The Analysis of Enterprise Risk Management



In contemporary business circumstances, numerous risks of various kinds exist (Weldon, 2018). Therefore, there is an evident need for a decision-making method that would help organizations to manage their risks efficiently (Gatzert & Martin, 2015). Lam (2014) has developed such an approach, which is known as the Enterprise Risk Management (ERM) framework. This paper aims to employ communication and presentation skills in order to develop organization-wide information regarding risk management best practices. The primary purpose of this essay is to analyze the current state of ERM, elaborating on the framework’s characteristics, peculiarities of implementation, best practices, and other aspects that are included in Unit 6 learning outcomes. As a result of the conducted analysis, it is expected to prove the following thesis: ERM is one of the most efficient and applicable frameworks for managing organizational risks (Verver, 2018; Wynn & Brinkmann, 2016).

Primary Characteristics of Enterprise Risk Management

Definitions of ERM

Although Lam (2014) created a highly elaborated and comprehensive enterprise risk management (ERM) framework, there have been numerous attempts to define and develop the ERM method. Lam (2014) cites the following definition of ERM, provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO): “ERM is a process … designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives” (p. 53). Another definition was developed by the International Organization of Standardization (ISO 31000): risk is the “effect of uncertainty on objectives,” and risk management refers to “coordinated activities to direct and control an organization with regard to risk” (Lam, 2014, p. 53). However, Lam (2014) develops his own definition: ERM is “a comprehensive and integrated framework for managing key risks in order to achieve business objectives, minimize unexpected earnings volatility, and maximize firm value” (p. 53). Hereafter in this paper, ERM refers to the latter definition.

The Influence of ERM on Organizations

According to Lam (2014), the implementation of ERM has a significantly positive impact on organizations, primarily on such aspects as organizational effectiveness, risk reporting, and business performance. As Bromiley, McShane, Nair, and Rustambekov (2015) mention, the primary advantage of ERM is that it allows organizations from various spheres and areas to address their risks comprehensively and coherently. This matters because, according to Lundqvist (2015), traditional risk management and corporate governance systems have proved themselves to be insufficiently effective in managing emerging risks and threats of the contemporary business sphere.

Additionally, Gatzert and Martin (2015) state that ERM allows organizations “to manage corporate risks in a holistic manner as opposed to the silo-based perspective in traditional risk management frameworks” (p. 29). Also, Brustbauer (2016) mentions that the implementation of ERM is highly beneficial for small and middle-sized firms in terms of gaining competitive potential. Therefore, it is possible to state with certainty that ERM is a well-recognized approach that is supported by numerous researchers and scientists.

The Role of the Chief Risk Officer

Further, it is essential to elaborate on the role of the Chief Risk Officer (CRO), as the person in this position is directly responsible for the successful implementation of ERM practices. As Lam (2014) states, the significance of the CRO’s role is largely accepted in various risk-intensive businesses such as financial institutions, energy firms, and non-financial corporations. As Bromiley et al. (2015) mention, the findings from empirical research indicate that there is a positive relationship between the company’s value and the appointment of a CRO.

Gatzert and Martin (2015) argue that the CRO is primarily responsible for the appropriate coordination and functionality of the ERM implementation. The authors also mention that a CRO should ensure effective and efficient integrated risk management and communicate possible risks to the executive board and shareholders (Gatzert & Martin, 2015). Thus, it is evident that hiring a CRO for an organization is the first step in the direction of positive changes in organizational risk management (Lundqvist, 2015).

Components of the ERM Framework

Lam (2014) mentions seven key components of the ERM framework, which are the following: corporate governance, line management, portfolio management, risk transfer, risk analytics, data and technology resources, and stakeholder management. Each of the mentioned components represents a complex set of practices, requirements, and tools for managing particular aspects of organizational structure in which risks are involved. Although other scholars also analyze and discuss the structure of the ERM framework, Lam (2014) appears to have the most profound and comprehensive observation of the ERM’s structure, since other authors usually focus on particular components of the ERM framework without observing it on a larger scale. It is also appropriate to mention that Lam (2014) considers corporate governance, risk analytics, and stakeholder management to be the most important aspects of ERM. The importance of corporate governance is also highly recognized by Weldon (2018).

The Implementation of ERM Models

ERM Practices and Corporate Governance

When discussing the implementation of ERM models in organizational practice, it is of high importance to elaborate on the role of corporate governance. As was mentioned in the previous subsection, the role of corporate governance is immense since it is directly connected with the top management of any organization, usually represented by the board of directors. The primary role of corporate governance in a company is to establish an overall, top-down risk management strategy, which includes the identification of “the organization’s risk appetite” and “establishing the organizational structure of the ERM framework” (Lam, 2014, p. 62). Also, Weldon (2018) argues that in the contemporary political climate, the role of adequate corporate governance is highly significant due to the changing business environment and social issues.

Requirements for the ERM Implementation

Additionally, it is worth mentioning that there are certain requirements for the implementation of ERM practices in organizations. The first important step is to develop a profound understanding of governance structure and policies, which distribute the responsibilities for making particular risk management decisions between the stakeholders within the organization (Lam, 2014). There are three primary aspects in this category: risk governance, ERM policy, and risk compensation linkage (Lam, 2014). Regarding the aspect of risk governance, it is appropriate to mention that Ittner and Keusch (2015) consider the influence of the board of directors’ risk oversight to be generally positive, but the authors also state that the board of directors in some organizations lacks the time and ERM skill to manage risks efficiently.

ERM Maturity Model

Among several models that exist in the sphere of ERM practices, Lam (2014) identifies the ERM Maturity Model as one of the most efficient and useful for the majority of organizations. This model comprises five stages that should be implemented consecutively: (1) definition and planning, (2) early development, (3) standard practice, (4) business integration, and (5) business optimization (Lam, 2014). After identifying scope and objectives for the implementation of ERM in the first stage, the organization moves on to performing annual risk assessments, coordinating risk identification, and providing risk education for the board of directors (Lam, 2014).

The most important aspect of the third stage is the more precise quantification of risks (Lam, 2014). In the two final stages of the ERM Maturity Model implementation, the organization expands the scope of ERM and integrates ERM into the strategic planning process (Lam, 2014). It is also critical to mention the Business Intelligence model described by Wynn and Brinkmann (2016), which is efficiently used in the German healthcare insurance industry.

Corporate Risk Culture

It is possible to state that corporate risk culture is one of the critical aspects that facilitate the efficiency of the implementation of ERM models into practice. As Bromiley et al. (2015) state, there is an evident need for a clearer and more precise definition of corporate risk culture. According to Lam (2014), risk culture is “an intangible but powerful force that shapes the values, beliefs, norms, and ultimately the risk management behavior of individuals and groups within an organization” (p. 378). The establishment of a strong risk culture in an organization as a means of developing more efficient ERM practices is also recognized in the research by Gatzert and Martin (2015).

The Role of Corporate Board of Directors

In this section, it is essential to elaborate more on the role of the corporate board of directors in terms of their impact on the efficiency of ERM implementation. Previously, the importance of corporate governance was identified (Lam, 2014; Weldon, 2018). As Lam (2014) points out, the increased involvement of the board of directors in the implementation of ERM initiatives is largely determined by the global financial crisis of 2008. As a result, the restructuring of governance roles, as well as of risk policies and limits, is currently being carried out in numerous organizations. Weldon (2018) argues that in the contemporary political and social climate, largely affected by legislation enacted by the Trump Administration, organizations and companies should be more socially responsible. Gatzert and Martin (2015) consider the decision-making independence of the board of directors to be an important factor in effective ERM.

Currently Performed Board Risk Governance Practices

Another aspect that is highly important for the purposes of this paper is the board risk governance practices that are currently implemented in organizations from various industries. The first practice that is identified by Lam (2014) is the creation of risk committees of the board. As mentioned by Gatzert and Martin (2015), the performance of risk committees in the organization is considerably connected with the increased return on equity index. It is also recognized by Lam (2014) as well as Gatzert and Martin (2015) that hiring a CRO in addition to the existing risk committee in the organization usually appears to be significantly beneficial. However, Lam (2014) provides statistical data indicating that board members with a CRO background constitute a very small portion of the overall number of board members in organizations. Therefore, it is appropriate to recommend the inclusion of more CRO-experienced senior managers in boards of directors, which will positively influence the ERM organizational performance.

The Most Efficient Risk Assessment Practices

The Methodology of Risk Assessment

According to Lam (2014), risk assessment is another highly important aspect of the ERM framework that should be performed in organizations. The methodology of risk assessment represents a complex set of actions, which are divided into four phases. The first phase sets the foundation for the future risk assessment actions (Lam, 2014). The second phase includes such aspects as risk identification, assessment, and prioritization (Lam, 2014). The third phase focuses more deeply on the following actions: quantification of risk, management of risk, identifying risk tolerance levels, and developing strategic action plans (Lam, 2014). The fourth phase involves the integration of risk assessment results into business practices, scenario analyses, and dashboard reporting, which will be discussed later in more detail.

Best-Practice Companies and Their Risk Assessment Tools

Lam (2014) argues that there are best-practice companies, particularly The Global Risk Network, whose risk assessment tools are examples of highly efficient ERM. It is argued that one of the best practices is “the ability to integrate various risk assessments and opinions of the experts” (Lam, 2014, p. 414). Secondly, it is mentioned that the reporting methods should be integrated and effective (Lam, 2014). Thirdly, it is of high importance to conduct the analysis of the interdependencies between various types of risk because it creates a holistic approach to the problem (Lam, 2014). Finally, The Global Risk Network’s 2007 report exemplifies the final important quality of an effective risk assessment tool, which is the ability to predict emerging risks (Lam, 2014).

The Differences between Traditional and Dashboard Reporting

Distinguishing Aspects

As Lam (2014) mentions, risk information reporting and risk transparency were identified in the 2011 Deloitte study as the aspects of ERM with the highest priority. However, Lam (2014) argues that numerous companies still rely on the traditional reporting approach, while it is more efficient to implement the dashboard approach.

There are several differences between these two methods. First of all, the approach to analysis is different since traditional reporting represents risks in silos while dashboard reporting provides a more integrated perspective on risks. Secondly, the traditional method relies primarily on historical data and internal information, but the ERM approach gives an opportunity to look forward and predict emerging risks (Lam, 2014). Thirdly, reporting flexibility is significantly higher in the dashboard approach as it allows creating both high-level risk analysis and granular information for functional units (Lam, 2014). Finally, it is of high significance to mention that the overall principle of interaction with information is different in these two approaches (Lam, 2014). The traditional reporting method could be compared with reading a book, while reading a dashboard report is more similar to searching for information on the Internet. Therefore, it is possible to state that dashboard reporting is a more comprehensive and advanced method of reporting risks.

Key Risk Indicators and ERM Functionality

The development of key risk indicators (KRIs) is a significant aspect of dashboard reporting. Lam (2014) mentions five primary areas of concern in the context of KRIs: policies and regulations, strategies and objectives, previous losses and incidents, stakeholder requirements, and risk assessments performed by the company. Each of the mentioned aspects serves as a risk indicator, by which a CRO or risk committee can report the probability of risk. The question of ERM functionality should also be considered in dashboard reporting, by including such aspects as statistical calculations, the linkage between qualitative and quantitative data, risk accountability, and several others (Lam, 2014).

Common Mistakes Related to Dashboard Reporting

Further, it is important to discuss common mistakes that occur during the dashboard reporting process. First of all, the mere integration of risks is not enough because it is critical to break down organizational silos (Lam, 2014). Secondly, the scope of the dashboard reporting’s implementation is significantly broad, and thus it is important to focus only on essential risk factors (Lam, 2014). Thirdly, the quantification of risks is often omitted while it is one of the most important aspects of an efficient dashboard report (Lam, 2014).

The Evolution of Dashboard Reporting

In addition to the discussion of the most common mistakes, it is also critical to state that dashboard reporting is in the process of continuous evolution. As Lam (2014) mentions, in the recent decade, the focus of researchers and scholars in the area of ERM has shifted toward the facilitation of communicating risks to principal organizational stakeholders. Another aspect of dashboard reporting that will continuously improve is the inclusion of the majority of essential data into reports. Additionally, the time period of developing a report will diminish in the course of time from monthly to daily reports.

Conclusion and Recommendations

In conclusion, it is essential to restate the thesis about the enterprise risk management framework as one of the most efficient and comprehensive approaches to managing organizational risks. It appears that the analysis conducted in this paper largely supports the previously identified thesis. Referencing various scholarly literature on the topic has helped in developing meaningful conclusions about the peculiarities of ERM implementation, as well as in identifying the ERM approach as a well-recognized and widely used risk management method. The most important provision that could be retrieved from the conducted analysis is that ERM is a holistic risk management framework that can provide organizations with an advanced understanding of how to assess and manage various risks.

Recommendations for the Implementation of Dashboard Reporting

In addition to the developed conclusion, it is possible to recommend dashboard reporting as the practical tool that should be implemented in the majority of organizations. This recommendation is also based on the conducted analysis of the ERM framework. Dashboard reporting provides the board of directors and top management of an organization with relevant, actual, and concise information about the risks that the company could face. As was identified previously, the traditional reporting method shows significantly poorer outcomes in terms of risk assessment and reporting due to its nature. Dashboard reporting appears to be a more advanced and comprehensive approach to communicating risks to principal organizational stakeholders.

Benefits and Limitations of the Chosen Reporting Utility

Since the dashboard approach was recommended for implementation in organizations, it is essential to observe its benefits and limitations. As is evident from the conducted research, the advantages of this method are numerous. First of all, dashboard reporting reflects the global changes in the area of information perception, being more suitable for use in the modern globalized world. Secondly, dashboard reporting is capable of predicting the emerging risks, which is a highly important quality for the overall ERM initiative. Thirdly, the structure of such reports is flexible enough to present the gathered information to all principal stakeholders without losing the quality of the report. The primary limitation of the recommended reporting method is that it is not always possible to reduce the amount of gathered data, which produces lengthy reports.


Biener, C., Eling, M., & Wirfs, J. H. (2016). The determinants of efficiency and productivity in the Swiss insurance industry. European Journal of Operational Research, 248(2), 703-714.

Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management: Review, critique, and research directions. Long Range Planning, 48(4), 265-276.

Brustbauer, J. (2016). Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal, 34(1), 70-85.

Gatzert, N., & Martin, M. (2015). Determinants and value of enterprise risk management: Empirical evidence from the literature. Risk Management and Insurance Review, 18(1), 29-53.

Ittner, C. D., & Keusch, T. (2015). The influence of board of directors’ risk oversight on risk management maturity and firm risk-taking. Web.

Lam, J. (2014). Enterprise risk management: From incentives to controls (2nd ed.). London, England: Wiley.

Lundqvist, S. A. (2015). Why firms implement risk governance–Stepping beyond traditional risk management to enterprise risk management. Journal of Accounting and Public Policy, 34(5), 441-466.

Verver, J. (2018). Risk management trends for 2017. Web.

Weldon, M. N. (2018). Corporate governance, compliance, social responsibility, and enterprise risk management in the Trump/Pence era. Transactions: The Tennessee Journal of Business Law, 19(1), 14.

Wynn, M. G., & Brinkmann, D. (2016). Exploiting Business Intelligence for strategic knowledge management: A German healthcare insurance industry case study. International Journal of Business Intelligence Research, 7(1), 11-24.