The Insurance Times, August 2023

The Holistic Approach towards Enterprise Risk Management (ERM)


Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization’s operations and objectives and/or lead to losses. Successful ERM strategies can mitigate operational, financial, security, compliance, legal, and many other types of risks. Enterprise risk management takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide surveillance is given precedence. It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance have all shifted to utilize ERM. ERM, therefore, can work to minimize firm-wide risk as well as identify unique firm-wide opportunities. Communicating and coordinating between different business units is key for ERM to be successful, since the risk decision coming from top management may seem at odds with local assessments on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm.

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures by having each division manage its own business. Enterprise risk management calls for corporations to identify all the risks they face. It also makes management decide which risks to manage actively. Instead of risks being siloed across a company, the company sees the bigger picture when using ERM. ERM looks at each business unit as a “portfolio” within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit. The Government’s ambitious PM Gati Shakti plan is a fine example of ERM being followed in principle.


Components of ERM:

The COSO framework for ERM identifies eight components:

Internal environment, Objective setting, Event identification, Risk assessment, Risk response, Control activities, Information & communication, and Monitoring.

Internal Environment: The elements that make up the internal environment include things such as “an entity’s ethical values, competence and development of personnel, management’s operating style and how it assigns authority and responsibility.” As part of this internal environment, a company establishes its philosophy of risk management and recognizes that both expected and unexpected events may occur. This includes activities such as setting a risk management policy and defining risk appetite and risk tolerance levels.

Objective Setting: Involves identifying or understanding what an organization, a division or a department is expected to achieve in the long term, together with the related short-term or operational objectives that would enable it to achieve those strategic objectives. Management determines the organization’s risk appetite, identifies and prioritizes risks through a risk assessment based on their potential likelihood and impact, and develops a plan for risk mitigation or acceptance.

Event Identification: During event identification, management identifies potential events that could affect an entity’s ability to achieve its objectives. An event is an incident or occurrence that emanates from either internal or external sources. Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk Assessment: Risk assessment is the iterative process of risk identification, analysis, and evaluation. The objective is to provide sufficient information at appropriate intervals for risk-informed management decisions. The steps to assess the risk are:

  • Identify hazards.
  • Assess the risks.
  • Control the risks.
  • Record your findings.
  • Review the controls.


Risk Response: Leadership’s response or action towards the existence of a risk. There are different approaches, including: Avoidance – eliminate the conditions that allow the risk to exist. Reduction/mitigation – minimize the probability that the risk will occur and/or the severity of its consequences if it does. Since project managers and risk practitioners are used to the four common risk response strategies (for threats) of avoid, transfer, mitigate and accept, it seems sensible to build on these as a foundation for developing strategies appropriate for responding to identified opportunities.

Control Activities: Control activities are performed at all levels of the entity, at various stages within the business processes, and over the technology environment. They may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Control activities are the policies, procedures, techniques, and mechanisms that help ensure that management’s response to reduce the risks identified during the risk assessment process is carried out. In other words, control activities are actions taken to minimize risk.

Information & Communication: Information, communication, and reporting is one of the key components of the COSO ERM framework. Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization. Internal communication is the means by which that information is disseminated throughout the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.

Monitoring: Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. The scope and frequency of separate evaluations depend primarily on the assessment of risks, the effectiveness of ongoing monitoring, and the rate of change within the entity and its environment. Monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. The results should be recorded and reported externally and internally, as appropriate. Once risks are identified and assessed and a response is decided upon, the organization then needs to monitor the risks to see what has changed and how it impacts the organization.

Methodology in ERM: There are five basic techniques of risk management, each described below:

  • Avoidance.
  • Retention.
  • Spreading.
  • Loss Prevention and Reduction.
  • Transfer (through Insurance and Contracts).


Avoidance: Risk avoidance is one risk treatment (or risk control) strategy in enterprise risk management (ERM). Avoidance means taking some action to prevent the risk from occurring. For instance, you may shut down a site or facility in bad weather to avoid the chance that someone might get hurt. Risk avoidance means completely eliminating any hazard that might harm the organization, its assets, or its stakeholders, and removing the chance that the risk might become a reality. This strategy aims to deflect as many threats as possible to avoid their costly consequences.

Retention: Retention refers to the assumption of the risk of loss or damages. This expresses how a party, usually a business, handles or manages its risk. When a business retains risk, it absorbs the risk itself, as opposed to transferring it to an insurer. Retention of risk is the net amount of any risk which an insurance company does not reinsure but keeps for its own account. The reinsurer will indemnify the ceding company against the amount of loss on each risk in excess of a specified retention, subject to a specified limit. Examples include:

  • When a business owner determines the cost associated with loss coverage is less than that of paying for partial or full insurance protection. …
  • When a given risk is uninsurable, is excluded from insurance coverage, or if losses fall below insurance policy deductibles.
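The assessment step above ranks risks by likelihood and impact, and the retention examples give a cost rule for deciding whether to carry a risk or insure it. The following added example (not from the article) puts both into a small risk register: it scores each entry, compares the score with an assumed risk appetite, and picks one of the four responses (avoid, transfer, mitigate, accept). The probability bands, appetite threshold and register entries are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed 1-5 likelihood bands mapped to an assumed annual probability.
LIKELIHOOD_PROB = {1: 0.05, 2: 0.10, 3: 0.25, 4: 0.50, 5: 0.90}
RISK_APPETITE = 9  # assumed: likelihood x impact at or below this is accepted

@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    loss_if_occurs: float      # estimated loss per occurrence (constructed)
    premium: Optional[float]   # annual cost of insurance cover; None = uninsurable
    avoidable: bool = False    # the activity creating the risk can be stopped

def score(risk: Risk) -> int:
    """Likelihood x impact, the prioritisation measure used in the assessment step."""
    return risk.likelihood * risk.impact

def expected_loss(risk: Risk) -> float:
    """Annual expected loss if the risk is retained (carried on own account)."""
    return LIKELIHOOD_PROB[risk.likelihood] * risk.loss_if_occurs

def choose_response(risk: Risk) -> str:
    """Map a scored risk to one of avoid / transfer / mitigate / accept."""
    if score(risk) <= RISK_APPETITE:
        return "accept"          # within appetite: retain without further action
    if risk.avoidable:
        return "avoid"           # eliminate the condition that lets the risk exist
    if risk.premium is None:
        return "mitigate"        # uninsurable: retain, but reduce frequency/severity
    if expected_loss(risk) < risk.premium:
        return "mitigate"        # carrying the loss is cheaper than cover: retain
    return "transfer"            # cover costs less than the expected loss: insure

def prioritise(register: List[Risk]) -> List[Risk]:
    return sorted(register, key=score, reverse=True)  # highest score first

def response_plan(register: List[Risk]) -> Dict[str, str]:
    return {r.name: choose_response(r) for r in prioritise(register)}

REGISTER = [  # constructed sample register, not figures from the article
    Risk("Earthquake damage to California warehouse", 2, 5, 2_000_000, 150_000),
    Risk("Theft of audio-visual equipment", 5, 2, 20_000, 25_000),
    Risk("Site operations during severe weather", 3, 4, 300_000, 40_000, avoidable=True),
    Risk("Minor customer complaints", 3, 1, 500, 1_000),
    Risk("Reputational damage from a data leak", 3, 5, 900_000, None),
]
```

Calling `response_plan(REGISTER)` returns the register ordered from highest to lowest score with a response for each entry.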


Spreading: Spread risk means the risk of loss on a position that could result from a change in the bid or offer price of that position relative to a risk-free or funding benchmark, including when due to a change in perceptions of the performance or liquidity of the position. The spread of risks refers to whether the risks assumed by the company are spread out or concentrated in one type of risk, such as earthquake insurance in California. If the latter is the case, the company is vulnerable to a single natural catastrophe that could impact its solvency.

Loss Prevention and Reduction: When risk cannot be avoided, the effect of loss can often be minimized in terms of frequency and severity. For example, Risk Management encourages the use of security devices on certain audio-visual equipment to reduce the risk of theft. Loss control (a.k.a. risk reduction) can be effected either through loss prevention, by reducing the probability of the risk, or through loss reduction, by minimizing the loss. Loss prevention requires identifying the factors that increase the likelihood of a loss, then either eliminating those factors or minimizing their effect.

Transfer through Insurance Contracts: Risk transfer is a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another. The most common example is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer: the insurance carrier assumes the defined risks for the policyholder in exchange for a fee, the insurance premium, and will cover the costs of events such as worker injuries and property damage. Another way to transfer risk is through indemnification clauses in contracts.

Benefits of ERM for the organisation: Effective ERM can be a boon to business enterprises and can deliver the following benefits.

  • Consistent and Efficient Operations.
  • Security Confidence.
  • Increased Employee and Customer Satisfaction.
  • Healthier Financials.
  • Increased Risk Transparency.
  • More Focused Risk Analysis and Reporting.
  • Increased Resource Usage Efficiency.
  • Healthier Perspective of Risk.
  • Managing Risk Leads to More Efficient, Consistent Operations.
  • Risk Management Helps Businesses Identify and Avoid Unapparent Risks.
  • A Good Risk Management Strategy Can Help Protect the Brand.
  • Proactively Addressing Problems Can Boost Customer Satisfaction.



Strategies of ERM: Risk data and infrastructure are the mechanisms for making sure the organization has good information with which to manage risks. Common strategies used in ERM include safety policies, ethical regulations, quality assurance, data-driven decision-making, contingency planning, risk education, and stress testing. The basic methods for risk management (avoidance, retention, sharing, transferring, and loss prevention and reduction) can apply to all facets of an individual’s life and can pay off in the long run. The ERM process includes five specific elements: strategy/objective setting, risk identification, risk assessment, risk response, and communication/monitoring.


Conclusions on ERM: ERM is a practical model that helps prioritize all risks and brings focus to decisions and activities. Over time, implementing ERM will build resilience and preparedness for all stakeholders. The long-term survival of an organization depends on its ability to manage risks. The intensifying competition in the global markets has forced managers to focus on maintaining a strong risk management program by establishing values. Those using risk analysis results provided by others should pay particular attention to the understanding of dependence displayed by their analysts and reject outright any probabilistic analysis that suggests a failure to deal with dependence in an appropriate manner. Risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These risks stem from a variety of sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.
