Structuring an Enterprise Risk Assessment Protocol: Traditional Practice and New Methods

DOI: http://doi.org/10.1111/rmir.12068
Date: 01 March 2017
Author: Mark Abkowitz, Janey Camp
Published date: 01 March 2017
Risk Management and Insurance Review
Risk Management and Insurance Review, 2017, Vol.20, No. 1, 79-97
PERSPECTIVE
STRUCTURING AN ENTERPRISE RISK ASSESSMENT
PROTOCOL: TRADITIONAL PRACTICE AND NEW METHODS
Mark Abkowitz
Janey Camp
ABSTRACT
In a world that has become increasingly complex, enterprise risk management
(ERM) has emerged as a practice for identifying reasonably foreseeable hazards
that pose risks to an organization, both its physical and human assets. Due to
the breadth and depth of factors that can impact an organization’s risk portfolio,
it is incumbent that the underlying risk assessment process that supports ERM
embodies a holistic and systematic approach. This is easier said than done,
however, as much of the effort in self-acclaimed ERM programs remains
entrenched in compartmentalized parts of the organization or ignores threats that
are “outside of the box” of the operating environment to which management is
accustomed. This environment therefore creates opportunities for key risks to
go unnoticed. The authors propose a comprehensive, yet flexible framework for
overcoming this challenge, an approach that can be utilized by both the public
and private sector. A sample application is provided, using a free, web-based
tool developed as part of the initiative.
INTRODUCTION
Risk is inherent within any organization, at all levels and in various facets. Such is the
nature of the risk versus reward trade-off that represents life as we know it. It should
therefore come as no surprise that the concept of risk management has existed for centuries,
dating back as far as the Code of Hammurabi. Throughout history, risk management
has embodied considerations that include pollution, transportation, natural disasters,
personal liability, building and fire codes, human health, and food safety (Covello and
Mumpower, 1985). However, today’s risk world has become increasingly complex due
to global competition, dependency on international supply chains, political instability,
climate change, and technological innovation. It demands a broader perspective when it
comes to identifying, characterizing, and assessing risks that may threaten an
organization. This has motivated many organizations to consider implementing enterprise risk
management (ERM) as a core business practice.
Mark Abkowitz is at Vanderbilt University, Civil and Environmental Engineering, 400 24th
Avenue South, Jacobs Hall, Room 292, Nashville, TN 37235. Abkowitz can be contacted
via e-mail: mark.abkowitz@vanderbilt.edu. Janey Camp is at Vanderbilt University, Civil
and Environmental Engineering, Nashville, TN 37325. Camp can be contacted via e-mail:
janey.camp@vanderbilt.edu.
In this article, we define ERM as:
... a systematic approach enabling an organization to consider all factors that threaten its
ability to meet business objectives and implement appropriate risk management controls
according to the organization’s risk appetite.
Certain terms have been italicized in this definition because they connote an important
message. A “systematic approach” implies that there is an overarching structure to the
risk management process. Consideration of “all factors” emphasizes the need to cast
the net widely to ensure that all hazards, which can potentially threaten the
organization, have been identified. Reference to “business objectives” recognizes that each
enterprise has its own measures of success upon which it is judged. The implementation
of “risk management controls” defines what the organization believes are cost-effective
mitigation strategies. Reference to the enterprise’s “risk appetite” acknowledges that
each enterprise has a different risk tolerance, which will guide whether a certain risk is
deemed acceptable or requires a mitigation action.
ERM as a concept was introduced in the early 1990s by Miller (1992), although it took a
period of time thereafter for the idea to take root (Kleffner et al., 2003; Liebenberg and
Hoyt, 2003). The maturation of ERM practices also brought a greater appreciation for
the complexities involved in implementing an integrated risk management program as
well as the roles and responsibilities of risk champions.
By the turn of the century, a critical mass of firms was pursuing this concept. As noted by
Gates and Hexter (2005), in surveying 271 financial and risk executives, the vast majority
were either making efforts to develop and implement ERM strategies within their
organizations, or were positively disposed toward using ERM. Concurrently, organizations
involved in establishing industry codes and standards began developing guidelines for
formulating and implementing an ERM practice (Committee of Sponsoring
Organizations of the Treadway Commission, 2004; Australian/New Zealand Standard, 2004).
More recently, a global risk management study conducted by Accenture reported that
over 80 percent of corporate-level executives surveyed viewed risk management
capabilities as critical for dealing with management volatility and organizational complexity
(Accenture, 2011). These executives were associated with nearly 400 companies
representing 10 industry sectors, operating in several continents. ISO 31000 was
published to help guidelines keep pace with this uptick in ERM interest and
application (International Organization for Standardization, 2009).
Much of the excitement around ERM as a management practice stems from an
appreciation for the value it brings to the financial health of the organization (Hoyt and
Liebenberg, 2011; Pagach and Warr, 2011). This has stimulated interest in strategic
investments in ERM with an eye toward improving the bottom line (Ai et al., 2012). The
opportunities that can be derived from an effective ERM program include: (1) enhancing
the safety and security of employees, business partners, and the community at large;
(2) improving the quality of decisions and reducing surprises by being better risk
informed; (3) controlling unnecessary expenditures by treating risks before they become
more costly problems; (4) creating opportunities for competitive advantage; (5) helping
to grow a proactive organizational culture that recognizes and rewards problem
avoidance; and (6) increasing stakeholder confidence by demonstrating good stewardship. It
