Christel Fouche

Enterprise Wide Risk Management: Explained

  • November 19th, 2007

What is Enterprise-Wide Risk Management?

Looking at risk management from a Health & Safety point of view has changed over the past few years to include environmental aspect and impact (hazard & risk) management as well. Lately it has been broadened to include Information Security risks (ISO27001), Food risks (ISO22001), HIV & AIDS risks (SANS16001) and Business Continuity (ISO25001). Overseeing the risk of an entire organization is the cherry on top of any risk management system. This is where the term “enterprise-wide risk management” comes from. Other similar, well-worn expressions are “integrated risk management” and “holistic risk management solutions”.

Enterprise-wide risk management (EWRM) is defined as a structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. Institutions are finding that they need to manage risk in a more proactive way to avoid losses and gain advantage in an increasingly competitive environment.

The traditional approach to risk management, driven largely by regulatory pressure and the desire to avoid losses, is no longer considered sufficient. Until quite recently, risks were managed on a departmental basis, e.g. by the H&S department or the Financial department. These departments then focused mainly on policies, procedures, methodologies and systems, and separately on operational management, financial control and financial risk management. A gap occurred in terms of sharing information throughout the organization and applying risk management principles to the management practices of the company. EWRM should identify how the organization as a whole could be affected by risks and what actions should be taken to avoid major losses. The EWRM approach is illustrated below:

ARTICLE: October 05, 2006
BP Oil Pipeline Leak: A Cry for Enterprise Risk Management

Whenever there is a disaster or event that causes losses, it is usually proven that someone or several employees in middle management or on the front lines had been forecasting the event years before but no action had been taken.

The recent story of British Petroleum’s oil pipeline leak in Alaska is no different. The headline from the CNN news story, “BP was warned”, this week reads: “Interviews with employees and a 2002 letter predicting ‘catastrophe’ show that BP’s problems should have come as no surprise to management.” According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. ‘The mantra was, Can we cut costs 10 percent?’ he recalls.” How can such bad decision making be made by such smart people? The answer is found in the over-reliance on quantitative analysis.

There is a philosophy among some risk managers that all answers can be found in the deep quantitative analysis of the numbers in databases to detect patterns. This is true for high frequency risks. However, for low frequency and high impact risks (like the BP oil leak) quantitative analysis will often lead to incorrect decision making, or to more analysis with no decision making at all. First, there is insufficient historical data to analyze, and many possible outcomes can easily and incorrectly be “fit to the data”. Second, with too little data, the patterns of correlation and dependency, and therefore the big picture ramifications, cannot be easily understood.

The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that utilizes risk self-assessment (the process of identifying and evaluating risks with regard to their potential impact and likelihood, as well as related controls), followed by the subsequent risk management process of control evaluation, action plan definition, and monitoring of risk and of implementation progress. Enterprise Risk Management starts with a holistic and qualitative approach to first identify all the possible root causes of an issue, and then systematically helps quantify the total risk consequence, taking all the possibilities into consideration with scenario analysis and, if needed, quantitative analysis. Quantitative analysis is expensive and very focused in applicability.

Enterprise Risk Management is all about best practices of performing a self-assessment and scenario analysis before deciding where, when and how to invest in a deeper quantitative analysis like loss database approaches. With ERM, management can prioritize the full costs versus the benefits to make a better decision.

Benefits of EWRM

EWRM can make a major contribution towards helping an organization manage the risks to achieving its objectives. The benefits include:

  • Greater likelihood of achieving those objectives;
  • Consolidated reporting of disparate risks at board level;
  • Improved understanding of the key risks and their wider implications;
  • Identification and sharing of cross-business risks;
  • Greater management focus on the issues that really matter;
  • Fewer surprises or crises;
  • More focus internally on doing the right things in the right way;
  • Increased likelihood of change initiatives being achieved;
  • Capability to take on greater risk for greater reward; and
  • More informed risk-taking and decision-making.
