The first thing to realize is that risk will evolve from either internal or external sources with the potential to affect strategy. Risk represents the possibility that some event will occur. Management’s job is to assess all the risks associated with implementing strategy and achieving the organization’s objectives. It boils down to considering the impact of all the underlying events that might have some impact. Enterprise Risk Management (ERM) is a framework for aligning risk appetite and strategy. Based on application of the framework, managing risk becomes a process of enhancing our risk management decisions. It is about reducing operational surprises and losses through a process of identifying and managing the entire multiple and cross-enterprise risks. It is more than avoiding losses; it is a process of seizing opportunities and looking for ways to improve the deployment of capital.
It is very closely linked to internal control in that is a process that is created and managed by people. It is, or should be, applied in a strategy setting and across the enterprise. It will only provide reasonable assurance and is geared to the achievement of objectives. When we say that risk management is applied in setting strategy is that it sets strategies and then considers risks relative to alternative strategies. It evaluates alternatives and helps decide on a course of action.
Risk management is applied across the entire enterprise and should consider the entire scope of activities at all levels of the organization. You need to consider special projects and new initiatives. Don’t apply the concept too narrowly because taking a portfolio of risks may override the occurrence of a single isolated event. Your assessment should consider both quantitative and qualitative factors in reaching judgments. Also, it is useful to group risks into categories so they can be effectively managed.
Now that we’ve got you started on the road to understanding risk management we will next take up risk appetite in our next post.