In its simplest form, Enterprise Risk Management (ERM) is the holistic business approach an entity uses to manage the threats and opportunities it encounters while accomplishing its mission. Risk is defined as any event that affects a company's ability to meet its objectives, whether as a loss or as an opportunity. Creating an enterprise-level system to manage risk (an ERM system) therefore allows an organization to communicate business risk transparently to internal and external stakeholders.
ERM helps organizations manage risk within the risk tolerance defined by the Company Officers and Board of Directors, and provides reasonable, forward-looking assurance regarding the achievement of organizational objectives in the broad categories of Strategy, Operations, Reporting and Compliance.
While traditional ERM typically has a core focus on financial risk, operational risk is an equally important component. Operational risk covers Environment, Health and Safety (EH&S), maintenance, supply chain, and other key areas. These risks are identified through incident analysis or through an operational risk assessment that focuses on potential high-impact events rather than only on incidents that have already produced an outcome. This leads to the identification of potential failures in a series of controls that, if they occur together, can result in a top-level event and ultimately in consequences.
Risk management decisions and actions should come from a balanced response framework with proactive, reactive, and learning characteristics. To get started, most companies create a risk registry. Within the risk registry, companies can then rank corrective actions and prioritize them according to risk level. In addition, Operational Sustainability, LLC (OS) can rationalize disparate risk rankings so that risks from different areas are compared on a level playing field.
Compliance, by its nature and by necessity, constrains Operations, the engine that drives financial performance and enables business strategy. Companies must remain in compliance to retain their license to operate. Getting there requires balancing the sufficiency of controls with the quality of those controls. An effective compliance management solution is part of the Operational Sustainability, LLC® (OS) approach to an ERM framework.
The OESuite™ software suite from OS enables companies to create a risk registry and to address ERM through a comprehensive framework. Users can drill down to see what is contributing to each risk and any related consequences. The key to proactive risk management is the interoperability created by integrating OESuite™ modules such as CAPA, Task and Compliance Manager, Performance Manager, and Process Risk Management. OS offers risk templates to expedite configuration, and the software allows users to enter risks manually, but its real power comes from detecting risks as new threats arise, a key benefit of that integration. OESuite™ sends stakeholders automated alerts when operating envelopes and limits are exceeded, since such an excursion elevates a risk beyond the tolerances defined in the organization's risk registry. Risks can then be mitigated by taking corrective actions as needed, and risk controls can be monitored proactively through reporting and views.