WHAT IS ENTERPRISE RISK MANAGEMENT?
We begin this chapter and the book with the above two quotes to highlight the importance of organizations being able to adapt to change and being prepared for the uncertain future. We believe this book is crucial to organizations being ready for change, survival, and success, and we would like to see more organizations adopt enterprise risk management (ERM). ERM is about preparing the organization to survive and thrive in the future, as the Charles Darwin quote implies about living organisms, an idea we extend to our context. We believe that the organizations that are successful are the ones that are best able to adapt and adjust to the changing world they find themselves in. History has shown this for both species and organizations. The Niels Bohr quote reminds us how difficult it is to predict the future. ERM prepares us for this!
In 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined enterprise risk management as: “The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.” This COSO definition is intentionally broad and deals with risks and opportunities affecting value creation or preservation. Similarly, in this book, we take a broad view of ERM, or what we call a holistic approach to ERM.
The purpose of ERM is not only to minimize risk exposure. It is to assist in finding the ideal level of risk for an organization to take in order to maximize opportunity. As in the past, many organizations continue to address risk in “silos,” with the management of insurance, foreign exchange, operations, credit, and commodities each conducted as narrowly focused and fragmented activities. Under ERM, all risk areas function as parts of an integrated, strategic, and enterprise-wide system. And while risk management is coordinated with senior-level oversight, employees at all levels of the organization are encouraged to view risk management as an integral and ongoing part of their jobs.
The purpose of this book is to provide a blend of academic and practical experience on ERM in order to educate practitioners, academics, and students alike about this evolving discipline. The leading experts in this field clearly explain what enterprise risk management is and how you can teach, learn, or implement these leading practices within the context of your business activities. Furthermore, our goal is to provide holistic coverage of ERM and, in this process, provide the what, why, and how of ERM to assist firms with successful implementation. Our companion volume, Implementing Enterprise Risk Management: Case Studies and Best Practices (2015), consists of numerous case study examples of how companies have actually implemented ERM in their organizations.
We believe that the implementation of ERM is not a one-size-fits-all exercise. Effective ERM implementations can include a broad range of activities, tools, and processes. Prudent practitioners will select and adapt common ERM practices to suit the culture, structure, and role of risk in value creation for their organization. Enterprise Risk Management introduces you to the wide range of concepts and techniques for managing risk in a holistic way, by correctly identifying risks and prioritizing the appropriate responses. It offers a broad overview of the different types of techniques: the role of the board, risk appetite, risk profiles, risk workshops, and the allocation of resources, while focusing on the principles that determine business success. This comprehensive resource also provides a thorough introduction to ERM as it relates to numerous specific risks such as credit, market, operational, climate change, cybersecurity, foreign exchange, and project management risks. As well, it offers a wealth of knowledge on the drivers, the techniques, the benefits, and the pitfalls to avoid in successfully implementing ERM.
DRIVERS OF ENTERPRISE RISK MANAGEMENT
There are theoretical and practical arguments for the use of ERM. As outlined in Chapter 2, “A Brief History of Risk Management,” and Chapter 39, “A Review of Academic Research on Enterprise Risk Management,” there has been an increasing consciousness in risk literature that a more holistic approach to managing risk makes good business sense.
External drivers for ERM's implementation have been studied, such as the Joint Australian/New Zealand Standard for Risk Management,1 the Committee of Sponsoring Organizations of the Treadway Commission (COSO),2 the Group of Thirty Report in the United States (following derivatives disasters in the early 1990s),3 CoCo (the Criteria of Control model developed by the Canadian Institute of Chartered Accountants),4 the Toronto Stock Exchange Dey Report in Canada following major bankruptcies,5 and the Cadbury report in the United Kingdom.6
Major legal developments such as the New York Stock Exchange Listing Standards and the interpretation of the Delaware case law on fiduciary duties, among others, have provided an additional force for ERM.7 In addition, large pension funds have become more vocal about the need for improved corporate governance, including risk management, and have stated their willingness to pay premiums for stocks of firms with strong independent board governance. ERM has also increased in importance due to the Sarbanes-Oxley Act of 2002, which places greater responsibility on the board of directors to understand and monitor an organization's risks.
For more information on the latest additions to regulatory requirements and recommendations for improved risk governance, please refer to Chapter 2 for highlights and to Chapter 6, “The Role of the Board in Risk Management Oversight,” for more details on the changes.
Finally, it is important to note that ERM can increase firm value.8 Security rating agencies such as Moody's and Standard & Poor's include whether a company has an ERM system as a factor in their ratings methodology for insurance, banking, and...