Enterprise Risk Management (ERM): What It Is and Why You Should Care Part 1

Written by Content Team | Published on April 8, 2022


Every decision we make involves some sort of risk. People take a risk every time they cross a busy street without waiting for the light to turn green, when they lift a heavy piece of furniture, or when they make an investment decision.

But how do we define an enterprise-level risk?

In this article, we will examine the nature and implications of enterprise risk for modern organizations. We’ll describe the underlying goals and objectives of enterprise risk management (ERM), explore some ways your organization can benefit from it, and consider the steps you can take to implement it.

We will also look into how an automated software escrow solution can not only help you minimize enterprise risk, but also improve your processes and cut back on costs.

So let’s get into it!


What is Enterprise Risk?

Enterprise-level risks are those that touch a company's financial, strategic, operational, and customer-facing functions, rather than a single department.

All organizations have to manage risk to stay in business, and most business leaders would say that doing so is simply part of running a company. So if risk management is already on the agenda, what is the point of ERM as a standalone business unit or initiative?

To answer that question, we first have to look at how risk management is traditionally handled in companies.


The traditional approach to risk management.

Traditionally, organizations manage risks by requiring business unit leaders to manage distinct risks within their areas of responsibility. So for example, the CTO is responsible for managing risks related to the organization’s IT operations, the CFO is responsible for managing risks related to financing and cash flow, the COO is responsible for managing risks in production and distribution, the CMO is responsible for risks as they relate to customer relationships and sales, and so on.

This approach is often referred to as silo or stove-pipe risk management: each silo leader is responsible for managing, or escalating, the risks within their own silo.

Though this approach makes sense in theory, it has significant limitations in practice. The result is that risks can be building on the horizon that management never detects, even though they could affect the whole organization.

So let's take a look at some of the limitations of traditional approaches to risk management:



Limitations of the traditional approach to risk management.

One limitation of the silo or stove-pipe approach is that traditional risk management tends to focus on identifying and responding to internal, operational risks. As a result, there is little attention paid to risks that emerge from outside the business. For example, a company may not be monitoring a competitor's move to develop a new technology that could significantly change how consumers use its products. Left unnoticed, that shift would erode the company's market share and bottom line over time, leaving it well behind its competitors.

Another limitation is that risks don't follow your organizational chart, so some risks "fall between the silos". If a risk does not fall within any silo leader's remit, it goes unnoticed until it triggers a damaging risk event. Needless to say, this is not a sound risk management strategy.

Then there are the risks that affect multiple silos in different ways. A silo leader might recognize a risk and take the necessary steps to address it within their own area, yet not realize how significant the same risk is to other parts of the business. If the risk materializes and remains unaddressed elsewhere, it can hit several business functions at once, with consequences for the whole organization.

Or consider a risk that a silo owner does recognize in time. Acting in good faith, the silo owner responds to the risk in a way that is logical for their own silo, but that response creates a significant new risk in another part of the business. For example, your IT function may tighten security controls in response to a cyber risk in a way that customers find confusing and frustrating, which may ultimately cost the company business. The control reduced one risk while creating another that nobody owned.

These are just some of the risks that a traditional approach to risk management can fail to foresee. Unfortunately, some organizations do not recognize these limitations in their approach until it is too late.

So the question is: What can you do about it? Read about it in Part 2