Panel: Ed Hida, Kathleen Murray, Jeff Sauntry, and Alex Sharpe
A board of directors of a company must manage risks in order for the company to remain viable. Managing risk is thus just a normal part of running any business. With this in mind, what is “enterprise risk management?”
According to the Poole College of Management, “[t]raditionally, organizations manage risks by placing responsibilities on business unit leaders to manage risks within their areas of responsibility. For example, the Chief Technology Officer (CTO) is responsible for managing risks related to the organization’s information technology (IT) operations, the Treasurer is responsible for managing risks related to financing and cash flow, the Chief Operating Officer is responsible for managing production and distribution, and the Chief Marketing Officer is responsible for sales and customer relationships, and so on. Each of these functional leaders is charged with managing risks related to their key areas of responsibility. This traditional approach to risk management is often referred to as silo or stove-pipe risk management whereby each silo leader is responsible for managing risks within their silo.”
There are a number of limitations to this approach, so “business leaders … have begun to embrace the concept of enterprise risk management as a way to strengthen their organization’s risk oversight. They have realized that waiting until the risk event occurs is too late for effectively addressing significant risks and they have proactively embraced ERM as a business process to enhance how they manage risks to the enterprise … The objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives. The “e” in ERM signals that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the strategic objectives of the business. In other words, ERM attempts to create a basket of all types of risks that might have an impact – both positively and negatively – on the viability of the business.”
Based on regulatory requirements and industry and firm needs, some organizations have developed substantial ERM functions including sizeable risk management departments, Chief Risk Officers responsible for ERM, and Board Risk Committees charged with board oversight of the CRO and risk management. These developments are perhaps most common in financial services firms, especially banking organizations, and also more common in power/energy and life sciences companies.
At the end of the day, the risk management approach should be appropriate for the organization’s size, complexity, and risk profile.