its reputation and its stock price severely bruised in 1982 over revelations that someone had tampered with and poisoned bottles of its pain reliever Tylenol, resulting in several deaths. The company reacted quickly, removing and replacing its products at retail outlets, cooperating fully with law enforcement authorities, and keeping the media (and, hence, the public) informed throughout. Its decisive actions and honest open communication during the crisis helped in the recovery of share value within a few months.

From 2006 to 2008, the recent push for companies is to prove they are "going green", hoping that aggressive environmental risk management will position their products, plants, supply chain and other operations positively with current and future customers. (Read more in For Companies, Green Is The New Black and The Green Marketing Machine.)

Using Enterprise Risk Management to Invest

Studying how corporations manage the incredibly diverse number of risks they face can play an extremely important role in investment decision-making. Knowledge of individual corporate "risk profiles" can lead investors to identify up-and-coming companies, investing with the confidence that they could meet corporate objectives and investor expectations (not only in good times, but also in bad); it can also help to better understand which companies to allow into your community through a new plant or office, believing that they would do everything possible to avoid environmental damage and to treat employees well.

Until now, particularly in the U.S., the vast majority of corporations have made very little information about their overall risk profiles available to stakeholders. Companies in many other industrialized countries, like Canada, the U.K., and Australia, are much more forthcoming about risk and ERM activities. However, the situation's poised to change as the rating agencies start to factor in a company's ability to manage ERM. Stakeholders will start to see a plethora of new risk-related data and information available to them. This story of risk management is likely to expand greatly over the next decade.

How to Find ERM-Friendly Companies

It is a difficult task for investors to discover which companies are working to manage risk from an enterprise-wide perspective – and an even more difficult job discovering who is doing so effectively. Many corporate board members don't understand ERM, believing it to be simply another potentially costly, hard-to-measure regulatory fiat from Washington. Many others believe that effective ERM can be achieved simply by expanding their SOX-related reporting and controls efforts, which is not the case.

Because it's a new management discipline, what constitutes "best practices" in ERM has yet to be defined. Currently it's being delineated industry by industry, but few if any companies promote themselves as being "best of the best" in ERM or risk management.

So, how do you know who's working hard at effective ERM? One way is to check the executive roster for a Chief Risk Officer (CRO). While CROs are most often found in the energy, banking and insurance industries, more aggressive manufacturing companies are moving in that direction as well. Another clue is found in a tiny nut of companies that have managers specifically in charge of coordinating their ERM efforts. These managers will have the words "enterprise risk" in their titles.

Intensive additional sleuthing from investors may offer worthwhile dividends. Simply searching "enterprise risk management" online will give investors access to numerous recent conference agendas on the topic. Investors should then take note of which companies have executives lecturing on ERM. Also check out the websites of the few associations dedicated to promoting ERM, such as the Risk & Insurance Management Society in New York or the Committee of Chief Risk Officers. The Conference Board in New York also has a dedicated practice examining corporations and their ERM endeavors, and the National Association of Corporate Directors has done a somewhat dated but invaluable Blue Ribbon report on how corporate board members think about risk – and how that needs to change.

Risk Management Doesn't Mean Risk Free

As a word of caution, just because a company has a CRO – or brags about what it's doing in ERM – doesn't mean you should take it at its word; you'll need to look deeper and ask investor relations executives detailed questions. For years, the banking industry has boasted of having the best risk management and ERM programs of any industry. None of that, however, prevented the 2007 credit crunch and mortgage meltdown.

RELATED TERMS
  1. Exchange Rate Mechanism (ERM)

    An exchange rate mechanism (ERM) is based on the concept of fixed ...
  2. Accepting Risk

    Accepting risk occurs when a business acknowledges that the potential ...
  3. Market Risk

    Market risk is the possibility of an investor experiencing losses ...
  4. Business Risk

    Business risk is the possibility a company will have lower than ...
  5. Company Risk

    Company risk is the financial uncertainty faced by an investor ...
  6. Value Of Risk (VOR)

    Value Of Risk (VOR) is the financial benefit that a risk-taking ...
Related Articles
  1. Small Business

    Identifying and managing business risks

    Running a business comes with a lot of associated risks, but there are an equal number of ways to prepare for and manage them to lessen their impact.
  2. Tech

    An Inside Look At Internal Auditors

    Find out why these number crunchers are part of every chief officer's dream team.
  3. Investing

    The Risks Associated with Common Investments

    Investing inherently involves some risk. Here are some of the different types of investment risks.
  4. Investing

    10 Risks That Every Stock Faces

    As an investor, the best thing you can do is to know the risks before you buy in. Find out about 10 common stock risks you should look out for.
  5. Insights

    How to Invest In Developing Markets

    Developing markets can be attractive additions to many investor's portfolios, but carry additional risks that must be considered.
  6. Investing

    Methods of Handling Risk: A Quick Guide

    Discover the five methods to manage pure risk, and learn how they can be implemented to mitigate risk with health and life insurance.
  7. Trading

    How Forex Speculators Profited From Famous Currency Meltdowns

    Studying currency meltdowns shows traders how they can avoid big losses (or make big money) when global politics tilt the forex market.
  8. Investing

    Take a Long-Term View When Evaluating Risk and Investments

    Staying well within your risk portfolio will allow you to avoid short-term reactions to the market.
  9. Financial Advisor

    Risk Tolerance Only Tells Half The Story

    Just because you're willing to accept a risk, doesn't mean you always should.
  10. Investing

    The Key to Understanding Financial Risk Management

    The danger that you outlive your savings is a real financial risk.
RELATED FAQS
  1. How did George Soros break the Bank of England?

    George Soros pocketed $1 billion by betting against the British pound, cementing his reputation as the premier currency speculator ... Read Answer >>
  2. What are some examples of risk management techniques?

    Understand what risk management is in business and why it is a necessary component of ongoing business planning, and review ... Read Answer >>
  3. Financial Risk vs Business Risk

    Understand the key differences between a company's financial risk and its business risk – along with some of the factors ... Read Answer >>
  4. What are the primary sources of market risk?

    Learn about market risk and the four primary sources of market risk including equity, interest rate, foreign exchange and ... Read Answer >>
  5. Why are mutual funds subject to market risk?

    Find out why mutual funds, like all investments, are subject to market risk, including how the different types of market ... Read Answer >>
Hot Definitions
  1. Risk Tolerance

    Risk tolerance is the degree of variability in investment returns that an individual is willing to withstand.
  2. Initial Coin Offering (ICO)

    An Initial Coin Offering (ICO) is an unregulated means by which funds are raised for a new cryptocurrency venture.
  3. Federal Funds Rate

    The federal funds rate is the interest rate at which a depository institution lends funds maintained at the Federal Reserve ...
  4. Ethereum

    Ethereum is a decentralized software platform that enables SmartContracts and Distributed Applications (ĐApps) to be built ...
  5. Perfect Competition

    Pure or perfect competition is a theoretical market structure in which a number of criteria such as perfect information and ...
  6. Restricted Stock Unit - RSU

    A restricted stock unit is a compensation issued by an employer to an employee in the form of company stock.
Trading Center