The blog hasn’t yet formally described Enterprise Risk Management, but as a specialist you have probably heard of it already. It may even be your main focus. This section jumps ahead to the relationship of ERM and discrete risk management processes within an enterprise.
The variable size of ERM
ERM may try to recognise all risks everywhere, or just high level risks.
ERM is the management of risk to enterprise objectives. There is usually an expectation that all risks affecting the enterprise in any way will be taken into account. That means considering how almost any event or faulty assumption can affect the achievement of enterprise objectives.
An appreciation of the effect of ‘all risks’ can be approached by explicit identification and assessment of all potential risk scenarios. Those scenarios can come up in every activity and goal of the organisation. There will be a large number of scenarios to register.
Alternatively, total uncertainties in enterprise outcomes can be assessed by considering a manageable number of highly aggregated scenarios. Each aggregated enterprise risk scenario might result from many possible causes. For example, the enterprise risk management team might consider the overall likelihood and effect of a major electronic security breach on enterprise objectives. In doing that, they may not look separately at each of the hundreds of particular ways in which security might be breached. Going directly to a high-level assessment involves assumptions that may be dangerous, but it might be better to try the high-level approach immediately than to ignore security risk until that whole world of doubt is fully analysed.
Centralised and decentralised ERM
Trying to recognise all risks in ERM may be easier with many discrete risk management processes.
If ERM is based on identification of all risk scenarios affecting every layer of the enterprise, there may be an attempt to capture and assess all those scenarios centrally. Central risk management is an alternative to dividing the total risk management activity for the enterprise into discrete units, and then building an overview of enterprise risk from all of those units of risk management activity.
I argued for a decentralisation of effort in the Everyone article, and I recommend discrete distributed risk management processes as the way to do that.
In practice there can be both centralised and distributed risk management at the same time. There can be discrete risk management activities for defined activities and risk themes, along with a central risk management activity for the enterprise as a whole. The central risk assessment can draw on the available discrete assessments in any way that makes sense. If both exist, it makes little sense for the central assessment to register all the risks that are also registered in the distributed discrete risk assessments. The central register will record only ‘high level’ risks, in manageable numbers.
Adding up all the risk ratings from separate assessments as numbers does not make sense. For assessing risk to the enterprise as a whole, counting up instances of risks rated at particular levels doesn’t make much sense either. That sort of thing commonly appears in ‘heat maps’, which are themselves of very limited value. I will be suggesting a much better approach in a later article.
Main articles on the topic:
1. Discrete risk management processes within an enterprise (Everyone)
2. Shapes for discrete risk management processes (Everyone)
3. Examples of discrete risk management processes (Everyone)
4. Risk ‘to’ an area of activity and risk ‘from’ the activity (Everyone)
Coming soon: Scoping a risk management activity; ERM and RM; RM across an organisation, without a central register; Context setting, Objectives, expected and acceptable outcomes, priorities and tradeoffs.