Enterprises Risk Management – ERM

Subject: Risk Management
Pages: 50
Words: 16624
Reading time: 57 min
Study level: Master


All business entities face uncertainty, and management's central task is to decide how much uncertainty to accept while it works to enhance investor value. Uncertainty presents both opportunity and risk, with the potential to create or erode value. Enterprise risk management (ERM) enables management to deal with uncertainty effectively, to weigh opportunity against risk, and to increase the capacity to build value.



Within the past few years, enterprise risk management (ERM) has become an influential new operational, financial and strategic management technique. The ERM process rests on the idea that conventional treatments of risk are ineffective and may lead to inappropriate allocation of resources, unintended handling of material risks within the business, or the misapplication of operational and financial solutions. ERM initially covered for-profit businesses but later expanded into the not-for-profit sector as well.

If, in a business, every risk is mitigated, every loss is recouped, and every employee respects the business's values and works toward the organisation's goal, then the pursuit of such goals is termed enterprise risk management, or ERM. A 2007 survey by Deloitte & Touche indicates that at least 80% of global financial services institutions have created the position of “Chief Risk Officer”, up substantially from 65% in 2002, and that three-quarters of these CROs report directly to the CEO of the company. Further, between a third and a half of Fortune 500 companies have introduced ERM initiatives. ERM has now been introduced in commercial banks, financial services companies and the insurance industry.

About $15 trillion is currently invested in enterprise risk management solutions by business. In earlier days, enterprise risk solutions began as multiline/multilayer insurance contracts, which later extended to areas such as operational, market and reputation risks.

The Committee of Sponsoring Organizations (COSO), a private sector group established to combat fraudulent financial reporting and to bring greater precision to how public companies should perform, has offered a practical, workable framework for enterprise risk management.

According to the Institute of Internal Auditors, the main objective of ERM is to develop, safeguard and increase stakeholder value by controlling the risks that stand in the way of attaining the business's objectives.

Difference between customary risk management and ERM


Table 1: Customary Risk Management vs. ERM Strategies.

No. | Customary Risk Management Strategies | Enterprise Risk Management Strategies
1 | Risk is considered as an individual hazard. | Risk is valued on the business's strategic aspects.
2 | It pertains to risk classification and appraisal. | It pertains to the growth of risk portfolio schemes.
3 | Discrete risk is given more focus. | Critical risk is given more focus.
4 | The method for mitigation of risk is explained. | Optimisation of risk is explained.
5 | Risk minimisation is defined. | Deliberate analysis of risk is made.
6 | No responsibility is fixed for risk. | Responsibility for risk is defined.
7 | The risk is defined haphazardly. | It concerns the screening and gauging of risks.
8 | No one can be assigned responsibility for the risk. | Accountability for the risk is fixed on the entire team.

Source: KPMG LLP, (Banham 2004:65).

Literature Review

This research paper investigates the wide scope of ERM and the challenges posed in managing business risk in an uncertain business environment. It draws on the secondary sources on the subject listed in the reference section to demonstrate the significance of ERM, its relevance to today's business, how it is applied, and its success stories through the case studies presented in the case study section of this paper.

The case studies demonstrate in clear terms that ERM helped to prevent risk and increased shareholder value. To explain the concept of ERM, its ERM – Integrated Framework (2004) and the COSO Internal Control Framework, the paper relied heavily on COSO's website to gather sufficient information and data to substantiate its findings.

Further, in comparing my company's ERM (Boeing International) against best practice and internationally recognised ERM frameworks (i.e. the COSO Framework), this paper shows that Boeing has successfully introduced an ERM framework and is reaping considerable benefits from it, mitigating a substantial amount of risk that could otherwise inflict loss and erode shareholder value in the future.

It is clear from the case studies in this paper that ERM plays a key role in mitigating risk. ERM helped FirstEnergy to avoid unnecessary and superfluous cost; it enabled Split Rock Energy to recover a substantial amount from Enron before its collapse, which is clear evidence of risk mitigation; and it enabled United Illuminating Company to manage an unexpected blackout. These case studies corroborate that ERM is an indispensable process for increasing shareholder value in any company, and that it has to be introduced and managed efficiently to reap the greatest benefit.

This study also analyses how COSO internal control plays an important role in obtaining ISO standards for risk mitigation, through the ‘code of practice for information security management’ (ISO 17799) and the requirements for an information security management system (ISO 27001) respectively, and also discusses ISO 31000, which is to be implemented in 2009. It is to be noted that there is a close association between risk management and information security, and these standards strengthen that relationship.


This paper also discusses how the COSO framework helps companies adhere to corporate governance requirements, and how the internal audit function in any organisation can be enhanced to identify and mitigate business risk and to introduce the internal controls needed to avoid such risks in future.

Finally, this research concludes by summarising the key findings, evaluating how ERM works and its chief advantages, and showing how it increases shareholder value through its success in the section on my company, Boeing International, and in the case study sections.

Choice of Methodology

This research project is conducted mainly by qualitative research methods, supported by analysis of secondary data such as previous empirical studies on the subject, peer-reviewed journal articles, case studies, the official website of COSO, etc. The reasons for choosing a qualitative rather than a quantitative research method stem from four considerations:

  1. the nature of the research project;
  2. the scale of the project;
  3. the cost of carrying out the project and
  4. time limitation.

Further, this is a small-scale research project with a very short time frame (about two to three months), so there will not be adequate manpower or time to perform quantitative research methods, such as conducting a survey to collect primary data for statistical analysis.

Since this project is not funded, carrying out a survey would involve further expenses such as designing, printing, mailing, delivering and collecting the questionnaires.

Last but not least, it would be more time-consuming to gather a sufficient number of qualified questionnaires and to scrutinise the large volume of data from the returned questionnaires.

In conclusion, indicative in-depth case study research provides “a means of generalising about processes managers get involved in” (Watson, 1994, p.7) where generalisation comes from the theoretical developments enabled by the study (Yin, 1994).


Application of Methodology

This research emphasises that ERM is an indispensable tool for controlling risks, as evidenced by corporate failures such as Cendant, Enron and WorldCom. Further, recent regulation such as corporate governance codes and SOX places more emphasis on internal controls to control and manage risk. The risk mitigation process as set out by ISO and by COSO's integrated ERM framework is discussed and deliberated in detail in this research.

The main strength of this research is its case studies on ERM, which clearly establish how ERM helps to control, manage and mitigate risk in a business organisation. Case studies on Wal-Mart, Split Rock Energy, United Illuminating Company, FirstEnergy and Boeing demonstrate how ERM helps in identifying and managing risks. Further, this research also deliberates in detail on how ERM helps to mitigate risks in the information technology and banking industries.

This research also deliberates on why ERM fails in certain cases and suggests ways and means to avoid such failures.

To conclude, the case studies discussed in this research offer excellent insight into the function of ERM in business and into how businesses have used ERM tools to identify, define, manage and control risks.


From the above case studies, I have shown that ERM does help to minimise the losses and maximise the revenue of a business.

At Wal-Mart, ERM is not considered a nirvana process, but it has helped the company to recognise and focus on the risks that are most vital to address. Further, Wal-Mart is planning to implement ERM at a global level in the coming years. It is clear from the above case studies that ERM plays a key role in mitigating risk: it helped FirstEnergy avoid unnecessary and superfluous cost; it enabled Split Rock Energy to recover a substantial amount from Enron before its collapse, which is clear evidence of risk mitigation; and it enabled United Illuminating Company to manage an unexpected blackout. These case studies corroborate that ERM is an indispensable process for increasing shareholder value in any company, and that it has to be introduced and managed efficiently to reap the greatest benefit.

Discussion and Recommendations

What are the ERM Frameworks and latest developments in this area?

COSO's framework helps businesses to assess their internal control framework and improve their internal control systems. These frameworks have been integrated into strategies, rules and regulations and are used to strengthen control activities as companies move toward their defined goals. The ERM framework offers key principles and concepts, a common language, and clear direction, and it has become increasingly persuasive.

COSO's internal control framework standards are intended to satisfy the Sarbanes-Oxley Act's stipulation of maintaining adequate internal control, to enable auditors to perform their duties unencumbered, and to certify that a company's internal control framework is effective and reliable. COSO's framework has been acknowledged as a satisfactory framework for mandatory reporting requirements. Further, the structure of COSO's internal control framework also satisfies corporate internal control requirements and moves toward a complete risk management method. COSO's framework states that a business entity's goals can be viewed in four categories, namely:

  1. strategic
  2. processes
  3. exposure and
  4. observance.

Further, there are eight ingredients of COSO's internal control framework, and they are interrelated:

  1. Internal atmosphere
  2. Determination of objectives
  3. Recognition of events
  4. Identification of events
  5. Assessment of risks
  6. Responses to risks
  7. Initiation of control measures
  8. Dissemination of information
  9. Supervision
  10. Introduction of vibrant internal control measures.

The latest development in the area of COSO's framework is that many corporations have introduced the framework in full or in part, or are in the process of implementing it soon. There is now increased awareness among companies of the need to strengthen their internal control framework, and many companies have created a separate risk management and control department, along with a post named “Chief Risk Officer” (CRO), mainly to minimise risk and losses.

A survey conducted by the IIA Research Foundation in 2005 indicates that companies are paying more attention to identifying risks, making suggestions for risk control activities, and supervising ERM strategies effectively. Many feel that ERM has brought new knowledge, skills and settings that have broadened their mix of services, enabled companies to manage with adequate resources, and given internal auditors a better operational understanding.

International Best Practices and ERM

The latest guidelines on COSO's internal audit framework reveal that internal audit plays a pivotal role in the identification and evaluation of risks. Hence, internal auditors currently contribute much to ERM process implementation and help add value to the implementation of ERM in organisations. A study established that in companies such as Wal-Mart Stores Inc, General Motors Corp, FirstEnergy Corp, Canada Post Corp and Unocal Corp, which represent a divergent spectrum of industries, internal audit played a vital role in their ERM efforts. The CRO at GM regarded ERM as a crusade to maximise shareholder value.

At Unocal, ERM enabled departments to understand the company's risk profile and to measure the extent to which risks were being controlled. At Wal-Mart, managers were able to manage their departments more effectively through optimal use of their ERM resources. Canada Post engaged almost 43 internal auditors and issued more than 90 audit reports to manage its risks.

Risk Management

Is Risk Management necessary?

In the earlier chapters, the introduction and the literature review, I have demonstrated that ERM does play a key role in an organisation's success.

In this chapter, I wish to elaborate on the definition of risk management in general.

Risk has been defined as either “pure or speculative” or “accidental”. Pure or speculative risks are those for which the prospect of financial profit exists alongside the prospect of loss. For instance, in stock market speculation there are chances to make money and also the risk of losing money due to stock market volatility. Accidental or fortuitous risks are those that offer the risk taker no prospect of operational or financial gain; they are normally associated with insurance risks, and for these risks the chance of loss can normally be ascertained and an associated cost transferred to a third party.

Risk managers have recognised that within a business, risk has been identified and managed in ‘functional silos.’ A corporate risk manager usually handles hazard risks; the treasury manager handles treasury-related risks such as foreign exchange risk or hedging risks; the Chief Financial Officer handles market risks and capital acquisition risk; the risks arising in the day-to-day operations of a company are managed by the Chief Operating Officer or line managers; and employee-related risks are handled by the human resources manager.

The customary forms of risk management have lost their significance because of the speed of operations, the financial accuracy required, and the dexterity demanded in management decisions. Any mismanagement of risk may place the business in peril of extinction. The traditional methods of handling risk have become obsolete as a number of new market conditions have emerged.

  • Maximising shareholder value has now become the major focus of companies. Companies with large institutional shareholders have started to realign their organisational and financial priorities to deliver as much revenue to their shareholders as possible. It is evident from the North American stock market that companies which have not realigned their business priorities have been penalised with sharp declines in their stock price.
  • ERM represents a device to recognise, categorise and gauge the volatility of risk from its point of origin, and it helps to explain which capital solutions should be deployed (Carroll 2001:160).

The prime focus on maximising shareholder value will compel markets to find new ways to deploy risk as part of a company's competitive differentiation. Risk is no longer perceived as bad; it has become part of a company's competitive landscape.

If a company really wants to thrive in a competitive scenario, it has to acquire complete knowledge of its risks and must be able to control risk as part of its business strategy (Risk management handbook for health care organisation 160).

Internal Control –A Definition

In the banking industry, new risk capital regulation, namely Basel II, is playing a pivotal role in risk mitigation. Basel II is an accord which requires banks to set aside a portion of their capital in a separate reserve to cover predefined risks, including not only market and credit risk but also their operational risk.

Corporate Failures

Sydney Finkelstein of Dartmouth's Tuck School of Business studied about 51 companies that had collapsed, sustaining losses of hundreds of millions of dollars, with some forced to file for bankruptcy. The companies taken up for the research came from all industries, from Johnson & Johnson to Samsung and from the Boston Red Sox to Motorola.

In his research study of corporate failures, Finkelstein categorised failed companies into four categories:

  1. Breakdowns of new business.
  2. Failures due to change and innovation.
  3. Breakdowns due to merger and acquisitions.
  4. Failures due to collapses of plans.

He also described the causes of corporate failures, including the hallucination of a dream company, having a wrong vision, following the footprints of lost signals, and engaging in bad habits.

Finkelstein researched three companies, namely Motorola, Rubbermaid and Johnson & Johnson, which suffered heavy losses not because they did something wrong but because of their failure to do certain things. They remained dormant and never tried to adapt to changing technologies. These companies failed to take cognisance of competitive challenges and ever-changing customer preferences, and consequently failed to respond to these changes.

Johnson & Johnson was once the market leader in the stent used in angioplasty, which replaced the need for cardiac surgeons. However, despite heavy demand, Johnson & Johnson failed to make improvements to its product, and it was also blamed for a price-gouging strategy, as it was very rigid in pricing the product and declined to offer discounts for bulk orders. Taking advantage of Johnson & Johnson's failure to take competitor risk into account, Guidant, a European company, penetrated the U.S. market by heeding customers' wishes and captured about 70% of Johnson & Johnson's market in the U.S. alone.

Motorola, a manufacturer of walkie-talkies, televisions and space programs, introduced pagers and cell phones to the market for the first time and held about 60% of the cell phone market in 1994.

Motorola preferred to stay with analog technology, whereas wireless carriers wanted Motorola to switch to digital. Though Motorola owned some patents on wireless technology, it was more interested in licensing them to competitors such as Ericsson and Nokia. Motorola was happy with the royalties it received but never took cognisance of the ever-increasing digital market. Motorola's lack of vision, its impassiveness, and its failure to realise that technology was changing ultimately led it to lose its market share to its competitors.

In Rubbermaid's case, the company failed to react to changes in distribution channel technology in time. When it did respond, it was too late. Rubbermaid then introduced crash programs to manage the change, but after years of inaction these never yielded positive results.

Finkelstein's examination of the above three companies and their inability to visualise and adapt to changing scenarios holds lessons for any organisation. If a company does not identify its risks, prioritise them and initiate corrective actions in time, it will no doubt end up filing for bankruptcy under Chapter 11 later on.

Thus, the failure of these companies may be attributed to their inertia and wooden-headedness, harping on preconceived fixed ideas while rejecting or neglecting any contrary signs (Fletcher 2007:44).

Corporate Scam

Cendant, a franchiser of hotel chains (Travelodge, Ramada Inn and Howard Johnson), real estate agencies and car rental agencies, merged with a company called CUC International, whose business was selling memberships in discount shopping clubs. CUC was later found to have systematically overestimated the revenues to be gained from its new members.

The Cendant scandal involved inflated earnings and the improper use of reserves. It centred on reporting inflated earnings to the SEC and the investing public, mainly to manipulate the stock price artificially. The modus operandi of the fraud was to fraudulently increase the earnings of Cendant Membership Services Inc (CMS), which in turn fraudulently inflated the earnings of Cendant as reported to the SEC (Securities and Exchange Commission) and to investors, thereby artificially raising the price of Cendant stock. CUC International, Inc (CUC) stock, whose price had been artificially increased in this way, was then used as consideration to pay for CUC's acquisitions of other companies.

Further, by exploiting the artificially inflated price of CUC stock, CUC deceitfully raised its earnings reports and dishonestly manipulated CUC's future earnings estimates, mainly to induce HFS Inc (HFS) and its investors to merge with CUC.

Cendant's top executives, whether out of greed or out of extreme anxiety, used accounting fraud to fabricate imaginary revenues or sales figures, mainly to inflate earnings, over a period of years. Because of the top executives' greed, the real losers were the shareholders, who lost billions of dollars when Cendant stock plummeted.

On April 15, 1998, company officials detected a serious accounting fraud in its main membership-club operations that would compel them to reduce the already reported operating income for 1997 by $100 million or more, and this also affected Cendant's earnings in 1998. The most important issue at hand was the method the CUC unit adopted in accounting for its club-membership revenues. It was found that excess revenue was reported upfront, while the accounting of expenses related to the memberships was deferred to future accounting periods.

Following this press announcement, the Cendant stock price plummeted the next day from $36 to $19.06, as a whopping 108 million shares were traded on that day alone against a normal trading volume of 4 million shares per day. The disaster did not stop there for Cendant stockholders. On July 14, 1998, the company released a second piece of outrageous news to the market: to meet Wall Street's earnings expectations, CUC had booked non-existent revenue of $300 million over the past three accounting periods.

It is perplexing to note how Ernst & Young LLP, auditors of CUC, issued unprofessional audit opinions for the accounting periods concerned. In defending their position, Ernst & Young LLP maintained that “Revenue recognition is an intricate matter. Book keeping is a fine art. Accounting principles are prone to elucidation.” In the Cendant scam, fraudulent accounting and misreporting of earnings were carried out with the connivance of auditors who failed to detect the fraud and failed to foresee in advance the risk that Cendant was facing.


Lack of internal controls may lead to corporate failures, as happened in the Enron and WorldCom cases. If no internal controls are in place, fraud and poor management decisions may follow.

In scandals such as Enron, WorldCom and Cendant, it was evident that top management had overridden internal controls and engaged in offensive conduct. Fraudulent activities were possible because internal controls were not robust and no one was supervising the actions of the top executives. However, in the post-Enron era this has been reduced, as SOX section 404 requires certification of internal controls. For companies listed on the New York Stock Exchange, the audit committees have to certify that the company does have risk evaluation and risk management, including for risks beyond financial reporting.

In the post-Enron period, new internal controls have been introduced extensively, and constant supervision is applied to verify whether the internal controls are really being observed.

Non-reporting of off-balance-sheet items and contingent liabilities may later cause a drain on the financial position of the company, and a recent example of this is the Enron scandal. Because of this, the Sarbanes-Oxley Act in the U.S. now requires the reporting of all off-balance-sheet transactions that will affect the financial position of the company in the near future.

The technique of keeping amounts off the balance sheet is to form a related entity to incur the debt while maintaining an ownership interest in the entity such that it does not have to be consolidated into the parent's financial statements; this was one of the devices Enron used to disguise its true financial condition.

WorldCom also had a corporate culture in which the company was run by top management without checks and balances. Internal controls were effectively absent at WorldCom. Top management engaged in unethical activities and was not held responsible for its actions. The accounting practices pursued by WorldCom enabled top management to manoeuvre earnings to match Wall Street's expectations.

Thus, there is clear evidence that where internal controls are absent, corporate fraud is perpetrated on a large scale. Hence, an effective ERM can put a stop to such corporate scandals.

Corporate Governance

Corporate governance is the process by which a corporation implements proficient decision making and appropriate resource allocation and engages in strategic planning. It concentrates on how objectives are set and attained, how risk is monitored and evaluated, and how performance is maximised.

Corporate governance helps corporations to create value through innovation, to provide accountability, and to implement a proper control system to quantify the risk involved.

Corporate governance has become more relevant in determining the cost of capital in a global capital market. It must be evolutionary and responsive to the information requirements of local and international investors.

Most definitions of corporate governance refer mainly to the following:

  • The mechanism by which companies are controlled and directed, and
  • The mechanism by which those who control and direct a company are supervised.

Fundamentals of Corporate Governance

  • The functions of the management and the board are clearly defined.
  • The board is vested with a balance of skills and independence.
  • More emphasis is placed on the honesty of decision makers about the corporation's plans and financial performance.
  • Investors are informed periodically of important developments in the corporation's financial activity, which enhances the integrity of corporate reporting.
  • All material factors are reported in time and with a mature outlook.
  • Shareholders' rights are clearly acknowledged and honoured.
  • Business decisions carrying inherent risk and uncertainty are handled with proper internal control.
  • To cope with the modern risks of business, formal mechanisms are introduced to enhance the board's and management's effectiveness.
  • A proper reward system is designed to attract the skills required to achieve the results anticipated by shareholders.
  • Good governance takes care of the interests of all stakeholders.

The main salient features of corporate governance codes are:

  1. It is the way of governing the exercise of economic power by the corporate sector.
  2. The Board of Directors of a corporation has inherent managerial and supervisory functions.
  3. It ensures a demarcation between managerial and supervisory roles, including separation of the offices of Chairman and CEO, the appointment of independent directors, and the formation of board committees for remuneration, audit, share transfer, etc.
  4. Major corporate governance codes deal with disclosures to shareholders, particularly directors' remuneration, top executive remuneration, independence of directors, shareholding pattern, etc.

Thus corporate governance aims to maximise shareholder wealth and protect shareholders' interests. While good corporate governance helps to instil confidence in investors, grave governance deficiencies may cause investors to shun the shares of individual companies, a section of the market, or even national capital markets.

Comparison between Corporate Governance and Corporate Responsibilities

The recent scandals in the US such as Enron, WorldCom and Adelphia have compelled governments across the world to promulgate enhanced legislation and improved corporate codes, and corporate boards have been “re-balanced” to include more independent directors.

Corporate responsibility is the extension of governance beyond simple compliance to embrace wider social values. A recent survey finds that more business leaders and corporate investors are now factoring corporate responsibility into their decision-making process.

Thus, corporate responsibility has become a vital, pivotal consideration in investment decisions. Further, it is revealed that corporate responsibility can augment the corporate bottom line and yield intangible advantages such as brand enhancement and better staff morale, but it also has disadvantages, such as unproven business benefits and the high cost involved.

But full compliance by corporations is not possible unless an adequate enforcement mechanism exists. Hence government support is needed for mandatory enforcement in their securities markets.

Corporate Governance in USA

In the US, in addition to annual and quarterly financial reports, a listed company has to file periodic reports on material ‘off-balance-sheet’ transactions. Further, it requires personal certification by the CEO or CFO that the reports do not include any untrue statements or material omissions, and the reporting of changes in ownership status.

Under US governance codes, a stringent and rigid set of prohibitions is placed on external auditors and audit functions, in line with the US ‘rules-based approach’.

Under SOX, the CEO or CFO has to certify that they have reviewed the relevant financial report, that it is not misleading and contains no untrue information, and that adequate internal controls exist.

The recent corporate scandals have diluted the confidence of stakeholders and creditors in the corporate form of business. Hence companies have now started to manage risks across the whole enterprise and have engaged in integrating corporate governance with enterprise risk management (ERM). Business objectives and business risks are now being correlated, since risk taking is a precondition for the success of any business: a business that assumes no risks may fail to maximise its revenues, so certain risks have to be undertaken to reap the benefits of tactical opportunities. Risk management also involves mitigating the risks that hamper the success of a business, namely failure to attain business objectives and misappropriation of business assets.

ERM is a controlled and disciplined approach that helps a business to become aware of and manage its business risks, covering all risks in a holistic and structured manner. The board of directors of a company pursues corporate governance to offer direction, authority and oversight of management's activities for the benefit of the company's investors.

It is to be noted that although the board of directors assumes overall responsibility for the implementation of corporate governance, it is not directly accountable for risk management in the business. A committee of the board oversees the corporate governance aspect of the company.

Although the board of directors is not held responsible for the management of risk, the corporate governance committee of the board contributes considerably to effective ERM. The board should engage itself in ERM practice by offering guidance, authority and vision (Reding 2004).

While integrating corporate governance with the ERM of a business, directors should pay attention to the following:

  • Offer their expertise and evaluation to the strategic planning process.
  • Clarify and communicate thresholds of risk tolerance to top management to channel management's decisions.
  • Grant authority to top management personnel to control risks within the outlined tolerance scales.
  • Supervise the operation of the company's risk management method and oversee its procedures to make sure that it functions efficiently in the best interest of investors; and
  • Make sure that management's performance indicators are linked to key risks and are correctly associated with investor value.

It is to be noted that the corporate governance process is overseen by the board, whereas ERM is overseen by management. Thus the senior management of the company is assigned the responsibility to design and introduce a streamlined and disciplined approach to controlling risks. Under the superintendence of top management, risk managers conceive, introduce, execute and oversee risk management activities and capabilities.

A risk committee at the executive level can contribute to valuable corporate governance by guiding and supervising ERM activities on a daily basis and overseeing the company's risk management activities and decisions.

Further, auditors can educate management about risks and controls, help to run risk and control self-assessment workshops, give recommendations for the improvement of the ERM process and offer other consulting services on ERM. For instance, at JP Morgan Chase & Co and at Agricore United, risk management performance is reported to the respective board committees by a senior management committee.

The following is the specific ERM and corporate governance information that top management should bring to the notice of the company's board of directors.

In some companies, multiple risk and performance results are considered when deciding ERM performance and communication decisions. This method assesses probable results and measures, board-level and top management tolerance, and communication thresholds within six performance result categories, namely reputation, legal and regulatory, strategic, financial, asset safeguarding and people.

Top management should communicate the following corporate governance and ERM governance information to the board:

  • The initiatives management has taken to create a vigorous ethical culture, to administer a prominent code of conduct and to deal with infringements as they happen.
  • The strategic goals and the road map for attaining them, as explained by top officials.
  • The prominent risks that hamper the business's capability to attain its strategic goals,
  • The initiatives which management has implemented or will implement to control these risks, and
  • A detailed account of the performance results of ERM.

For an efficient corporate governance and ERM policy, the company's policy statement should be properly communicated to the lower levels by top officials. For instance, at FirstEnergy Corporation, the risk control technique sets out the corporation's "charter" for ERM. FirstEnergy Corporation's ERM consists of seven significant sections, namely risk recognition and description, risk administration practices, overseeing and reporting, communication and education, risk administration philosophy and risk management doctrines.

For companies listed on the New York Stock Exchange, the listing agreement requires the audit committee to deliberate policies in connection with risk management and risk assessment. The audit committees of these companies should also deliberate major financial risk exposures and the measures management will initiate to supervise and manage such exposures.

Under section 404 of the Sarbanes-Oxley Act, a company should introduce risk management procedures around disclosure controls and policies and internal controls over financial reporting.

Federal sentencing rules demand that a company carry out ongoing risk assessments to establish a foundation for the continued enhancement of its compliance programs.

In this chapter, I have discussed why risk management is necessary and why risks have to be classified. Further, in this chapter I have stressed that internal controls are like oxygen for any business and that without them no business can survive. Internal controls help to prevent losses and control risks in the business. Hence it is the duty of the business to identify such risks, classify them, introduce control measures and monitor them continuously. I have explained in detail the reasons for the failure of big corporations like Cendant, Enron and WorldCom and the need for the introduction of ERM to control risks.

I have also explained in detail the origin of corporate governance in the U.S.A. and how business is now compelled to introduce ERM through SOX guidelines. This will no doubt prevent corporate failures in future, and no Enron or WorldCom situation will rear its head again due to the introduction of strong internal controls.

Enterprise Risk Management

In the earlier chapter, I discussed risk management in detail and also explained, by citing case studies on the subject, that the absence of internal control in an organisation may lead to corporate failure. In this chapter, I wish to explain in detail ERM, its evolution, COSO's integrated framework, COSO's internal control framework and ISO's risk management standards.

Enterprise Risk Management - Risk Classifications

Market Risk

A risk that exists externally to a business and that may have a negative impact on its capital value or stock value is known as market risk. It includes the entry of a competitor, political risk, changes in tax rates or unanticipated regulations, both foreign and domestic.

Operational Risk

This relates to a hazard or risk that subsists within a business's production process or value chain and that, if left unattended, can weaken a company's capital or stock value.

Reputational Risk

This risk pertains to the brand of a company. It includes poor product design or product tampering that ends in a depletion of market or public confidence. For instance, public opinion of health care has declined over past periods and continues to deplete, especially in the area of financial and managed care incentives (Carroll 161).

ISO on risk management

ISO, established in 1987, was the first effort to develop an international standard to assist companies and other business institutions to measure and oversee their quality initiatives. ISO is a document-based process which asks companies to tap employees to perform as internal auditors, to evaluate work procedures and to jointly formulate a quality manual and corrective action procedures. The ISO standards are 'generic management system standards'; generic connotes that these standards can be used by any business organisation, whether giant, big or small, including the service industry. ISO 9000 and ISO 14000 are the most famous and widely recognised standards.

These standards have been adopted by more than 620,000 organisations in about 160 countries around the globe. ISO 14000 is the standard that helps to meet environmental challenges, whereas ISO 9000 is the standard that helps to meet quality management compliance (Brenner 2001).

ISO plays a key role in the contemporary business world and has been accepted as a benchmark for environmental responsiveness and quality control. A company with the ISO mark is said to have a proven and accepted code of best practice.

Many of us are unaware that there exist ISO standards which are starting to play a more vital role in the risk management arena. These are 'the code of practice for information security management' (ISO 17799) and the requirements for an information security management system (ISO 27001) respectively. It is to be noted that there is a close association between risk management and information security, and these standards strengthen that relationship.

ISO 17799 is a set of guidelines that may be used in fostering an information security management system. These guidelines are internationally acknowledged as one of the industry's best-practice baselines. No certification is available for ISO 17799, as it is only a set of guidelines that can be used to help ensure observance and successful implementation of the ISO 27001 specification.

Certification to ISO 27001 will offer the business a vigorous set of IT-related controls that will assist in meeting the requirements of many regulatory standards. ISO 27001 takes a technology-agnostic approach. It is surprising to note that no new technology, or even a computer, is needed to obtain ISO 27001 certification.

ISO 27001 requires only the apt choice of IT-related controls and an execution of those controls in a manner that gives them vigour. This is why the standard fits so tightly into the risk management sector: in ISO 27001, the evaluation, administration and treatment of risk are integrated throughout the whole process.

ISO 27001 also mandates the control of records and documentation, which will assist in achieving compliance with other regulatory standards. Risk managers have to use a set of documents covering risk identification, risk evaluation, risk treatment and other overall documented procedures.

It is to be noted that businesses often see risk and security issues as technical rather than management issues, which carry high costs but little return. Further, ISO certification is a voluntary standard, as opposed to other regulatory standards which are mandatory. Many organisations exhibit a reactive approach to security and risk management and frequently initiate actions only after a problem has occurred.

However, ISO 27001 offers a third-party guarantee that the organisation is concerned about information security and is serious about controlling the related risks. ISO 27001 certification also offers assurance to compliance auditors that the organisation has a system for mitigating risks and maintaining records and documents, minimising the time and cost spent on audit. ISO 27001 helps in offering an exhaustive and structured approach to risk and security management which assures that the business has the right personnel, technology and processes in place to match its business model.

ISO 27001 offers a structure that meets the majority of the common regulatory requirements currently in use. This certification not only offers embedded accountability but also demonstrates that the organisation is committed to the security of its business and is hence capable of safeguarding confidential customer information.

Further, the ISO 27001 standard is identical in structure to ISO 9001 and ISO 14001 and acts as a complement to the objectives which those standards try to accomplish. It also offers a valuable marketing edge, especially for businesses venturing across international borders.

ISO 27001 certification offers objective corroboration by a neutral certifying agency that the organisation is cautious in undertaking due diligence. This offers peace of mind to business partners, clients, shareholders and vendors. Further, this certification offers a competitive benefit and eases audits by other regulatory bodies (Brenner 2001).

ISO 31000 is a new standard dealing with ERM which is likely to be published in the first quarter of 2009. It will be valuable in making sure that the ERM process adds significance to one's organisation by assisting with the introduction of the most up-to-date and paramount global risk management procedures.

COSO Integrated ERM Framework and Corporate Governance - Background

COSO was established in 1985 as an independent body, initiated by the private sector mainly to research the causal factors that can lead to fraudulent financial reporting and to support the National Commission on Fraudulent Financial Reporting. COSO also framed recommendations for the SEC, for public companies and their independent auditors, for educational institutions and for other regulators. The five leading professional institutions jointly sponsored the National Commission.

Its governing body consisted not only of representatives from the above sponsoring institutions but also of representatives from public accounting, industry, the New York Stock Exchange and investment firms.

COSO published its Enterprise Risk Management Framework in 2004, which contains eight components of enterprise risk management, as given below:

Internal Environment

This section covers the function that the board of directors plays in instituting a risk management and governance philosophy. The doctrine of risk appetite is also explained under this component. Risk appetite is a vital element in governance and in the ERM agenda, since it is the foundation stone of the risk tolerance instructions offered by the board to top management and by top management to operating management.

Setting of objectives

This section refers to appreciating and communicating a corporation's risk appetite when establishing and articulating business goals.

Risk Response

This component contains the notion that management may have varied options for responding to risk. Top management should articulate the choice it has selected to the board to assist directors in performing their governance supervision duties.

Information and communication

The multifaceted communication within the governance and ERM structure forms the vital bridges between the different units within the structure.

Monitoring

It is the responsibility of the board of directors to oversee how efficiently management accomplishes the governance procedures that the board frames. Monitoring activity in the company must take place both at the transaction and activity level and at the enterprise level to cater to the board's requirements. It is to be observed that success lies in the alignment of corporate governance with risk management.

Key players such as directors, risk owners, top executives and both internal and external auditors should be aware that governance and ERM processes must progress continuously. If there is an overlap between governance and ERM processes in their articulation and response levels, naturally one procedure will influence the other. Hence all players have distinct roles to play as they strive to integrate their corporation's governance more rapidly with its ERM procedures (Reding 2004).

Table 2: ERM and Corporate Governance.

Who is responsible for what in a company's corporate governance and ERM?

  • Board of Directors. Leading role in corporate governance: offers risk management direction, authority and oversight to top management. Risk management responsibility: No.
  • Top Management. Leading role in corporate governance: holds the major accountability for ERM; assigns risk management authority and spells out risk tolerance limits to risk owners. Risk management responsibility: Yes.
  • Risk Owners. Leading role in corporate governance: delegate explicit risk management authority and risk tolerance limits to other employees; report ERM strategies and performance outcomes to top management. Risk management responsibility: Yes.
  • External and Internal Auditors. Leading role in corporate governance: offer independent objectives and assurance to top management and the board of directors about the efficacy of risk administration, management and governance procedures. Risk management responsibility: No.

Source: (Reding 2004).

Table 3: ERM Measurement.

Financial results and measurement of Enterprise Risk Management (category: Financial)

  • Potential result: gross earnings, net earnings or revenues before income taxes are below thresholds. Potential measures: price/earnings ratio, earnings per share and other financial ratios.
  • Potential result: depressed cash flow / liquidity concerns. Potential measures: cash forecasting techniques, liquidity ratios.
  • Potential result: insufficient / misleading disclosures. Potential measures: SEC (Securities and Exchange Commission) enquiries or enquiries from other statutory bodies.
  • Potential result: deficient return on investment against permissible regulatory earnings. Potential measures: return on investment or return on assets ratios.
  • Potential result: inadequacy of capital that hampers growth. Potential measure: cost of capital.
  • Potential result: inappropriate use of capital. Potential measure: capital and return on investment ratio.

ERM - Integrated Framework (2004)

COSO issued the ERM - Integrated Framework (2004) guidelines to assist businesses in devising and carrying out efficient enterprise-wide approaches to managing risk. The framework delineates critical enterprise risk management elements, defines vital ERM doctrines and concepts, recommends a common ERM language and offers clear direction and assistance for effective ERM. It not only initiates an enterprise-wide approach to risk management but also introduces new concepts like risk tolerance, risk appetite and the portfolio approach. The framework is widely used by companies around the globe to structure and introduce efficient ERM processes.

COSO's guidelines are mainly intended to assist businesses and other stakeholders in evaluating and improving their internal control systems. COSO's framework has been integrated into rules, policies and regulations and is widely utilised by companies to manage their business activities as they move toward the achievement of their recognised goals.

Due to recent corporate scandals and failures, there has been increased focus and worry on managing risk, and it has become obvious that a need exists for a healthy framework to efficiently recognise, evaluate and control risk. Earlier, in 2001, COSO launched a project and appointed PricewaterhouseCoopers to formulate a structure that would be readily employable by companies to assess and enhance their organisation's ERM.

Risk management has assumed more significance due to increasingly sophisticated business failures and scandals, which shattered the confidence of investors, regulators, company employees and other stakeholders as they suffered mammoth financial losses. As a result, there was a hue and cry to strengthen risk management and corporate governance in companies with stiff laws, listing standards and regulations. Hence it has become more compelling to have an enterprise risk management structure that provides vital concepts and principles, clear guidance and direction.

COSO is strongly of the opinion that the Enterprise Risk Management - Integrated Framework plugs this loophole and anticipates that it will become more widely acknowledged by organisations and companies, all vested parties and stakeholders.

To check corporate frauds and failures, the Sarbanes-Oxley Act of 2002 was introduced in the U.S.A. mainly to maximise the internal controls by which organisations manage risks. Analogous legislation was enacted in other parts of the world. The Sarbanes-Oxley Act extends the long-standing requirement for public companies to sustain internal systems of control, demanding that management vouch for, and the independent auditor certify, the efficacy of those systems.

Further, it specifies that the Sarbanes-Oxley Act of 2002 extends such obligations to the annual reports of all publicly traded companies, as required by sections 13(a) and 15(a) of the Securities Exchange Act of 1934.

An enterprise's objectives can be classified into the following four categories:

  • Planning or Strategic
  • Process or Operation
  • Detailing or Reporting
  • Observance or Compliance

ERM includes the following:

Integrating risk appetite and strategy

Management considers the business's risk appetite in assessing strategic alternatives, framing related objectives and developing mechanisms to control related risks.

Improving risk response decisions

ERM offers the rigour to recognise and select among varying risk responses, namely risk reduction, risk avoidance, risk acceptance and risk sharing.

Minimising operational losses and surprises

Business entities gain an increased capability to identify potential incidents and establish responses, minimising surprises and associated losses or costs.

Recognising and controlling cross-enterprise and multiple risks

Every business entity faces varied types of risks influencing different divisions of the organisation, and ERM helps it respond efficiently to the integrated impacts of varied risks with interrelated responses.

Grasping opportunities

By recognising a full variety of potential incidents, a business is positioned to recognise and proactively realise opportunities.

The following eight components of the COSO Integrated Framework are interrelated with each other:

Internal Environment

The business defines risk and its management. Both expected and unexpected events are given recognition. This component also formulates the organisation's risk culture and analyses in depth how various actions may impact that culture.

Goal setting

Strategies are identified and the various aspects of the entity's risk appetite are discussed. The quantum of risk that the board and management are willing to accept is defined. The risk tolerance level, the permissible degree of variation from goals, is aligned with risk appetite.

Event identification

Opportunities and risks are differentiated; events that may have a negative effect represent risks. This process recognises those events, occurring internally or externally, which could impact strategy and the attainment of goals. It also addresses how external and internal issues combine and act together to shape the risk profile.

Assessment of Risk

Under this process, the business understands the degree to which probable incidents might affect its goals. The business evaluates risks from two angles, namely their effect (impact) and their likelihood. Risk is assessed not only in itself but also in relation to the associated goals. Both quantitative and qualitative risk assessment techniques are employed.

Risk Response

Under this process, probable responses to risk are recognised and evaluated. The various choices are analysed in relation to the organisation's risk appetite, the cost versus the gains of each probable response, and the extent to which a response will reduce the impact and/or the probability. The business then chooses and performs responses based on an assessment of the range of risks and responses.
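Taken together, the goal-setting, assessment and response steps described above can be worked through as a small risk register. The following is an added example written for this page, not COSO's text or any company's register; the objective categories, tolerance limits, impact/likelihood scores and response costs are all constructed assumptions.

```python
"""
Worked illustration of three COSO ERM steps: objective setting with a risk
appetite per objective category, two-axis assessment (impact x likelihood),
and selection of a risk response (avoid, reduce, share, accept) that keeps
residual risk within that appetite. All data below is constructed sample data.
"""
from dataclasses import dataclass, field


# The framework's four objective categories. Each carries a tolerance limit:
# the highest score (impact x likelihood, both on a 1-5 scale) that the board
# is willing to carry in that category. Constructed values.
RISK_TOLERANCE = {
    "Strategic": 12,
    "Operations": 9,
    "Reporting": 6,     # tighter: financial reporting is SOX-relevant
    "Compliance": 4,
}


def score(impact, likelihood):
    """Two-axis assessment: impact and likelihood on a 1-5 scale each."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be integers from 1 to 5")
    return impact * likelihood


@dataclass
class Response:
    kind: str          # "avoid", "reduce", "share" or "accept"
    impact: int        # residual impact after the response is applied
    likelihood: int    # residual likelihood after the response is applied
    cost: float        # yearly cost of the response (constructed)


@dataclass
class Risk:
    name: str
    category: str
    impact: int        # inherent impact
    likelihood: int    # inherent likelihood
    options: list = field(default_factory=list)  # candidate responses


def choose_response(risk, tolerance=RISK_TOLERANCE):
    """Return (response kind, cost, residual score).

    Accepting the risk unchanged is allowed only when the inherent score is
    already within the category's tolerance. Otherwise the cheapest option
    whose residual score is within tolerance is chosen. If no option brings
    the risk within tolerance it is marked "escalate": the decision goes to
    the board, which owns the risk appetite, instead of being taken silently
    by management.
    """
    limit = tolerance[risk.category]
    inherent = score(risk.impact, risk.likelihood)
    if inherent <= limit:
        return ("accept", 0.0, inherent)
    feasible = [
        o for o in risk.options
        if o.kind != "accept" and score(o.impact, o.likelihood) <= limit
    ]
    if not feasible:
        return ("escalate", None, inherent)
    best = min(feasible, key=lambda o: o.cost)
    return (best.kind, best.cost, score(best.impact, best.likelihood))


def board_report(risks, tolerance=RISK_TOLERANCE):
    """Items the text says top management brings to the board: the prominent
    risks, the initiative chosen for each and the residual position.
    Sorted by inherent score, highest first."""
    rows = []
    for r in risks:
        kind, cost, residual = choose_response(r, tolerance)
        rows.append({
            "risk": r.name,
            "category": r.category,
            "inherent": score(r.impact, r.likelihood),
            "tolerance": tolerance[r.category],
            "response": kind,
            "cost": cost,
            "residual": residual,
        })
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


# Constructed sample register (hypothetical risks and figures).
SAMPLE_REGISTER = [
    Risk("Material misstatement in quarterly report", "Reporting", 5, 3, [
        Response("reduce", 5, 1, 80_000.0),    # add reconciliation and review controls
    ]),
    Risk("Sole-supplier disruption", "Operations", 4, 3, [
        Response("reduce", 2, 3, 150_000.0),   # qualify a second supplier
        Response("share", 2, 3, 40_000.0),     # business-interruption insurance
    ]),
    Risk("New competitor enters core market", "Strategic", 3, 4, []),
    Risk("Breach of data-protection regulation", "Compliance", 5, 2, [
        Response("reduce", 5, 1, 60_000.0),    # residual 5, still above tolerance 4
        Response("share", 4, 2, 25_000.0),     # residual 8, still above tolerance 4
    ]),
]


if __name__ == "__main__":
    for row in board_report(SAMPLE_REGISTER):
        print(row)
```

The compliance risk in the sample shows the failure mode worth handling: no available response brings it within the board's appetite, so the register flags it for escalation rather than letting management quietly accept it.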

Control activities

Control activities have to be carried out across the whole gamut of the organisation, in all functions and at all levels.

Reporting through communication and dissemination of information

Communication plays a significant role in both upward and downward reporting in the risk management of an organisation.

The governance and ERM information that the top officials of a business should communicate downward to control and manage risks includes:

  • A written code of conduct that communicates the corporation's ethical standards and precise rules of conduct;
  • Written risk management policies that articulate top management's risk management values, strategies, policies and procedures;
  • Risk management authority, tolerance limits and performance yardsticks for the individual risk takers in the company. For instance, at General Motors, managers communicate on the efficacy of their risk management initiatives.

The following information is to be communicated by risk managers to the top officials of the company on their risk management activities:

  • A written declaration of observance of the corporation's code of conduct.
  • Standard due diligence reports on ERM.

The business should recognise, collect and disseminate relevant information in a form and on a time schedule that enables employees to accomplish their responsibilities. Communication should flow in all directions: top-down, bottom-up and across the organisation.

Monitoring

The efficacy of the ERM elements is supervised through ongoing monitoring activities.

COSO Internal Control Framework

Based on the COSO internal control framework, certain countries have introduced regulations demanding that some companies report publicly on the efficacy of their internal control.

The proper introduction of monitoring can help in achieving the two objectives of enhancing internal control while minimising its cost.

Thus COSO's internal control guidelines can assist businesses in enhancing the efficiency and effectiveness of their internal control systems. The guidelines help businesses to maximise the value of monitoring and to improve monitoring in spheres where enhancement may be needed.

Further, the guidance offers practical guiding principles that demonstrate how monitoring can be introduced into a business's internal control methods.

In a nutshell, COSO's internal control guidelines will result in maximising the efficiency and effectiveness of operations, the dependability of financial reporting and observance of relevant regulations and laws.

COSO explains that the main goal of its internal control guidance is monitoring that provides assurance that internal control continues to operate effectively. Further, as an improvement on its 2004 guidelines, COSO issued 2006 guidelines that improve understanding by putting forward two interlinked principles:

  • Ongoing and/or separate evaluations enable management to determine whether the other elements of internal control continue to function over time.
  • Internal control deficiencies are identified and communicated in a timely way to those responsible for initiating corrective steps, and to the board or management as necessary.

The outcome of the initial evaluation should be a baseline understanding of the efficacy of controls, which can then be monitored going forward.

The COSO framework recognises that risks change over the years and that management needs to "decide whether the internal control system continues to be suitable and is able to address new risks". Hence monitoring should evaluate whether management reassesses the design of controls when risks change, and should check the continued operation of existing controls that have been structured to minimise risks to a tolerable level. This direction continues to stress COSO's belief that monitoring should rest on a basic evaluation of risks and an appreciation of how controls may or may not mitigate those risks.

COSO's Monitoring Process

Each of the above-mentioned five components of internal control explained in the COSO framework is vital to attaining the business's objectives. It is not necessary that each component perform perfectly: a defect in one element might be corrected by other controls, within that element or another, that are robust enough to minimise the risk of internal control failure to a tolerable level.

The monitoring process includes:

  1. Establishing a foundation for monitoring,
  2. Designing and implementing monitoring procedures that are prioritised on the basis of the nature of the risk, and
  3. Evaluating and reporting the results, including following up on remedial action wherever needed.

Design and organisational support form the foundation for the monitoring process, which includes:

  • a clear message from the top echelon about the significance of internal control, including monitoring;
  • an organisational structure that takes into account the roles of the board and management as regards monitoring, and the employment of evaluators with the necessary competence, authority and objectivity; and
  • an understanding of the baseline efficacy of internal control.

Monitoring Process

Establishing a foundation for monitoring

Message from the top echelons

The effectiveness of internal control relies on the confidence the board and management place in the significance of monitoring. Management's support and its tone will influence employees to participate and become actively involved in the monitoring process.

Active participation by the Board and the Management

Management has primary responsibility for the efficacy of a business's internal control system. Management establishes the system and sees that it operates continuously and efficiently. To provide a check on override by senior management, board-level monitoring has become inevitable.

Attributes of Evaluators

Evaluators should be objective and competent under any given scenario for conducting the monitoring. They should have precise knowledge of the controls and associated processes, be aware of how the controls operate and know how to identify a deficiency in a control process. Evaluators should act without bias and should have no vested interest in using the information for self-preservation or personal benefit.

Establishing the monitoring procedures

A monitoring process has to be designed and implemented that evaluates the significant controls over substantive risks to the business's goals. Devising the monitoring process requires knowledge and prioritisation of the risks to significant organisational goals. For instance, monitoring of controls that deter theft of supplies may be meaningful to a store manager but might not warrant the individual attention of the CEO (Chief Executive Officer). The risks are then prioritised and matched to the business's objectives. This prioritisation helps to decide the variety, timing and degree of monitoring.

Key controls are those on which the internal control system depends to operate effectively; their failure may affect business functions drastically. Monitoring should evaluate a sufficient quantity of reliable information, such as

  1. Key risk indicators
  2. Operating statistics
  3. Key performance indicators (KPIs)
  4. Comparative industry metrics

An evaluator may check whether the gross profit for a specific product has remained stable over the period and within budget. If there is a variance, the evaluator should establish its cause, analyse it, and identify the ways and means by which it can be improved.

The COSO internal control framework makes a significant point about building the monitoring process into the usual operations of a business:

“A business that identifies a requirement for recurrent and separate examinations should spotlight on means to increase its present monitoring process and thereby, to highlight ‘constructing in’ versus ‘adding on’ measures of control.”

An appropriately constructed and implemented monitoring process will

  1. provide credible information to the top layer of management on the effectiveness of the organisation's internal control system, and
  2. identify and communicate internal control deficiencies in a timely way to those accountable for initiating corrective action, and to the board and management as necessary.

This allows deficiencies to be controlled before they materially affect the attainment of business goals.

Every business should attend to the following in its approach to monitoring.

  • Monitoring is to be pursued proactively by building a fundamental awareness of internal control effectiveness.
  • The board has the responsibility to monitor internal control and to reduce the peril of management override.
  • An efficient internal audit function may support the board in its monitoring process.
  • The organisation has to identify and prioritise the risks that will be minimised by efficient internal controls.
  • Appropriate software such as ERP (Enterprise Resource Planning) systems may be used by organisations in their internal control and monitoring processes.

Global Application of ERM – Its Application in the U.K., Australia and Canada

It is significant to note that risk management standards were introduced first in Australia / New Zealand, then in Canada and only then in the U.K., all prior to the introduction of COSO ERM.

ERM Process in U.K.

The amended Combined Code in the U.K. now mandates that all directors provide entrepreneurial management of the company within a structure of effective and prudent controls that enable risk to be evaluated and controlled.

Corporate governance guidelines in the U.K. mandate the application of ERM in U.K. companies. Some companies try to integrate risk management and corporate governance by correlating top-down and bottom-up risk processes. ERM tools have been shown to help such companies attain major savings in their overhead costs.

The U.K. risk management standards have effectively established an ERM standard for the EU and for many countries around the globe beyond the United States. They have been transformed into a set of common standards for use by the EU and by other interested countries such as Saudi Arabia and China. These common British risk management standards have been developed and communicated through the international body, the Federation of European Risk Management Associations (FERMA).

ERM Guidelines in Australia and New Zealand

Australia and New Zealand were the first countries in the world to take a lead role in establishing standards on risk management, which have become a model for other countries to follow. Though Australia and New Zealand are two separate and independent countries, they often collaborate on common policies, standards and rules. As early as 1993, a project was launched to develop risk management standards for Australia and New Zealand, which were first published in 1995.

AS/NZS 4360:2004 is the risk management standard issued by Standards Australia, which offers a detailed guide for managing and controlling risk. The standard details the components of the risk management process but does not enforce uniformity of that process. Hence it may be termed generic, and it can be applied to any organisation irrespective of size, industry or economic sector.

The special features of the Australian / New Zealand standard are its holistic approach, which encompasses all risks and opportunities, can be extended to all risk scenarios and is applicable to all organisations. Further, it emphasises establishing a context for risk management and encourages a consultation process rather than merely communicating decisions.

The Australian guidelines offer constructive tools such as how to tabulate risks of varied categories, how to develop a risk treatment strategy and how to construct a Risk Register or Risk Information Library.

Risk Management Standard In Canada

Canada has its own national risk management standard, “Risk Management: Guidelines for Decision-Makers – A National Standard for Canada”, released by the CSA (Canadian Standards Association). The Canadian standard is a key background document for a Canadian Government directive on regulation.

The Canadian Standard (CSA 1997) is more concerned with the key decision-making process, namely risk evaluation. Further, the Canadian standard is relatively more centred on public policy than on operational and financial risks.

The Canadian Standard employs the term “risk communication” instead of “risk consultation” and does not specify that communication should always be two-way.

In 2002, the Canadian government introduced a very wide-ranging report, “Improving Government Capability to Handle Risk and Uncertainty”, which pioneered a number of initiatives that go beyond those included in the Canadian Standard (CSA 1997).


In this chapter, I have explained in detail the COSO ERM process, the ERM Integrated Framework (2004), the COSO internal control framework and COSO's monitoring process. I have emphasised that COSO's internal control guidelines will result in the maximisation of the efficiency and effectiveness of operations, the dependability of financial reporting and observance of relevant regulations and laws.

I strongly believe that COSO's Enterprise Risk Management Integrated Framework will plug all existing loopholes in the internal control system of a company and increase shareholder value by minimising losses and risks, and I anticipate that it will become more widely acknowledged by organisations and companies, all vested parties and stakeholders.

ERM in Practice – Industry Experience

In the last chapter, I made an exhaustive study of COSO's ERM and its application in other countries, namely the U.K., Australia and New Zealand, and Canada. In this chapter, I wish to corroborate the significance of ERM by means of four case studies on the subject.

Wal-Mart – Enterprise Risk Management – A Case Study

ERM was first introduced in Wal-Mart in 1990. Since Wal-Mart is a giant business organisation, ERM is an indispensable process for mitigating the many risks that the company faces. Wal-Mart's ERM centres on the following five processes.

  1. Risk recognition
  2. Risk alleviation
  3. Action scheduling
  4. Performance metrics
  5. Return on capital / shareholder value

Risk Identification

Under this process, a risk is recognised by means of a risk map whose x-axis denotes probability and whose y-axis denotes impact. The risk identification map helps to rank what are viewed as the company's significant risks. In Wal-Mart, a risk identification workshop is organised so that the senior leadership can judge which risks may prevent them from meeting their organisational goals. To clarify business risks, Wal-Mart's business goals are delineated, such as target sales, budgeted revenues and the opening of a given number of new branches, together with the objectives needed to achieve them. Risks are then categorised into external and internal risks. External risks include political, legal / regulatory and business environment risks. Internal risks include operational, financial, strategic and integrity risks, the last of which involve theft, fraud and embezzlement.

Next, the Wal-Mart leadership team is asked to identify the top five risks that they believe may hamper the attainment of business objectives. In this way about 21 to 30 risks are identified, and the workshop participants are again asked to prioritise them. On the basis of their findings, risks are identified and prioritised in Wal-Mart.

Risk Mitigation

In a risk mitigation workshop in Wal-Mart, the three to five most significant risks are elaborated further. The managers who will be affected by a particular risk are asked to participate and share their knowledge. For example, in the case of employee risks, the human resources, operations, legal and training departments are asked to identify the risk and to quantify it. Once the risk is identified, a project team is created in areas such as recruitment, training, development and retention.

One of the main aims of the risk mitigation workshop is to minimise the workload of the managers concerned. The risk mitigation team then surveys the existing procedures that address a specific risk. A questionnaire is given out asking about the purpose of these initiatives, how they are measured and how effective they are, and feedback is gathered. With the help of the feedback, the risk mitigation team identifies superfluous activities that can be eliminated.

Action scheduling

In this stage, a meeting is held to assign responsibilities. The team then works on the project for many months to achieve its aims.

Measurement of Performance

In this phase, the ERM team gauges whether the project plans are having a positive or a negative effect on the recognised risks. Performance is measured from the results achieved, and budgeted performance is compared against actual performance to show the trends over the period.

Return on capital / enhancing the value to shareholders

In this phase, performance is measured by whether the project has achieved an increase in sales or succeeded in minimising expenses.

In May 2003, Wal-Mart engaged an outside consultant, Craig Faris, to evaluate and assist the implementation of ERM in Wal-Mart. With Faris's help, Wal-Mart was able to segregate its risks into three further levels: corporate-level risks, with a focus on the international risk portfolio, and risks at the functional level.

Wal-Mart's country president in Canada reported that ERM assisted them in recognising clear deliverables associated with risk reduction. It helped the team remain focused on key risk areas, and ERM enabled them to relate the results of their action strategies to shareholder value and the bottom line.

In Wal-Mart, ERM is not considered a nirvana process, but it has helped them to recognise and focus on the risks that are most vital to address. Further, Wal-Mart is planning to implement ERM at a global level in the coming years and to introduce it in Puerto Rico, Germany, Korea and Argentina shortly.

According to Faris, once one understands the risk, it opens up new vistas for the business (William Atkinson 2004).

Split Rock Energy: A Case Study

Split Rock Energy (SRE) is a wholesale electrical-power marketer and trader in the U.S. Its mission is to serve its joint-venture partners by offering power at low cost, utilising generation assets to the maximum and enhancing access to energy markets in a deregulated environment. The company maintains an independent risk management committee to adhere to defined risk tolerances. Its method of gauging ERM performance rests on translating board policies into practice, leading the risk management committee and reporting back to the committee on the actions taken.

The independence of SRE's risk management committee is vital to SRE's ERM. SRE has delineated its corporate goals and missions to integrate with federal risk management requirements, thereby preparing to enter the Midwest Independent System Operator (MISO).

SRE regards ERM as the limitation of probable losses to predictable limits, so that its ERM meets defined risk tolerances. SRE has categorised its risks as portfolio risk, credit risk, risk monitoring and operational risk. ERM in SRE is concerned with managing the risk tolerances and preferences expressed by its customers.

In SRE, ERM has strong support from the board, and that support flows down throughout the whole organisation. SRE's ERM is designed as an independent forum with precise authority to introduce the programmes required to attain the board's declared risk tolerances.

ERM spreads its message through meetings, reports, social events and training in SRE. Further, ERM releases various reports periodically that act as a good tool for management in risk mitigation. These reports cover earnings at risk (EaR), value at risk (VaR), margin at risk, margin-to-margin (MtM), principal at risk (PaR), bad debt cost, credit risk and earnings quality.

The ERM risk policy covers credit risk, market risk, foreign exchange risk, liquidity risk, investment risk, operational risk and cash management risk.

In SRE, the functions of the risk management committee are to interpret and examine risk and to offer direction and recommendations on risk and policies. The functions of the ERM group are to interpret policy, to act and operate within the policy thresholds set, and to report back to the risk management committee for appraisal.

The main goal of ERM in SRE is to assist in solving problems as they occur and to ensure that information is exchanged with all stakeholders.

ERM has actually saved SRE money by avoiding risk. For instance, prior to its collapse, Enron was an SRE customer. The risk controls in place at SRE had identified Enron as a risk, and all collateral from Enron was cleared off the books. In the end, ERM saved SRE money, and trust in ERM has increased.

Even though ERM has been successful in SRE, it is yet to be integrated into SRE's overall business scorecard. This is because the board does not want to jeopardise the independence of ERM from the business. However, ERM offers feedback that helps in designing new strategies and plans for the business.

The lessons learned by SRE from ERM are as follows:

  • It is crucial to recognise risk well ahead by thinking early and to foresee risk beyond what modelling shows.
  • Explore new things and be ready for future events.

SRE's future objectives include achieving operational risk control and making recommendations for improvement. Its main aims include deterring all probable operational risks; standardising all contracts and discouraging non-standard flow charts so as to avoid all probable legal risk; and formulating credit-risk flow charts and performance metrics to deter all possible risks.

United Illuminating Company – A Case Study

United Illuminating Company (UI) is a regulated utility that offers electricity and energy-related services to residents of Connecticut. The company uses a continuous strategic planning method to attain strategic goals in the areas of operations, finance and capability. It employs a conventional organisational structure based on functions and is incorporating a transition to process-oriented management.

UI uses an uninterrupted strategic planning method to attain its strategic goals. Though these objectives are long-term, UI continuously evaluates and gauges progress in order to identify and close gaps, capture lessons learned and respond to changing business demands. UI's objectives can be divided into four categories: customer-related goals, financial goals, operational goals and capability aims.

Projects to attain these goals are identified through the strategic planning method, which includes risk identification and evaluation. Traditionally, UI managed risk on a project-by-project or case-by-case basis. In 2002, the UI audit committee discovered that there were several risk response categories in the organisation. In 2003, UI's internal audit function took control of the company's ERM and found that two recurrent findings highlighted the need for change.

  • Identification of risk and its management were still not happening across all divisions.
  • The strategy-setting method was not driving UI's ERM, and hence risks were not always addressed in alignment with the objectives and strategies of the business.

ERM was integrated into UI's “formulate strategic direction” programme in 2004. Employing a mixture of COSO and PMBOK principles, UI formulated its “managing risk” process. UI identified fourteen special risk areas, and the first phase of the rollout of “manage risk” was aimed at these areas.

Table 4: UI's fourteen special risk areas (risk area – associated risk)

Safety – Accident / injury
Security – Fire / crime
Business continuity – Interruption in business
IT disaster recovery – Widespread IT infrastructure damage
Storm recovery – Widespread ES infrastructure damage
Claims – Insurable risks
DPUC review officer – Increased customer complaints
Strategic planning – Opportunities and threats
Project management – Portfolio risks
Process improvement – Opportunities and threats
Environment – Pollution and pollutants
Records management – Access to / loss of UI records
Code of conduct – Reputation risks and fraud
Revenue integrity – Theft / billing of electric service

The annual ERA survey gives an overview of UI's recognised strategic risks and approaches. Further, UI has prioritised the risks according to their value. For instance, UI is presently constructing a new high-voltage transmission line; the risk impact was quantified before the project cost was approved. Since UI has to obtain regulatory approval to ensure 100 percent cost recovery, cost recovery is considered very crucial and is termed a key risk. The decision on how to mitigate that risk preceded the project's cost recovery.

UI was able to respond effectively to and control a 2003 blackout. UI's incident management team swung into action and managed the crisis smoothly even though this scenario had never been anticipated. In 2005, UI identified a 2007 reputation risk relating to the closure of power-supply contracts: UI's reputation was at risk because of pricing beyond UI's control. UI pursued a short- and long-term communication strategy to educate consumers and help them respond to the situation through aggressive conservation.

UI is of the opinion that ERM is a long journey. UI is of the view that it has travelled far, sees a clear road ahead and intends to stay on course.

FirstEnergy – A Case Study

FirstEnergy is one of the primary utility companies in the U.S. It owns twenty generating stations and maintains transmission and distribution lines covering more than 228,000 miles. The company employs ERM, and its risk control group focuses on fostering control procedures and risk management systems at its new unregulated subsidiary. It publishes quarterly risk reports that highlight earnings per share against market risk. FirstEnergy has faced many challenges in its history, and managing risk is fundamental to its success.

As early as 1997, FirstEnergy introduced a risk management governance structure. In 1998, FirstEnergy sustained a huge loss due to a credit default by an energy supplier and learned about credit risk.

FE (FirstEnergy) recognises that risk is both an opportunity and a threat. For instance, when deregulation was initiated, FE tried to mitigate risk by diversifying into other lines of business. Further, as a risk control, FE seeks a credit rating from Standard & Poor's to understand its ability to borrow, since utility companies are highly leveraged compared with other industries. The risk management structure identifies, prioritises and quantifies risks. It also facilitates the development and administration of risk management strategies such as avoid, accept, mitigate, transfer or exploit, and communicates the results.

In FE, risk identification is carried out through business planning, with each business division recognising its own risks. Each division then prioritises its risks by analysing them against others in the organisation. Any misalignment in risk identification is addressed by a top-down or bottom-up communication approach.

FE's internal audit department is responsible for the prevention and detection of fraud in the organisation. It also reports on financial and operational risk, including Sarbanes-Oxley testing.

FE's ERM department releases quarterly reports containing charts that depict earnings per share (EPS) against the outage and market risk range, executive summaries of risk drivers, and details of major risks drilled down by event and market. Further, summaries of major risks are reported by category under the headings operational, strategic and event, by risk indicator and by management approach.

FE gauges its ERM success through enhanced earnings with lower volatility, projects delivered on time and within budget, and increased earnings from minimised costs.

An illustration of success in avoided cost is FE's decision on a particular request from its remittance-processing centre. The centre handles about 5 million invoices per month, with payments ranging from $10 to thousands of dollars. The remittance processing group wanted to purchase a generator costing about $1.5 million. FE's ERM division, by conducting a risk analysis, discovered that a robust back-up plan was already in place and that there was no need for the additional $1.5 million expense, thereby averting a substantial cost.

FE's future strategies include formulating a rotational programme in which top-level employees will be trained in ERM, automating risk aggregation and reporting methods, providing continuing education and training on ERM within the business, pushing business units to take a more active role in ERM implementation, and remaining flexible.


From the above case studies, I have shown that ERM does help to minimise the losses and to maximise the revenue of a business.

In Wal-Mart, ERM is not considered a nirvana process, but it has helped them to recognise and focus on the risks that are most vital to address. Further, Wal-Mart is planning to implement ERM at a global level in the coming years. It is crystal clear from the above case studies that ERM plays a key role in mitigating risk. It helped to avoid unnecessary and superfluous cost in the case of FirstEnergy; in the case of Split Rock Energy it enabled the company to realise a substantial amount from Enron before its failure, which is clear evidence of risk mitigation; and in the case of United Illuminating Company it enabled the company to manage an unexpected blackout. These case studies corroborate that ERM is an indispensable process for increasing shareholder value in any company, and that it has to be efficiently introduced and managed to reap the higher benefits of ERM.

My Company’s Approach to Risk Management – ERM Methodology

In this chapter, I wish to prove that ERM has many benefits for a business by demonstrating how it has been successfully applied in my favourite company, Boeing International.

Boeing International – ERM Application – An Analysis

The Boeing Company adopted the COSO framework in part as the foundation for its internal control strategies and procedures. Boeing's internal audit department evaluated the quality of the internal checks and balances in their system. Boeing later found that introducing these standards in practice was challenging: Boeing's ratings were predominantly subjective, did not involve systematic analysis, and were not reflected in documented support in their reports. Hence, Boeing re-engineered its audit process completely to fit the COSO framework.

Boeing employs all the fundamentals of COSO to define the control goals to be audited, to assess the components of Boeing's control system against those goals, and to report the outcomes to management. Incorporating COSO in this way adds structure to their audit process, ensures that the relevant standards are taken into account in key segments of each audit, and provides a trail to support the outcomes reached.

A vital aspect of Boeing's re-engineered process is that each audit focuses on a single COSO objective. In conjunction with Boeing management, each auditor specifies the relevant COSO goal: financial reporting, operations or compliance. Boeing seeks in this way to ensure greater consistency in audit performance and to maximise audit effectiveness. The audit team also communicates its assessment to Boeing management using a COSO-model control evaluation form that it designed.

Though the COSO implementation was successful, Boeing faced a few impediments. Initially, auditors were confused by the differences in terminology between COSO and the IIA's (Institute of Internal Auditors) Standards for the Professional Practice of Internal Auditing. Further, there was little awareness of the COSO framework among audit staff, and no criteria for control ranking were given to guarantee consistency. These problems were later solved through a consensus-building measure integrating management direction, employee involvement, exhaustive written guidance, training workshops and follow-up verification.

One of the major benefits of COSO-enabled ERM is that it has enhanced the reporting of Boeing's internal control position to its audit committee. Thus, Boeing's top management is able to receive a bird's-eye view of their internal control effectiveness based on evaluations derived from their COSO rating structure.

Further, integrating the COSO framework into their standard audit process has been advantageous in many ways, and concentrating on a single COSO objective in each audit will ultimately enhance the efficacy and efficiency of their projects.


I have established that Boeing International has reaped most of these benefits by introducing and integrating COSO's ERM framework.

Elements of an effective ERM – Practical Consideration

ERM can assist managers in deciding the appropriate amount of capital that a company should allocate to risk, by polling risk managers to recognise the threats to the company, their financial impact and the effectiveness of risk avoidance strategies.

Companies should use ERM to evaluate risk across the organisation. Viewing risk only on a project-by-project basis can limit a business's capacity to evaluate the effect that a risk connected with one project may have on the organisation as a whole.

Further, companies can map their significant risks on a matrix and align their business processes so that related information is regularly gathered and warehoused in a database that the risk committee or the chief risk officer can supervise. If there are exceptions, such as risks exceeding the company's threshold or tolerance level, risk mitigation efforts can be initiated immediately to control losses.

Businesses should use business intelligence software to extract data pertaining to risk and display it on a dashboard. With a traffic-light system, the risk of an organisation is evaluated: a red light appears if a risk exceeds a particular level, alerting the responsible official to find out the reasons and to take better decisions (Banham 2004:65).

ERM in Information Technology Industry

Due to the ever more complex work environment, security measures that were adequate in the recent past have become a thing of the past today. As technology changes rapidly, computer security is also at risk from new techniques adopted by hackers. As business processes move outside the corporate firewall to cover both wired and wireless mobile communications, protection of data is attaining a new level of importance. With vital corporate information stored on the laptops of an organisation's mobile workforce, the risk of theft, loss or unauthorised access is on the increase, resulting in more potential vulnerabilities.

Further, the use of mobile devices such as handhelds and smart phones is on the increase. Emerging best-of-breed solutions offer ways to mitigate computer security concerns, and such solutions ensure that data protection is integral to the business process. Every transaction, including key data entry, transport and storage, has to be performed in a secure manner. Rigorous, meticulous and multi-level security is an essential prerequisite of modern business operations. At present, security measures such as encryption and virtual private networks (VPNs) are being adopted to safeguard business data.

New security measures such as on-the-fly encryption and decryption, encryption integrated into an organisation's infrastructure, and transparent encryption / decryption of e-mail and files without requiring user interaction are now being employed. Some hardware vendors are incorporating integrated circuits (ICs) in computers and handheld devices that strengthen the protection offered by security software.

These ICs link storage devices to a single owner and a single computer, and an identification mechanism such as a biometric reader that scans fingerprints offers an additional dimension of security protection. IBM and Utimaco collaborated on the development of an integrated circuit, part of an embedded security system, that binds the encrypted contents of a hard drive to one particular computer so that a copied or stolen drive will not compromise data. Accountability and security have now become mandatory requirements in industries such as health care, financial services and insurance because of the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA) and similar legislation (Wagner 2001).

The latest generation of processors carries out complex encryption and decryption operations transparently. Processor-intensive operations such as encryption and decryption, advanced validation and authentication methods and biometric algorithms no longer act as a barrier to the implementation of sound security measures.

For businesses that employ security solutions, technology is now a business driver rather than a pure commodity. Companies now feel free to choose security solutions that fit their business model, lessen operating costs, offer enhanced service to customers and minimise legal risks.

For instance, IBM and Utimaco have joined together to equip IBM ThinkPad notebook computers with some of the latest and most advanced anti-theft and data protection facilities in the industry. This collaboration can bring very positive development of advanced security solutions that meet real-world challenges.

Risk Management

The methods consist of policy alternatives that have varying effects on risk, including the removal, reduction or reallocation of risk. In the end, an adequate and acceptable level of risk is determined and a method for achieving that level of risk is pursued. As a result, most computer systems cannot be made fully secure even after the application of broad 'computer security' measures, and even where they can be, the result is a loss of usability.

According to E. Dash's article "Visa to bar transactions by processor", published in the New York Times on July 19, 2005, companies have lost business because of security breaches, and even Microsoft is fighting to recover from the poor security reputation it earned over the past few years (Schneier 2005). It is better to design software that is both usable and secure (Cranor and Garfinkel 2005).

For the procurement of a computer system or software for a military or space project, the vendor has to successfully complete an evaluation process. Evaluation is a wide-ranging technical scrutiny of a product's security functionality. The vendor has to provide system-level, developer-oriented training for the product, which is followed by an analysis of the product design, focusing mainly on the security features of both the hardware and the software.

It is necessary to provide strong protection to these systems, and this involves a significant trade-off between security and functionality, based on the premise that functionality beyond what is required offers more opportunity for exploitation. A significant reduction in system functionality and a higher risk of applications breaking are possible and may result in increased costs for system support. A specialised, security-limited functionality environment is not suitable for widespread enterprise usage. For instance, when installing Windows XP, specific settings have to be adjusted with care, because they might reduce the functionality or usability of the system, interfere with legacy applications or conflict with local policies.

Control measures:

  • Select security controls that offer a reasonably secure solution while supporting the needed functionality and usability.
  • Examine all security controls to determine what effect each would have on system security, functionality and usability, and address any significant issues. (Shirley Radack 2005).
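The two control measures above, together with the removal, reduction or reallocation of risk described under Risk Management, can be made concrete as a small control-selection exercise. The following Python example is added here for illustration and is not from Radack or from the essay: it uses a constructed risk register (annualised rate of occurrence times loss per occurrence, the usual annualised loss expectancy), a constructed catalogue of controls that reduce, transfer or remove risk, and a hypothetical 0-10 usability penalty per control standing in for the functionality the business needs to keep. It then chooses the set of controls that minimises control spend plus residual loss within a usability budget, which is exactly the trade-off the text describes.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    rate: float     # expected occurrences per year (annualised rate of occurrence)
    impact: float   # loss per occurrence, in currency units

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = rate x impact."""
        return self.rate * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    usability_cost: int     # 0-10 penalty on functionality/usability (hypothetical scale)
    # (risk name, rate multiplier, impact multiplier): 0 removes the risk,
    # <1 reduces it, >1 means the control breaks something and adds risk
    effects: Tuple[Tuple[str, float, float], ...]


def residual_register(risks, controls) -> Dict[str, Risk]:
    """Apply the chosen controls to every risk and return the residual register."""
    residual = {}
    for r in risks:
        rate, impact = r.rate, r.impact
        for c in controls:
            for target, rate_mult, impact_mult in c.effects:
                if target == r.name:
                    rate *= rate_mult
                    impact *= impact_mult
        residual[r.name] = Risk(r.name, rate, impact)
    return residual


def total_ale(register: Dict[str, Risk]) -> float:
    return sum(r.ale for r in register.values())


def select_controls(risks, candidates, usability_budget: int):
    """Exhaustively search control subsets (fine for a handful of candidates)
    and return (total cost of risk, chosen control names, residual register),
    minimising control spend + residual ALE under the usability budget."""
    best = None
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            if sum(c.usability_cost for c in subset) > usability_budget:
                continue   # would break the functionality the business needs
            register = residual_register(risks, subset)
            cost = sum(c.annual_cost for c in subset) + total_ale(register)
            if best is None or cost < best[0]:
                best = (cost, tuple(sorted(c.name for c in subset)), register)
    return best


# Constructed risk register and control catalogue for this example.
RISKS = (
    Risk("laptop theft exposing data", rate=2.0, impact=50_000),
    Risk("ransomware on file server", rate=0.25, impact=400_000),
    Risk("legacy application outage", rate=1.0, impact=20_000),
)
CONTROLS = (
    Control("device-bound full-disk encryption", 15_000, 1,
            (("laptop theft exposing data", 1.0, 0.05),)),          # reduce impact
    Control("offline backups with restore drills", 30_000, 1,
            (("ransomware on file server", 1.0, 0.25),)),           # reduce impact
    Control("disable legacy file-sharing protocol", 5_000, 3,
            (("ransomware on file server", 0.5, 1.0),
             ("legacy application outage", 2.0, 1.0))),             # reduces one risk, breaks an app
    Control("cyber insurance", 40_000, 0,
            (("ransomware on file server", 1.0, 0.2),)),            # transfer (reallocate) the loss
    Control("decommission legacy application", 60_000, 4,
            (("legacy application outage", 0.0, 1.0),)),            # avoid (remove) the risk
)


if __name__ == "__main__":
    print("inherent ALE:", total_ale(residual_register(RISKS, ())))
    for budget in (5, 1):
        cost, chosen, _ = select_controls(RISKS, CONTROLS, usability_budget=budget)
        print(f"usability budget {budget}: {chosen} -> total cost of risk {cost:,.0f}")
```

With the constructed figures the inherent loss expectancy is 220,000 a year. Under a usability budget of 5 the search picks encryption plus backups (total cost of risk 95,000), and it leaves out the protocol block because the legacy application it breaks costs more than the ransomware reduction it buys. When the budget is tightened to 1, backups no longer fit alongside encryption and the cheapest remaining answer transfers the ransomware loss through insurance instead: the same register, a different acceptable level of risk, and a different method for reaching it.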

Availability of information is an often overlooked security goal. Keeping data available is important when designing a security policy. For instance, if all data in a security solution is kept confidential and has to retain complete proof of integrity, data access will be slower or more troublesome, which may adversely affect the usefulness of the solution. Wherever legal compliance is required, the business should clearly document its security plans and ensure that the security solutions meet the regulations. (Krouk, D. 200).

Security solutions should be defined and security mechanisms identified for the successful implementation of an organisation's security functions:

  • Institute the comprehensive configuration of the security solutions.
  • Deploy the security solutions, managing the provision of access to staff within the organisation.
  • Continue the delivery of the security solutions.
  • Examine the components and the overall security implementation.

In this chapter, I have narrated how COSO's ERM helps to maximise the shareholders' revenue from the best practices in industries like IBM and Utimaco.

ERM in the Banking Industry

As a risk control measure, the banking industry has to introduce mandatory ERM because of the Basel II accord. Basel II mandates that banks effectively manage the credit, market and operational risk on all varieties of their assets, and it is now being pursued around the globe in the banking industry. Further, banks must make adequate reserves to meet the losses arising out of their risk exposure. To help the banking sector observe the Basel II guidelines, HP has introduced its enterprise risk management solution software, which caters to the mandatory requirements of Basel II while incorporating best practices for risk management at the international level.

These ERM tools help banks to improve their capital allocation and enhance return on capital. The HP ERM solution offers enhanced dependability, simplifies manageability and allows queries to be performed at high speed. Implementing data warehousing in a phased manner permits banks to realise tangible advantages and value over the overall implementation period. The main benefits of using HP's ERM tools are enhanced risk management, more economical capital allocation and easier risk-adjusted valuation. The tool customises the compliance procedure, making it easier and faster, and results in more accurate compliance reporting.

The HP risk data repository offers an interrelated view of risk-oriented data for the whole business enterprise. Further, data is warehoused at the granular level required by Basel II in its tiered categories of treasury, risk, operational and credit. Thus, risk analysis is possible through structured mining of the data, and HP ERM offers the best elucidation, warehousing, extraction, analysis and collation of risk data across a wide range of classes and categories.

Due to the implementation of the Basel II accord, all banks around the globe have to introduce internal control processes, and this has been detailed in this section. To illustrate this, I have explained how the HP ERM tool will be helpful to mitigate risks in banks.

Critical Analysis, Conclusion & Recommendations

Why does ERM fail?

A Critical Analysis of ERM

The ERM process does have many disadvantages. An unambiguous business case has to be established for the successful implementation of ERM. There is often misalignment of incongruent ERM process paths or steps. An ERM process may not succeed because risk is overestimated on the basis of a false conclusion. If a business overestimates itself because it has not properly understood its competitor's strategy or one of its own business units, ERM may not be successful in that organisation.

ERM could fail if it rests on bad assumptions, as management may not be aware of how they are going to handle the situation. There may be vagueness: something is likely to occur, but management is not sure when, where or how it will occur, and no prior arrangement is in place to counter it. A business running ERM without proper apprehension or envisioning may be at the mercy of events. If a business does not have a strong intelligence function, ERM may not be successful, as it fails to connect the specks of intelligence into a rational whole.

For instance, despite being the superpower of the world and having a strong investigation agency, the FBI (Federal Bureau of Investigation), the U.S. could not avert the sudden and unexpected strikes on 11 September 2001 or at Pearl Harbor in 1941. ERM failed due to overemphasis on the collected information, which resulted in a false conclusion. ERM may also fail if risks are underestimated. For instance, despite strong warnings from the U.S. and Great Britain, Stalin strongly believed that Hitler had no intention of attacking the U.S.S.R. in 1941.

However, the majority of ERM processes cover only the regulatory compliance aspect and financial risks, or some particular industry risk such as banking under the Basel II obligation. Most ERM processes fail to cover operational risk or strategic risk. In a survey conducted by Slywotzky in 2005, many companies admitted that their ERM process was just an expansion of their legal compliance and regular audit processes. Thus, current ERM processes fall short of covering strategic risks like brand erosion, improvement in technology or cut-throat competition (Slywotzky et al. 2005). As per COSO, operational risk would include business process, organisational culture and leadership attention.

According to Hammer, transforming a process or a system is not an easy task, and changes like mergers, reengineering and enterprise-wide software installation have frequently failed to deliver the anticipated increase in shareholder value and in productivity. Most reengineering efforts ultimately failed because they did not recognise human wants and motivation (Davenport 1992). Efforts to improve a process that are driven by outside "experts" or imposed by top management will always be resisted, through sabotaging attitudes, by those opposed to change.

To conclude, ERM is not a total solution to risk control, but it is a process that can help a business introduce systems and processes to control risks and enhance shareholder value.

The recent corporate scandals have diluted the confidence of stakeholders and creditors in the corporate form of business. However, the introduction of corporate governance has restored some investor confidence. Hence, companies have now started to manage perils across the whole enterprise and are integrating corporate governance with enterprise risk management (ERM). Further, business objectives and business risks are now being correlated, as risk taking is pre-eminent for the success of any business. A business may fail to maximise its revenues if it does not assume risks.

Hence, certain risks have to be undertaken to reap the benefits of tactical opportunities. Risk management also involves mitigating the risks that hamper the success of a business, namely failure to attain business objectives and misappropriation of business assets.

New technologies that can defend against the latest, unknown threats without human intervention must be developed and deployed to guarantee the integrity of IT systems. Moreover, they should be cost effective and within the security budget of the organisation. Information in a network should be adequately protected to prevent major catastrophic events. Vendors have a moral duty to develop more sophisticated measures that are hard to compromise, while end users should, with the help of ERM, improve their awareness of the technical and administrative procedures that increase information security. It is important to note that in information security, a dollar spent on prevention is worth thousands of dollars of IT man-hours.

After the scandal, Enron was taken over by Dynegy. During the restructuring effort, a strong internal control system was introduced in Enron. After the failure of Enron, the industry understood the significance of internal controls in a business. Best-practice firms always build their internal controls on the fundamentals of the COSO Internal Control Integrated Framework to manage risk. A Canadian bank, CIBC, with the help of its ERM, was able to minimise considerable losses and lowered its risk by 30 percent by reacting to early warning signals unearthed through its risk management procedures.

Likewise, JP Morgan Chase, a leading global financial services company, found from its past experience that it badly needed a market risk officer to carry out analytical research to help it control its market risks.

Thus, the risk management department helped JP Morgan survive the Russian crisis, and the company reported about 5 percent profit in market conditions where its competitors suffered heavy losses. Rockwell Collins, a military parts supplier, witnessed turmoil after the 9/11 attack due to the sudden collapse of the commercial market. However, the company was able to respond within 10 days with a contingency scheme. It was later discovered that the company's ERM program was the reason for its capability to counter and adapt quickly to the changed scenario.

It is to be noted that strong and vibrant internal controls are crucial to ensure compliance and to formulate the necessary checks and balances in the internal system of a company.

Companies should use ERM to evaluate risk across the organisation. Viewing risk only on a project-by-project basis can restrict a business's capacity to evaluate the effect that the risk connected with that project can have on the organisation as a whole.

It is clear from the above case studies that ERM plays a key role in mitigating risk. It helped to avoid unnecessary and superfluous cost in the case of FirstEnergy; it enabled Split Rock Energy to realise a substantial amount from Enron before Enron's failure, which is clear evidence of risk mitigation; and it enabled the United Illuminating Company to manage an unexpected blackout. These case studies corroborate that ERM is an inevitable process for increasing shareholder value in any company, and it has to be efficiently introduced and managed to reap the higher benefits of ERM.

Senior management should be committed to risk management and has to foster a risk culture in the company. The risk management team should be dedicated to playing a vital role in risk evaluation, dissemination of information and monitoring of risk in the organisation.

It has now been established that ERM plays a significant role in risk identification, elucidation, mitigation, avoidance, dissemination of information and monitoring of the risk control process, and improves the overall performance of the company, resulting in enhanced value to shareholders.

List of References

Atkinson, William. (2004) 'Enterprise Risk Management in Wal-Mart'. Web.

Banham, Russ. (2004) 'Enterprising views of Risk Management: Business can use ERM to manage a wide variety of risks'. Journal of Accountancy, vol. 197, (6), p. 65.

Brenner, Joel. (2001) 'ISO 27001: Risk Management and Compliance'. Risk Management Journal.

Carroll, Roberta. (2001) Risk Management Handbook for Health Care Organisations. San Francisco; Chicago: Jossey-Bass.

Applegate, Dennis and Wills, Ted. (1999) 'Struggling to incorporate the COSO recommendations into your audit process?' Internal Auditor, published by The Institute of Internal Auditors.

Exposure Draft. (2008) Guidance on Monitoring Internal Control Systems. Web.

Fletcher, Geoffrey H. (2007) 'It's our Business, Too: A Book That Examines Large-Scale Corporate Failures'. T H E Journal, vol. 34, (1), p. 44.

First Energy. (2007) 'Risky Business: Employing Enterprise Risk Management - First Energy Case Study'. Business Source Complete, 55-63.

Fonterra Co-operative Group Limited. (2007) 'Risky Business: Employing Enterprise Risk Management - Fonterra Case Study'. Business Source Complete, EBSCO, 65-74.

Reding, Kurt F. (2004) 'Aligning corporate governance with enterprise risk management'. Management Accounting Quarterly.

Slywotzky, A. and Drzik, J. (2005) 'Countering the biggest risk of all'. Harvard Business Review, 39(2), 78-88.

Split Rock Energy. (2007) 'Risky Business: Employing Enterprise Risk Management - Split Rock Energy Case Study'. Business Source Complete, EBSCO, 75-82.

The United Illuminating Company. (2007) 'Risky Business: Employing Enterprise Risk Management - Split Rock Energy Case Study'. Business Source Complete, EBSCO, 83-89.