Enterprise Risk Management (ERM)
Introduction
An enterprise risk management (ERM) is a strategic business approach for identifying, planning, organizing, leading, and controlling activities in an organization to ensure that it prepares for potential uncertainty that can disrupt if the risk occurs during organizational operations (Majdalawieh & Gammack, 2015). Some of the factors considered in an ERM include the people, regulations, and equipment/tools. Therefore, an individual can define ERM as a framework that determines the responsibility of each individual, establishes repeatable principles, and determines the type of tool for mitigating the risks. There are different benefits of using ERM in a corporation. For example, through ERM, an organization can focus more on the risk associated with its operation, enhance its capability to analyze risk, and improve efficiency in the use of resources. ERM can also enable an organization to monitor and comply with regulations requirements effectively. Majdalawieh & Gammackm (2015) suggest that ERM can help an organization reduce operation costs by fostering improvement in competitiveness and developing a more focused culture on managing risks. However, when most organizations try to implement a holistic ERM in strategic planning, they fail due to some of the challenges that occur in the process.
This article evaluates some of the challenges an organization can face while implementing ERM and assessing how an organization can use the COSO Cube ERM and GRC approach to overcome these challenges. In also include how an organization can use ERM as a strategy in its. The challenges discussed are human errors, environment/organizational complexity, process-related challenges, and difficulties in the scoring model.
Kerstin, Simone & Nicole (2014) suggest that despite there are different approaches that an organization can use to implement ERM, human error is a factor that can negatively affect the suitability of the ERM framework used by a particular organization. Regardless of the approach used to establish the ERM framework, there is a possibility that some people may not have the same perspective as the management expect. This variation may lead to conflicting perceptions of different factors such as the meaning of risk, the purpose of the ERM framework, and confusion of the difference between inherent risk and residual risks. This means that after an organization has implemented an ERM, it is essential also to clarify some terms. For example, providing a clear definition of risk according to an organized environment can eliminate human error due to misinterpretation. Kerstin, Simone & Nicole (2014) suggest that clarifying terms’ meaning is a strategic move that ensures that every individual in the organization has the same understanding.
Moreover, the corporation should establish consistent monitoring to ensure what is agreed upon as risk meets its needs. An organization can select staff and assign them the responsibility for auditing, managing, and monitoring the process after implementing the ERM program. Communication is also a crucial factor for an organization when eliminating human error in ERM. Kerstin, Simone & Nicole (2014) state that communication is the key to establishing risk awareness among the staff and emphasizing the benefits of using an ERM framework.
The business world is characterized by volatility, uncertainty, complexity, and ambiguity, making the environment within which businesses operate very complex. For example, the environment within which companies operate involves unpredictable dynamic changes that make it challenging to evaluate, measure, and anticipate risks. Moreover, climate and weather are factors that can include unexpected changes such as earthquakes, hurricanes, and tornadoes, which, despite their potential threat to any organization, have a significant degree of uncertainty. The only way to mitigate these challenges is to realize that the set of potential risks listed for the ERM framework does not guarantee a hundred percent immunity.
Fraser & Simkins (2016) suggest that an organization can also have difficulties in implementing and procedure besides these two challenges. The ERM framework processes include identifying risks, assessing risk, evaluating risk, treating risk, and monitoring risk. It is not a walk in the park for some organizations when it comes to identifying the risks. Fraser & Simkins (2016) states that identifying the risks management team must systematically collect information on different risk types. Failure to do so can potentially lead to undetected risk, which can negatively impact the ERM framework’s efficiency. Among other activities, the team must conduct a prior internal audit, develop a risk questionnaire, think-critically, and analyze the business’s scenario. Other factors, such as finance, regulation concern, available strategies, and litigation, can also contribute to process-based challenges. This implies that an organization eventually cannot quantify, assess, evaluate, and address the risks even after establishing an ERM framework. Fraser & Simkins (2016) proposal that an organization requires first to identify and develop a set of appropriate key risk indicators using a metric that has essential information for identifying the potential risks in different dimensions. Moreover, an organization need should integrate a scoring model in the ERM framework to overcome scoring difficulties.
Both COSO Cube and GRC model can help an organization strategically implement ERM and manage to use its framework as a strategy. In this article, the following discussion demonstrates how ERM implementation becomes a strategy for dealing with risk.
Kerstin, Simone & Nicole (2014) suggest that the GRC model of implementing ERM consists of G-governance, R-risk, and C-compliance as the primary principles. In this model, the governance principle forms a strategic direction toward which an organization’s objective can be achieved. Kerstin, Simone & Nicole (2014) add that organization governance involves developing general-based rules and procedures that every department should follow. These rules and guidelines are usually communicated to the stakeholder, followed by monitoring processes to reward performance based on them. The risk principle in the GRC model can also potentially enable an organization to use ERM strategically. Kerstin, Simone & Nicole (2014) suggest that an organization must assess risks, identify/analyze risks, explore/develop risks, and monitor them through this principle. These activities enable an organization to strategically emphasize the need to evaluate every level of threats in the best way possible and promote the strategic development of solutions to those risks. It also tailors risk management in a manner that an organization realizes the potential risk associated with uncertain situations. The principle of compliance in the GRC model focuses on ensuring that an organization adheres to the legal requirement based on regulations, law, and the organization’s internal policies. Kerstin, Simone & Nicole (2014) suggest that through this principle, an organization can ensure that it consistently follow up with an update on government regulation, establish awareness, fosters communication, and maintain continuity.
References
Fraser, J. R., & Simkins, B. J. (2016). The challenges of and solutions for implementing enterprise risk management. Business Horizons, 59(6), 689-698.
Kerstin, D., Simone, O., & Nicole, Z. (2014). Challenges in implementing enterprise risk management. ACRN Journal of Finance and Risk Perspectives, 3(3), 1-14.
Majdalawieh, M., & Gammack, J. (2015). An Integrated Approach to Enterprise Risk: Building a Multidimensional Risk Management Strategy for the Enterprise.