Enterprise Risk Management

What is ERM?

  • The management of risk across the whole organization with every function evaluating its risk on a regular and consistent basis.
  • A process, effected by management, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the company, and manage risks to be within its risk appetite, to provide reasonable assurance regarding achievement of company objectives.

Why is ERM important?

ERM enables management to:

  • Deal effectively with potential future events that create uncertainty.
  • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Problem with Risk

  • Risks are rarely managed well enough.
  • Many critical risks are not identified at all.
  • Surprises recur too frequently.
  • Risks tend not to be well recorded.
  • Risks are seen as problems, not opportunities.
  • Risk Management is not regarded as a business process.
Risk Category by Robert S. Kaplan and Anette Mikes

Category I: Preventable Risks.

These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.

Response: Avoid or eliminate occurrence cost-effectively.

Control Model: Link to Business Process, SOP, Internal Control, Application, Code of Conduct, Culture, Compliance, etc.

Category II: Strategy Risks.

A company voluntarily accepts some risk in order to generate superior returns from its strategy. Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. CNOOC accepts the high risks of drilling several miles below the surface because of the high value of the oil and gas.

Response: Reduce likelihood and impact cost-effectively.

Control Model: Link to Strategic Objective of Balanced Scorecard and KRI (Key Risk Indicator).

Category III: External Risks.

Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

Response: Reduce impact cost-effectively if a risk event occurs.

Control Model: Insurance, hedge, sharing, etc.

Mapping ISO 31000 vs Kaplan

Risk Management: ISO 31000

Level of Risk

Likelihood Rating
