Risk management has evolved over the years to ultimately become enterprise risk management (ERM), with a guidance standard (ANSI/ASSP/ISO 31000) for best practices. This standard defines risk as the effect of uncertainty on objectives, and treats that effect as potentially positive or negative, so uncertainty presents organizations with both threats and opportunities.
“ERM has been in practice since the mid-1990s, yet many organizations are still using a traditional, siloed approach where risks are viewed independently and as unrelated events,” said Sara Gibson, Senior Risk Services Manager at Safety National. “Some companies may view it as unnecessary, given their size or limited risk appetite, but its benefits extend as far as increasing efficiency and operational effectiveness.”
Organizations seeking to understand their current risk management style should consider which aspects of these three approaches fit best.
1. Traditional Approach: Risk is considered bad and it should be transferred.
- Insurance is purchased to cover risks.
- Risk identification and controls focus on negative, hazard-based risks.
- Compliance issues are addressed separately.
- A siloed approach is used, in which risks are treated independently of one another.
- The risk manager is the insurance buyer.
2. Intermediate Approach: Risk is an expense and its costs should be reduced.
- There is greater use of alternative risk financing techniques.
- Stakeholders are more proactive about preventing and reducing risk, but still address only negative risks.
- Risk management integrates claims, contract review, insurance, and risk transfer techniques.
- There is more collaboration throughout the organization.
- The hierarchy consists of a risk leader, with several departments each assigning their own risk owners.
3. Enterprise Risk Management: Risk is uncertainty and should be optimized to achieve organizational goals.
- There is a strong focus on all risks as threats and opportunities to reputation, human capital, and strategic and operational goals.
- This method aligns risk management with the organizational strategy, goals and mission regarding both negative and positive risks.
- It helps to manage growth while allocating capital and resources.
- Risks are owned by all stakeholders and mitigated at the lowest level.
The Chief Risk Officer facilitates an ERM Committee, and everyone in the organization acts as a risk manager by identifying and working on threats and opportunities.