
Enterprise risk management is something only some project managers encounter. Generally, we manage risk with whoever is overseeing our project. We report risks (and potential responses), then move on to the next thing calling our name—usually whichever thing is screaming the loudest.
But what happens when the company decides to slow down and stop ignoring the stuff lurking between projects and departments? Well, then, that company would technically be dabbling in enterprise risk management.
Here at A. McBeth, we believe you need to know how to navigate any situation, even one that doesn’t have your best interest at heart. Businesses need to function in order to have projects, so the more you understand how a business is run (or how it’s potentially run), the better you can manage (and protect) your project.
We’ll be breaking down the concept of enterprise risk management, explaining the process, comparing it to traditional risk management, and laying out the best way to use this concept to your advantage.
Table of Contents
- What is Enterprise Risk Management (ERM)
- What Risks ERM Addresses
- Components of ERM
- ERM Process
- How That’s Different From Project-Based Risk Management
- Why You Need (To Understand) ERM
- How to Use ERM
- Drawbacks to ERM
What is Enterprise Risk Management?
Threats and opportunities, also known as risks, can creep up on anyone. Businesses are no exception. There are possible events that are large enough and unknown enough to give even the largest corporations a run for their money.
Enterprise risk management is the act of stepping away from department concerns and looking at the bigger picture, searching for risks that can affect the company as a whole, and planning accordingly.
It’s a much more holistic approach than traditional risk management.
In general, enterprise risk management is handled by management, and that group’s decisions don’t often make sense for any individual department or segment of the business. The issues they are considering are far too big for that. This is a company-wide effort.
You can’t just have one department head making decisions that can ripple into another’s territory, so the process is very collaborative.
One huge benefit to enterprise risk management is the way it enables communication between sectors that doesn’t normally happen. It makes managers look up from the small, unit-specific fires and consider what lies ahead. Then they have to decide what to actively manage as a collective.
Enterprise risk management forces companies, businesses, and organizations to take a look at potential risks to the entity as a whole, decide what to address, and make plans to do so. No other type of management strategy requires this, which is why this concept has become so popular in business circles.
What Does Enterprise Risk Management Address?
There are a lot of topics that enterprise risk management covers, which is one of the benefits of this strategy. Some of the issues covered include
- Compliance
- Legal
- Strategic
- Operational
- Security
- Financial
Enterprise risk management is a great safety net, especially for large corporations that have several fully developed departments that tend to work in their own lanes.
For example, when the legal department is considering maneuvers for an upcoming lawsuit, someone might think it’s a good idea to reveal information about internal operations, like who attends what meetings, when, and more. Legal might see how relevant that is to the case, but they might not consider how sensitive that data is and how revealing it in a public case could jeopardize the security of their operations.
Enterprise risk management would require a meeting with the head of legal, the head of security, and all the other department managers. In that meeting, they’d be able to discuss a course of action that doesn’t hang a section out to dry. The path they decide to take forward might hurt legal a little, give security a bit more work, and make everyone else put in some elbow grease, but the threats are handled with much greater care than without enterprise risk management.
By stepping away and giving management a clear view of all the silos, a management team can better assess threats, protect company assets, and ensure that everyone comes out on the other side.
Components of Enterprise Risk Management
Because enterprise risk management works on a bigger scale than traditional risk management, it’s going to have more parts. These include
- The internal environment
- The goals of the organization
- Identifying the risks in specific events
- Risk assessment that determines the likelihood
- Communication across departments
- Response control
- Regulating activities
As you’ll see, some of the following components will make sense to monitor for some organizations more than others. Regardless, each should be considered.
Internal Environment
You could call this aspect the environment. You could call it the culture. You could even call it the risk appetite. Whatever name it earns, this feature is often set in place by management and then carried out by employees. This is true for company cultures with pleasant aspects, like hard work, cooperation, and encouragement, and it’s true for those with less-pleasant aspects, like arrogance, lack of accountability, and intimidation.
Organizational Goals
Enterprise risk management works best in a harmonious balance with the organization’s goals. Therefore, the goals need to be clearly understood when practicing enterprise risk management. Risks associated with predetermined goals might be prioritized.
Risks In Specific Events
Of course, you have to identify risks, but when some risk-prone event occurs, your approach might have to change. The pandemic is a great example of a risk-prone event that companies and organizations alike couldn’t ever fully prepare for. But they could have taken some precautionary measures that might have eased the burden later.
Another consideration is how risks can devolve into either opportunities or threats. The contactless ways of the post-pandemic world might work for delivery services as a messy opportunity but could easily destroy a business focused on hosting concerts.
Determine Likelihood
It’s important to understand how likely risks are to occur. It helps to check with relevant parties to identify patterns. How often does this happen? What brings this event on? What precedes the event? What follows? Also, look at any residual issues.

Responses
How trouble is handled (and by which person or group) is another important aspect of risk management. None of this planning is useful if people aren’t aware of their roles and required actions. In enterprise risk management, the most common responses to risks are avoidance, reduction, sharing, and acceptance.
Regulating Opportunities
Identifying opportunities for regulating risk is a great way to mitigate or even avoid risk. Over the last 10 years, many families have incorporated a home security system that screams when someone enters without a code—a prime example of a directive control activity.
Then there are preventative control activities, which might be the little sign in the yard that says this home is protected by whichever security company. Throughout this process, you’ll be able to identify plenty of both.
Enterprise Risk Management, The Process
While there is no set structure for any risk management tactic, there is a general flow that makes sense for most organizations. Remember, as this is a firm-wide effort, there will need to be input from all different groups.
The most common steps of the enterprise risk management process include
- Understand the setting
- Spot the risk
- Define measurements
- Integrate the ideas
- Prioritize risks to address
- Handle presenting risks accordingly
- Monitor for more
- Review the process for potential improvement
1. Get Some Context
Where does the organization sit? Where does it want to be? What are the biggest threats to the organization’s financial and social standings? All of these questions (and more) should be asked of all of the attendees, and all answers should be heard.
2. Identify Risk
During this step, it’s important that everyone understands that they don’t understand everything. What appears as an opportunity to you might be a grave threat to another. Keep an open mind to what other managers consider threats, even if you don’t agree.
Also, keep in mind that decisions, considerations, and plans made as a result of these meetings will rarely make sense through the lens of one department.
3. Analysis & Quantification
Adding metrics helps a lot. Give everyone some kind of measurement tool. Perhaps there is a period when things remain stable that you can use to develop a baseline. No matter the theme of the risks, having data that accurately represent your standing is crucial for developing the best path forward.
4. Integrating
Understanding where you and your organization want to be is half the battle, but once you’ve decided on your destination, gotten everyone on the same page, and created a system of measurement, you’ll be able to start taking action.
Integration can have a different meaning depending on who you ask. For those in security, it might look like adding background checks to the onboarding process to reduce theft. In legal, it might mean adding to the staff because there is too much documentation to work through for your current team. For operations, it might involve adding checklists into the workflow to reduce mistakes.
This step can also mean simply integrating enterprise risk management meetings into the day-to-day with more widespread check-ins and data sharing.
5. Pick Your Priorities
As the management team gets into a groove, they might rearrange the order of attack. Enterprise risk management is about keeping an eye on external and internal risks, which can change and shift with terrifying speed.
The pandemic, for example, was whispered about long before it was actually on anyone’s radar. During those meetings in the spring of 2020, you might have heard some management talking about keeping an eye on the situation and taking mild preparative measures before things “got real.”
6. Treat vs. Exploit
Risks can morph into either threats or opportunities. So, depending on what the outcome is, there will have to be a plan for a response in place. For an operations team, there might be a shipment that is heavily anticipated. If the shipment comes early, it’s an opportunity. But if it comes late, then it’s a threat. Each is handled differently and should be planned for.
7. Monitoring
Keeping your eyes peeled for risks and, further down the line, for risks that come from responses is a huge part of enterprise risk management. Implementing systems that can filter through day-to-day processes and find potential issues can be extremely helpful in reducing threats and increasing opportunities over time.
8. Review
Learning from doing is one of the most potent forms of education. So, it makes sense that looking back at how risks were handled would be beneficial for everyone involved. Reviewing risk management efforts after the fact can also give management members a better sense of how the company can address future hiccups.
How Enterprise Risk Management Differs From Project-Based Risk Management
In the early days, an organization is generally trying to accomplish as much as possible with the least financial output. These efforts tend to look like 1) a lot of delegation and 2) working through what’s left on the plate. As time goes on, issues that are department-specific get priority—it’s easier that way. There may be processes and procedures that require another division’s input, but that’s regularly overlooked.
The same goes for projects. While we say that we watch what’s happening outside our view, that’s actually very hard to do. Projects easily become their own world because they kind of are their own world, and we get swept into that like tree limbs in a tornado.
So, instead of working through risks from the bottom up, enterprise risk management works the other way.
Leaders, stakeholders, and management work to identify potential threats that endanger the whole operation, not specific to the project. While traditional risk management might look at supply chain issues and focus efforts on controlling that risk alone, an enterprise-based approach would focus more on the risk to assets and the organization as a whole.
Why You Need (To Understand) Enterprise Risk Management
This whole topic might not seem relevant to project managers, but we think you should take another look. Here at A.McBeth, we feel it’s in your best interest to have an idea of what is trending in the business world, even if you believe there is no chance this topic will ever touch your project.
This risk management strategy is becoming more and more popular every year, especially after the pandemic.
Every project has an environment that it depends on. Because of that, we suggest you take this idea in stride and check in from time to time. Step back and look at the whole picture. Also, try to understand how your organization handles risk because those actions could easily affect your project and its well-being.
And as much as we hate to admit it, a lot of things can derail a project. One of those things can easily be a risk that no singular department kept an eye on because it wasn’t “in their territory,” and now the whole company is going down. We’ve all seen it.
Due to the holistic approach of enterprise risk management, your organization’s responses to risks might seem wrong to you, but remember that management isn’t looking at the same picture you are.
Another reason we are discussing this is because it’s just good to know about other kinds of approaches. And this one is definitely on the rise. Organizations are seeing the benefit of assessing risk from the perspective of the entire entity and not just one section.
Another benefit is simply how useful this is. Enterprise risk management can enable whole companies to set clear expectations that keep everyone up to snuff. It improves team satisfaction because it makes people feel protected. Their livelihood is being cared for in ways they may have never seen before.
That feeling of care encourages trust, which then allows everyone to be more transparent. People speak up and are more aware of risky activity—which further protects everyone.
7 Tips For Using Enterprise Risk Management
1. Determine Risk Philosophy
You and your team need to know how much risk you can handle. This might look like management collecting data on where things stand today. The most common approach includes developing a risk profile and deciding how much each division can handle.
2. Create Plans of Action
First, as a company, how will you protect your assets? Assets can include
- Employees
- Locations
- Money
- Anything that supports operations
Second, how will you protect the future of the organization?
3. Be Creative
Enterprise risk management means big thinking to match the big problems your organization faces. Use this process as a chance, together with fellow leadership, to dream up as many hurdles, situations, and circumstances as possible, along with how you’d respond to each of them.
4. Communicate Your Priority
When you’ve dreamed up all your potential scenarios, it’s time to pick out those that pose the greatest threat to your organization. Make sure everyone is on the same page in understanding that these are not obstacles your organization can afford to face.
Also, discuss both proactive and reactive steps to be taken in the wake of these things. Communicating these can be the difference between a company that steps up to the challenge and one that falls flat.

5. Assign Specifically
Everyone needs to know their roles. For example, when someone calls out to a crowd, “Someone call 911,” help is rarely called because each person assumes someone else handled it. Don’t let that happen. It’s much more effective and efficient to come in and yell, “Peggy! Call 911!” You can bet your bottom dollar that Peggy is going to whip out her phone and start dialing.
The point is that when you assign specific people to specific tasks, you’ll have a much easier time of things. Everyone will.
6. Be Flexible
Risks are not stationary. They ebb and flow, and you’ll need to meet each challenge accordingly. Allow your team to be able to make necessary changes and allow these plans to grow with the organization. As you carry out these plans, don’t forget to make more.
7. Keep Watch & Measure
As you go along, learning how to manage risks and adjusting to your ever-changing circumstances, don’t stop holding your brainstorming sessions, so that your team is always ready for the hurdles coming your way.
Also, once you find your best-fitting set of metrics, don’t forget to use it. Create standards for enterprise risk management specific to you, your goals, and your needs as a company. Track your progress.
Common Drawbacks of Enterprise Risk Management
We won’t lie to you. Everything has its cons. No single approach is perfect, and this one is definitely no exception. So, before you go and redo your whole infrastructure, keep these in mind.
First, creating these systems from the ground up can be expensive. For example, you cannot get a discount code for bringing in a whole legal team. But if your operation warrants it, making that leap can be worth the investment.
Second, if you have to take regulations into account, that can also be an investment. Handing your operations over to an independent third-party auditor, to be sure the regulator doesn’t find the problems first, can also mean handing over a big check.
Third, agreeing across departments on what “risk” really means can be difficult. The head of accounting wants to save money, the head of legal wants to save everyone from lawsuits, and the operations manager just wants fewer headaches. It’s hard getting all those intentions to line up.
Finally, enterprise risk management can push organizations into constant defense mode. Because there is such a reliance on estimates and inputs, people can make inaccurate calls. So, the organization as a whole avoids all risks, even ones that can turn into opportunities, because of numbers on a spreadsheet.
Let New Ideas Find You
It shouldn’t come as a surprise that this idea has been gaining traction, especially since the pandemic. Organizations understand that now, more than ever, they need to be aware of situations that no one thought possible just a decade ago.
Here at A.McBeth, Inc., we know it’s better to pop our thinking caps open, receive new ideas, and use them on occasion than act like we know everything. Project management is pretty uncomfortable with that attitude.
That’s why we are offering up new (and old) ideas all month long, so sign up to be notified next time. You don’t want to miss it.