Thursday, December 31, 2009

Enterprise Risk Management

Traditional risk management, or risk handled by each separate business function or unit, has become obsolete due to several factors. The fiercely competitive market, with its complicated supply chain arrangements, increases the impact of any business interruption. Catastrophic events, such as the recent Hurricane Katrina disaster, illustrate that a company’s customer or supplier base can evaporate overnight. Risks are ever changing, and corporations must adjust as new situations develop. Risk management by subject matter experts inside silos of finance, insurance, operations, and the legal department does not consider organization-wide risks. Enterprise Risk Management is gradually becoming the standard for companies worldwide as the preferred method to manage organizational risk.


In the past, one focus of risk management has been financial risks such as interest rate or market trading risks. The portfolio manager, for example, would manage the organization’s investments based on management’s risk tolerance. The goal of the portfolio manager would be to maximize shareholder value by diversification of assets. Additionally, the credit department would evaluate a customer’s credit history to determine whether sales should be made to that customer.

Another traditional function of risk management is hazards management, which would include insurance of facilities, business interruption insurance, directors’ and officers’ liability insurance, etc. The corporation typically has a department or an individual charged with evaluating exposure to insurable losses. This individual is responsible for reducing the corporation’s exposure to uninsured losses to an acceptable level.

Marketing and sales departments, along with the operations departments of the company, consider risks when evaluating business opportunities. Examples include decisions such as whether to increase production capacity due to an increase in forecasted demand or whether to purchase additional locations in order to increase revenues and market share. The return on investment is usually used as a benchmark for these decisions.

Regulatory risk is often handled by the legal department. The types of regulatory issues considered depend on the industry. For example, a bank is heavily regulated by many federal agencies. Another type of regulatory risk currently in the news involves the Sarbanes-Oxley Act of 2002, which covers corporate governance and also imposes new reporting and attestation standards concerning internal controls over financial reporting.



One advantage of using the silo approach to risk management is that department personnel are experts in their field. However, most risks cross multiple departments of the company. For example, the fire affecting the supply of handsets for Nokia and Ericsson affected operations including purchasing, logistics, marketing, and sales, as well as financial risks related to degradation in access to capital markets due to loss of market share. Additionally, regulatory issues could also have been affected, since publicly traded companies are required to disclose relationships with major suppliers in their public filings with the Securities and Exchange Commission. Considering each of these risks separately in a silo would not account for the interrelationship between the variables. A problem with supply chain management led to problems with supplying the product, and consequently to damaged brand image, and ultimately to a lower market share, a drop in stock value, and a loss to the shareholders.




An alternative to the traditional silo approach is an overall organizational approach to risk management, often referred to as Enterprise Risk Management (ERM), which has been adopted by many progressive corporations today. The goal of ERM is to maximize shareholder value by developing an executive-level, all-risks approach. Risks are measured in terms of their impact on the company, not their impact on each individual silo such as the investment portfolio or the marketing department. The emphasis the financial markets place on consistently meeting earnings expectations has further increased the pressure for organizations to adopt ERM, which is uniquely suited to meeting this requirement.



Risks, including technological failures, natural disasters, and terrorist acts, are constantly evolving and changing. These events, which appear to increase in intensity, frequency, and magnitude over time, mandate that corporations re-evaluate their approach to risk management in order to ensure their organization’s continued operations. For example, until the fall of 2005 no one could have imagined the magnitude of a disaster such as Hurricane Katrina hitting the United States and, more importantly, the lack of coordinated preparation and response by government officials.



FEMA, the Federal Emergency Management Agency, was strongly criticized during this disaster, along with other federal agencies, for lack of preparation and analysis of risks. A lack of integration of risk analysis among the various federal, state, and local agencies was also evident. Failures such as this disaster rightly cause all emergency agencies and businesses to re-evaluate their risk management programs to ensure that they are as well prepared as possible.



One valuable aspect of ERM is the ability to address risks not previously identified by traditional risk management performed in “silos”. For example, ERM was implemented at NASA following the February 1, 2003 Space Shuttle Challenger disaster. The Space Shuttle disintegrated shortly after takeoff, killing all seven astronauts on board. Agency officials determined that part of the cause of the disaster was a breakdown in communications between various parts of the agency. The NASA Chief Information Officer met with information security personnel and business managers, determined enterprise-wide risks, many previously unidentified, and developed strategies to mitigate them. One risk identified was a lack of consistency in data security policies, which could have led to a serious breach.



A more sophisticated method of evaluating investment opportunities is another decisive advantage of ERM. Decision-making methods utilizing ERM can be woven into the corporate culture, allowing organizations to avoid poor investments while allowing riskier investments with potentially higher returns if analysis supports the decision. One method used by financial services organizations to analyze the risks associated with trading activities is VAR, or Value at Risk. Non-financial services firms also utilize ERM when evaluating projects. One example is aerospace supplier Rockwell Collins, whose implementation of ERM was so successful that the firm was named the best managed aerospace firm by Forbes in 2004. Rockwell Collins reviewed each project using risk analysis principles.




Enterprise Risk Management has been adopted by many corporations with good reputations for exceptional leadership. Competitive pressures in the financial markets have forced corporations to strive for maximum performance, which can be achieved by utilizing the more sophisticated ERM tool and abandoning traditional risk management methods. Risk tolerance can be adjusted to planned levels, allowing for investment in projects with a higher return on investment. Additionally, corporations can anticipate risks by considering the organization as a whole and the relationship between risk factors. ERM will enable corporations to maximize shareholder value while managing risk at tolerable levels.
