The ABCs of ERM: The Rise of Enterprise Risk Management

Events of the last twenty years have thrust enterprise risk management (ERM) to the forefront of the contemporary business scene. Unfortunately, too many organizations leave out the all-important step of implementing strategies to mitigate the risks they identify. 

Related on BCMMETRICS: What’s Ahead in the World of Enterprise Risk Management

The Rise of ERM 

There are few trends in business whose origin can be pegged to one date on the calendar. However, the rise of enterprise risk management is such a trend. The date is Sept. 11, 2001.  

The attacks on the World Trade Center made organizations everywhere mindful of the potential for devastating blows to arrive out of a clear blue sky. They also made organizations cognizant of the need to systematize their efforts to identify, assess, and mitigate the risks that have the potential to disrupt their mission-critical business processes. 

The two decades since 9/11 have not exactly seen the return of global tranquility.  

The financial crisis of 2008, the Covid pandemic, the rise of extreme weather, mushrooming cybercrime, supply chain problems, and chronic geopolitical tensions have all contributed to the appearance—and reality—of an increasingly perilous organizational environment. 

In such an environment, the need for organizations to get serious about identifying  

and mitigating the hazards that threaten them is self-evident.  

The Importance of Follow-Through 

Enter enterprise risk management, the activity of identifying and mitigating the risks that threaten an organization, including natural, human, and technological threats as well as threats to the organization’s reputation and profitability and to the larger economy. 

As a business continuity professional, I applaud the fact that many companies have recently created ERM departments.  

Unfortunately, many corporate ERM departments today suffer from the same shortcoming: lack of follow-through. 

In a typical situation, the department might reach out to the executives in doing an annual assessment of risks. It might even go so far as to identify the top five threats facing the company. After that it’s, “Great. Thanks. Have a nice day. Talk to you next year.” 

And nothing further is done. 

This barely qualifies as enterprise risk management. I don’t think it does qualify. Because there’s no management at all. 

Sound ERM requires intelligent follow-through. 

The Four Risk Mitigation Strategies 

A proper ERM program incorporates risk identification and assessment and risk mitigation in an ongoing, actively tended cycle. 

Have you had a chance to look at the glossary of business continuity terms we published recently? It’s called “Strong Language: The MHA Glossary of Essential Business Continuity Terminology.”

In it we identify and define the four risk mitigation strategies. They are: 

• Risk acceptance. A mitigation strategy involving a conscious decision to remain vulnerable to a potential harm, usually based on a cost-benefit analysis. 

• Risk avoidance. A mitigation strategy centered on altering organizational behavior to eliminate a given risk. 

• Risk limitation. A mitigation strategy in which measures are taken to reduce risk, short of completely eliminating it. Incorporates a combination of the strategies of risk avoidance and risk acceptance. 

• Risk transfer. A mitigation strategy in which a risk is passed on to another organization, such as by hiring a third-party vendor to perform the associated function. 

A complete enterprise risk management program must go beyond identifying and ranking risks. It must also include the thoughtful implementation of risk mitigation strategies, in order to bring risks under intelligent control. 

Taking Ownership of Risk 

A careful reading of the descriptions of the risk mitigation strategies will make one thing clear. The goal of ERM is not to reduce risk to zero. This is probably practically impossible. If it weren’t impossible, it would likely be prohibitively expensive. If it weren’t prohibitively expensive, it would probably amount to a waste of company resources. 

The real aim of ERM is for the organization to take ownership of its risks. To be aware of them. And to make informed decisions about them, whether that decision involves living with them, reducing them, or handing them off to another organization. 

Practicing True Enterprise Risk Management 

Since 9/11, organizations everywhere have come to recognize the importance of systematically identifying, ranking, and mitigating threats. Unfortunately, many ERM departments fall short in implementing that final step.  

True enterprise risk management requires not just identifying and assessing threats but consciously applying risk mitigation strategies to bring them under control. To reflect the fact that organizations and environments change, the whole process should be conducted on an ongoing, cyclical basis. The goal is not to reduce risk to zero, but rather to manage it in an informed and conscious fashion. 

Further Reading 

For more information on enterprise risk management and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting: 

• Risk Assessment: The Best Way to Identify Your Biggest Threats 
• The Risk Management Process: Manage Uncertainty, Then Repeat 
• Every Single Day: Make Risk Management Part of Your Company’s Culture 
• A Great Place to Start: The ISO 31000 Risk Management Guidelines 
• What’s Ahead in the World of Enterprise Risk Management 
• Don’t Just Hope: Choosing Strategies to Mitigate Risk