Because organizations face increasingly sophisticated risks, enterprise risk management (ERM) and operational risk management (ORM) have emerged as crucial components of a comprehensive risk mitigation strategy.
But what's the general difference between the two?
Enterprise risk management (ERM) focuses on a holistic view of risk across the entire organization. It entails identifying, assessing, and managing enterprise-wide risks. It also seeks to align risk management with strategic objectives, enhancing decision-making and optimizing resource allocation.
On the other hand, operational risk management (ORM) narrows its focus to risks associated with day-to-day operations. It identifies and mitigates risks within specific processes, systems, and activities. ORM aims to ensure operational resilience, protect assets, and maintain business continuity.
Today, we will delve deeper into the differences between ERM and ORM, highlighting their unique scope, objectives, and key components.
What is enterprise risk management?
ERM is a comprehensive framework that addresses an organization's aggregate risk, encompassing operational, strategic, financial, and compliance risks. This holistic approach ensures that risk management is not siloed but integrated into every level of decision-making, aligning with the organization's overall strategy and objectives.
ERM's scope is broad, involving senior management and the board, and focuses on long-term, strategic risks that can impact the organization's ability to achieve its goals.
Here's a breakdown of what ERM entails:
ERM doesn't just focus on individual risks in silos. It takes a big-picture view of all types of risks an organization might face, including financial, strategic, operational, reputational, environmental, and even technological. ERM isn't also limited to specific departments. It applies to all organizational levels and units, from the executive boardroom to the frontline employees.
- Mitigate negative impacts: ERM aims to minimize the potential harm caused by identified risks. That involves developing strategies to prevent, avoid, or reduce the likelihood and severity of their occurrence.
- Optimize risk appetite: ERM isn't just about eliminating all risks. It's about finding the right balance between taking calculated risks and protecting the organization's value. That means understanding how much risk the organization will tolerate in pursuing its goals.
- Enhance decision-making: By providing a clear picture of the risk landscape, ERM helps leaders make decisions that are less susceptible to surprises and setbacks.
- Risk identification: Pinpointing all potential threats that could impact the organization.
- Risk assessment: Evaluating the likelihood and potential impact of each identified risk.
- Risk response: Developing and implementing strategies to mitigate, avoid, or transfer risks.
- Risk monitoring: Continuously track and evaluate the effectiveness of implemented risk management strategies and adapt them as needed.
Risk appetite and strategy are also two intricately connected pillars of effective ERM. Understanding and aligning them ensures organizations strike the right balance between seizing opportunities and avoiding pitfalls.
Let's delve deeper.
What is Risk Appetite?
It defines the overall level of risk an organization is willing to accept to achieve its strategic objectives. It's not a static number but a dynamic concept influenced by the organization's culture, environment, and long-term goals. It also acts as a guardrail, guiding decision-making by defining acceptable risk levels for various activities and initiatives. A well-articulated risk appetite fosters a proactive and transparent risk management culture, encouraging responsible risk-taking.
How does Risk Appetite relate to Strategy?
- Strategic objectives drive risk appetite. Ambitious, growth-oriented strategies may necessitate a higher risk appetite to navigate competitive landscapes and explore new markets. Conversely, a risk-averse strategy might involve a lower appetite for volatility and prioritize stability.
- Risk appetite informs strategic choices. Understanding risk appetite equips an organization to assess strategic options' potential risks and rewards. It helps prioritize initiatives, allocate resources, and design effective risk mitigation strategies.
- Misalignment between the two can lead to suboptimal outcomes. An overly cautious risk appetite could hinder growth, while an aggressive one might expose the organization to unacceptable losses.
Integrating risk appetite into ERM ensures risk management processes are aligned with strategic objectives. Risk assessments, mitigation plans, and monitoring activities are tailored to the organization's risk tolerance. When leaders understand the risk appetite, they can make informed decisions about resource allocation, project approval, and crisis response. That fosters transparency and accountability throughout the organization.
Risk appetite must also adapt to the organization's strategic direction and external environment. Regular review and calibration are essential to ensure its continued relevance and effectiveness.
- A tech startup pursuing rapid growth might have a higher risk appetite for launching innovative products, accepting the potential for higher failure rates.
- A financial institution focused on stability and client trust might have a lower risk appetite for investment strategies, prioritizing security over high returns.
Balancing risk appetite and strategy is an ongoing challenge. Organizations can navigate risks effectively by understanding this critical relationship and integrating it into ERM, seize opportunities, and achieve their long-term goals. Explore more about the pillars of ERM here.
What are the types of enterprise risk?
Enterprise risk refers to the various threats that can impact an organization's ability to achieve its objectives. These can be internal or external within the organization's operations — outside factors like the market, economy, or environment.
Operational risk refers to the potential for losses or failures resulting from inadequate or failed internal processes, people, systems, or external events. Some examples of operational risk include:
- People risk: Human error, negligence, or lack of proper training can lead to mistakes, accidents, and fraud.
- Process risk: Flawed or inefficient processes can create bottlenecks, delays, and non-compliance issues.
- System Risk: Technological failures, software glitches, or cyberattacks can disrupt operations and compromise data.
- External events: While not strictly internal, natural disasters, power outages, or supply chain disruptions can impact your day-to-day functioning.
Impact of operational risks
While seemingly small compared to grand strategic threats, operational risks can have a significant impacts:
- Financial losses: Disruptions, inefficiencies, and errors can lead to lost revenue, increased costs, and fines.
- Reputational damage: Service failures, data breaches, or safety incidents can erode public trust and brand image.
- Regulatory problems: Non-compliance with regulations can attract penalties and legal repercussions.
- Competitive disadvantage: The inability to deliver efficiently and reliably can give your competitors an edge.
Operational risk management is typically decentralized across business units. However, ERM provides aggregated visibility and sets organizational policies. Effectively managing operational risk provides operational resilience and enables achieving strategic goals.
Financial risk encompasses the possibility of experiencing monetary losses or a decline in financial performance due to various internal and external factors. It also involves balancing potential growth and expansion with the ever-present threat of financial instability. Here's a closer look at the different aspects of financial risk:
- Credit risk: The risk of borrowers (individuals or organizations) failing to repay loans or other financial obligations, leading to losses for lenders, banks, and investors. That can impact the entire financial system, as the failure of one borrower can snowball into bigger economic issues.
- Market risk: The risk of financial losses due to fluctuations in the prices of various assets, like stocks, bonds, currencies, and commodities. That can affect any organization or individual holding these assets, and factors like market volatility and economic uncertainty can amplify its impact.
- Liquidity risk: The difficulty of quickly selling assets or raising cash to meet financial obligations. That can affect businesses during times of crisis or unexpected expenses, as they might not have readily available funds to cover their needs.
- Operational risk: The risk of losses due to failures in internal processes, systems, or people within the financial sector. That includes human error, system glitches, cyberattacks, and fraudulent activities, which can disrupt operations and lead to financial losses.
Impact of financial risk
Financial risks can have various consequences for organizations and individuals, depending on the severity and type of risk encountered. Some potential impacts include:
- Reduced profits or increased losses: This can negatively impact an organization's financial stability and growth prospects.
- Damage to reputation and creditworthiness: Financial difficulties can erode investor confidence and make it harder to secure loans or funding.
- Operational disruptions and compliance issues: Financial irregularities can trigger regulatory scrutiny and legal consequences.
- Job losses and market instability: Severe financial risks can lead to layoffs, business closures, and economic downturns.
Strategic risk management involves identifying, assessing, and taking steps to minimize or control the exposure to these risks. Strategies can include diversifying investments, maintaining adequate cash reserves, using hedging techniques, managing credit exposure, and conducting regular financial analysis to anticipate and respond to these risks effectively.
The goal is to protect the company’s financial health and stability, ensuring it can meet its financial obligations and pursue its business objectives.
Strategic risk refers to the risks that could impact or impede an organization's ability to achieve its strategic goals and objectives. Unlike operational or financial risks, strategic risks deal with the big picture, impacting your organization's core objectives and long-term direction.
They question the fundamental assumptions upon which your strategies are built.
Types of strategic risks
- Market shifts: Emerging technologies, changing consumer preferences, or new competitors can radically alter the landscape you operate in, rendering your current strategies obsolete.
- Misaligned goals: If your internal objectives lack cohesion or conflict with external realities, achieving overall success becomes challenging.
- Execution failures: Even the most brilliant strategies can come undone by poor implementation, resource shortages, or lack of agility.
- Disruptive innovation: A paradigm shift in your industry can render your existing offerings irrelevant, requiring immediate adaptation or risk being left behind.
Impact of strategic risks
The consequences of failing to address strategic risks can be severe, including:
- Lost market share and revenue: Your competitors who adapt faster might leave you scrambling.
- Reduced profitability or even losses: Misaligned strategies can lead to wasted resources and missed opportunities.
- Reputational damage: Failing to keep pace with change can harm your brand image and public trust.
- Internal instability and employee churn: Employees may become disengaged or frustrated if they see the organization heading in the wrong direction.
Strategic risk is significant because it directly impacts an organization's core mission and objectives. Unlike operational risks, which can often be mitigated through specific controls, strategic risks require a broad, forward-looking approach involving aligning strategy, culture, and operations.
Effective strategic risk management involves continuous business and external environment monitoring, flexibility in strategy formulation, and a willingness to adjust as circumstances change.
What are the components of enterprise risk management?
The COSO Enterprise Risk Management Framework defines eight interconnected components that build a strong foundation for effective organizational risk management. Let's dive into each one:
The internal environment sets the tone for how risk is viewed and addressed within the organization. It encompasses factors like:
- Organizational culture: Risk-averse, compliance-oriented, or innovative?
- Ethics and values: How does the organization handle ethical dilemmas and potential misconduct?
- Governance structure: How are decisions made and responsibilities allocated?
- Management philosophy: How does leadership approach risk-taking and risk mitigation?
Objective setting involves defining the organization's goals and objectives across various areas and providing direction for risk identification and assessment. Objectives should be:
- Specific: Clearly defined and measurable.
- Measurable: Progress can be tracked and assessed.
- Achievable: Realistic and attainable.
- Relevant: Aligned with the organization's overall mission.
- Time-bound: Have set deadlines for achievement.
This proactive stage involves pinpointing potential risks that could impact achieving objectives. Sources of potential risks include:
- Internal: Processes, systems, people, and culture.
- External: Market, economic, technological, and environmental factors.
- Emerging: New threats and unforeseen challenges.
Once identified, risks need to be evaluated in terms of:
- Likelihood: How probable is the event to occur?
- Impact: What are the potential consequences (financial, reputational, operational)?
By prioritizing risks based on these factors, the organization can focus resources on the most critical threats.
Risk response defines how the organization will respond to identified risks, including options like:
- Avoidance: Eliminating the risk.
- Mitigation: Reducing the likelihood or impact of the risk.
- Transfer: Shifting the risk to another party (e.g., insurance).
- Acceptance: Accepting the risk based on its low likelihood or manageable impact.
These are the ongoing processes and procedures implemented to manage and mitigate risks, ensuring compliance and achieving objectives. Examples include:
- Internal controls: Financial, operational, and IT controls to prevent errors and fraud.
- Compliance programs: Ensuring adherence to laws, regulations, and ethical standards.
- Technology solutions: Risk management software, security measures, and data backups.
Information and communication
Information and communication ensure relevant risk information flows effectively across all levels of the organization, facilitating informed decision-making and collaboration. Key aspects include:
- Clear communication channels: Upward, downward, and lateral communication.
- Transparency and openness: Sharing risk information without fear of repercussions.
- Reporting and escalation procedures: Timely reporting of identified risks and concerns.
Monitoring involves continually monitoring risks and control activities, evaluating their effectiveness, and adapting strategies as needed. That includes:
- Regular monitoring and testing: Ensuring controls are functioning as intended.
- Emerging risk awareness: Staying vigilant for new threats and changes in the risk landscape.
- Review and adaptation: Updating the ERM framework based on lessons learned and changing circumstances.
Together these components provide a comprehensive and strategic approach to managing risks across the enterprise. To learn more about the 8 components of ERM, click here.
What is operational risk management?
ORM is more specific, dealing with the risks arising from an organization's day-to-day operational activities. These risks include process errors, system failures, external events, and human factors. ORM is typically more technical and granular, focusing on identifying, assessing, monitoring, and mitigating risks that could disrupt the business's normal functioning. It is an ongoing process and is often the responsibility of middle management, operational heads, or dedicated risk officers.
Here's a breakdown of what ORM entails:
Unlike ERM's broad view, ORM zooms in on the risks associated with your organization's core processes and activities. That includes things like:
- Human error: Mistakes made by employees, like data entry errors or accidental system outages.
- System failures: Technical glitches, cyberattacks, or power outages that disrupt operations.
- Process inefficiencies: Weaknesses in your workflows that lead to delays, rework, or errors.
- External events: Natural disasters, supplier disruptions, or regulatory changes that impact your operations.
- Minimize disruptions: ORM aims to prevent or minimize the impact of operational risks on your business continuity. That means ensuring your core processes can continue functioning even when things go wrong.
- Improve efficiency: By identifying and addressing inefficiencies, ORM can help you streamline your operations and make them more cost-effective.
- Enhance compliance: Strong ORM practices can help you comply with relevant regulations and avoid costly fines or penalties.
- Risk identification: Pinpointing all potential threats that could disrupt your operations.
- Risk assessment: Evaluating the likelihood and potential impact of each identified risk.
- Risk control: Implementing measures to prevent, mitigate, or transfer risks. That could include things like:
- Developing robust procedures and controls: Having clear guidelines and processes can help prevent human error and system failures.
- Investing in technology: Implementing reliable technology and security systems can help to mitigate the risk of cyberattacks and system outages.
- Training employees: Providing employees with proper training can help them to identify and avoid operational risks.
- Risk monitoring: Continuously tracking and evaluating the effectiveness of implemented risk controls and adapting them as needed.
What is the difference between the two?
ERM and ORM are crucial to protecting organizations from potential pitfalls, but their scope and focus differ. Here's a breakdown of their key differences:
ERM takes a holistic view of all risks that could impact the organization, from strategic decisions to day-to-day operations. That includes financial, market, operational, reputational, and compliance risks.
ORM focuses on risks from executing an organization's core processes and activities. That often encompasses human error, system failures, fraud, and other operational hiccups.
ERM aims to optimize risk appetite by balancing potential rewards with potential losses. That involves identifying, assessing, and prioritizing organizational risks and implementing strategies to mitigate their impact.
ORM primarily focuses on eliminating or minimizing operational risks through strong controls and risk management practices, ensuring smooth and efficient operations without jeopardizing the organization's overall goals.
ORM can be seen as a subset of ERM, contributing to the overall risk management framework. While ORM deals with individual operational risks, ERM considers how these risks might impact the bigger picture and affect the organization's stability and success.
ERM provides the overarching framework for managing all risks, including operational risks. It sets the risk appetite and priorities for the organization, guiding the implementation of effective ORM practices.
- ERM: A company considering a new market expansion would analyze the potential financial risks, regulatory challenges, and competitive landscape before deciding.
- ORM: A bank would have robust measures to prevent fraud, cyberattacks, and human error in its financial transactions.
- Complementary: While distinct, ERM and ORM work hand-in-hand. Effective ORM strengthens the overall ERM framework, while a strong ERM framework guides and prioritizes ORM efforts.
- Collaboration: ERM and ORM teams should collaborate to ensure a comprehensive and aligned approach to risk management. Common risk language and information sharing are crucial for this collaboration.
To summarize, ERM provides a bird's-eye view of all organizational risks, while ORM delves deeper into the details of operational risks to ensure smooth and safe day-to-day operations. Both functions are vital for managing a resilient and successful organization.
How can ERM and ORM work together?
While ERM and ORM have distinct roles, their collaboration is crucial for effective risk mitigation and strategic success. Here's how they can work together:
- ORM to ERM: Operational risks identified and assessed at the ground level in ORM inform ERM about the specific threats impacting day-to-day operations. This granular data helps ERM prioritize risks and allocate resources for mitigation effectively.
- ERM to ORM: High-level strategic risks identified by ERM are communicated to ORM teams. This context helps them understand how operational risks might contribute to or exacerbate broader organizational risks, leading to more targeted control measures.
Joint planning and strategy
- Sharing risk language: Risk language bridges communication gaps between different departments, levels, and teams. Building and sharing consistent terminology simplifies risk reporting and analysis across the organization. That enables coordinated planning and resource allocation for managing shared risks.
- Integrated risk management plans: By combining insights from ERM and ORM, organizations can develop comprehensive risk management plans that address both strategic and operational risks and their interdependencies.
Strengthening risk culture
- Top-down and bottom-up approach: ERM sets the overall risk appetite and risk management framework, while ORM implements it at the operational level. This combined approach fosters a strong organizational risk culture, where everyone is responsible for identifying, reporting, and mitigating risks.
- Continuous improvement: ERM and ORM practices should be regularly reviewed and updated based on new information, changes in the operating environment, and lessons learned from incidents. This ongoing collaboration ensures continuous improvement in the overall risk management system.
Here are some real-world examples of how ERM and ORM work together:
A bank identifies a strategic risk of entering a new market (ERM). ORM then assesses the operational risks associated with opening branches and providing financial services in that market, such as cyberattacks, fraud, and regulatory compliance issues. This combined analysis helps the bank decide about entering the market and plan for operational risk mitigation.
A manufacturing company identifies a process inefficiency in its production line (ORM). This operational risk might contribute to a strategic risk of production delays and lost revenue (ERM). By working together, ORM and ERM teams can implement process improvements to address the operational risk and mitigate the potential impact on the organization's strategic goals.
ERM and ORM are excellent tools for building a robust risk management framework. Working together provides a comprehensive and integrated approach to identifying, assessing, and mitigating risks that threaten an organization's success.
What are the crucial levels of risk?
In risk management, there are three critical levels of risk: Level 1 (the lowest category representing routine compliance and operational risks), Level 2 (the middle category representing strategy risks), and Level 3 for unknown risks.
Level 1 risks are mistakes made during routine, standardized processes that could make an organization vulnerable to substantial information and financial losses and litigation.
These vital processes could include protecting important data and assets, updating and maintaining tax and financial accounting systems, and ensuring disaster and backup recovery, privacy, and information security.
They can also include internal controls that prevent negligence, fraud, and other legal and regulatory liabilities.
Organizations can minimize the impact of Level 1 risks through:
- Establishing standard operating procedures.
- Creating internal controls can include delegating duties and empowering the internal audit team to monitor operating processes.
- Identifying and assessing potential compliance breaches.
Level 2, called strategy risks, often involves information technology, human resources, environmental, reputation, and financial risks. Developing a framework for systematically identifying, managing, and mitigating the risks to an organization's strategic objectives is crucial in managing strategy risks effectively.
This framework can include:
- Identifying risks or challenges that may hinder the organization from reaching its goals.
- Finding a quantifiable method to measure progress toward targeted performance.
- Establishing an early warning risk assessment system for adverse risks.
- Setting funding priorities to mitigate or prevent the most likely strategic risk incidents.
Level 3, described as the "unknown unknowns," refers to the unpredictable, unprecedented situations that cause existential risk. Often, active discussions of unlikely events and their outcomes, or tail-risk meetings, are crucial in managing level 3 risks. Such discussions help leadership teams identify whether an organization's strategy can survive the disruptions caused by the "unknown unknowns."
Fortify your defenses with 6clicks
Our solutions are designed to empower enterprises with the tools they need to implement effective risk management strategies, whether at the enterprise-wide level or within specific operational domains.
How our solutions empower you:
- Unified data platform: Effective risk management has one enemy: siloed data. Our software compiles risk data from various sources across ERM and ORM. That provides a holistic view of your risk landscape and allows informed decision-making and prioritization of mitigation efforts.
- Streamlined processes: Manual risk management tasks are tedious and prone to errors. Our software automates workflows, from risk identification and assessment to reporting and mitigation monitoring. That frees up your resources for strategic analysis and proactive risk prevention.
- Improved communication and collaboration: Managing communication barriers between ERM and ORM teams is essential. Our software facilitates collaboration through shared dashboards, reporting tools, and communication platforms, fostering a unified approach to risk management.
- Enhanced governance and compliance: Our software helps you comply with relevant regulations and internal policies. It tracks audit trails, manages controls, and ensures adherence to compliance requirements, minimizing legal and reputational risks.
- Predictive analytics: Our advanced solutions leverage data analytics to identify emerging risks and predict potential threats before they materialize. This proactive approach allows you to take pre-emptive action and minimize the impact of disruptions.
Our insights into your risk management approach can significantly enhance your organization's ability to effectively identify, assess, and mitigate risks.