Organizations are confronted every day by myriad risks that could disrupt — or even destroy — their business. Prudent companies protect themselves with enterprise risk management (ERM) frameworks that systematically assess probable risks, reveal sensible precautions, and begin planning for how to recover from risks that can’t be avoided.
He compares implementing an organizational risk management program to fire protection planning for your home. Once you’ve assessed your fire risk, you might decide that hard-wiring fire alarms in your house is worth the extra cost compared with simple wall-mounted smoke detectors, but retrofitting a sprinkler system is too expensive (to say nothing of the risk of accidental water damage). In the same way, your organization has to assess the probability of potential risks and the likely severity of each one.
Often, there are severe risks that are low probability, like freak weather or a natural gas explosion in the neighborhood, along with more ordinary risks, such as fender-bender crashes or power outages, that are disruptive but don’t threaten the existence of the organization. A sound ERM considers each risk and evaluates reasonable responses, whether that’s buying more fire extinguishers or simply reviewing your insurance policies.
There are four frameworks companies commonly use to guide their organizational risk management program.
What to consider before choosing an ERM framework
Herrera says choosing a framework for your organization starts with identifying risks. Consider the big stuff, from geopolitics to the economy. Are there trade negotiations underway that could change the rules of how your company interacts with offshore clients and customers? If interest rates rise, does that affect your business? How much?
Once you have thought that through, Herrera says, consider which framework can accommodate the future growth of your company. You need a reliable framework to adjust to changing needs as your business scales.
Herrera warns against excessively complex frameworks. The more difficult your program is to implement, the less likely it is that your organization will use it. Choose a framework your team can easily merge into their workflow.
Enterprise risk management frameworks
Companies most often choose enterprise risk management frameworks provided by one of the following organizations: Committee of Sponsoring Organizations of the Treadway Commission (COSO), International Organization for Standardization (IOS), the Risk Management Society (RIMS), and the Casualty Actuarial Society (CAS). Each framework takes a slightly different approach to evaluating risk.
Committee of Sponsoring Organizations (COSO)
International Organization for Standardization’s ISO 31000
Risk Maturity Model from the Risk Management Society (RIMS)
Casualty Actuarial Society (CAS)
According to Herrera, COSO offers detailed examples for applying risk management principles and standards that companies can use to measure their current processes. The framework addresses strategic, operational, reporting, and compliance risks. Each of the four major risk categories are assessed for control environment, risk assessment and management, control activities, outsourcing, and monitoring.
Herrera says that ISO 31000 approaches risk broadly, which makes it applicable to a wide range of business sizes and models. The ISO principles, framework, and process for managing risk allow businesses latitude to adapt what will work best for their situation. ISO includes principles of risk management, a detailed management framework, and steps for process implementation.
Hererra’s preferred framework is RIMS, which he describes as an “umbrella” that takes all the other frameworks and their components into account when assessing risk. As the other frameworks update their standards, RIMS updates too.
RIMS identifies seven components of an ERM program, beginning with adopting a program and ensuring that it follows best practices for identifying and responding to risks. RIMS has an objective process for understanding the company’s risk tolerance, identifying the root causes of risk, and evaluating business resilience and sustainability.
The CAS framework uses a seven-step process to assess risk. The process begins with establishing the context and identifying risks, and then moves into analyzing, integrating, and prioritizing the risks. The process ends with managing the risks, and continuously monitoring and reviewing the risk environment.
The framework includes four categories of risks: hazard, financial, strategic, and operational. Herrera notes that the CAS framework is the least commonly used of the four frameworks.
For more information, check out our lengthy guide on enterprises and enterprise resource planning.