ENTERPRISE RISK MANAGEMENT
December 2017 Hisham Haridy, MBA, PMP, PMI-RMP, PMI-SP
Content
Introduction
Conceptual Roots
What’s Enterprise Risk Management?
Risk
Risk Management
ERM Implementation
References
ENTERPRISE RISK MANAGEMENT 1
Introduction
Traditional risk management formally developed as a field in the 1960s and focused on “pure” risks (loss/no-loss situations) that often could be insured; it developed from the insurance purchasing area.
Foreign exchange risk from the Bretton Woods agreement in 1972, commodity price risk from the oil price fluctuations of the 1970s, equity risk from the development of option markets in 1973, and interest rate risk from the Federal Reserve Board policy shift in 1979 were the new elements of risk in the 1970s.
In the 1980s, new risk management was developed to deal with financial risk (foreign exchange risk, interest rate risk, equity risk, and commodity price risk).
In the 1990s, Enterprise Risk Management was developed, with an initial focus on avoiding derivative disasters, developing into optimizing firm value.
Enterprise Risk Management (ERM) proposes that firms address all their risks comprehensively and coherently, instead of managing them individually.
Conceptual Roots
Since Kloman's (1976) “The Risk Management Revolution”, many practitioners have advocated a coordinated approach to risk management.
Crockford (1980) argued for multidisciplinary risk management rather than risk management siloed and “fragmented among a number of sects.”
Bannister and Bawcutt (1981) proposed that risk management requires multiple disciplines working together to manage “future uncertainty.”
Titman (1986) discussed the “benefits to integrating risk management activities in a single framework”.
Haimes (1992) called for “the evolution toward a more holistic approach,” which Haimes terms “total risk management.”
Kloman (1992) described concepts coming out of Europe from the mid 70s to the early 80s that we now associate with ERM.
Holton (1996): the term Enterprise Risk Management appears.
Stulz (1996) proposed that academic theory expand beyond the traditional risk management (TRM) goal of “variance minimization” with its focus on the downside of risk.
Colquitt et al. (1999) called for “integrated risk management”; the first academic papers using the term “Enterprise Risk Management” appeared in 2001.
Dickinson (2001) stated that ERM emerged as a corporate concept in the mid-1990s, and defined ERM as a “systematic and integrated approach of the management of the total risks a company faces.”
Brogan (2001) offered one of the first definitions of ERM: “The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders”.
What’s ERM?
Enterprise Risk Management is the process of (1) identifying major risks that confront an organization, (2) forecasting the significance of those risks in business processes, (3) addressing the risks in a systematic and coordinated plan, (4) implementing the plan, and (5) holding key individuals responsible for managing critical risks within the scope of their responsibilities.
“ERM provides a framework for Risk Management”
ERM is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. Risk and Insurance Management Society (RIMS) (2011)
Governance, Risk and Compliance (GRC) vs. Enterprise Risk Management (ERM)
GRC: embraces compliance as a separate activity for each business silo.
ERM: is concerned with delivering measurable business value by tying front line operational activities to goals across all business units.
ERM DEFINITION LEVELS
Strategic: achieving organizational objectives (“focus on results”).
Functional: activities that reduce risk and seize opportunities.
Process: actions undertaken by managers to manage risk.
ERM “COMMON RISK ALLOCATION”
The four risk categories ERM commonly allocates risks to:
Hazard risk
Financial risk
Operational risk
Strategic risk
RISK
1. The possibility of suffering harm or loss (American Heritage Dictionary, Houghton Mifflin Co.)
2. Uncertainty of an event which, if it occurred, would result in a negative or positive effect on the project (Project Management Institute).
UNCERTAINTY
Uncertainty is a lack of knowledge about an event that reduces confidence in conclusions drawn from the data.
The investigation of uncertainties may help identify RISKs.
Under certainty, the outcome can be predicted with a high degree of confidence.
In reality, most decisions are taken without complete information, and therefore give rise to some degree of uncertainty in the outcome.
RISK ATTITUDE
Organizations perceive risk as the effect of uncertainty on projects and organizational objectives.
Organizations and stakeholders are willing to accept varying degrees of risk depending on their risk attitude.
The risk attitudes of both the organization and the stakeholders may be influenced by a number of factors, which are broadly classified into three themes:
1. Risk appetite
2. Risk tolerance
3. Risk threshold
RISK APPETITE
Risk appetite is about the pursuit of risk.
Organizations have to take some risks and they have to avoid others.
Risk appetite is delegated downward from the strategic level through the organization using various means such as policies, procedures, training, and supervision.
(Figure: the organization’s risk exposure, with risk appetite as the risks an organization engages.)
RISK TOLERANCE
Tolerances are the areas of risk that are acceptable or unacceptable, or the degree, amount, or volume of risk that an organization or individual will WITHSTAND.
Three common classifications used for describing risk tolerance or risk profile are the risk averse (or avoider), risk neutral (or tolerant), and risk seeker (or taker).
(Figure: the organization’s risk exposure, with risk tolerance as the risk an organization could potentially tolerate.)
RISK THRESHOLD
Refers to measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest.
A threshold is the point at which a risk becomes unacceptable.
Below that risk threshold, the organization will accept the risk.
Above that risk threshold, the organization will NOT tolerate the risk.
Risk Management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Risk: the effect of uncertainty on objectives, as defined in ISO 31000.
Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.
RISK MANAGEMENT STEPS
• Plan: identify the key elements of risk management.
• Assess: identify the threats/opportunities and analyze them to determine potential impact to outcomes and determine appropriate treatment priorities.
• Treat: plan and implement the treatment of the identified risks.
• Control: monitor the implementation of risk treatment actions, report on status, and adjust actions according to results.
RISK MANAGEMENT PROCESS (based on ISO 31000)
Establish goals & context
Risk assessment: identify risks, analyse risks, evaluate risks
Treat risks
Monitor/review and consultation/communication run alongside every step.
1. Risk Assessment
Risk identification establishes the exposure of the organization to risk and uncertainty.
This requires an intimate knowledge of the organization, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives.
This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives.
ENVIRONMENTAL SCAN
The ERM environmental scan groups risks into four categories:
Financial risks: foreign exchange rate, equity, interest rate, commodity price.
Strategic risks: political impediments, technological innovation, regulation.
Hazard risks (pure loss situations): employee related, liability, property.
Operational risks: product recall, management fraud, labor dispute, information technology, customer satisfaction.
TOOLS AND TECHNIQUES (risk identification, drawing on internal and external sources)
1) Brainstorming
2) Interviewing
3) Delphi Technique
4) Root Cause Analysis
5) Financial Statements
6) Historical Records
RISK MANAGEMENT PROCESS
Once activities within the organization have been evaluated and all the risks flowing from these activities defined, risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritizing risk treatment efforts.
This ranks the relative importance of each identified risk.
The overall objective of the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes is to determine which RISKS warrant a treatment.
TOOLS AND TECHNIQUES: Probability and Impact Matrix (PIM)
Key action by rating:
High risks: risks you should definitely move into the Perform Quantitative Risk Analysis process and/or the Plan Risk Responses process.
Medium risks: risks you might decide to move into the Perform Quantitative Risk Analysis process and/or the Plan Risk Responses process.
Low risks: risks to simply document (= WATCHLIST).
TOOLS AND TECHNIQUES (quantitative analysis: data gathering)
1) Interviewing
2) Expert Judgment
3) Probability Distribution
TOOLS AND TECHNIQUES (quantitative analysis)
Sensitivity Analysis (“Tornado Diagram & What-If Scenarios”): determines which risks have the most potential impact on the project.
Expected Monetary Value Analysis (EMV): multiplying the value of each outcome by the probability of its occurrence; the overall probable circumstance will be a result of the events.
Decision Tree Analysis: incorporates probabilities of risks and costs or rewards of each logical path; future events are not certain.
Modeling & Simulation (“Monte Carlo Simulation”): translates how uncertainties specified at a detailed level of the project may affect its objectives; derives overall project risk from individual risks.
(Figure: Monte Carlo output showing completion date frequency with the cumulative probability curve.)
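The PIM triage, EMV and Monte Carlo tools above, as an added example that is not part of the original slides: a constructed risk register is scored on a probability x impact matrix with assumed High/Medium cut-offs, its expected monetary value is summed, and schedule risk is simulated to produce the cumulative completion probability the chart plots. All register entries, cut-offs and delays are illustrative assumptions.

```python
import random
from dataclasses import dataclass

# Constructed sample risk register (illustrative values, not from the slides).
# probability: 0..1; impact: 1 (very low) .. 5 (very high) PIM ordinal score;
# cost_if_occurs: monetary loss if the risk materialises; delay_days: schedule
# delay if it materialises.
@dataclass
class Risk:
    name: str
    probability: float
    impact: int
    cost_if_occurs: float
    delay_days: int

REGISTER = [
    Risk("Supplier insolvency", 0.30, 5, 400_000, 40),
    Risk("Key staff departure", 0.50, 3, 120_000, 20),
    Risk("Regulatory change",   0.10, 4, 250_000, 30),
    Risk("Minor schedule slip", 0.70, 1,  15_000,  5),
    Risk("Data centre outage",  0.05, 5, 900_000, 10),
]

# Assumed PIM cut-offs (each organization sets its own as risk thresholds):
# score = probability x impact; at or above HIGH_CUTOFF is a High risk,
# at or above MEDIUM_CUTOFF a Medium risk, otherwise Low (watchlist).
HIGH_CUTOFF = 1.2
MEDIUM_CUTOFF = 0.5


def pim_score(risk):
    return risk.probability * risk.impact


def classify(risk):
    score = pim_score(risk)
    if score >= HIGH_CUTOFF:
        return "HIGH"
    if score >= MEDIUM_CUTOFF:
        return "MEDIUM"
    return "LOW"


def triage(register):
    """PIM key actions: HIGH -> quantitative analysis and response planning,
    MEDIUM -> optionally the same, LOW -> document on the watchlist."""
    buckets = {"HIGH": [], "MEDIUM": [], "LOW": []}
    for risk in register:
        buckets[classify(risk)].append(risk.name)
    return buckets


def emv(register):
    """Expected Monetary Value: sum of (probability x cost) over all risks.
    Note that a low-PIM risk (Data centre outage) still adds to EMV."""
    return sum(r.probability * r.cost_if_occurs for r in register)


def simulate_completion(register, base_days, runs=10_000, seed=1):
    """Monte Carlo: each run decides for every risk whether it occurs
    (Bernoulli trial on its probability) and adds its delay to base_days.
    Returns the sorted list of simulated total durations."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    results = []
    for _ in range(runs):
        total = base_days
        for risk in register:
            if rng.random() < risk.probability:
                total += risk.delay_days
        results.append(total)
    return sorted(results)


def cumulative_probability(sorted_durations, target_days):
    """Fraction of runs finishing on or before target_days: one point on the
    cumulative-probability S-curve of the completion-date chart."""
    hits = sum(1 for d in sorted_durations if d <= target_days)
    return hits / len(sorted_durations)


def duration_at_confidence(sorted_durations, confidence):
    """Duration by which at least `confidence` of the simulated runs finish."""
    index = min(len(sorted_durations) - 1,
                int(confidence * len(sorted_durations)))
    return sorted_durations[index]


if __name__ == "__main__":
    print("PIM triage:", triage(REGISTER))
    print("EMV of register:", emv(REGISTER))
    sim = simulate_completion(REGISTER, base_days=100)
    for days in (100, 120, 140, 160):
        print(f"P(finish <= {days} days) = {cumulative_probability(sim, days):.2f}")
    print("80% confidence completion:", duration_at_confidence(sim, 0.80), "days")
```

The triage and the EMV disagree about "Data centre outage": it lands on the watchlist by PIM score but contributes the third-largest share of EMV, which is why the slides send high risks on to quantitative analysis rather than stopping at the matrix.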
RISK MANAGEMENT PROCESS
2. Risk Treatment
Risk treatment is the activity of selecting and implementing appropriate control measures to modify the risk.
Risk treatment includes as its major element risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing.
Any system of risk treatment should provide efficient and effective internal controls.
TOOLS AND TECHNIQUES (risk treatment; figure not reproduced)
RISK MANAGEMENT PROCESS
Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.
The cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved.
One method of obtaining financial protection against the impact of risks is through risk financing, including insurance.
RISK REGISTER SAMPLE AND OUTPUTS (sample register figures not reproduced)
RISK MANAGEMENT PROCESS
3. Feedback
ISO 31000 recognizes the importance of feedback by way of two mechanisms.
1. Monitoring and review ensures that the organization monitors risk performance and learns from experience.
2. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework.
RISK MANAGEMENT SUCCESS FACTORS
Risk management success depends on:
Value risk management
Integrate with project management
Open and honest communication
Organizational commitment
Risk effort scaled to project
Responsibility
ERM Implementation
1- Planning and designing
2- Implementing and benchmarking
3- Measuring and monitoring
4- Learning and reporting
ERM IMPLEMENTATION
1. Planning and designing
1- Identify intended benefits of the enterprise risk management initiative and gain Board mandate
• Benefits of ERM
• Embedding risk management
2- Plan the scope of the ERM initiative and develop common language of risk
• Upside of risk
• Stakeholder expectations
3- Establish the risk management strategy, framework, and the roles and responsibilities
• Risk management policy
• Risk architecture
2. Implementing and Benchmarking
4- Adopt suitable risk assessment procedures and an agreed risk classification system
• Risk description
• Risk classification systems
5- Establish risk significance benchmarks and undertake risk assessments
• Risk assessment techniques
• Benchmark tests of significance
6- Determine risk appetite and risk tolerance levels, and evaluate the existing controls
• Risk register
• Risk appetite
3. Measuring and monitoring
7- Ensure cost-effectiveness of existing controls and introduce improvements
• Risk improvement plans
• BCP and DRP
8- Embed risk aware culture and align risk management with other management tasks
• Control environment
• Risk communications
4. Learning and reporting
9- Monitor and review risk performance indicators to measure ERM contribution
• Risk improvement plans
• BCP and DRP
10- Report risk performance in line with legal and other obligations, and monitor improvement
• Risk reporting
• Legal requirements
WHY ERM?
Offers survival: a better chance to identify, mitigate, avoid, and treat risks that could close us down.
Provides stability: in creating, distributing, financing, and selling products and services.
Adds confidence: the board and CEO are meeting fiduciary, community, social, and ethical responsibilities.
Builds good relationships with regulators.
How ERM Can Increase Firm Value
The process can focus on protecting value, cash flows, or earnings, but it cannot protect all three at once.
• Earnings-based strategy: reducing taxes.
• Value-based strategy: insuring to prevent assets from declining.
• Cash-flow-based strategy: hedging to maintain internal funding sources.
So decreasing the volatility of future cash flows can decrease the cost of capital, and firm value is the discounted sum of free cash flows:
$V = \sum_{t} \frac{FCF_t}{(1 + WACC)^t}$
V: firm value
FCF_t: free cash flow in period t
WACC: cost of capital
References
1. A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000.
2. Enterprise Risk Management: Review, Critique, and Research Directions, Philip Bromiley, Michael McShane, Anil Nair, Elzotbek Rustambekov, 2014.
3. Strategic Risk Management: Improving Your Organization’s Chances for Success, RIMS Conference 2012, Philadelphia.
4. Enterprise Risk Management: Department of Finance, Steve D’Arcy, March 15, 2005.
5. A Guide to the Project Management Body of Knowledge (PMBOK Guide), Fifth Edition.
ENTERPRISE RISK MANAGEMENT 46

ERM overview

  • 1.
    EENTERPRISENTERPRISE RRISKISK MMANAGEMENTANAGEMENT December2017 Hisham Haridy, MBA, PMP, PMI-RMP, PMI-SP
  • 2.
    Content Introduction Conceptual Roots What’s EnterpriseRisk Management? Risk Risk Management ERM Implementation References ENTERPRISE RISK MANAGEMENT 1
  • 3.
    Introduction Traditional risk managementformally developed as a field in the 1960s and focused on “pure” risks - Loss/no loss situation – that often could be insured and developed from insurance purchasing area.area. Foreign exchange risk from Bretton Woods agreement in 1972, Commodity price risk from oil price fluctuations of the 1970s, Equity risk from development of option markets in1973, and Interest rate risk from Federal Reserve Board policy shift in 1979 were the new elements of Risk in 1970s. ENTERPRISE RISK MANAGEMENT 2
  • 4.
    In 1980s, newrisk management was developed to deal with the financial risk (Foreign exchange risk, Interest rate risk, Equity risk, and Commodity price risk), In 1990s, Enterprise Risk Management was developed to initial INTRODUCTIONINTRODUCTION focus on avoiding derivative disasters and developing into optimizing firm value. Enterprise Risk Management (ERM) proposes that firms address all their risks comprehensively and coherently, instead of managing them individually. ENTERPRISE RISK MANAGEMENT 3
  • 5.
    Kloman's (1976), “TheRisk Management Revolution” many practitioners have advocated a coordinated approach to risk management. Crockford (1980), argued for multidisciplinary risk management Conceptual Roots Crockford (1980), argued for multidisciplinary risk management rather than risk management siloed and “fragmented among a number of sects.” Bannister and Bawcutt (1981), proposed that risk management requires multiple disciplines working together to manage “future uncertainty.” ENTERPRISE RISK MANAGEMENT 4
  • 6.
    Titman (1986) discussedthe “benefits to integrating risk management activities in a single framework”. Haimes (1992) called for “the evolution toward a more holistic approach,” which Haimes terms, “total risk management.” Kloman (1992), described concepts coming out of Europe from the CONCEPTUAL ROOTSCONCEPTUAL ROOTS Kloman (1992), described concepts coming out of Europe from the mid 70s to the early 80s that we now associate with ERM. Holton (1996), The term Enterprise Risk Management appears. Stulz (1996), proposed that academic theory expand beyond the traditional risk management (TRM) goal of “variance minimization” with its focus on the downside of risk. ENTERPRISE RISK MANAGEMENT 5
  • 7.
    Colquitt et al.,1999 called for “integrated risk management,” the first academic papers using the term “Enterprise Risk Management” appeared in 2001. Dickinson (2001) stated that ERM emerged as a corporate concept in the mid-1990s, and defined ERM as a “systematic and integrated CONCEPTUAL ROOTSCONCEPTUAL ROOTS approach of the management of the total risks a company faces.” Brogan (2001) offered one of the first definitions of ERM: “The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders”. ENTERPRISE RISK MANAGEMENT 6
  • 8.
    Enterprise Risk Managementis the process of 1- identifying major risks that confront an organization, 2- forecasting the significance of those risks in business processes, 3-addressing the risks in a systematic What’s ERM? and coordinated plan, 4-implementing the plan, and 5-holding key individuals responsible for managing critical risks within the scope of their responsibilities. ENTERPRISE RISK MANAGEMENT 7 ““ERM provides a framework forERM provides a framework for Risk ManagementRisk Management””
  • 9.
    ERM is astrategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio, Risk and Insurance Management Society (RIMS) (2011) WHAT’S ERM?WHAT’S ERM? ENTERPRISE RISK MANAGEMENT 8 Governance Risk and Compliance (GRC) Enterprise Risk Management (ERM) Embraces compliance as a separate activity for each business silo. Is concerned with delivering measurable business value by tying front line operational activities to goals across all business units.
  • 10.
    Strategic Achieving Organizational objectives “Focuson results” ERM DEFINATION LEVELSERM DEFINATION LEVELS ENTERPRISE RISK MANAGEMENT 9 Functional Activities that reduce risk and seize opportunities. Process Actions undertaken by managers to manage risk
  • 11.
    ERM “COMMON RISKALLOCATION”ERM “COMMON RISK ALLOCATION” Hazard risk Financial risk ENTERPRISE RISK MANAGEMENT 10 Operational risk Strategic risk ERM “Common Risk Allocation”
  • 12.
    1. The possibilityof suffering harm or loss (American Heritage Dictionary, Houghton Mifflin Co.) RISK ENTERPRISE RISK MANAGEMENT 11 2. Uncertainty of an event which if occurred would result in a negative or positive effect on the project (Project Management Institute).
  • 13.
    Uncertainty is alack of knowledge about an event that reduces confidence in conclusions drawn from the data. The investigation of uncertainties may help identify RISKs. Under certainty, the outcome can be predicted with a high degree UNCERTAINTYUNCERTAINTY Under certainty, the outcome can be predicted with a high degree of confidence. In reality, most decisions are taken without complete information, and therefore give rise to some degree of uncertainty in the outcome. ENTERPRISE RISK MANAGEMENT 12
  • 14.
    RISK ATTITUDERISK ATTITUDE Organizationsperceive risk as the effect of uncertainty on projects and organizational objectives. Organizations and stakeholders are willing to accept varying degrees of risk depending on their risk attitude. The risk attitudes of both the organization and the stakeholders mayThe risk attitudes of both the organization and the stakeholders may be influenced by a number of factors, which are broadly classified into three themes: 1. Risk appetite 2. Risk tolerance 3. Risk threshold ENTERPRISE RISK MANAGEMENT 13
  • 15.
    RISK APPETITERISK APPETITE Riskappetite is about the pursuit of risk. Organizations have to take some risks and they have to avoid others. Risk appetite is delegated downward (from strategic level) to through the organization using various means such as policies,through the organization using various means such as policies, procedures, training, and supervision. The organization’s risk exposure Risks an organization’s to engage ENTERPRISE RISK MANAGEMENT 14
  • 16.
    RISK TOLERANCERISK TOLERANCE Tolerancesare the areas of risk that are acceptable or unacceptable OR which is the degree, amount, or volume of risk that an organization or individual will WITHSTAND. Three common classifications used for describing risk tolerance or risk profile are the risk averse (or avoider), risk neutral (orrisk profile are the risk averse (or avoider), risk neutral (or tolerant), or risk seeker (or taker). The organization’s risk exposure Risk an organization could potentially tolerate ENTERPRISE RISK MANAGEMENT 15
  • 17.
    RISK THRESHOLDRISK THRESHOLD Refersto measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. A threshold is the point at which a risk becomes unacceptable. Below that risk threshold,Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will NOT tolerate the risk ENTERPRISE RISK MANAGEMENT 16
  • 18.
    Risk management isthe identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact Risk Management ENTERPRISE RISK MANAGEMENT 17 resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities The effect of uncertainty on objectives, defined in ISO31000 Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.
  • 19.
    •Identify the threats/opportunit ies andanalyze them to determine potential impact to outcomes and determine appropriate treatment priorities. •Identify the key elements of the risk management Plan Asses RISK MANAGEMENT STEPSRISK MANAGEMENT STEPS •Plan and implement the treatment of the identified risks •Monitor the implementation of risk treatment actions, report on status, and adjust actions according to results. treatment priorities. TreatControl ENTERPRISE RISK MANAGEMENT 18
  • 20.
    Risk Assessment Establish Goals& Context Identify Risks Monitor/Review Consultation/Communication RISK MANAGEMENT PROCESSRISK MANAGEMENT PROCESS Identify Risks Analyse Risks Evaluate Risks Treat Risks Monitor/Review Consultation/Communication ENTERPRISE RISK MANAGEMENT 19 Based on ISO 31000
  • 21.
    1. Risk Assessment Riskidentification establishes the exposure of the organization to risk and uncertainty. This requires an intimate knowledge of the organization, the market RISK MANAGEMENT PROCESSRISK MANAGEMENT PROCESS ENTERPRISE RISK MANAGEMENT 20 in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives.
  • 22.
    ENVIROMENTAL SCANENVIROMENTAL SCAN Foreignexchange rate Equity Interest rate Commodity price Financial Risks Strategic Risks Political impediments Technological innovation Regulation Regulation ENTERPRISE RISK MANAGEMENT 21 ERM Foreign exchange rate Employee related Liability Property Pure - loss situations Hazard Risks Operation Risks Product recall Management fraud Labor dispute Information technology Customer satisfaction Political impediments
  • 23.
    TOOLS AND TECHNIQUESTOOLSAND TECHNIQUES 1) Brainstorming 2) Interviewing ENTERPRISE RISK MANAGEMENT 22 1) Brainstorming 3) Delphi Technique 2) Interviewing 4) Root Cause Analysis 5) Financial Statements 5) Historical Records
  • 24.
    InternalInternal TOOLS AND TECHNIQUESTOOLSAND TECHNIQUES ENTERPRISE RISK MANAGEMENT 23 InternalInternal ExternalExternal
  • 25.
    RISK MANAGEMENT PROCESSRISKMANAGEMENT PROCESS Activities within the organization have been evaluated and all the risks flowing from these activities defined. Risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritizing ENTERPRISE RISK MANAGEMENT 24 risk treatment efforts. This ranks the relative importance of each identified risk. The overall objective of perform Qualitative Risk Analysis and Quantitative Risk Analysis processes is to determine which RISKS warrant a treatment.
  • 26.
    TOOLS AND TECHNIQUESTOOLSAND TECHNIQUES ENTERPRISE RISK MANAGEMENT 25 Key Action Risks you should definitely move into the Perform Quantitative analysis Risk Analysis process and/or the Plan Risk Responses process (High Risks) Risks you might decide to move into the Perform Quantitative Risk Analysis process and/or the Plan Risk Responses process (Medium Risks) Risks to simply document (Low Risks) = WATCHLIST Probability and Impact Matrix (PIM)Probability and Impact Matrix (PIM)
  • 27.
    TOOLS AND TECHNIQUESTOOLSAND TECHNIQUES 1) Interviewing 2) Expert Judgment ENTERPRISE RISK MANAGEMENT 26 1) Interviewing Expert Judgment 3) Probability Distribution
  • 28.
    TOOLS AND TECHNIQUESTOOLSAND TECHNIQUES Sensitivity Analysis “Tornado Diagram & If-What Scenarios” Expected Monetary Value Analysis (EMV) Decision Tree Analysis Modeling & Simulation “Monte Carlo Simulation” Determines which risks have the most potential impact on the project. Multiplying the value of each outcome by the probability of its occurrence. The overall probable Incorporates probabilities of risks and costs or rewards of each logical path. Future events are not Translates how uncertainties specified in a detailed level of the project may affect its objectives. ENTERPRISE RISK MANAGEMENT 27 The overall probable circumstance will be as a result of the events. Future events are not certain its objectives. Derive overall project risk from individual risks. Completion Date Frequency CumulativeProbability 3/11/31 4/5 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 0.02 0.04 0.06 0.08 0.10 0.12 0.14 0.16
  • 29.
    RISK MANAGEMENT PROCESSRISKMANAGEMENT PROCESS 2. Risk Treatment Risk treatment is presented the activity of selecting and implementing appropriate control measures to modify the risk. Risk treatment includes as its major element, risk control (or ENTERPRISE RISK MANAGEMENT 28 mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective internal controls.
  • 30.
    TOOLS AND TECHNIQUESTOOLSAND TECHNIQUES ENTERPRISE RISK MANAGEMENT 29
  • 31.
    RISK MANAGEMENT PROCESSRISKMANAGEMENT PROCESS Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. The cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits ENTERPRISE RISK MANAGEMENT 30 implementing the control compared to the risk reduction benefits achieved. One method of obtaining financial protection against the impact of risks is through risk financing, including insurance.
  • 32.
    RISK REGISTER SAMPLEAND OUTPUTSRISK REGISTER SAMPLE AND OUTPUTS ENTERPRISE RISK MANAGEMENT 31
  • 33.
RISK MANAGEMENT PROCESS
3. Feedback
ISO 31000 recognizes the importance of feedback by way of two mechanisms.
1. Monitoring and review ensures that the organization monitors risk performance and learns from experience.
2. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework.

RISK MANAGEMENT SUCCESS FACTORS
Risk management success depends on:
• Value risk management
• Responsibility
• Open and honest communication
• Organizational commitment
• Risk effort scaled to project
• Integrate with project management

ERM Implementation
1- Planning and designing
2- Implementing and benchmarking
3- Measuring and monitoring
4- Learning and reporting

ERM IMPLEMENTATION
1. Planning and designing
1- Identify intended benefits of the enterprise risk management initiative and gain Board mandate
• Benefits of ERM
• Embedding risk management
2- Plan the scope of the ERM initiative and develop a common language of risk
• Upside of risk
• Stakeholder expectations
3- Establish the risk management strategy, framework, and the roles and responsibilities
• Risk management policy
• Risk architecture

ERM IMPLEMENTATION
2. Implementing and benchmarking
4- Adopt suitable risk assessment procedures and an agreed risk classification system
• Risk description
• Risk classification systems
5- Establish risk significance benchmarks and undertake risk assessments
• Risk assessment techniques
• Benchmark tests of significance
6- Determine risk appetite and risk tolerance levels, and evaluate the existing controls
• Risk register
• Risk appetite

ERM IMPLEMENTATION
3. Measuring and monitoring
7- Ensure cost-effectiveness of existing controls and introduce improvements
• Risk improvement plans
• BCP and DRP
8- Embed a risk-aware culture and align risk management with other management tasks
• Control environment
• Risk communications

ERM IMPLEMENTATION
4. Learning and reporting
9- Monitor and review risk performance indicators to measure ERM contribution
• Risk improvement plans
• BCP and DRP
10- Report risk performance in line with legal and other obligations, and monitor improvement
• Risk reporting
• Legal requirements

WHY ERM?
• Offers survival: a better chance to identify, mitigate, avoid, and treat risks that could close us down
• Provides stability: in creating, distributing, financing, and selling products and services
• Adds confidence: the board and CEO are meeting fiduciary, community, social, and ethical responsibilities
• Builds good relationships with regulators

HOW ERM CAN INCREASE FIRM VALUE
The process can focus on protecting value, cash flows, or earnings, but it cannot protect all three at once.
• Earnings-based strategy: reducing taxes.
• Value-based strategy: insuring to prevent assets from declining.
• Cash-flow-based strategy: hedging to maintain internal funding sources.
So decreasing the volatility of future cash flows can decrease the cost of capital:
$V = \sum_{t} \frac{FCF_t}{(1 + \mathrm{WACC})^t}$
V: firm value; FCF: free cash flow; WACC: cost of capital.

References
1. A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000.
2. Enterprise Risk Management: Review, Critique, and Research Directions, Philip Bromiley, Michael McShane, Anil Nair, Elzotbek Rustambekov, 2014.
3. Strategic Risk Management: Improving Your Organization's Chances for Success, RIMS Conference 2012, Philadelphia.
4. Enterprise Risk Management: Department of Finance, Steve D'Arcy, March 15, 2005.
5. A Guide to the Project Management Body of Knowledge (PMBOK Guide), Fifth Edition.