Enterprise Risk Management with Examples


All organizations face risk when making business decisions, and they practice risk management to limit it. Risk management is considered an essential component of an organization's strategic management and should therefore be part of a business's ongoing activities.

One form of risk management is enterprise risk management (ERM), a process through which risks are assessed to identify threats to an organization's financial well-being and its market opportunities. The main objective of ERM is to determine an organization's tolerance for risk, categorize that risk, and then quantify it.

In other words, ERM is a process for identifying and addressing potential events that represent risks to an organization's strategic objectives, or opportunities to gain competitive advantage. Through the ERM process it is possible to plan, organize, lead, and control an organization's activities so as to minimize the effect of risk on its capital and earnings. Besides risks related to accidental losses, enterprise risk management covers operational, financial, and strategic risks.

Elements of ERM

Below are the main elements of ERM:

Code of Conduct of an Organization

An organization's core values and code of conduct play a significant role in defining its risk appetite. A healthy work culture determines employees' work standards and their ability to deal with risk.

Objective Setting and Goals

An organization's mission and vision are defined so that all employees work towards a common goal. Once these goals are communicated across the whole organization, every employee knows their roles and responsibilities. When a risk management plan is framed, these common objectives act as a guide: because everyone knows the goal they are working toward, it is easier to judge whether a risk is worth taking. The following aspects should also be estimated:

Risk tolerance level: the maximum level of risk that an organization can handle while still achieving its mission and objectives.

Risk appetite: the type or level of risk that an organization is willing to take on in pursuit of its goals.

Once these attributes are defined, an organization can make a high-level risk management plan that fits its goals and strategies.

Identifying Risks and Opportunities

This is considered one of the most crucial elements of the ERM framework. While executing a project, an organization can encounter two types of events: risks and opportunities. Risks can disrupt the project process, whereas opportunities can provide the firm with tangible benefits. Analyzing these events is therefore the core of the risk mitigation strategy.

Assessing and Categorizing Risks

Risks are categorized by the business area on which they have an impact. They include strategic risks, which can threaten the sustainability of the business; operational risks, which can result in inefficient management of resources; and compliance risks, which relate to violations of the rules and regulations that apply to an organization.

Risk Response and Mitigation

Once risks have been carefully assessed and categorized, a response should be decided. The response will vary with the type of risk. Risks can be responded to in the following ways:

  • Reducing the risk to minimize its impact
  • Accepting the impact if it is minimal or negligible
  • Transferring or assigning the mitigation to a competent third party

Checks and Balances

These are required so that response activities are carried out according to policy. An organization's ethics and values are as important as its risk mitigation measures.

Information and Communication

Communication is the essence of any business, and in the world of digital technology it has great value. All employees must be capable of identifying potential risks and communicating them to managers and stakeholders. This helps ensure that no risk is overlooked.

For this, organizations should invest in training programs so that employees understand risk identification and assessment.

Monitoring and Call to Action

Organizations must monitor and review their risk management strategy at regular intervals. This helps them make improvements that will be an advantage in mitigating risks.

Types of ERM and their Significant Roles in Strategy

There are mainly three types of Enterprise Risk Management (ERM):

Individual Risk Management

These programs contribute to all phases of strategy:

Strategic Requirement

Through an individual ERM program, it is possible to identify failed and failing strategies, because ERM focuses on selecting, mitigating, and controlling risk. ERM can identify the warning signs produced by the adverse effects of a failing strategy before they become problems.

It is also possible to identify new opportunities for expansion in which the existing processes of risk selection, mitigation, and control work well.

Formulation of Strategy

ERM handles information about the selection, mitigation, and control of risk, and this helps in suggesting the scope of improvements to existing strategies.

Selection of Strategy

In strategy selection, ERM's opinions on the selection, mitigation, and control of risk, as they relate to current and future competencies, should play an important role.

Implementation of Strategy

ERM can contribute significantly to plans for risk selection, mitigation, and control, whether for new strategies or for improving continuing strategies.

Aggregate Risk Management

Aggregate risk management programs can also contribute in all phases of strategy:

Strategic Requirement

Through ERM, it is easy to determine to what extent the insurer has over- or underutilized its capital resources. This can help in identifying a strategic need.

Formulation of Strategy

With the help of ERM, organizations can find a new strategy that supports organizational goals better while fully utilizing available capital. Analyzing capital utilization and its correlation with available strategies may in turn lead to another strategy through which capital can be used more effectively.

Selection of Strategy

ERM facilitates developing and applying criteria for the use of capital, which are then used in selecting a strategy. These criteria can include the total amount of available capital and the degree to which the new strategy correlates with existing risks.

Implementation of Strategy

ERM can provide an adequate assessment of aggregate capital.

Risk Reward Management

This program can also contribute in all phases of strategy:

Strategic Requirement

One of the main metrics developed by risk-reward management is risk-adjusted return. It is also considered a primary indicator of failed strategies.

Formulation of Strategy

ERM can suggest adjustments to current strategies that might improve risk-adjusted returns. ERM can also identify opportunities with higher risk-adjusted returns.

Selection of Strategy

The risk-reward management process operates with a hurdle rate, the lowest risk-adjusted return that is acceptable. This hurdle rate is developed through ERM. ERM also helps in assessing proposals against projections of risk-adjusted returns.

Implementation of Strategy

The risk-reward management process supports full allocation of capital and a budgeting process informed by projections of future risk-adjusted returns.

Core Areas of ERM

Enterprise risk management mainly covers the four core areas below:

Hazard Risk Management

Risk managers follow these steps to assess hazards:

  • Identifying exposures to risk
  • Assessing how frequent and how severe these risk exposures are
  • Identifying alternative approaches
  • Selecting the suitable alternative and implementing it
  • Monitoring the implementation and making adjustments as required

The ERM process focuses on both preventive and crisis risk management.

Internal Control

Internal control processes improve process efficiency in areas such as conformity, reporting, and the effectiveness of the general process. Larger organizations, mainly those operating in highly regulated industries, use elaborate and expensive internal control systems.

Internal Audits

Internal audits are used to check whether internal controls are working properly. Unlike risk management, this process is concerned with the costs, effectiveness, and efficiency of ERM processes.

Internal audits deal with the way risks are actually being managed in practice. The internal audit team oversees operating activities, compliance, and consistency. An audit report is generated that includes the results of the audit, along with weak points and recommendations.

Regulatory Compliance

Organizations must follow certain rules and regulations, and ERM includes efforts to make sure that regulatory compliance requirements are met. For instance, government bodies may issue requirements on site safety, social responsibility, environmental policy, or financial reporting. Generally, a compliance officer or a unit specializing in this interprets such requirements and provides advice, recommendations, and training.

Examples of organizations that have adopted the ERM framework

Below are a few examples of organizations using the ERM framework:

KPMG's ERM framework includes risk assessment, risk governance, quantification and aggregation of risk, risk reporting and monitoring, and risk and control optimization.

KPMG's ERM approach includes the following key aspects:

  • A common policy, language, and methodology to drive risk management and enable a holistic risk scenario.
  • Robust risk information that takes into account stakeholders' needs in light of the strategic objective.
  • Justification or enhancement of roles and responsibilities, including establishing embedded business risk units.
  • Enhancement of the risk management process, including identification, reporting, and management.
  • Periodic monitoring of industry trends and the needs of constituencies.

ERM Approach and Framework of Johnson & Johnson

The ERM framework of the leading healthcare company Johnson & Johnson helps identify potential events that may affect the enterprise, manage the associated risks and opportunities, and provide reasonable assurance that the company's objectives will be achieved.

Johnson & Johnson's approach to risk management:

  • Aims to promptly resolve internally identified risks in compliance with laws and regulations, so that the provision of quality products is maintained, patient safety is protected, and appropriate relationships with end customers are ensured.
  • Facilitates strategies that ensure effective utilization of resources and enable an optimized, proactive approach to auditing. This also includes identifying compliance issues and promoting monitoring and reporting across compliance functions.
  • Supports improved decision making, prioritizing, and planning by considering assessments of opportunities and threats.
  • Supports value creation by enabling management to respond promptly, effectively, and efficiently to future events that represent a threat or opportunity and create uncertainty.

Components of ERM Framework of Johnson & Johnson

Below are the main components of the ERM framework of Johnson & Johnson:

Strategy and Objective-Setting

The company's Executive Committee establishes strategic goals and financial targets according to its global growth drivers. Senior management is accountable for meeting these goals and objectives. The goals and objectives of business units, functions, and individual employees are generally aligned with the overall strategic objectives and goals of Johnson & Johnson.

The company's business cycle includes identifying, at various points, internal and external issues and events that affect the company's ability to achieve pre-defined objectives. During planning and review processes, business unit management assesses the competitive environment and marketplace in order to identify the risks and opportunities their business faces. The risk management functions provide expertise, input, and support to the process as required.

Business leaders work with the risk management functions to determine a suitable way to identify risks.

To ensure that risk responses are implemented consistently, the risk management functions may define policies and issue guidelines that apply to Johnson & Johnson's business activities. With the help of the risk management functions, these policies, guidelines, and standards can be implemented using monitoring tools.

Business unit management, together with the risk management functions, makes action plans for implementing or strengthening risk-mitigating activities, as applicable.

Review and Revision

The review and reporting process is a critical aspect of Johnson & Johnson's ERM framework, as it ensures that risks are assessed effectively and that appropriate risk responses and controls are in place.

The functional leadership of risk management and business unit management are responsible for periodically monitoring the effectiveness of risk mitigation activities using reviews of metrics and other data. In addition, key risk metrics are reviewed with the company's Board of Directors, the Executive Committee, business sector and other leadership teams, the Enterprise Governance Council, and the Compliance Committee.

Information, Communication, and Reporting

Johnson & Johnson has information and communication channels to make business leaders and employees aware of the risks that fall within their areas of responsibility. Applicable personnel provide both formal and informal training. New hires, and employees transferring to a new function, receive information on the key processes applicable to their roles. Knowledge is exchanged within the risk management functions through regular departmental meetings and short rotations through corporate functions.

Governance and Oversight

Johnson & Johnson's Board of Directors oversees senior leadership's management of the risks the company faces. The Board discusses the company's risk factors with Executive Committee (EC) members, the leaders of the risk management functions, and other senior business leaders at regular intervals.