Enterprise Risk Management vs Plain Old Risk Management

There is an old saying that the more things change, the more they stay the same. That adage is evident in the evolution of traditional risk management into Enterprise Risk Management or ERM over the past decade. This short article compares ERM to traditional risk management procedures.




There is an old saying that the more things change, the more they stay the same. That adage is evident to some extent in the evolution of traditional risk management into Enterprise Risk Management or ERM over the past decade.

Prudent business people have practiced risk management since Edward Lloyd's coffeehouse patrons began insuring ships in 1688. A few definitions are necessary to understand risk management.

Loss is an unintentional decline in value due to damage or destruction of an asset caused by perils such as fire, wind, explosion or criminal activity. Risk is uncertainty arising from the frequency and severity of a loss. Finally, a hazard is a condition that increases the likelihood of loss. For example, improperly stored flammable liquids increase the risk of fire.

An organization has six alternatives to manage identified risk. The first is simply to self-insure or retain it, a logical choice for inconsequential risks. A person may forego towing coverage on their car because they can absorb the low cost of infrequent losses. Risk retention is the default alternative for unidentified risks. The second alternative is risk avoidance. If flood insurance in coastal regions is cost-prohibitive, one can rent rather than buy a house, thereby leaving the flood risk with the owner.

Next is risk transfer. Purchasing insurance transfers risk to an insurer in exchange for the premium. Risk is also transferred by subcontracting hazardous operations to others more capable of dealing with the risk because of economies of scale, financial wherewithal, technical expertise, etc. Another option is to reduce a hazard. As an example, burglar alarms reduce theft losses by discouraging criminal behavior.

The next alternative is to reduce or mitigate a loss once it has occurred. A sprinkler system will not prevent a fire from starting, but will minimize damage by extinguishing it once ignited. The final technique is to reduce the peril itself. An example is reducing the risk of worker injuries by conducting employee training and encouraging adherence to safety standards.

What then drove this evolution from risk management to ERM, and how do they differ? ERM first gained widespread attention with the passage of the Sarbanes-Oxley Act in 2002. The following year, the Casualty Actuarial Society (CAS) defined ERM as "the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short and long-term value to its stakeholders." That definition sounds suspiciously like risk management.

An obvious difference is that ERM is not optional for large companies. Sarbanes-Oxley mandates risk assessment in internal control evaluation. The SEC requires an assessment of fraud risk, while the New York Stock Exchange requires audit committees to "discuss policies with respect to risk assessment and management." Even non-governmental agencies such as Standard & Poor's evaluate ERM procedures before assigning ratings.

Perhaps the major difference between risk management and ERM is the much broader and forward-looking focus of the latter. Risk management could be little more than a cost-based euphemism for purchasing insurance, a process sometimes relegated to insurance agents. It was often a fragmented effort to control and finance losses arising from observable perils and hazards to assets such as buildings, machinery, inventories and monetary assets, as well as employee injuries and third-party liability losses due to negligence. These risks are encompassed by hazard risk, the first of four risk classifications defined by the CAS.

The other three classes, arguably more esoteric, are:

• Financial risks such as pricing and currency risk
• Operational risks like customer satisfaction and reputational risk
• Strategic risks involving competition, social trends, capital availability, etc.

Managing risk in an ERM framework requires an integrated, value-driven approach. It is hard to imagine an effective ERM process not involving a broad spectrum of subject matter experts including lawyers, CPAs, internal auditors, risk managers, product development professionals and senior management.

It also encompasses all strategic and tactical aspects of operations including marketing, treasury operations, customer service and quality assurance. Not surprisingly, ERM is more resource intensive, but with greater expected returns.

We end with a comment on the value of ERM by Rick Buy, former Chief Risk Officer at Enron. In 2000 he said, "A rattlesnake may bite us every now and again, but we knew it was there and how much it might hurt." Mr. Buy later invoked his Fifth Amendment rights during congressional questioning that followed Enron's 2001 bankruptcy.

So have things changed or stayed the same? You decide.

© 2012 by Dale R. Schmeltzle

About the author: Dale R. Schmeltzle, CPA is a founding partner of CFO America, professional consultants dedicated to helping business owners define, implement and monitor the strategic and tactical elements necessary to achieve long-term financial and operational success. CFO America provides fractional or part-time executive management expertise not available on an in-house basis. Dale is a frequent speaker for numerous professional, civic and non-profit groups. He wrote Highly Visible Marketing, 115 Low-cost Ways to avoid Market Obscurity. He has also taught college level accounting and financial courses to non-business audiences. For more information, please visit http://www.CFOAmerica.biz or follow us on Facebook at http://www.facebook.com/CFOAmerica.