Assignment 4: Enterprise Risk Management Flashcards
Four Major Differences Between RM and ERM
- Risk categories
- Strategic integration
- Performance metrics
- Organizational structure
Risk Categories (Traditional RM vs. ERM)
RM: Pure risk only
ERM: Both pure and speculative risks (and the interrelationships between them)
Strategic Integration (Traditional RM vs. ERM)
ERM is integrated with the entire organization’s strategy, while RM is siloed
Exposure Spaces Model
A three-dimensional depiction of attributes – resources, events, and impacts – which is used in ERM to consider the range of potential impact from positive to negative
Performance Metrics (Traditional RM vs. ERM)
RM: Measures activity and results without balancing strategic goals against risk
ERM: Seeks to optimize risk taking in relation to strategic goals
Organizational Structure (Traditional RM vs. ERM)
RM: Generally reports to a centralized organizational department
ERM: Unlike RM, engages all of the organization’s stakeholders in the risk management process – it is both iterative and recursive
Chief Risk Officer (CRO)
Also known as an enterprise risk manager; a senior risk professional who has oversight over an organization’s enterprise risk management function
They help their enterprise create a risk culture in which individual department heads and project managers are identified as risk owners
Risk Owner
Someone who is responsible for managing risks from a specific center or operation
Strategic Planning
The process by which an organization’s board and executives develop, refresh, and refine its strategies in line with its view of the future
Business Model
The core aspects of an organization, including its vision, mission, strategies, infrastructure, policies, offerings, and processes
ERM recognizes that a business model will not survive indefinitely
Improvements in Strategic Decision Making (by incorporating ERM)
- It can address potentially devastating threats
- It can exploit opportunities by incorporating them into its current business model or completely reinventing a new model that will successfully carry it into the future
- It can use ERM as a process to manage unwanted variations from expectations
Process to Integrate ERM
- Develop ERM goals (establish the internal and external contexts)
- Identify risks (risk assessment)
- Analyze, evaluate, and prioritize critical risks (risk assessment)
- Treat critical risks, considering priority (risk treatment)
- Monitor critical risks (monitor and review)
Categories/Techniques for Treating Risks to Strategy
Avoid: Use alternative approaches that eliminate the cause of the risk or its consequences
Accept: Accept the risk by planning for ways to deal with the uncertainty if it occurs
Transfer: Assign the responsibility to manage the risk to a third party
Mitigate: Initiate activities to reduce the probability, impact, or timing of a risk event to an acceptable risk tolerance
Optimize/Exploit: Develop actions to optimize positive consequences to achieve gains
Enhanced Decision Making
This is one of two important benefits of adopting an ERM approach and has the following advantages:
1. Increased profitability (economic efficiency)
2. Reduced volatility
3. Improved ability to meet strategic goals
4. Increased management accountability
Improved Risk Communication
This is one of two important benefits of adopting an ERM approach and has the following advantages:
1. Management consensus: ERM creates a corporate culture that embraces risk as an additional component of each decision
2. Stakeholder acceptance: ERM builds a spirit of cooperation among management, which subsequently instills confidence among all employees. It also establishes management strategies that protect assets and reputation, which encourages the buy-in of external stakeholders
ISO 31000:2009
Provides an international standard for risk management as well as a generic approach to risk management applicable within any industry sector
Three major parts are principles, framework, and processes for managing risk
It is not certifiable, but some other ISO standards are
BS 31100
A code of practice for risk management with the following four primary goals:
1. Ensuring that an organization achieves its goals
2. Ensuring that risks are managed in specific areas or activities
3. Overseeing risk management in an organization
4. Providing “reasonable assurance” on an organization’s risk management
COSO II
Provides an effective mechanism for initiating a dialogue with an organization’s board and its senior executives about establishing ERM goals as part of the strategic management process
Intended audience is organizations of sufficient size to examine risk appetite at the board level
AS/NZS 4360
A joint Australian/New Zealand Standard for ERM intended to provide only a broad overview of risk management
Australia and New Zealand later adopted ISO 31000:2009, renaming it AS/NZS/ISO 31000:2009
The Federation of European Risk Management Associations (FERMA)
An organization consisting of national risk management associations, individual risk managers from Central European countries, and representatives from health organizations, educational sectors, and public sectors
Adopted Risk Management Standards with several elements:
1. The establishment of consistent terminology
2. A process by which risk management can be executed
3. An organized risk management structure
4. Risk management goals
Basel II
Established an international standard that banking regulators can use when creating regulations regarding the amount of capital banks need to keep in reserve to guard against the financial and operational risks they face