Too many requestsToo many requests GRC Resource » Risk Management

Risk Management

The management of risk has been an important concept for millenia, starting with the distribution of wares across several ships and leading to the most commonly known type of risk management: insurance. From a GRC perspective, the recent notion of “Enterprise Risk Management” (ERM; also “Corporate Risk Management”, “Enterprise-wide Risk Management”) is of principal interest. While the different methods to calculate, hedge and mitigate financial, operational, strategic and hazard risks deserve a thorough examination in any GRC project, it is especially the holistic view of all risks of a company that GRC should strive to provide. The requirement for such a holistic view is increasingly driven by legislation, but it should be important to executives anyhow, as it impacts the company’s performance and proves to stakeholders that the company is steered in a responsible manner. Managing risks separately, be it in functional or organisational silos, is no longer sufficient in the times of global markets and supply chains. Let us take a look at some ERM definitions:

“ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.” The Casualty Actuarial Society Enterprise Risk Management Committe (2003): Overview of Enterprise Risk Management. p. 8.

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Committe of Sponsoring Organizations of the Treadway Commission (2004): Enterprise Risk Management – Integrated Framework. Executive Summary. p. 2.

The latter definition is probably the most frequently used, as COSO also provides an “Integrated Framework” for ERM that is likely to be the industry standard model used by companies when implementing ERM.

Resources for starters

  • The Casualty Actuarial Society Enterprise Risk Management Committe (2003): Overview of Enterprise Risk Management.
    The Casualty Actuarial Society is a professional organization whose purpose is the advancement of the body of knowledge of actuarial science applied to property, casualty, and similar risk exposures.
  • Barton, B.L., Shenkir, W.G. & Walker, P.L. (2002): Introduction to Enterprise Risk Management.
    An introductory sample chapter from the book “Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management.”

Case studies

In-depth resources