Skip to main content

Understanding Enterprise Risk Management

April 25, 2024

by Jake Taylor and Brent Warner

Businesses today face ever-increasing and changing risks. How do we compete in a world of artificial intelligence? How do we attract, hire and retain top performers? How do we keep our finger on the pulse of changing laws and compliance matters that impact our business?  

Considering these individually may seem like an overwhelming task, but a common tool is available that can help bring it all together in a meaningful way.  

What is Enterprise Risk Management? 

Enterprise risk management (ERM) is a systematic approach to identifying risks associated with running a business, assessing their likelihood and potential impact, and developing strategies to manage and mitigate those risks. While approaches to implementing an ERM program vary, the fundamental steps are often similar. 

Gain an understanding of your mission, vision and values and how that combination drives your strategic goals.  

Start here before you dive into risks. The driving force behind implementing an ERM program comes back to how you can successfully achieve your strategic goals. 

Design (or borrow) an ERM framework.  

There are many existing ERM frameworks where you can look for guidance. The COSO ERM framework is a popular framework used by many ERM practitioners. Also popular is the AS/NZ – ISO 31000 ERM framework. You do not have to prescribe to these, or any other framework completely, but you are encouraged to borrow from multiple frameworks and craft your own, tweaking along the way as you mature the ERM process. 

Identify and document your risks.  

Review materials already at your disposal – corporate strategic plan, board minutes, etc. – to understand what leadership is focusing on. Interview key leaders, such as board members, to gauge what stakeholders have on their mind related to risk. As you identify risks, it is important to note that risks will be internal, external or both.  

External Risk: The risk of finding the right talent during a tight labor market could be driven by market conditions outside of your control.  

Internal Risk: Once you find and hire the right talent, failure to train, develop or compensate those employees could cause you to lose them. 

Rank the risks you have identified.  

Likelihood, impact, speed of onset and speed of response are common factors used to score and rank risks.  

This is a crucial step as it helps prioritize what could be a long list of identified risks. Likelihood criteria could be developed on a 1 to 5 scale. For example, one means the organization has successfully responded to the risk before, management has action plans in place, systems are effective through the risk, and employees are minimally impacted.  

Conversely, five means the organization has never faced the risk and is untested, systems could fail, and the event has a severe, negative impact on all employees.  

Impact criteria are also developed to score risks across various categories, such as financial, legal, regulatory or reputational. 

Consider scoring how fast the risk event could occur and how quickly the organization can respond to the risk. The COVID-19 pandemic sprang up overnight. This was a risk not seen by many organizations, and they responded as quickly as possible. How many of these scenarios do you think you can identify as part of an ERM risk assessment? 

Socialize the risks identified.  

Using the factors and their scores noted above, you should rank them from high to low as a means for focusing your stakeholder’s review on the highest ranked risks. At this point, you may also ask, “Is there anything on this list that surprises you?” Or “Is there anything not on the list that you expected to see?” 

Develop action plans.  

When going through an ERM process, it is important to not make this a one and done exercise. Your organization will not find value if you do steps 1 to 5 and put the binder up on the shelf. Assign owners to top risks, produce action plans on how to manage and mitigate risks, and ensure you monitor progress on an ongoing basis.  

Regular updates to the Board on the status of ERM is an effective way to keep risk owners accountable for actively managing their risks. Risk owners should work with those developing the organization’s ERM model to produce key risk indicators. These indicators tell you if a risk is increasing, decreasing or staying the same. For example, if a not-for-profit organization notices an increase in turnover rates with staff who have long-lived relationships with large donors, how does that impact donor retention or turnover? Does that increase the risk that donors may take their charitable means elsewhere? 

Next Steps on Your ERM Journey 

Any organization can benefit from implementing an ERM program and can flex it to meet your needs, budget or resources. As you think about going down the ERM path, it is important to remember to: 

Assign an ERM owner and champion. Who will help send the message throughout your organization that ERM is important? 

Determine your risk tolerance. Are your leaders aligned on risk tolerance and accept a common definition of risk as it relates to your organization? 

Develop a game plan. Great software applications exist that can help you manage this effort, but you can just as easily do it using good, old-fashioned Excel. Plan out your ERM journey and stick to it. 

Most importantly, utilize the ERM process to help you achieve your goals, grow your business, and be better positioned to turn risks into potential opportunities. 

Jacob Nelson Taylor, CPA (licensed in MN) and Brent Warner, CPA (licensed in IN), CIA, CRMA are leaders in CLA (CliftonLarsonAllen LLP)’s value and risk services practice. They can be reached at Jacob.taylor@claconnect.com and brent.warner@claconnect.com, respectively. To learn more about the benefits of effective risk management, attend the ASCPA’s Not-for-Profit Conference in June. Visit ascpa.com/npc to see the full agenda and register.