ERM and discrete risk management processes

ERM may try to recognise all risks everywhere, or just high level risks. Trying to recognise all risks in ERM may be easier with many discrete risk management processes.

What to read first:
COSO and ISO 31000 on discrete risk management processes
Discrete risk management processes within an enterprise (supplement for risk specialists)

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

The Clear Lines haven’t yet formally described Enterprise Risk Management, but as a specialist you have probably heard of it already. It may even be your main focus. This section jumps ahead to the relationship of ERM and discrete risk management processes within an enterprise.


The variable size of ERM

ERM may try to recognise all risks everywhere, or just high level risks.

ERM is the management of risk to enterprise objectives. There is usually an expectation that all risks affecting the enterprise in any way will be taken into account. That means considering how almost any event or faulty assumption can affect the achievement of enterprise objectives.

An appreciation of the effect of ‘all risks’ can be approached by explicit identification and assessment of all potential risk scenarios. Those scenarios can come up in every activity and goal of the organisation. There will be a large number of scenarios to register.

Alternatively, total uncertainties in enterprise outcomes can be assessed by considering a manageable number of highly aggregated scenarios. Each aggregated enterprise risk scenario might result from many possible causes. For example, the enterprise risk management team might consider the overall likelihood and effect of a major electronic security breach on enterprise objectives. In doing that, they may not look separately at each of the hundreds of particular ways in which security might be breached. Going directly to a high-level assessment involves assumptions that may be dangerous, but it might be better to try the high-level approach immediately than to ignore security risk until that whole world of doubt is fully analysed.

Centralised and decentralised ERM

Trying to recognise all risks in ERM may be easier with many discrete risk management processes.

If ERM is based on identification of all risk scenarios affecting every layer of the enterprise, there may be an attempt to capture and assess all those scenarios centrally. Central risk management is an alternative to dividing the total risk management activity for the enterprise into discrete units, and then building an overview of enterprise risk from all of those units of risk management activity.

I argued for a decentralisation of effort in the Everyone article, and I recommend discrete distributed risk management processes as the way to do that.

In practice there can be both centralised and distributed risk management at the same time. There can be discrete risk management activities for defined activities and risk themes, along with a central risk management activity for the enterprise as a whole. The central risk assessment can draw on the available discrete assessments in any way that makes sense. If both exist, it makes little sense for the central assessment to register all the risks that are also registered in the distributed discrete risk assessments. The central register will record only ‘high level’ risks, in manageable numbers.

Adding up all the risk ratings from separate assessments as numbers does not make sense. For assessing risk to the enterprise as a whole, counting up instances of risks rated at particular levels doesn’t make much sense either. That sort of thing commonly appears in ‘heat maps’, which are themselves of very limited value. I will be suggesting a much better approach in a later article.


Drill-down articles

Discrete risk management processes within an enterprise (CRMA)

The CRMA Study Guide does not recognise the possibility of discrete risk management processes within a single enterprise.

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

Risk management processes within an enterprise (CRISC)

The CRISC Review Manual does not discuss the possibility of discrete risk management processes within a single enterprise. There is implicit support for a discrete risk management process for ICT, which may be independent of enterprise or business risk management.

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

Previous article for Risk Specialists

COSO and ISO 31000 on discrete risk management processes

COSO ERM and ISO 31000 do not recognise discrete risk management processes within an enterprise.


Parent articles

Discrete risk management processes within an enterprise (supplement for risk specialists)


Index to the topic Discrete risk management processes within an enterprise
