"What is the totality of our enterprise risk?" That’s a question being raised more often in today’s boardrooms as organizational leadership comes to realize that effective enterprise risk management (ERM) entails more than just the monitoring of financial risk. While financial risk is still an ongoing concern, enterprises also must be vigilant about identifying and being prepared to respond proactively to a wide range of risks.
Depending on the organization and its industry, key risk areas may include:
- Strategic risk (e.g., losing market share due to industry transformation)
- Environmental- or health-related risk (e.g., an explosion at a facility)
- Political/geopolitical risk (e.g., terrorism or nationalization of international assets)
- Operational risk (e.g., aging equipment causing a major manufacturing disruption)
- Legal and compliance risk (e.g., insider fraud)
The practice of proactive risk management improves an organization’s ability to manage both existing and emerging risks. It requires understanding the effects of key assumptions about risks and being able to visualize how risks relate to each other. In addition, proactive ERM means thinking "outside of the box" when identifying emerging risks and having measures in place to prevent them, mitigate their effects and, perhaps, seize upon opportunities they may present.
It is important to recognize that proactive ERM is not a process motivated by a compliance effort or an audit — nor is it an activity performed in isolation. To understand the totality of risk to the business, and to manage known and emerging risks effectively and to the benefit of corporate strategy, risk management capability must be integrated within the organization. It should be an embedded process that ultimately becomes part of the company's "DNA."