Business risk management
|Business risk management|
Business risk management (also: enterprise r.m., corporate r.m.) is a set of activities related to planning, organizing, leading and controlling the organization's processes in order to minimize the effects of risks and utilize potential opportunities. It is not limited to finance, but includes also other areas as environment, information security and quality management. The modern approach uses the same methodology to treat risks and opportunities.
Risk management frameworks
Casualty Actuarial Society (CAS) framework
The Casualty Actuarial Society defined the RM framework in 2003. It defines risk types:
- Hazard risk - property damage, natural disasters
- Financial risk - related to currency, assets, pricing, liquidity
- Operational risk - related to customer, product, reputation
- Strategic risk - competition, social trends, shareholders
The risk management process includes:
- Establishing context
- Identifying risks
- Analysing risks
- Assessing risks
- Treating risks
- Monitoring and reviewing
COSO ERM framework
The COSO Enterprise Risk Management - Integrated Framework was published in 2004. It defined enterprise risk management as a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives [COSO 2004]. The risk management falls into four categories:
- financial reporting
The COSO identifies 8 risk management components, which include:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
RIMS Risk Maturity Model
RIMS Risk Maturity Model was published in 2006. It isn't a methodology or framework, but works rather as an umbrella for different approaches. The model describes competency drivers that are important for company risk management. They were grouped into 7 categories:
- ERM-based approach
- ERM process management
- Risk appetite management
- Root cause discipline
- Uncovering risks
- Performance management
- Business resiliency and sustainability
The idea of maturity models became popular in last years. After Capability Maturity Model many scientist and organizations creates own maturity models. They help to compare systems of different organizations.
Risk management standard
The issue of risk in management systems appeared in the ISO standards in 1996, with the publication of ISO 13335-1. It was developed by ISO 13335-3 in 1998. Those standards were developed in context of information security. Their approach was adopted by standard for information security management systems (ISO 27001). Those standards were withdrawn.
The current international standard for risk management is ISO 31000. It was published in 2009. Detailed description of the standard was presented in article ISO 31000.
Problems of business risk management
- Lack of executive support. Often top managers don't see value of risk management. They prefer rather to react on problems than think ahead of many possible risk factors. Implementation of business risk management without executive support is difficult and never gives the full value in return.
- Changes of responsibilities. The risk management system shouldn't rely on persons, but on structure and processes. People change their jobs sometimes. Therefore, the RM system should be prepared for such a change.
- Organizational culture. Risk management system requires some centralization, which is not welcome in decentralized organizations. However the structure of the system can be adapted to every enterprise. Just don't copy the system from another company.
- Organizational structure. Risk management, in order to work properly, has to be high in organizational structure. Otherwise risk management department won't be listened by top managers. It will be only blamed for all failures.
- Communication. The expectations, responsibilities, plans and activities should be communicated across the board in order to have everyone on the same page.
- Lack of discipline. The risk management doesn't end with initial risk evaluation. It requires systematic work. Otherwise it won't deliver.
- Lack of competences. The risk management methodology looks simple: likelihood and consequences. But the problems begin as soon as you try to implement results of the risk assessment. This requires not only technical skills but also political ones.
- Lack of budget. Every activity in the enterprise requires money. The aim of business risk management is to save money, but you have to invest some first.
- Lack of value. The risk management team has to articulate the values for the company from RM system. The goals should be reviewed and updated systematically. Success factors should be analysed.
- COSO (2004), Enterprise Risk Management - Integrated Framework
- RIMS (2016), What is ERM? Guide
- PwC, How ERM programs evovle?
Author: Slawomir Wawak