Enterprise risk management takes a view of risks across the whole organisation and therefore directs the focus and energy of management to where it matters most.
Identifying and managing risks that do not fit neatly into one business area is vital.
Modern organisations are complex and are exposed to risks that cross traditional organisational boundaries. These may involve not only many areas within one company but also the extended networks that most companies are involved in, such as UK and overseas suppliers, Web and Internet systems, offshore exposures, and legal, regulatory and technical frameworks outside the UK and Europe. Many companies have business-critical data managed by other companies, where the control of this data rests with other firms, often within other countries.
It is equally important to identify where opportunities are being missed and where risk exposures are acceptable and to what degree. Avoiding risk can be just as costly to a company's profitability and effectiveness as not managing risk.
Enterprise risk management is a process which integrates risks across a whole organisation in order to minimise losses and maximise opportunities. The key components are:
Commitment at the highest levels to enable successful decision-making and the achievement of value.
A dedicated senior manager who is accountable to the executive and the board for driving the enterprise risk management process.
A risk-aware culture throughout the organisation that results in full engagement and accountability at all levels.
Involvement of all stakeholders in the risk management process including suppliers and customers, regulators, shareholders and ratings agencies.
Effective and meaningful risk management reporting and communication.
The definition of risk appetite and alignment with strategy.
The ability to manage risks across departments and processes within the organisation and to link with suppliers and customers.
Risk information fully integrated into the decision-making process.
The ability to demonstrate the value added by risk management to the organisation.
The ability to identify current risks, minimise surprises and predict future risks using both internal and external data.
A move from simple risk avoidance to the creation of value.
An integrated risk management information system and methodology that allows risks to be managed and controlled in an integrated, company-wide manner.