Enterprise

1. See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/273459903
Enterprise Risk Management (ERM): A New Way of Looking at Risk
Management at an Organisational Level
Conference Paper · July 2013
CITATION
1
READS
16,104
3 authors, including:
Some of the authors of this publication are also working on these related projects:
Megaproject cost overruns and the Gumbel distribution View project
family history View project
Jim Freeman
The University of Manchester
113 PUBLICATIONS 1,236 CITATIONS
SEE PROFILE
Shahzeb Irfan Malik
Shifa College
7 PUBLICATIONS 8 CITATIONS
SEE PROFILE
All content following this page was uploaded by Jim Freeman on 19 April 2017.
The user has requested enhancement of the downloaded file.

2. Enterprise Risk Management (ERM): A New Way of Looking at Risk Management at
an Organisational Level
Dr. Shahzeb Ali Malik
KTP Research Associate
International Institute of Risk and
Safety Management (IIRSM) and
Manchester Business School
(MBS), University of
Manchester, UK
Email: shahzeb.malik@iirsm.org
Barry Holt
Director of Policy & Research
International Institute of Risk and
Safety Management (IIRSM),
UK
Email: barry.holt@iirsm.org
Dr. James Freeman
Senior Lecturer in Operational
Research and Statistics
Manchester Business School
(MBS), University of
Manchester, UK
Email: Jim.freeman@mbs.ac.uk
Abstract:
The discipline of Risk Management is rapidly evolving; risk management practitioners are
increasingly shifting their focus from pure operational risks such as health and safety or financial risks
to a broader perspective of Enterprise Risk Management (ERM) (Bugalla and Kallman, 2012). ERM
is a broader area which involves a set of processes and methods used by the organisation to manage
not just risks associated with accidental losses, but also financial, strategic, technological, operational,
and other business risks (Nayak et al., 2010).
This paper highlights the threats and opportunities associated with the adoption of ERM which
include people’s perception of risk management and why a risk aware culture is important at all levels
before adopting the ERM based approach. The paper also addresses a few popular frameworks which
are used for ERM (i.e. COSO framework and Protivi risk model) which help organisations to
understand a complete picture of ERM activities and its functional areas and gives an idea of how to
implement ERM in an effective way. The work presented in this paper is taken from an on-going
project which is being undertaken to develop a practical tool for providing better analysis of risk data
and improved knowledge management (KM). We will demonstrate how this will generate more
reliable decision making information.
Keywords: Risk Management (RM), Enterprise Risk Management (ERM), Risk Perception, Risk
Culture, ERM Framework, Decision-Support Tool, Knowledge Management (KM)

3. 1. Introduction:
The term Risk is seen differently by different individuals. For instance, during the data collection
stage of current research in which several interviews were conducted with safety professionals
working at various levels of organisations, it was observed that even within the safety domain, each
individual has its own definition of the term risk. Some of these definitions of risk are as follows:
Definition 1: “The term Risk in general is a combination of different activities that we are doing to
identify where we might encounter hazards, what the incident/s might be and then we ask the
fundamental question “what makes that incident that we predicted more or less likely to occur”
(Safety Manager Strategic, A Leading Chain of Supermarkets).
Definition 2: “I don’t think risk is necessarily what has happened; risk is the potential for something
to happen given that the equipments you use, the operations you have, the environment you are
operating etc. My general observation is that we have a number of risks in our workplace that could
occur and a lot of them are overlooked because they don’t necessarily happen that frequently” (Head
of Safety, A Leading Logistics Organisation).
Definition 3: “Risk is a likelihood of a positive or a negative outcome of an event. An event could be
any of those things (i.e. positive or negative). The Risk is an equation of how likely that is to happen
and then what outcome would be” (Group Head of Safety, A Leading Logistics Organisation).
Similarly, Risk Management (RM) is broader area and a systematic process which helps
organisations to understand what the risks are, who is at risk, what current controls are for those risks,
and then making a judgement about whether the current controls are adequate or not. If they are not
adequate then doing something more to manage the level of risk down to an acceptable and
reasonable level (Head of Safety International Operations, Leading Logistics Organisation).
Nowadays, implementing a proper risk management system or a safety system within the
organisations (especially in the large organisations) has become a legal requirement and at the same
time it is a moral obligation of organisations to protect their employees. It helps organisations to save
their costs because implementing risk management systems will help them to reduce the number of
accidents which ultimately reduces the costs associated with accident investigations, compensations,
impact on reputation, and above all the management’s valuable time.
Enterprise Risk Management (ERM) has recently emerged as an important and relatively a new
business trend which incorporates the principles of a traditional Risk Management approach.
According to KPMG (2001) it is more structured and a disciplined approach aligning strategy,

4. processes, people, technology, and knowledge with the purpose of evaluating and managing the
uncertainties the enterprise faces as it creates value. Enterprise-wide means the removal of traditional
functional, divisional, departmental, or cultural barriers. ERM is a new phenomenon which involves
risks associated with not only in health & safety and financial but also with technological, reputational
and with other business areas (Nayak et al., 2010). ERM is encouraging the culture of risk-based
decision making as it provides more holistic view of various risks across the organisation which helps
decision making easy.
Several organisations have realised that ERM has the potential to provide a new competitive
advantage. As a result, they have started adopting the concepts of ERM within their business settings
and are getting benefits from it. However, several other organisations are still uncertain about ERM,
and exactly how to translate the concepts of ERM into concrete action steps that will help them to
enhance shareholder value. Therefore, this paper will address the benefits of ERM within different
business areas of the organisation using COSO framework and Protiviti risk model. Also, the threats
and opportunities associated with the adoption of ERM are also covered. Furthermore, the paper also
presents some discussions about people’s perception of risk and why risk aware culture is essential at
all levels within the organisation. Lastly, discussions about the ongoing research project, its progress
to date, and its future targets are presented in the final section.
2. ERM Frameworks
By definition a framework serves as a guide and provides an overview of different interconnected
activities within an organisation to achieve its targets. In short, a framework would help the
implementation of ERM. In this section, I discuss two popular frameworks that are mostly used for
ERM (i.e. COSO ERM framework and Protiviti Risk Model). These frameworks are selected from the
range of existing ERM frameworks studied during the literature survey. Other frameworks/standards
include Institute of Risk Management (IRM), British Standards 31100, International Organisation for
Standardisation (ISO 31000), Risk and Insurance Management Society (RIMS) Risk Maturity Model,
and Federation of Europeans Risk Management Association (FERMA). The selected frameworks
presented in this section are useful for organisations to understand a complete picture of ERM
activities and its functional areas and gives an idea of how to implement ERM in an effective way.
2.1 COSO ERM Framework
In 2001, Committee of Sponsoring Organisations of the Treadway Commission (COSO) initiated a
project and engaged PricewaterhouseCoopers (PWC) to develop a framework that would be readily
usable by managements to evaluate and improve their organisations’ enterprise risk management.

5. After a couple of years in 2004, COSO published ERM integrated framework which nowadays is the
most commonly used ERM framework in many organisations across the globe (COSO, 2004). A
detailed account of its several components is presented in this section.
Figure 1: COSO’s ERM Framework (Source: COSO, 2004)
2.1.1 Components of ERM Framework:
COSO ERM framework is a three-dimensional model or a framework for understanding enterprise
risk. It consists of eight horizontal rows or risk components as a part of one model dimension. These
components are derived from the way management runs an enterprise and are integrated with the
management process. These are:
 Internal Environment: It consists of the overall environment within the organisation and sets the
basis for how risk is viewed and addressed by an entity’s people, including risk management
philosophy and risk appetite, integrity and ethical values, and the environment in which they
operate.
 Objective Setting: The overall Objectives must be set before management identify potential
events that are affecting their achievement. ERM ensures that management has in place a process
to set objectives and that the chosen objectives support and align with the organisation’s mission
and are consistent with its risk appetite.
 Event Identification: Internal and external events affecting achievement of an organisation’s
objectives must be identified, distinguishing between risks and opportunities.
 Risk Assessment: Risks are analysed (in view of likelihood and impact) as a basis for determining
how they should be managed. Risks are also assessed on an inherent and a residual basis.

6.  Risk Response: Management identify and select risk responses (avoiding, accepting, reducing, or
sharing risk) and develop a set of actions to align risks with the organisation’s risk tolerances and
risk appetite.
 Control Activities: Policies and procedures are established and implemented to ensure that the
risk responses are effectively carried out.
 Information and Communication: Relevant information is identified, captured, and
communicated in a form and timeframe that enable people to carry out their responsibilities.
Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
 Monitoring: The entirety of enterprise risk management is monitored and modifications made as
necessary. Monitoring is accomplished through ongoing management activities, separate
evaluations, or both (COSO, 2004).
Similarly, the second dimension of four vertical columns represents the strategic objectives of
enterprise risk. These include: Strategic – organisation’s high-level goals aligned with and supporting
its mission and vision, Operations – effective and efficient use of its resources including physical and
human resources, Reporting – reliability of reporting and Compliance – compliance with appropriate
laws and regulations and industry standards. Finally, the third dimension describing the organisational
units that are part of the risk framework i.e. entity level, division, business unit, and subsidiary
(COSO, 2004).
COSO believes that the ERM Framework provides a clearly defined interrelationship between an
organisation's risk management components and objectives that will fill the need to meet new laws,
regulations, and listing standards and expects it will become widely accepted by companies and other
organisations and interested parties (COSO, 2004).
2.2 Protiviti Risk Model
The Protiviti Risk Model is another successful ERM model developed by Protiviti which is a global
consulting firm that helps companies to solve problems in finance, technology, operations,
governance, risk and internal audit (Protiviti, 2005). Their ERM model is a comprehensive organising
framework for defining, understanding, and communicating potential business risks within the
organisation. The model categorises business risks into three main areas i.e. Environment Risk (i.e.
Business Environment Risk), Process Risk, and Information for Decision-Making Risk as shown in the
following figure 2. A complete account of these three major areas is presented in this section.

7. Figure 2: Protiviti Risk Model (Source: Protiviti, 2005)
2.2.1 Environment Risk (i.e. Business Environment Risk)
These are the external forces that affect the organisation’s overall performance in terms of strategies,
operations, customer and supplier relationships, organisational structure etc. These forces are outside
management’s ability to control. As shown in figure 2, these forces/risks are: competitor risk,
customer wants risk, technological innovation risk, sensitivity risk, shareholder expectations risk,
capital availability risk, sovereign/political risk, legal risk, regulatory risk, industry risk, financial
market risk, and catastrophic loss risk (Protiviti, 2005).
2.2.2 Process Risk
It involves risks that come as a result of business processes not clearly defined or poorly aligned with
the overall business objectives/strategies, customer needs are not met, or expose assets to
misappropriation or misuse. Process risks include seven sub-categories.
 Financial Risk: These risks occur when the organisation fails to provide adequate liquidity to
meet firm’s obligations or manages the financial risks in such a manner that it is seen inconsistent
with the overall firm’s business objectives. Some of these risks include price risk, liquidity risk,
and credit risk.

8.  Empowerment Risk: These risks occur when both employees and managers do not know what to
do or how to do it. Also, when managers do not have enough resources (necessary tools or trained
employees) to make effective decisions. These risks include leadership risk, authority/limit risk,
outsourcing risk, performance incentives risk, change readiness risk, and communications risk.
 Governance Risk: These risks occur when organisation’s governance processes does not comply
with legal requirements and the board directors fails to provide adequate monitoring in overall
management activities. These include organisational culture, ethical behaviour, board
effectiveness, and succession planning.
 Reputation Risk: These risks are related with loss of brand image e.g. organisation unable to
perform in the marketplace.
 Integrity Risk: This involves risks associated with management fraud, employee fraud, illegal and
unauthorised acts which leads to the reputation degradation in the business market.
 Operations Risk: These risks occur when operations are inefficient in satisfying customers’ needs
and obtaining organisation’s objectives. These include customer satisfaction risk, human resource
risk, efficiency risk, capital risk, compliance risk, business interruption risk, health and safety risk
etc.
 Information Technology Risk: These risks occur when current technologies are not supporting
the needs of the business. These include integrity risk, access risk, availability risk, and
infrastructure risk (Protiviti, 2005).
2.2.3 Information for Decision-Making Risk
It overall involves risks that information used to support strategic, operational, and financial decisions
is not relevant or reliable. These risks include three sub categories.
 Strategic Risk: These include risks such as environmental scan risk, business model risk, business
portfolio risk, organisation structure risk, planning risk, and life cycle risk.
 Public Reporting Risk: These include risks such as financial reporting evaluation risk, internal
control evaluation risk, pension fraud risk, and regulatory reporting risk.
 Operational Risk: These include risks such as budget and planning risk, product/service planning
risk, alignment risk, and account information risk (Protiviti, 2005).

9. 3. Threats and Opportunities with ERM Adoption OR Factors that Affect ERM Adoption
3.1 Risk Culture (i.e. Risk Perception)
For ERM to be successful within the organisations there is a strong need to have a risk-aware culture
at all levels as peoples’ perception to risk varies between different levels in most organisations. This
was observed during the interviews with safety professionals at major UK commercial organisations.
For instance, health and safety manager of a leading international architectural firm views risk culture
differently at different levels at his organisation. He explains risk perception and culture as:
“The overall culture within the organisation varies depending on the employees working at
different levels and even within each department. The reason being that there is a gap
between the top management and the employees working at lower levels in terms of
understanding the overall risk management. I can sum it up in a comment that gives a good
illustration of it. It goes like “you’re health and safety, you deal with it”. In other words, some
people have not fully recognised the fact that health and safety is everybody’s responsibility;
although we do have a health and safety team/health and safety manager, but still it is not
their sole responsibility. It could be a result of how health and safety managers have managed
it in the past; they have not made employees aware that it is everybody’s responsibility to
think about safety at the first place. Also, they have just been more reactive rather than
proactive” (Health and Safety Manager, A Leading International Architectural Practice).
Similarly, safety manager, strategic, of a leading chain of supermarkets describes safety risk
awareness culture as:
“I think there is an excellent understanding at middle level management and below as we
have enough resources to provide training to them about safety risk management. But when it
comes to the senior or top management such as directors etc., I think because we have not
been able to find opportunities to provide training at that level, they are learning about safety
risk management through us which I believe is not ideal” (Safety Manager Strategic, A
Leading Chain of Supermarkets).
Another good example about risk perception and culture was mentioned by an associate director, HSE
International at Speciality Biopharmaceutical Company during the interview. He explained it as:
“If we have a known perceived risk, then there would be group setup to look at it and manage
it. This is how the risks are managed. The culture is that we only deal with it when needed to;

10. I do not think that there is an automated process at the moment”. (Associate Director, HSE
International at Speciality Biopharmaceutical Company).
In order to overcome such problems, Emma Price, director of risk advisory at Active Risk in her
recent article considers the role of senior management and the board essential for ERM policies to be
succeeded. She explained the process of risk changing culture within organisations and proposed
suggestions to the board and senior management in four main steps as:
 Identify the desired future state of the organisation’s risk culture
 Identify the current risk management culture
 Define the roadmap to close the gap between the current and desired states, and allocate the
appropriate resources
 Implement the roadmap and monitor its success
 If it was not successful, choose an alternative and repeat the process.
She also believes that developing an appropriate risk culture is a journey rather than an instant
solution. It requires moulding the behaviours, beliefs, and values of employees. However, in order to
achieve it, the senior management plays a vital role in leading by example to develop this culture by
setting the “tone from the top” both through actions and through effective communication (Active
Risk, 2013).
3.2 Risk Technology (e.g. ERM Hardware and Software)
For implementing a proper ERM based system within the organisations, technology plays an
important role as it has always been seen as an essential component for organisations to run
successfully. According to Ramamoorti and Weidenmier (2006) “technology helps to provide timely
data that will assist with the identification, analysis and response to risks. The organisational changes
and the speed created by technology forces auditors to recognise and monitor how it impacts risk
management. Therefore, technology is an asset for organisations trying to manage risk, but
concurrently the increased use of technology also creates a risk that cannot be overlooked”.
During the recent interviews with safety professionals working at major UK commercial
organisations, they all described the benefits and importance of technology and highlighted the need
for organisations to have a centralised system if they are aiming for an ERM based approach. For
instance safety manager, strategic, of a leading chain of supermarkets highlighted the importance of
having an ERM based centralised system as:

11. “At present, we do have a software procedure for incident recording, investigations and
reporting. But, it is no longer fit for purpose and we are in conjunction with various other
functions within the business corporately and looking for an ERM based risk management
reporting web-based system which will be programmed to analyse the data and produce
monthly and quarterly reports etc. Also, it will be tailored to our particular needs as we are
absolutely against buying risk assessment and incident investigation packages off-the-shelf
because it does not fit in to our requirements (Safety Manager Strategic, A Leading Chain of
Supermarkets).
Similarly, the head of safety, security and resilience of a “publicly-funded research organisation
dedicated to improving public health” talked about how the software functionality supports the goals
of risk management and need for organisations to have a software for predicting risks as:
“It really depends on what the goals of risk management are set for the organisations. For a
lot of people, the goal of risk management is to have a risk register which includes
information about thousands of risks; for them, a risk register software fully fits their goals.
However, there is a need for organisations to have a software through which they can predict
different risks on the basis of previous trends. This will really help organisation in reducing
risks” (Head of Safety, Security and Resilience, A Publicly-Funded Research Organisation
Dedicated to Improving Public Health).
As a result, technology has gained a lot of importance for ERM and implementing a proper centralised
ERM based system is essential as it will not only keep record of potential risks but at the same time it
will provide help with predicting different risks.
3.3 Risk Strategy
As seen in Frigo and Anderson (2011), Michael Porter describes Risk and Strategy in his land mark
book Competitive Advantage as:
“Risk is a function of how poorly a strategy will perform if the wrong scenario occurs” (Porter,
1985; Frigo and Anderson, 2011).
The authors define Strategic Risk Management as:
“It is a process for identifying, assessing, and managing risks anywhere in the strategy with the
ultimate goal of protecting and creating shareholder value. It is a primary component and

12. foundation of ERM which is affected by boards of directors, management and other personnel.
It requires a strategic view of risk and consideration of how external and internal events will
affect the ability of an organisation to achieve its objectives” (Frigo and Anderson, 2011).
Risk strategy is no doubt another important element which is sometimes not very well addressed by
the organisations as most of the organisations fail to design a broader risk management strategy.
During the interviews, several views were gathered about risk strategy; I would share a couple of
them here. For instance, head of safety of a leading logistics organisation emphasised on the need to
have a broader strategy within the enterprise. He explains it as:
“Personally I think that the current Risk Strategy at our organisation is a bit fragmented; we
have strategies within individual business units but not as a whole at the organisational level.
I think it is something that we now need to work on across our organisation because we are
one legal entity and being one legal entity, we come across with several risks such as
prosecution, fines etc. Hence, there has to be an enterprise level Risk Management strategy
(i.e. ERM Strategy)” (Head of Safety, A Leading Logistics Organisation).
Regarding the person responsible for the overall risk management strategy within the organisation,
another safety director within the same organisation explains it as:
“From the organisation’s perspective, I would say that our Chief Executive is responsible for
the overall risk management strategy. Then, Managing Director for Operations is also
responsible. Policies are setup between the levels of those two people. So at our level, we do
not make policies; we just deploy them whereas the Board makes the policy decisions and
people like me at the regional level follow those decisions. My job is to put those decisions in
place and make them work; not create it” (Director of Safety, A Leading Logistics
Organisation).
A proper strategic risk management action plan should consider how risk assessment and management
can be integrated into strategy-execution processes. The Kaplan and Norton’s strategy execution
model describes six stages for strategy execution and provides a useful framework for visualising
where risk management can be done. These are:
 Stage 1 – Develop the strategy,
 Stage 2 – Translate the strategy,
 Stage 3 – Align the organisation,

13.  Stage 4 – Plan operations,
 Stage 5 – Monitor and Learn,
 Stage 6 – Test and Adapt (Kaplan and Norton, 2008)
The authors also designed a Balanced Scorecard approach which is a strategic planning and
management system used extensively in business and industry, government, and non-profit
organisations worldwide to align business activities to the vision and strategy of the organisation,
improve internal and external communications, and monitor organisation performance against
strategic goals. (Kaplan and Norton, 2008; Balanced Scorecard Institute, 2013).
3.4 Risk Monitoring and Control
It is another essential element of ERM which involves the identification, analysis, planning and
tracking of new risks, constantly reviewing existing risks, monitoring trigger conditions for
contingency plans and monitoring residual risks, as well as reviewing the execution of risk responses
while evaluating their effectiveness. The process employs techniques which include variance and
trend analysis (RobustPM, 2013).
Risk monitoring and control was seen as one of the favourite topics during the interviews and several
responses were gathered about this topic; few of them are shared in this section. For instance,
regarding whether organisations use formal or informal systems to monitor risks, director of safety of
a leading logistics organisation explains it as:
“At present, we got a lot better in monitoring risks. Since last 2 to 3 years, we have introduced
a formal system i.e. we have started different risk assessments electronically which is a good
example of monitoring risks. Our senior safety professionals manage the central system; they
are the ones who govern and produce monthly, quarterly, and annual reports etc. However, at
present we do not monitor the quality of risks; we only monitor the number of risks.
Monitoring the quality of risks is one of our future targets” (Director of Safety, A Leading
Logistics Company).
In case of identifying a new risk, head of safety, security and resilience of a publicly-funded research
organisation dedicated to improving human health explains it as:
“If it is a new risk, it will go to the risk register and will be then discussed by the risk
management committee. It will also be highlighted with the operations board. If it has

14. reputational impact, press office will get involved. So, there is a mechanism for escalating
risks and deciding often if it is a risk or not/is it important or not” (Head of Safety, Security
and Resilience, A Publicly-Funded Research Organisation Dedicated to Improving Human
Health).
3.5 Employee Training and Development
Training and development, in other words learning in the workplace is another essential element for
ERM to be fully integrated within the organisation. Nowadays, with increasingly advanced
technology, it is extremely important for organisations to provide training to their employees because
organisations sell services that incorporate new procedures, often based on technology, and aimed at
providing greater benefits to the client which brings greater profit to themselves (Heap, et al., 1995,
p.183). During the interviews, while asking some questions about how important employees training
and development is and whether the organisation already possesses the necessary skills and resources,
majority of interviewees provided positive answers. Most of them feel that training is an essential
component and it always gets top priority. For instance, director of safety of a leading logistics
organisation talked about it as:
“We have people who are trained and skilled; we also have ongoing development of our
employees from lower level so that they can build their skills up. Most of our programs team
possess at least PRINCE 1 and PRINCE 2 (Project Management) qualifications before being
part of the programs team. It is an obligation for them to go through that qualification”
(Director of Safety, A Leading Logistics Organisation).
The health and safety manager of a leading international architectural firm emphasised on training as:
“Our employees have been given proper induction when they start working at the
organisation. From time-to-time we also manage different training sessions for them to
educate them about various risks” (Health and Safety Manager, A Leading International
Architectural Firm)
Goldenberg (2002, p.136) in his book talked about the different forms of training that are generally
available for organisations. These are initial user training, train the trainer, system administrator
training, periodic training. For organisation to implement a new ERM system (ERM based software)
and depending on the size of organisation and the nature of its business, some or most of these forms
of training are essential. A detailed account of these training types is discussed below:

15.  Initial User Training: This type of training is a requirement for almost every employee working at
the organisation. If the organisation ends up purchasing off-the-shelf software, initial user training
is usually included or can be negotiated into the overall price of the software. If the organisation is
developing the software in-house, training programmes can be designed and arranged by the IT
department to educate the employees about the major features of the new software. The main
objective of initial user training is to provide employees (users) with an overview of the new
system, then to go into individual system functions and features. After each section of the
training, it is best practice to ask employees (users) to complete a hands-on test to show that they
have understood how to use that section of the system effectively.
 Train the Trainer: This type of training is essential for those organisations that prefer to do their
own training, or when there are so many system users that it becomes difficult to train them all at
once. The objective of this session is to bring together internal trainers so that they may learn how
to use the system and then how to teach other employees (users) to use the system.
 Systems Administrator Training: If the organisation’s software is purchased from an external
vendor, this type of training takes place between the vendor and the organisation’s assigned
system administrator(s). If the software is built in-house, it is still critical that the system
administrator(s) receives proper training in its use.
 Periodic Training: It involves employees are already trained on the system and they use the
system but shortly thereafter, they are likely to retain much of their training. Nonetheless, the
most seasoned learner benefits from periodic training, particularly if new updates of the software
are installed that include advanced functions and features. Therefore, it is recommended for
organisations to arrange periodic training sessions for employees at least every six months after
the system has been properly installed and implemented (Goldenberg, 2002, p.136).
4. About the Project – An Introduction to the Decision Support Tool (DST)
The aim of the project is to develop a web-based Decision Support Tool (DST) and an accompanying
education programme to improve the reliability of management information for risk practitioners. It
will be an ERM based tool which features several components of ERM such as health and safety
risks, financial risks, environmental risks, technological risks, legal risks, reputational risks etc. The
two project partners involved in designing the web-based decision support tool are International
Institute of Risk and Safety Management (IIRSM) and Manchester Business School (MBS), The
University of Manchester while the design and hosting of the tool will be done by a specialist IT

16. software development organisation. It is envisaged that the tool will enable organisations to improve
their decision making and influence individuals’ perceptions, attitudes, and managerial actions by:
 Extending the scope and reach of a robust risk analysis approach in practice;
 Giving non-experts an accessible tool to enable them to start thinking strategically about risk and
making better decisions that will prevent accidents, injuries, and business impacts;
 Developing the skills and competence of risk professionals;
 Strengthening knowledge of risk whilst reinforcing the support provision offered to members.
The project plan itself will feature the four stages:
i. Research Design and Data Collection: To evaluate current risk management maturity of
major commercial UK organisations through investigating their risk management practices in
relation to current state of the art theory via an on-line questionnaire and structured in-depth
interviews.
ii. Design and Development of the Decision Support Tool: To develop a web-based decision
support tool prototype using the data and analysis from Stage 1.
iii. User Testing: To test and validate the web-based decision support tool prototype. This will be
an iterative and interactive process of testing the prototype, collecting and acting on feedback,
refinement and validation of the web-based user interface. The education programme will be
developed in parallel.
iv. Consolidation and Preparation for Commercialisation of the New Toolkit: To develop and
formalise the supporting documentation for the tool and programme, including marketing and
sales literature. The tool will be rolled out across the pilot organisations.
The tool and a supporting educational programme will encourage risk management practitioners to
reduce over reliance on intuitive approaches, and organisations to employ more systematic and
rigorous risk evaluations, which in turn will result in cost (and human life) savings. In future, it is
anticipated that the decision support tool could provide an opportunity for internal and external
benchmarking of risk data.
4.1 Progress to Date and Future Work
Stage 1 of the project which includes conducting in-depth qualitative interviews with safety
professional working at the major commercial UK organisations is now complete. The organisations
participated during the interviews were:

17. Organisation 1 A Leading Logistics Organisation
About the Organisation: Organisation 1 is a leading logistics and postal service
of the UK responsible for universal mail collection and delivery.
Organisation 2 A Leading Chain of British Supermarkets
About the Organisation: Organisation 2 is an upmarket chain of British
supermarkets, forming the food retail division of Britain's largest employee-
owned retailer.
Organisation 3 A Leading International Architectural Firm
About the Organisation: Organisation 3 is one of the most innovative
architectural and integrated design firm based in London.
Organisation 4 Specialty Biopharmaceutical Company
About the Organisation: Organisation 4 is a global specialty biopharmaceutical
organisation that is the manufacturer of pharmaceuticals.
Organisation 5 A Publicly-Funded Research Organisation Dedicated to Improving Human
Health
About the Organisation: Organisation 5 is a publicly-funded organisation
dedicated to improving human health. The organisation also supports research
across the entire spectrum of medical sciences, in universities and hospitals, in its
own units, centres and institutes in the UK, and in its units in Africa.
Table 1: About the Organisations Participated and Type of Business
The data gathered from these organisations in the form of interviews will be useful to design the
safety and occupational health components of the decision support tool. More interviews are planned
in future with professionals working at different other areas of organisation to gather their views on
ERM and how it should be implemented. This would help to design other components of the tool.
Similarly, Stage 2 is well under way with the prototype resource being currently developed in
conjunction with a leading IT software development organisation to cover safety and occupational
health components.
5. References
Active Risk (2013) “Embedding a Risk Management Culture from the Top Down”, White Paper,
[Online], Available from: http://resources.activerisk.com/embedding-a-risk-management-culture-
from-the-top-down [Accessed 13th
June 2013]

18. Balanced Scorecard Institute (2013) “What Is the Balanced Scorecard?”, [Online], Available from:
https://www.balancedscorecard.org/BSCResources/AbouttheBalancedScorecard/tabid/55/Default.asp
x [Accessed 17th June 2013]
Bugalla, J., and Kallman, J. (2012) “Where Are You on the Risk Management Career Path?”
Magazine article from Risk Management, 59(5)
Committee of Sponsoring Organisations of the Treadway Commission (COSO) (2004)
“Enterprise Risk Management – Integrated Framework”, [Online], Available from:
http://www.coso.org/documents/coso_erm_executivesummary.pdf [Accessed 10th June 2013]
Frigo, M.L., and Anderson, R.J. (2011) “Strategic Risk Management: A Foundation for Improving
Enterprise Risk Management and Governance”, The Journal of Corporate Accounting and Finance,
Wiley Periodicals, Inc., pp. 81-88
Goldenberg, B.J. (2002) “CRM Automation”, Prentice Hall, NJ, 07458
Heap, N., Thomas, R., Einon, G., and Mason, H. (1995) “Information Technology and Society”,
Sage Publications, In Associations with the Open University, Thousand Oaks, London
Kaplan, R.S., and Norton, D.P. (2008) “The Execution Premium”, Boston, MA: Harvard Business
Press
KPMG (2001) “Enterprise Risk Management – An Emerging Model for Building Shareholder
Value”, [Online], Available from: http://www.kpmg.com.au/aci/docs/ent-risk-mgt.pdf [Accessed 10th
June 2013]
Porter, M.E. (1985) “Competitive Advantage: Creating and Sustaining Superior Performance” New
York: Free Press, p.476
Nayak, N., Akkiraju, R., Mantripragada, N., and Torok, R. (2010) “A Knowledge-based Decision
Support Tool for Enterprise Risk Management”, IBM Research Report, IBM T.J Watson Research
Centre, P.O. Box 218, Yorktown Heights, NY 10598, USA, June 7, 2010
Protiviti (2005) “Protiviti Risk Model”, [Online], Available from:
http://cours2.fsa.ulaval.ca/cours/gsf-60808/Protiviti%20Risk%20ModelSM.pdf [Accessed 11th
June
2013]

19. Ramamoorti, S., and Weidenmier, M. (2006) “Is IT Next for ERM?” ERM Under Construction,
Internal Auditor, pp. 45-50
RobustPM (2013) “Risk Monitoring & Control Process” [Online], Available from:
http://www.robustpm.com/processes/tech_enabled/process_risk_mon_cntrl.aspx [Accessed 18th June
2013]
View publication stats
View publication stats