Approaching enterprise risk management.

Author: Muzzy, Ladd

Risk management looks simple on paper. So why is it so difficult to understand and implement? The concept is not new. Those working in business and in corporate functions have been implicitly or explicitly addressing this topic for many years.

But when risk is viewed across the entire enterprise, management activities become more complicated.

Nevertheless, addressing the increased complexity yields stronger benefits including enhanced resource and capital allocation, increased operational efficiencies and better communication on sensitive risk issues. To achieve these benefits, however, risk management must be approached across the enterprise in a method known as enterprise risk management.

Though the ERM acronym is frequently used, there's little understanding of what's involved in creating and managing a workable, successful ERM system.

The following will provide a practical view of the essentials of managing risk in a more holistic manner. It will also discuss how firms can prioritize and focus on significant risks to analyze their core risk-management competencies and evaluate how to best use limited resources.

Not 'One-Size Fits All'

A number of sources claim to have the panacea for risk management. Regulators, industry groups and consultants have all designed "optimal" approaches for managing risk across an organization. They include: the Committee of Sponsoring Organizations of the Treadway Commission (COSO); the International Organization for Standardization (ISO) 31000; the Australia-New Zealand Standard; and Basel II.

Even with all this information, many companies struggle to find the best method for their firms. One issue: there isn't even a commonly agreed-upon definition of "risk."

To wit: One multinational corporation had more than 10 documented definitions of risk from units including business, audit, legal, supply chain, human resources, finance and compliance.

It's common for companies to approach risk management in a siloed manner, with each unit having specialized knowledge in a particular risk category.

Events at Worldcom Inc., Enron Corp. and others have helped shape a desire for a more comprehensive and integrated view of risk. Boards, audit committees and executives at these and other companies received reports with conflicting information.

Rating   Dollar Value         Media Attention     Compliance/Regulatory
1        $1,000 - $50,000     Not newsworthy      Isolated compliance issues
2        $50,001 - $1MM       Brief local news    On site and practices...
