Busting Three Myths About Enterprise Risk Management

By Samantha Beavers

In view of escalating geopolitical tensions, rapidly changing ecosystems and increasing ransomware attacks, organizations of every kind are dashing to build resilience and minimize potential losses. In response, many have turned to the enterprise risk management (ERM) paradigm to chart a course forward.

Putting an organization’s strategic priorities at the helm, ERM introduces a robust, proactive and holistic approach to risk management. By developing a top-down, enterprise-wide view of significant risks impacting organizational strategy, the paradigm allows entities to strengthen their risk oversight amidst rapid change. 

Accordingly, ERM has gained significant momentum in recent years, with the demand for ERM professionals growing steadily. Still, there are a handful of myths and misconceptions surrounding the framework and causing hesitation amongst various entities. 

Myth #1: ERM Proponents Assume Organizations Aren’t Managing Risks

One common misconception about ERM is that its proponents believe any entity not using the paradigm isn’t managing its risk – or at least isn’t managing it well.

However, this is misleading. ERM proponents recognize that managing risk is an unavoidable part of running a business. The case for ERM, then, doesn’t assume that organizations aren’t doing this – or even that traditional risk models offer no benefits. Rather, ERM proponents argue that ERM has fewer limitations than traditional models.

Specifically, more traditional risk management models tend to take a “siloed” approach. Here, organizations assign each business unit leader the task of managing risks within that leader’s particular area of responsibility. The Chief Operating Officer (COO), for example, is charged with managing risks associated with a company’s production and distribution, whereas a Chief People Officer (CPO) manages risks associated with talent acquisition and retention.

The goal of this model, of course, is for organizations to have all their bases covered – and to give those with the greatest expertise responsibility for risks in their domain.

Unfortunately, risk management is never this simple. Sometimes, risks on the horizon don’t fit neatly into one particular silo and go undetected by leaders until it’s too late. Other times, a risk event emerges that impacts multiple silos at once. This can cause significant problems, especially if only one silo leader – who is focused only on the risk’s impact to their particular business unit – has it on their radar. Moreover, one silo’s particular risk response may have unintended consequences for other parts of the organization.

Additionally, organizations using this approach may overlook risks originating outside the organization – or be unaware of risks related to their strategic goals.

By contrast, ERM’s enterprise-wide approach leads organizations to strengthen their overall risk oversight and leverage risk insights to add strategic value.

Myth #2: ERM Only Takes Some Risks into Consideration

In the ERM process, organizations begin by outlining their strategic initiatives and core business drivers. Using the entity’s strategic plan as a starting point, ERM seeks to identify, monitor and manage emerging risks that may impact the entity’s future success – whether positively or negatively. 

According to some, this must mean that ERM strictly emphasizes strategic risks, with no concern for other types of risks – like operational, compliance and reporting risks.

In reality, however, ERM considers risks of every kind. The difference between traditional risk management models and the ERM paradigm, then, is not which kinds of risks are managed, but which lens is used to manage them.

Applying a distinctly strategic lens to the risk management process, ERM takes into consideration all types of risks that may derail or further an enterprise’s strategic success. After weighing these various risks, management then determines which are most important at the current time. For many organizations, this means generating a list of their top 10 risks.

With ERM’s enterprise-wide mindset, then, organizations are more likely – not less – to consider a wide variety of potential risks.

Once it understands its top risks, the entity then evaluates how to manage them with the strategic objectives still in view. This includes considering how to reduce risk exposure and how to minimize the impact, should a particular risk event occur. And to further its strategic initiatives, an organization may even be willing to embrace a certain degree of risk.

Myth #3: ERM Is a Cure-All for Every Risk Event

Another misconception is that because ERM aims to identify all types of risks, it shields organizations against every negative risk event. In the real world, however, no risk management paradigm can offer this – no matter how robust, proactive or comprehensive it is.

For this reason, ERM proponents do not claim that the framework can predict every threat or prevent every unfavorable outcome. Rather, they suggest that given the many shortcomings of traditional risk management, ERM puts organizations in a better position to respond and pursue long-term resilience.

The coronavirus pandemic is perhaps the best evidence for this. Even organizations embracing ERM were vulnerable to the pandemic’s social and economic fallout. Using ERM, however, these same organizations were able to rebound quickly, manage the pandemic’s impact to the business and think proactively about the future.

And with its emphasis on strategy, ERM not only allows organizations to do damage control once risks have come to fruition – it also equips them to identify new opportunities and risks worth taking to gain a strategic advantage.

What this means is that ERM is not a silver bullet, cutting through the chaos and complexity of today’s business environment with a simple, foolproof solution. Instead, it’s like a secret sauce driving the company’s overall, long-term success. 

Reality Check

By understanding what ERM is – and isn’t – organizations are better prepared to mature their risk management capabilities and strengthen core operations in an ever-changing world.

To learn more about how NC State’s Master of Management, Risk and Analytics concentration equips graduates in risk management and data analytics practices, click here.

This post was originally published in Master of Management Risk & Analytics.