1
REPORTING KEY RISK INFORMATION TO THE BOARD OF DIRECTORS
What is Enterprise
risk management?
2016
Mark S. Beasley
Deloitte Professor of ERM and Director of the ERM Initiative
North Carolina State University
2801 Founders Drive
Raleigh, NC 27695
919.513.0901 | www.erm.ncsu.edu
WHAT IS ENTERPRISE RISK MANAGEMENT?
1
Mark S. Beasley
Deloitte Professor of ERM and Director of the ERM Initiative
All organizations have to manage risks in order to stay in business. In fact, most would say that
managing risks is just a normal part of running a business. So, if risk management is already occurring
in these organizations, whats the point of enterprise risk management (also known as ERM)?
Lets Start by Looking at Traditional Risk Management
Business leaders manage risks and they have done so for decades. Thus, calls for enterprise risk
management arent suggesting that organizations havent been managing risks. Instead, proponents
of ERM are suggesting that there may be benefits from thinking differently about how the enterprise
manages risks affecting the business.
Traditionally, organizations manage risks by placing responsibilities on business unit leaders to
manage risks within their areas of responsibility. For example, the Chief Technology Officer (CTO) is
responsible for managing risks related to the organizations information technology (IT) operations,
the Treasurer is responsible for managing risks related to financing and cash flow, the Chief Operating
Officer is responsible for managing production and distribution, and the Chief Marketing Officer is
responsible for sales and customer relationships, and so on. Each of these functional leaders is
charged with managing risks related to their key areas of responsibility. This traditional approach to
risk management is often referred to as silo or whereby each silo leader
is responsible for managing or elevating risks within their silo as shown in Figure 1 below.
Figure 1
WHAT IS ENTERPRISE RISK MANAGEMENT?
2
Limitations with Traditional Approaches to Risk Management
While assigning functional experts responsibility for managing risks related to their business unit
makes good sense, this traditional approach to risk management has limitations, which may mean
there are significant risks on the horizon that may go undetected by management and that might
affect the organization. Lets explore a few those limitations.
Limitation #1: There may be risks that fall between the siloes that none of the silo leaders can see.
Risks dont follow managements organizational chart and, as a result, they can emerge anywhere in
the business. As a result, a risk may be on the horizon that does not capture the attention of any of
the silo leaders causing that risk to go unnoticed until it triggers a catastrophic risk event. For example,
none of the silo leaders may be paying attention to demographic shifts occurring in the marketplace
whereby population shifts towards large urban areas is happening at a faster pace than anticipated.
Unfortunately, this oversight may drastically impact the strategy of a retail organization that continues
to look for real estate locations in outlying suburbs or more rural areas surrounding smaller cities.
Limitation #2: Some risks affect multiple siloes in different ways. So, while a silo leader might
recognize a potential risk, he or she might not realize the significance of that risk to other aspects of
the business. A risk that seems relatively innocuous for one business unit, might actually have a
significant cumulative effect on the organization if it were to occur and impact several business
functions simultaneously. For example, the head of compliance may be aware of new proposed
regulations that will apply to businesses operating in Brazil. Unfortunately, the head of compliance
discounts these potential regulatory changes given the fact that the company currently only does
business in North America and Europe. What the head of compliance doesnt understand is that a key
element of the strategic plan involves entering into joint venture partnerships with entities doing
business in Brazil and Argentina, and the head of strategic planning is not aware of these proposed
regulations.
Limitation #3: Third, in a traditional approach to risk management, individual silo owners may not
understand how an individual response to a particular risk might impact other aspects of a business.
In that situation, a silo owner might rationally make a decision to respond in a particular manner to a
certain risk affecting his or her silo, but in doing so that response may trigger a significant risk in
another part of the business. For example, in response to growing concerns about cyber risks, the IT
function may tighten IT security protocols but in doing so, employees and customers find the new
protocols confusing and frustrating, which may lead to costly work-arounds or even the loss of
business.
Limitation #4: So often the focus of traditional risk management has an internal lens to identifying
and responding to risks. That is, management focuses on risks related to internal operations inside
the walls of the organization with minimal focus on risks that might emerge externally from outside
the business. For example, an entity may not be monitoring a competitors move to develop a new
technology that has the potential to significantly disrupt how products are used by consumers.
Limitation #5: Despite the fact that most business leaders understand the fundamental connection of
risk and return, most businesses are struggling to connect their efforts in risk management to
strategic planning. For example, the development and execution of the entitys strategic plan may not
give adequate consideration to risks because the leaders of traditional risk management functions
within the organization have not been involved in the process.
WHAT IS ENTERPRISE RISK MANAGEMENT?
3
The result? There can be a wide array of risks on the horizon that managements traditional approach
to risk management fails to see, as illustrated by Figure 2. Unfortunately, some organizations fail to
recognize these limitations in their approach to risk management before it is too late.
Figure 2
Embracing Enterprise Risk Management (ERM)
Over the last decade or so, a number of business leaders have recognized these potential risk
management shortcomings and have begun to embrace the concept of enterprise risk management as
a way to strengthen their organizations risk oversight. They have realized that waiting until the risk
event occurs is too late for effectively addressing significant risks and they have proactively embraced
ERM as a business process to enhance how they manage risks to the enterprise.
The objective of enterprise risk management is to develop a holistic, portfolio view of the most
significant risks to the achievement of the entitys most important objectives. The e in ERM signals
that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the
business. In other words, ERM attempts to create a basket of all types of risks that might have an
impact both positively and negatively on the viability of the business.
Leadership of ERM
Given the goal of ERM is to create this top-down, enterprise view of risks to the entity, responsibility
for setting the tone and leadership for ERM resides with executive management and the board of
directors. They are the ones who have the enterprise view of the organization and they are viewed as
being ultimately responsible for understanding, managing, and monitoring the most significant risks
affecting the enterprise.
Top management is responsible for designing and implementing the enterprise risk management
process for the organization. They are the ones to determine what process should be in place and
how it should function, and they are the ones tasked with keeping the process active and alive. The
board of directors role is to provide risk oversight by (1) understanding and approving managements
WHAT IS ENTERPRISE RISK MANAGEMENT?
4
ERM process and (2) overseeing the risks identified by the ERM process to ensure managements risktaking actions are within the stakeholders appetite for risk taking. (Check out our thought paper,
Strengthening Enterprise Risk Management for Strategic Advantage, issued in partnership with
COSO, that focuses on areas where the board of directors and management can work together to
improve the boards risk oversight responsibilities and ultimately enhance the entitys strategic value.
1
Elements of an ERM Process
Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing
process. Unfortunately, some view ERM as a project that has a beginning and an end. While the initial
launch of an ERM process might require aspects of project management, the benefits of ERM are only
realized when management thinks of ERM as a process that must be active and alive, with ongoing
updates and improvements.
The diagram in Figure 3 illustrates the core elements of an ERM process. Before looking at the details,
it is important to focus on the oval shape to the figure and the arrows that connect the individual
components that comprise ERM. The circular, clockwise flow of the diagram reinforces the ongoing
nature of ERM. Once management begins ERM, they are on a constant journey to regularly identify,
assess, respond to, and monitor risks related to the organizations core business model.
Figure 3
Positioning ERM for Strategic Value
Because ERM seeks to provide information about risks affecting the organizations achievement of its
core objectives, the starting point of an ERM process begins with gaining an understanding of what
currently drives value for the business and whats in the strategic plan that represents new value
drivers for the business. To ensure that the ERM process is helping management keep an eye on
internal or external events that might trigger risk opportunities or threats to the business, a
1
Visit our website http://www.erm.ncsu.edu to download this and the other thought papers highlighted in this
document.
WHAT IS ENTERPRISE RISK MANAGEMENT?
5
strategically integrated ERM process begins with a rich understanding of whats most important for
the business short-term and long-term success.
Lets consider a public-traded company. A primary objective for most publically traded companies is to
grow shareholder value. In that context, ERM should begin by considering what currently drives
shareholder value for the business (e.g., what are the entitys key products, what gives the entity a
competitive advantage, what are the unique operations that allow the entity to deliver products and
services, etc.). These might be thought of as the entitys current crown jewels. In addition to
thinking about the entitys crown jewels, ERM also begins with an understanding of the organizations
plans for growing value through new strategic initiatives outlined in the strategic plan (e.g., entry into
new geographic markets, launch of a new product, or the acquisition of a competitor, etc.). You might
find our thought paper, Integration of ERM with Strategy, helpful given it contains three case study
illustrations of how organizations have successfully integrated their ERM efforts with their value
creating initiatives.
With this rich understanding of the current and future drivers of value for the enterprise, management
is now in a position to move through the ERM process by next having management focus on
identifying risks that might impact the continued success of each of the key value drivers. How might
risks emerge that impact a crown jewel or how might risks emerge that impede the successful
launch of a new strategic initiative? Using this strategic lens as the foundation for identifying risks
helps keep managements ERM focus on risks that are most important to the short-term and longterm viability of the enterprise.
With knowledge of the most significant risk on the horizon for the entity, management then seeks to
evaluate whether the current manner in which the entity is managing those risks is sufficient and
effective. In some cases, management may determine that they and the board are willing to accept a
risk while for other risks they seek to respond in ways to reduce or avoid the potential risk exposure.
The Focus is on All Types of Risks
Sometimes this emphasis on identifying risks to the strategies causes some to erroneously conclude
that ERM is only focused on strategic risks and not concerned with operational, compliance, or
reporting risks. Thats not the case. Rather, when deploying a strategic lens as the point of focus to
identify risks, the goal is to think about any kind of risk strategic, operational, compliance, reporting,
or whatever kind of risk that might impact the strategic success of the enterprise. As a result, when
ERM is focused on identifying, assessing, managing, and monitoring risks to the viability of the
enterprise, the ERM process is positioned to be an important strategic tool where risk management
and strategy leadership are integrated. It also helps remove managements silo-blinders from the
risk management process by encouraging management to individually and collectively think of any and
all types of risks that might impact the entitys strategic success.
Output of an ERM Process
The goal of an ERM process is to generate an understanding of the top risks that management
collectively believes are the current most critical risks to the strategic success of the enterprise. Most
organizations prioritize what management believes to be the top 10 (or so) risks to the enterprise (see
our thought paper, Survey of Risk Assessment Practices, that highlights a number of different
approaches organizations take to prioritize their most important risks on the horizon. Generally, the
WHAT IS ENTERPRISE RISK MANAGEMENT?
6
presentation of the top 10 risks to the board focuses on key risk themes, with more granular details
monitored by management. For example, a key risk theme for a business might be the attraction and
retention of key employees. That risk issue may be discussed by the board of directors at a high level,
while management focuses on the unique challenges of attracting and retaining talent in specific areas
of the organization (e.g., IT, sales, operations, etc.).
Monitoring Top Risks with Key Risk Indicators (KRIs)
While the core output of an ERM process is the prioritization of an entitys most important risks and
how the entity is managing those risks, an ERM process also emphasizes the importance of keeping a
close eye on those risks through the use of key risk indicators (KRIs). Organizations are increasingly
enhancing their management dashboard systems through the inclusion of key risk indicators (KRIs)
linked to each of the entitys top risks identified through an ERM process. These KRI metrics help
management and the board keep an eye on risk trends over time. Check out our thought paper,
Developing Key Risk Indicators to Strengthen Enterprise Risk Management, issued in partnership
with COSO for techniques to develop effective KRIs.
Conclusion
Given the speed of change in the global business environment, the volume and complexity of risks
affecting an enterprise are increasing at a rapid pace. At the same time, expectations for more
effective risk oversight by boards of directors and senior executives are growing. Together these
suggest that organizations may need to take a serious look at whether the risk management approach
being used is capable of proactively versus reactively managing the risks affecting their overall
strategic success. Enterprise risk management (ERM) is becoming a widely embraced business
paradigm for accomplishing more effective risk oversight.
Interested in Learning More About ERM?
As business leaders realize the objectives of ERM and seek to enhance their risk management
processes to achieve these objectives, they often are seeking additional information about tactical
approaches for effectively doing so in a cost-effective manner. The ERM Initiative in the Poole College
of Management at North Carolina State University may be a helpful resource through the articles,
thought papers, and other resources archived on its website or through its ERM Roundtable and
Executive Education offerings. Each year, we survey organizations about the current state of their ERM
related practices. Check out our most recent report, The State of Risk Oversight Report: An
Overview of Enterprise Risk Management Practices.
Visit www.erm.ncsu.edu to learn more.
____________________________________________________________________________________
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and Director of the ERM
Initiative at NC State University. He specializes in the study of enterprise risk management, corporate governance,
financial statement fraud, and the financial reporting process. He completed over seven years of service as a
board member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and has
served on other national-level task forces related to risk management issues. He advises boards and senior
executive teams on risk governance issues, is a frequent speaker at national and international levels, and has
published over 90 articles, research monographs, books, and other thought-related publications. He earned his
Ph.D. at .
Are you busy and do not have time to handle your assignment? Are you scared that your paper will not make the grade? Do you have responsibilities that may hinder you from turning in your assignment on time? Are you tired and can barely handle your assignment? Are your grades inconsistent?
Whichever your reason is, it is valid! You can get professional academic help from our service at affordable rates. We have a team of professional academic writers who can handle all your assignments.
Students barely have time to read. We got you! Have your literature essay or book review written without having the hassle of reading the book. You can get your literature paper custom-written for you by our literature specialists.
Do you struggle with finance? No need to torture yourself if finance is not your cup of tea. You can order your finance paper from our academic writing service and get 100% original work from competent finance experts.
Computer science is a tough subject. Fortunately, our computer science experts are up to the match. No need to stress and have sleepless nights. Our academic writers will tackle all your computer science assignments and deliver them on time. Let us handle all your python, java, ruby, JavaScript, php , C+ assignments!
While psychology may be an interesting subject, you may lack sufficient time to handle your assignments. Don’t despair; by using our academic writing service, you can be assured of perfect grades. Moreover, your grades will be consistent.
Engineering is quite a demanding subject. Students face a lot of pressure and barely have enough time to do what they love to do. Our academic writing service got you covered! Our engineering specialists follow the paper instructions and ensure timely delivery of the paper.
In the nursing course, you may have difficulties with literature reviews, annotated bibliographies, critical essays, and other assignments. Our nursing assignment writers will offer you professional nursing paper help at low prices.
Truth be told, sociology papers can be quite exhausting. Our academic writing service relieves you of fatigue, pressure, and stress. You can relax and have peace of mind as our academic writers handle your sociology assignment.
We take pride in having some of the best business writers in the industry. Our business writers have a lot of experience in the field. They are reliable, and you can be assured of a high-grade paper. They are able to handle business papers of any subject, length, deadline, and difficulty!
We boast of having some of the most experienced statistics experts in the industry. Our statistics experts have diverse skills, expertise, and knowledge to handle any kind of assignment. They have access to all kinds of software to get your assignment done.
Writing a law essay may prove to be an insurmountable obstacle, especially when you need to know the peculiarities of the legislative framework. Take advantage of our top-notch law specialists and get superb grades and 100% satisfaction.
We have highlighted some of the most popular subjects we handle above. Those are just a tip of the iceberg. We deal in all academic disciplines since our writers are as diverse. They have been drawn from across all disciplines, and orders are assigned to those writers believed to be the best in the field. In a nutshell, there is no task we cannot handle; all you need to do is place your order with us. As long as your instructions are clear, just trust we shall deliver irrespective of the discipline.
Our essay writers are graduates with bachelor's, masters, Ph.D., and doctorate degrees in various subjects. The minimum requirement to be an essay writer with our essay writing service is to have a college degree. All our academic writers have a minimum of two years of academic writing. We have a stringent recruitment process to ensure that we get only the most competent essay writers in the industry. We also ensure that the writers are handsomely compensated for their value. The majority of our writers are native English speakers. As such, the fluency of language and grammar is impeccable.
There is a very low likelihood that you won’t like the paper.
Not at all. All papers are written from scratch. There is no way your tutor or instructor will realize that you did not write the paper yourself. In fact, we recommend using our assignment help services for consistent results.
We check all papers for plagiarism before we submit them. We use powerful plagiarism checking software such as SafeAssign, LopesWrite, and Turnitin. We also upload the plagiarism report so that you can review it. We understand that plagiarism is academic suicide. We would not take the risk of submitting plagiarized work and jeopardize your academic journey. Furthermore, we do not sell or use prewritten papers, and each paper is written from scratch.
You determine when you get the paper by setting the deadline when placing the order. All papers are delivered within the deadline. We are well aware that we operate in a time-sensitive industry. As such, we have laid out strategies to ensure that the client receives the paper on time and they never miss the deadline. We understand that papers that are submitted late have some points deducted. We do not want you to miss any points due to late submission. We work on beating deadlines by huge margins in order to ensure that you have ample time to review the paper before you submit it.
We have a privacy and confidentiality policy that guides our work. We NEVER share any customer information with third parties. Noone will ever know that you used our assignment help services. It’s only between you and us. We are bound by our policies to protect the customer’s identity and information. All your information, such as your names, phone number, email, order information, and so on, are protected. We have robust security systems that ensure that your data is protected. Hacking our systems is close to impossible, and it has never happened.
You fill all the paper instructions in the order form. Make sure you include all the helpful materials so that our academic writers can deliver the perfect paper. It will also help to eliminate unnecessary revisions.
Proceed to pay for the paper so that it can be assigned to one of our expert academic writers. The paper subject is matched with the writer’s area of specialization.
You communicate with the writer and know about the progress of the paper. The client can ask the writer for drafts of the paper. The client can upload extra material and include additional instructions from the lecturer. Receive a paper.
The paper is sent to your email and uploaded to your personal account. You also get a plagiarism report attached to your paper.
GET A PERFECT SCORE!!! 
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.
Read moreEach paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.
Read moreThanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.
Read moreYour email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.
Read moreBy sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.
Read more