Enterprise Risk Management: Risk Static-Dynamic
Friday, April 10, 2009 at 05:12PM
Based on the enterprise risk management (ERM) philosophy, risks that may affect the organization’s strategies must be identified, quantified, and managed. In the ERM model, risks are not managed in “silos” but in a harmonized fashion. The goal is to reduce the cost of risk management and increase its effectiveness while supporting the organization’s strategy. The organization’s strategy may very well change from year to year, or even quarter to quarter. Therefore, the risk factors may also change. For example, if the organization decides to adopt a new strategy to expand globally into Asia and it previously only operated domestically, the risk factors will change significantly.
In addition, if the organization is following ERM best practices, its “approach” will remain constant:
- Risk Identification: What is the specific risk that is threatening the organization’s objectives?
- Risk Measurement: The risk must further be quantified. Typically the risk is given a value that is the product of the potential impact and the probability of occurrence.
- Risk Mitigation: Based on the trade-offs, what is the most efficient and effective way to eliminate or manage the risk?
- Risk Monitoring: Because risk factors change in terms of potential impact and probability of occurrence, they must be monitored as necessary. For example, if bad weather is a serious risk to an organization’s shipping lanes, the threat of a storm must be monitored continuously before and during hurricane season.
Therefore, while specific tactics for managing a specific risk factor may change depending on the risk factor’s characteristics, the environment, and the organization’s strategic direction, overall the organization adheres to the ERM framework.
Generally, the traditional risk silos do have specialists who are adept at managing risk for their respective domains within familiar contexts. However, risk management is not an exact science, and the tools and techniques for managing risk, both downside and upside, are still evolving. At this stage, to expect practitioners, even those considered “specialists”, to know “exactly” how to deal with risks is not realistic or prudent.
Managing risk under the ERM model is different in several important respects:
- Risk factors must be managed in a holistic manner to ensure maximum benefit to the organization as a whole. This may mean some traditional silos are not optimized in order for another one to be, if it means the organization as a whole gains more benefit.
- Risk is viewed as either a positive or negative impact on the organization (Banks, 2003).
- Cross-functional teams are utilized to ensure the organization’s overall objectives are achieved efficiently and effectively, while individual departmental objectives are subordinated.
- Supports specific organizational strategies: This is considered the most important critical success factor under the ERM model.
Also, it is important to note that traditional risk management focused on managing insurance to transfer risk. The ERM model is much broader in scope, with a key objective of lowering the organization’s volatility, thereby increasing shareholder value.
- Deon Robinson


