Metaphorically, ERM can be compared to a tree[1] with branches growing in various directions. The enterprise risk management process has emerged from its fundamental risk management roots: preserving assets, protecting people, and complying with laws and regulations. The ERM tree developed several new branches growing in multiple directions during its initial growth period.

A standard ERM framework does not yet exist. After more than a decade of evolution, the various national standards, artificially created frameworks, and differing lexicons that had existed for marketing and commercial purposes have been reduced to two.[2] There is the framework developed by the Committee of Sponsoring Organizations (COSO) and the framework and lexicon developed by the International Organization for Standardization (ISO). These two frameworks have different DNA. The COSO sponsoring organizations are (1) the American Accounting Association, (2) the American Institute of CPAs, (3) Financial Executives International, (4) the Association of Accountants and Financial Professionals in Business, and (5) the Institute of Internal Auditors. COSO's DNA is the financial reporting scandals of the early twenty-first century. ISO 31000:2009 is designed to be the standard set of principles and guidelines; it provides principles, a framework, and a process for managing risk. However, actual risk management practice across a cross section of organizations indicates that hybrid frameworks are being utilized, because some organizations reject strict adherence to either of the two self-proclaimed standards.[3] The hybrid idea is that combining the best parts of both frameworks produces a more customized model that better serves the needs of an organization, such as by providing a unique competitive advantage. There is also still considerable confusion over the purpose of ERM. Some organizations view ERM as a strategic function, while others still see ERM as only a control and compliance function.

Another reason ERM has lacked a uniform standard is the way commercial firms sell ERM. The marketing of ERM by professional services firms mirrors the services and product offerings that are the core business services of those firms. For example, accounting and audit firms view ERM through the lens of audit, compliance, and control, whereas insurance brokers see ERM through the supply chain lens that leads them to a range of insurance-based products. Financial institutions, such as banks, see ERM as a methodology to comply with laws and regulations. And consulting firms focus on utilizing ERM in strategy and organizational structure. Additional branches on the ERM tree have been created by other specialties such as information technology (IT), business continuity, and crisis management.

The shape of ERM within organizations is largely dependent upon which branch of the ERM tree it emerged from. The practice of ERM will be biased toward the partisan internal forces claiming ownership of the process. For example, accounting firms may place compliance at the top of the tree. In contrast, insurers put financial outcomes and statutory regulatory requirements at the top, subjugating all other actions to creating economic value. As another example, utilities place reliability at the pinnacle of the ERM tree, knowing that is their core mission.

The lowest branch on the tree, closest to the base, represents the earliest forms of ERM. They were called ERM programs in the financial press, but were in actuality integrated risk programs. One such program that received a great deal of attention in the financial press in the late 1990s was the United Grain Growers (UGG) ERM program.[4] The fruit of this branch was creative financing of historically heterogeneous risk categories within new blended programs (e.g., volume risk combined with hazard risks). Creative financing came from aggregating these different kinds of risks into a blended multiyear basket, sometimes coupled with an exotic trigger.

Two additional limbs appeared in quick succession in 2001 and 2002. In the wake of 9/11, the business continuity planning branch emerged with a focus on disaster preparedness and emergency response planning. A renewed emphasis on physical security and system redundancy was accompanied by terrorism risk assessments, modeling of man-made disasters, and the passage of the Terrorism Risk and Insurance Act (TRIA).[5] IT departments and asset managers led the way in nurturing these branches. Another compliance-related branch grew out of the Enron implosion and other issues of corporate fraud. These fiduciary breaches led ultimately to the Sarbanes-Oxley Act,[6] the creation of the COSO ERM Framework,[7] and passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act.[8]

Yet another branch in the compliance and audit family that has emerged over the past few years is called governance, risk, and compliance (GRC). This branch extends the ERM approach to include corporate governance and risk management requirements from entities such as the New York Stock Exchange. It gains its support from audit firms and information technology providers.

As the United States embraces the general concept of sustainability, a new ERM branch has grown to include the green movement. One such branch includes John Elkington's concept of the triple bottom line of profit, people, and planet.[9] From this perspective, ERM is seen as being more holistic about the risks faced by businesses in executing their strategies. In addition to managing variation in a business's economic performance, this ERM approach also includes assessing the impact on social justice performance and environmental stewardship. The social justice aspect requires an analysis of how risks impact not only stockholders, but also customers, vendors, governments, and employees. The environmental aspect has broadened the vocabulary of ERM. Terms like cap and trade, carbon footprint, and sustainable development have worked their way into the risk management lexicon. Company stakeholders have expanded far beyond employees, owners, and customers to encompass literally the entire world.

Several years ago another new branch started to grow around the idea that the ERM process could add new measurable value to an organization. Adherents to this philosophy view ERM as encompassing both threats and opportunities. The practitioners in this camp consider leveraging risk to take advantage of the upside of opportunities, while at the same time addressing the traditional downside of risk. While some of the opportunities identified can be transactional or product-related in nature, by and large ERM should be focused on supporting business strategies. In this way ERM can be utilized to take advantage of operating conditions by aligning business growth opportunities with agreed risk appetites and tolerances and with overall organizational goals: risk-adjusted decision making. Executive management's willingness to reexamine the purpose of ERM is the first key step toward recognizing that it is a strategic function that supports reducing the impact of adverse events and exploiting opportunities to achieve better outcomes.

  • [1] John Bugalla, Barry Franklyn, and Corey Gooch, "Climbing the ERM-Enterprise Risk Management Tree," Risk Management, May 2010; and National Law Review,
  • [2] The two major frameworks are ISO 31000, accepted in approximately 25 countries, and COSO, which is mainly utilized in the United States. Other frameworks include those created by AS/NZ 4360 and the Conference Board of Canada.
  • [3] For a discussion of the benefits and disadvantages of ERM standards, there are many articles; for example, see, ments/coso_erm_executivesummary.pdf and
  • [4] See "United Grain Growers Limited (A)," Harvard Business School Case Study 9-201-015, June 11, 2001.
  • [5] For the full Terrorism Risk Insurance Act of 2002 Reauthorization Act of 2013, see
  • [6] To read the full act, Public Law 107-204, July 30, 2002, see about/laws/soa2002.pdf.
  • [7], accessed December 8, 2013.
  • [8], accessed December 2013.
  • [9], accessed December 8, 2013.