What is an Enterprise Risk Profile?
Enterprise Risk Management (ERM) is a strategic approach to managing an organization's risks by applying risk management principles consistently across the whole enterprise rather than in silos. It can be applied to any area of risk, including operational, financial, security, compliance, and legal risk. Security-related risk domains that fit within ERM include physical security, cybersecurity, information security, investigations, loss prevention, organizational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk management, and workplace violence prevention. A holistic ERM program can be designed on the COSO Enterprise Risk Management (ERM) framework, whose original (2004) edition identifies the following eight core components of how a company should approach building ERM practices [1]:
- Internal environment. The internal environment is the tone of the organization: its risk management philosophy, risk appetite, integrity and ethical values, and the culture set from the top and shared by its people.
- Objective setting. The organization must set objectives that support its mission and goals, and those objectives must be consistent with its stated risk appetite.
- Event identification. The organization identifies internal and external events that could affect the achievement of its objectives, distinguishing risks from opportunities. Examples include natural disasters, regulatory changes, loss of a key supplier, or a cyber incident.
- Risk assessment. Identified risks are analyzed by likelihood and impact (financial and otherwise) to decide how they should be managed, considering both inherent risk (before controls) and residual risk (after controls).
- Risk response. Management selects a response that brings each risk within the organization's risk appetite:
  - Avoiding the risk (exiting the activity that creates it)
  - Reducing the risk (lowering its likelihood or impact through controls)
  - Sharing the risk (insurance, outsourcing, contractual transfer)
  - Accepting the risk (no action beyond monitoring)
- Control activities. Policies and procedures are established and implemented to help ensure the chosen risk responses are actually carried out. Controls may be preventive, stopping an undesired event before it happens (for example, access restrictions), or detective, identifying it after the fact (for example, log review or reconciliation).
- Information and communication. Relevant information is identified, captured, and communicated in a form and timeframe that lets people carry out their responsibilities; management in particular needs timely, accurate risk data to understand the organization's risk profile and how risk is being managed.
- Monitoring. The ERM process itself is monitored, through ongoing management activities, separate evaluations by an internal risk committee or an external auditor, or both, and modified when policies and practices no longer fit.
To develop a risk profile for use in ERM, an organization needs to consider at least four categories of risk [2]:
- Strategic risk. Strategic risks are usually external and can include competitors, customers, innovation, technology, and regulation.
- Operational risk. Operational risks are future events that impair the effectiveness of the business model, typically failures in people, processes, or systems. Assessing them means looking at the loss of vital components (a key system, facility, supplier, or person) and the organization's resilience, that is, its ability to keep operating and recover.
- Financial risk. Financial risks relate to cash flows, liquidity, and capital, and include the risk that other risks are not being managed cost-effectively.
- Compliance/legal risk. Compliance and legal risks are the risks of noncompliance with laws, regulations, contractual obligations, and internal policies, which can result in fines, penalties, lost revenue, increased cost, and reputational damage.
[1] COSO, 2020, "Compliance Risk Management: Applying the COSO ERM Framework"
[2] DeLoach, 2016, "Understanding Your Risk Profile"