In this second post, I give my proposed definition of both Enterprise Risk Management and Risk Assessment. They are not a reflection of the actual usage of the terms; instead, they are recommendations for what the terms should denote:
Definition of Enterprise Risk Management
Enterprise Risk Management: A distributed process of risk assessment applied to strategy and operations, in all domains, in support of corporate goals and values.
This definition has the following elements:
1. It does not mention opportunity. Proper identification and development of opportunity require a formal innovation program. [For support of innovation by risk professionals, see: Creating Value: Risk Manager as Innovator.]
2. It relies on the definition of risk given in the standards – that is, risk is uncertainty associated with the goals of the entity. This includes the goals expressed in professional and ethical values.
3. It is not limited to the private sector.
4. It is not limited to a review of “exposures to loss” in a handful of risk categories driven by commercial insurance.
5. It depends upon the efficacy of a specific core practice – risk assessment (defined below).
6. Risk assessment must be distributed; i.e., it is not an isolated function. Otherwise, you will not “embed” risk methods in all management practices and build a risk-aware culture.
7. The process is applied to both strategy and operations.
8. The process is applied not just in finance, but in every domain and line of business.
Next, my recommended definition of risk assessment supports the above idea of ERM.
Definition of Risk Assessment
Risk Assessment: The comprehensive identification and analysis of, and response to, phenomena that could prevent the achievement of goals, or compromise values, of a researched and planned program.
The thoughts behind this definition are as follows:
1. The process includes the risk management steps set out in the standards: to identify and assess the risks, and then respond to them by either monitoring, treating or avoiding.
2. Response to risk is included in the definition, because the assessment tool (risk register) converts to a management tool, in which new risks are stated and progress on treatment is tracked.
3. The process has to be comprehensive. The exercise is multi-disciplinary, contemplating many categories of risk.
4. The process is focused on the goals of the entity, capturing every supporting activity, asset and resource.
5. The term “values” denotes guidelines for how the organization wishes to behave and interact with stakeholders. Risk inheres in non-performance of professional codes, governance rules, an economic philosophy, ethical principles, and so on.
6. The goals and objectives have to be set out in a documented plan, whether it is a strategy; operation; project; technical or administrative process; policy implementation; or program design; etc.
7. The plans in question must be well informed by research and environmental scan. You cannot make worthwhile plans unless you have (a) clarified your goals, values and vision of the future; and (b) researched the trends, emerging conditions and new developments in your field.
High quality risk assessment is NOT a substitute for research and informed planning.
The definitions of Enterprise Risk Management and Risk Assessment given here form the basis of an efficient risk management regime.
[Updated 08 Dec 2012]