What is enterprise risk management? At its core, ERM is a business process that gives an organization a structured framework for monitoring and managing its correlated risk exposures, so that the firm can reasonably ensure it is operating within established risk tolerances. A well-functioning ERM program provides a disciplined approach to identifying, quantifying, mitigating, and monitoring the risks and opportunities the organization faces each day.
Why ERM matters
A formal ERM program helps a company manage its risk profile and risk exposures across the entire organization. No ERM program can completely eliminate risk. However, companies that ingrain risk-based decision-making into their core operations through an ERM framework tend to be far better at articulating their risk profiles and managing to them. They can do so because the framework lets them identify the risks that may affect their particular enterprise and understand the correlated impacts a given risk may have on the various components of the business - not just on the silo of the organization where the risk was first identified.
At the peak of the 2008/2009 financial crisis, global insurance titan American International Group (AIG) provided an unfortunate case study in how silo-based risk management does not achieve the same results as an enterprise-based approach. The example, somewhat oversimplified here, shows how a business can be adversely affected to the point of collapse even when each of its silos has its own risk management processes and procedures, if no structure exists to aggregate that information and observe the correlated risk exposures across the entire enterprise.
Again from a slightly oversimplified view, consider AIG's three core businesses: Insurance, Financial Products, and Aircraft Leasing. Each was solvent and profitable as a stand-alone business before the financial crisis. However, as the Financial Products division layered on ever-greater amounts of risk in pursuit of increased profits, the AIG organization as a whole was assuming greater risk at the enterprise level - yet only one of the underlying businesses, Financial Products, was truly aware of the increased risk profile. Had AIG employed a robust ERM program at the enterprise level, the framework would have forced AIG to see not only the increased risk profile in the Financial Products division but also the correlated impacts that increase would have on the Insurance and Aircraft Leasing businesses. In other words, an ERM program operated at the enterprise level would have made AIG recognize that its entire enterprise risk profile had increased because of the actions of the Financial Products division. Further, it would have given AIG the framework to assess whether the increased enterprise risk profile remained consistent with the desired enterprise risk profile articulated before the crisis.
Enterprise risk management is not a business practice that benefits only large organizations. ERM principles can be applied to organizations of all types and sizes. One of the core components of a properly established ERM program at any company is scaling its size and complexity to fit the organization and its culture. For instance, an international construction firm will require a far larger and more complex ERM program than a smaller construction firm that operates in a tri-county area. An insurance carrier such as Zurich, which also owns non-risk-bearing, revenue-producing operations, will require a far more complex and costly ERM program than a company the size of Amerisure. At the end of the day, a well-designed, well-implemented, and well-functioning ERM program will have taken into account the size, complexity, resources, organizational culture, and external requirements of a given organization in order to tailor the program to fit it.
This article is part one in a series on enterprise risk management.