Risk management is a systematic process of identifying and assessing company risks and taking actions to protect a company against them. The task of the risk manager is to predict and enact measures to control or prevent losses within a company. The risk-management process involves identifying exposures to potential losses, measuring these exposures, and deciding how to protect the company from harm given the nature of the risks and the company's goals and resources. Some risk managers define risk as the possibility that a future occurrence may cause harm or losses, while noting that risk also may provide possible opportunities. By taking risks, companies sometimes can achieve considerable gains. However, companies need risk management to analyze possible risks in order to balance potential gains against potential losses and avoid expensive mistakes.
THE EVOLUTION OF RISK MANAGEMENT
The field of risk management emerged in the mid-1970s, evolving from the older field of insurance management. The term risk management was adopted because the new field has a much wider focus than simply insurance management. Risk management includes activities and responsibilities outside of the general insurance domain, although insurance is an important part of it and insurance agents often serve as risk managers. Insurance management focused on protecting companies from natural disasters and basic kinds of exposures, such as fire, theft, and employee injuries, whereas risk management focuses on these kinds of risks as well as other kinds of costly losses, including those stemming from product liability, employment practices, environmental degradation, accounting compliance, offshore outsourcing, currency fluctuations, and electronic commerce.
In the 1980s and 1990s, risk management grew into a vital part of company planning and strategy and risk management became integrated with more and more company functions as the field evolved. New areas of risk management began to emerge in the 1990s, providing managers with more options to protect their companies against new kinds of exposures. According to the Risk and Insurance Management Society (RIMS), the main trade organization for the risk management profession, among the emerging areas for risk management were operations management, environmental risks, and ethics. As the role of risk management has increased to encompass large-scale, organization-wide programs, the field has become known as enterprise risk management (ERM).
TYPES OF RISK
Risk managers need to be aware of the types of risks they face. Common types of risks include automobile accidents, employee injuries, fire, flood, and tornadoes, although more complicated types such as liability and environmental degradation also exist. Furthermore, companies face a number of risks that stem primarily from the nature of doing business. In Beyond Value at Risk (1998) Kevin Dowd sums up these different types of risks companies face by placing them in five general categories:
- Business risks or those associated with an organization's particular market or industry
- Market risks or those associated with changes in market conditions, such as fluctuations in prices, interest rates, and exchange rates
- Credit risks or those associated with the potential for not receiving payments owed by debtors
- Operational risks or those associated with internal system failures because of mechanical problems (e.g., machines malfunctioning) or human errors (e.g., poor allocation of resources)
- Legal risks or those associated with the possibility of other parties not meeting their contractual obligations
Environmental risks constitute a significant and growing area of risk management, since reports indicate the number and intensity of natural disasters are increasing. For example, the periodical Risk Management reported that there were about five times as many natural disasters in the 1990s as in the 1960s, and the 2000s seemed to continue this trend. In 2004, three major hurricanes hit the state of Florida, and a tsunami caused death and incalculable devastation in the Pacific Rim. Hurricane Katrina, which hit the Gulf Coast in 2005, was the costliest hurricane in U.S. history. Analysts expect that the twenty-first century will be just as bad as or worse than the past. Some observers blame the rising number of natural disasters on global warming, which they believe will cause greater floods, droughts, and storms in the future. Whatever the cause, it is clear that natural disasters are wreaking expensive havoc.
Any given risk can lead to a variety of losses in different areas. For example, if a fire occurs, a company could lose its physical property such as buildings, equipment, and materials. In this situation, a company also could lose
revenues, in that it could no longer produce goods or provide services. Furthermore, a company could lose human resources in such a disaster. Even if employees are not killed or injured, a company would still suffer losses because employers must cover benefits employees draw when they miss work.
ASSESSING RISKS ASSOCIATED WITH DOING BUSINESS
One way managers can assess the risks of doing business is by using the risk calculator developed by Robert Simons, a professor at the Harvard Business School. Although the risk calculator is not a precise tool, it does indicate areas where risks and potential losses exist, such as the rate of expansion and the level of internal competition. Using the risk calculator, managers can determine if their company has a safe or dangerous amount of risk. The risk calculator measures three kinds of internal pressures: risk stemming from growth, corporate culture, and information management. Rapid growth, for example, could be a risk and lead to losses, because if a company grows too quickly, it may not have enough time to train new employees adequately. Hence, unchecked growth could lead to lost sales and diminished quality.
Managers can assess the increased risk associated with growth by determining if sales goals are set by top management without input from employees. If a company sets sales goals in this manner, then it has a high level of risk in that the goals may be too difficult for employees to meet. In cases where employees feel extreme pressure in trying to achieve goals, they may take unnecessary risks. Similarly, companies that rely heavily on performance-based pay also tend to have higher levels of risk.
To assess risk arising from corporate culture, managers should determine what percentage of sales comes from new products or services developed by risk-taking employees. If the percentage is high, then the amount of risk is also high, because such a company depends significantly on new products and the related risks. In addition, a corporate culture that allows or encourages employees to work independently to develop new products increases company risk, as does a high rate of new product or service failures.
Finally, managers can determine business risks resulting from information management by determining if they and their subordinates spend a lot of time gathering information that should already be available. Another way of assessing these risks is by managers considering whether they look at performance data frequently and whether they notice if reports are missing or late.
RISK MANAGEMENT METHODS
Company managers have three general options when it comes to choosing a risk manager:
- Insurance agents provide risk assessment services and insurance advice and solutions to their clients.
- Salaried employees manage risk for their company (often chief financial officers or treasurers).
- Independent consultants provide risk-management services for a fee.
Because risk management has become a significant part of insurance brokering, many insurance agents work for fees instead of for commissions. To choose the best type of risk manager for their companies, managers should consider the company's goals, size, and resources.
Risk managers rely on a variety of methods to help companies avoid and mitigate risks in an effort to position them for gains. The four primary methods include exposure or risk avoidance, loss prevention, loss reduction, and risk financing. A simple method of risk management is exposure avoidance, which refers to avoiding products, services, or business activities with the potential for losses, such as manufacturing cigarettes. Loss prevention attempts to root out the potential for losses by implementing such things as employee training and safety programs designed to eradicate risks. Loss reduction seeks to minimize the effects of risks through response systems that neutralize the effects of a disaster or mishap.
The final option risk managers have is to finance risks, paying for them either by retaining or transferring their costs. Companies work with risk managers insofar as possible to avoid risk retention. However, if no other method is available to manage a particular risk, a company must be prepared to cover the losses; that is, to retain the losses. The deductible of an insurance policy is an example of a retained loss. Companies also may retain losses by creating special funds to cover any losses.
Risk transferring takes place when a company shares its risk with another party, such as an insurance provider, by getting insurance policies that cover various kinds of risk that can be insured. In fact, insurance constitutes the leading method of risk management. Insurance policies usually cover (a) property risks such as fire and natural disasters, (b) liability risks such as employer's liability and workers' compensation, and (c) transportation risks covering air, land, and sea travel as well as transported goods and transportation liability. Managers of large corporations may decide to manage their risks by acquiring an insurance company to cover part or all of their risks, as many have done. Such insurance companies are called captive insurers.
Risk managers also distinguish between preloss and postloss risk financing. Preloss risk financing includes financing obtained in preparation for potential losses, such as insurance policies. With insurance policies, companies pay premiums before incurring losses. On the other hand, postloss financing refers to obtaining funds
after losses are incurred (i.e., when companies obtain financing in response to losses). Obtaining a loan and issuing stocks are methods of postloss financing.
During the implementation phase, company managers work with risk managers to determine the company goals and the best methods for risk management. Generally, companies implement a combination of methods to control and prevent risks effectively, since these methods are not mutually exclusive, but complementary. After risk management methods have been implemented, risk managers must examine the risk management program to ensure that it continues to be adequate and effective.
EMERGING AREAS OF RISK MANAGEMENT
Beginning in the 1990s and continuing into the twenty-first century, risk managers have started focusing on new types of risks and have begun using new methods of risk analysis. As the authors of Making Enterprise Risk Management Pay Off (2002) noted at the beginning of the 2000s, “As businesses worldwide enter the twenty-first century, they face an assortment of risks almost unimaginable just 10 years ago.”
Risk managers of corporations have started focusing more on verifying their companies' compliance with federal environmental regulations. According to Risk Management, risk managers began to assess environmental risk such as those arising from pollution, waste management, and environmental liability to help make their companies more profitable and competitive. Furthermore, tighter environmental regulations also goaded businesses to have risk managers check their compliance with environmental policies to prevent possible penalties for noncompliance.
Companies also have the option of obtaining new kinds of insurance policies to control risks, which managers and risk managers can take into consideration when determining the best methods for covering potential risks. These nontraditional insurance policies provide coverage of financial risks associated with corporate profits and currency fluctuation. Hence, these policies in effect guarantee a minimum level of profits, even when a company experiences unforeseen loss from circumstances it cannot control (e.g., natural disasters or economic downturns). Moreover, these nontraditional policies ensure profits for companies doing business in international markets, and hence they help prevent losses from fluctuations in a currency's value.
Risk managers can also help alleviate losses resulting from mergers. Stemming from the wave of mergers in the 1990s and 2000s, risk managers became a more integral part of company merger and acquisition teams. Both parties in these transactions rely on risk management services to determine and control or prevent risks. On the buying side, risk managers examine a selling company's expenditures, loss history, insurance policies, and other areas that indicate a company's potential risks. Risk managers also suggest methods for preventing or controlling the risks they find.
Finally, risk managers have been called upon to help businesses manage the risks associated with increased reliance on the Internet. The importance of online business activities in maintaining relationships with customers and suppliers, communicating with employees, and advertising products and services has offered companies many advantages, but it has also exposed them to new security risks and liability issues. Business managers need to be aware of the various risks involved in electronic communication and commerce and include Internet security among their risk management activities.
ENTERPRISE RISK MANAGEMENT (ERM)
As the field of risk management expanded to include managing financial, environmental, and technological risks, the role of risk managers grew to encompass the organization-wide risk embodied in ERM. This approach seeks to implement risk awareness and prevention programs throughout a company, thus creating a corporate culture able to handle the risks associated with a rapidly changing business environment. Practitioners of ERM incorporate risk management into the basic goals and values of the company and support those values with action. They conduct risk analyses, devise specific strategies to reduce risk, develop monitoring systems to warn about potential risks, and perform regular reviews of the program.
The development of ERM was spurred by sudden and dramatic changes in the business environment. As the authors of the 2008 New Frontiers in Enterprise Risk Management note, the development of ERM was “encouraged by traumatic recent events such as 9/11 and business scandals to include Enron and WorldCom.” Passage of the Sarbanes-Oxley Act of 2002 provided the concrete impetus for a number of large firms to implement enterprise risk management. Passed in the wake of scandals involving accounting compliance and corporate governance, the act required public companies to enact a host of new financial controls. In addition, it placed new, personal responsibility on boards of directors to certify that they are aware of current and future risks and have effective programs in place to mitigate them. “Fueled by new exchange rules, regulatory initiatives around the globe, and a bevy or reports that link good corporate governance with effective risk management, attention is turning to ERM,” Lawrence Richter Quinn noted in Financial Executive. “[Some executives believe that it] will
save companies from any number of current and future ills while providing significant competitive advantages along the way.”
In late 2004 the London-based Treadway Commission's Committee of Sponsoring Organizations (COSO) issued Enterprise Risk Management-Integrated Framework, which provided a set of “best practice” standards for companies to use in implementing ERM programs. The COSO framework expanded on the work companies were required to do under Sarbanes-Oxley and provided guidelines for creating an organization-wide focus on risk management. According to Financial Executive, between one-third and one-half of Fortune 500 companies had launched or were considering launching ERM initiatives by the end of 2004.
While companies face a host of different risks, some are more important than others. Risk managers determine their importance and ability to be affected while identifying and measuring exposures. For example, the risk of flooding in Arizona would have low priority relative to other risks a company located there might face. Risk managers consider different methods for controlling or preventing risks and then select the best method given the company's goals and resources. After the method is selected and implemented, the method must be monitored to ensure that it produces the intended results.
Risk management is best used as a preventive measure rather than as a reactive measure. Companies benefit most from considering their risks when they are performing well and when markets are growing in order to sustain growth and profitability.
SEE ALSO Strategic Planning Tools Succession Planning
Barton, Thomas L., William G Shenkir, and Paul L. Walker. Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management. Upper Saddle River, NJ: Prentice Hall, 2002.
Crouhy, Michel, Dan Galai, and Robert Mark. The Essentials of Risk Management. New York: McGraw-Hill, 2006.
D'Arcangelo, James R. “Beyond Sarbanes-Oxley: Section 404 Exercises Can Provide the Starting Point for a Comprehensive ERM Program.” Internal Auditor (October 2004).
Dowd, Kevin. Beyond Value at Risk. New York: Wiley, 1998.
Lam, James. Enterprise Risk Management: From Incentives to Controls. Hoboken, NJ: John Wiley, 2003.
Mills, Evan. “The Coming Storm: Global Warming and Risk Management.” Risk Management (May 1998): 20.
Moeller, Robert. COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework. Hoboken, NJ: Wiley, 2007.
Quinn, Lawrence Richter. “ERM: Embracing a Total Risk Model.” Financial Executive (January-February 2005).
Olson, David L., and Desheng Wu, eds. New Frontiers in Enterprise Risk Management. Berlin: Springer-Verlag, 2008.
Simons, Robert. “How Risky Is Your Company?” Harvard Business Review (May 1999): 85.
Telegro, Dean Jeffery. “A Growing Role: Environmental Risk Management in 1998.” Risk Management (March 1998): 19.
White, Larry. “Management Accountants and Enterprise Risk Management.” Strategic Finance (November 2004).
"Risk Management." Encyclopedia of Management. 2009. Encyclopedia.com. (August 26, 2016). http://www.encyclopedia.com/doc/1G2-3273100256.html
"Risk Management." Encyclopedia of Management. 2009. Retrieved August 26, 2016 from Encyclopedia.com: http://www.encyclopedia.com/doc/1G2-3273100256.html
Risk management involves identifying, analyzing, and taking steps to reduce or eliminate the exposures to loss faced by an organization or individual. The practice utilizes many tools and techniques, including insurance, to manage a wide variety of risks. Every business encounters risks, some of which are predictable and under management's control; others are unpredictable and uncontrollable. Risk management is particularly vital for small businesses, since some common types of losses—such as theft, fire, flood, legal liability, injury, or disability—can destroy in a few minutes what may have taken an entrepreneur years to build. Such losses and liabilities can affect day-to-day operations, reduce profits, and cause financial hardship severe enough to cripple or bankrupt a small business. But while many large companies employ a full-time risk manager to identify risks and take the necessary steps to protect the firm against them, small companies rarely have that luxury. Instead, the responsibility for risk management is likely to fall on the small business owner.
The term is a relatively recent evolution of the term "insurance management." The concept of risk management encompasses a much broader scope of activities and responsibilities than does insurance management. Risk management is now a widely accepted description of a discipline within most large organizations. Basic risks such as fire, windstorm, employee injuries, and automobile accidents, as well as more sophisticated exposures such as product liability, environmental impairment, and employment practices, are the province of the risk management department in a typical corporation. Although risk management has usually pertained to property and casualty exposures to loss, it has recently been expanded to include financial risk management—such as interest rates, foreign exchange rates, and derivatives—as well as the unique threats to businesses engaged in E-commerce. As the role of risk management has increased, some large companies have begun implementing large-scale, organization-wide programs known as enterprise risk management.
Businesses have several alternatives for the management of risk, including avoiding, assuming, reducing, or transferring the risks. Avoiding risks, or loss prevention, involves taking steps to prevent a loss from occurring by such methods as employee safety training. As another example, a pharmaceutical company may decide not to market a drug because of the potential liability. Assuming risks simply means accepting the possibility that a loss may occur and being prepared to pay the consequences. Reducing risks, or loss reduction, involves taking steps to reduce the probability or the severity of a loss, for example by installing fire sprinklers.
Transferring risk refers to the practice of placing responsibility for a loss on another party by contract. The most common example of risk transference is insurance; it allows a company to pay a small monthly premium in exchange for protection against automobile accidents, theft or destruction of property, employee disability, or a variety of other risks. Because of its costs, the insurance option is usually chosen when the other options don't provide sufficient protection. Awareness of, and familiarity with, various types of insurance policies is a necessary part of the risk management process. A final risk management tool is self-retention of risks—sometimes referred to as "self-insurance." Companies that choose this option set up a special account or fund to be used in the event of a loss.
Any combination of these risk management tools may be applied in the last step of the process, implementation. This step, monitoring, involves a regular review of the company's risk management tools to determine if they have obtained the desired result or if they require modification. Tools in that process include maintaining a high quality of work; training employees well and maintaining equipment properly; installing strong locks, smoke detectors, and fire extinguishers; keeping the office clean and free of hazards; backing up computer data often; and storing records securely off-site.
RISK MANAGEMENT IN THE INTERNET AGE
Small businesses encounter a number of risks when they use the Internet. Increased reliance on Web-based operations demands that small business owners decide how much risk to accept and implement security systems to manage the risk associated with online business activities. Conducting business online exposes a company to liability due to infringement on copyrights, patents, or trademarks; charges of defamation due to statements made on a Web site or by e-mail; charges of invasion of privacy due to unauthorized use of personal information or excessive monitoring of employee communications; liability for harassment due to employee behavior online; and legal issues due to accidental noncompliance with foreign laws. In addition, businesses connected to the Internet also face a number of potential threats from computer hackers and viruses, including a loss of business and productivity due to computer system damage, and the theft of customer information or intellectual property. If the small business is publicly traded, the requirements of the Sarbanes-Oxley Act, specifically record retention, including the archiving of computer-based records, apply as well.
In the early 2000s new forms of insurance coverage emerged to cover risks businesses run in cyberspace, and this branch of protection is expected to develop along with new risks as they emerge. In the meanwhile attentive care to e-commerce implementation, the installation of firewalls, and effective disciplines inside the business can largely prevent serious problems. As pointed out elsewhere in this volume (see Computer Crimes ) the largest risks most business run these days are from actions of employees inside the company.
ENTERPRISE RISK MANAGEMENT
In the 1990s, the field of risk management expanded to include managing financial risks as well as those associated with changing technology and Internet commerce. In the early 2000s, the role of risk management began to expand even further to protect entire companies during periods of change and growth. As businesses grow, they experience rapid changes in nearly every aspect of their operations, including production, marketing, distribution, and human resources. Such rapid change also exposes the business to increased risk. In response, risk management professionals created the concept of enterprise risk management, which was intended to implement risk awareness and prevention programs on a company-wide basis.
The main focus of enterprise risk management is to establish a culture of risk management throughout a company to handle the risks associated with growth and a rapidly changing business environment. Writing in Best's Review, Tim Tongson recommended that business owners take the following steps in implementing an enterprise-wide risk management program: 1) incorporate risk management into the core values of the company; 2) support those values with actions; 3) conduct a risk analysis; 4) implement specific strategies to reduce risk; 5) develop monitoring systems to provide early warnings about potential risks; and 6) perform periodic reviews of the program.
Finally, it is important that the small business owner and top managers show their support for employee efforts at managing risk. "To bring together the various disciplines and implement integrated risk management, ensuring the buy-in of top-level executives is vital," Luis Ramiro Hernandez wrote in Risk Management. "These executives can institute the processes that enable people and resources across the company to participate in identifying and assessing risks, and tracking the actions taken to mitigate or eliminate those risks."
see also Business Insurance; Computer Crimes
Anastasio, Susan. Small Business Insurance and Risk Management Guide. U.S. Small Business Administration. Available from http://www.sba.gov/library/pubs/mp-28.txt. Retrieved on 22 May 2006.
Hernandez, Luis Ramiro. "Integrated Risk Management in the Internet Age." Risk Management. June 2000.
Hommel, Ulrich, Michael Frenkel, and Markus Rudolf. Risk Management: Challenge and Opportunity. Springer, 2005.
Lam, James. Enterprise Risk Management: From Incentives to Controls." John Wiley & Sons, 2003.
O'Neill, David T. "Guard Against Cyber Exposures: New e-commerce risk insurance offers coverages beyond your standard policies." Risk Management. April 2003.
Sandgrove, Kit. The Complete Guide to Business Risk Management. Grower Publishing, 2005.
Tongson, Tim. "Turning Risk into Reward." Best's Review. December 2000.
Williams, Kathy. "How is Your Company Managing Risk?" Strategic Finance. September 2005.
Hillstrom, Northern Lights
updated by Magee, ECDI
"Risk Management." Encyclopedia of Small Business. 2007. Encyclopedia.com. (August 26, 2016). http://www.encyclopedia.com/doc/1G2-2687200507.html
"Risk Management." Encyclopedia of Small Business. 2007. Retrieved August 26, 2016 from Encyclopedia.com: http://www.encyclopedia.com/doc/1G2-2687200507.html
Risk management is a term that pervades a number of different areas of human interest. At the ultimate level of risk management, political leaders and government officials must assess the risk of natural disasters, terrorist attacks, and nuclear war—events that threaten human existence. For public health officials and hospital administrators, risk management entails the reduction of mortality due to disease and infection. For transportation safety engineers, risk management focuses on preventing or reducing deaths and injuries caused by accidents. Insurance companies and their customers view risk management as entailing the assessment and mitigation of various types of risks, often with the goal of reducing the costs of insuring against such risks.
For bankers and lenders, risk management involves credit analysis and techniques such as currency hedging and interest rate swaps that reduce credit and lending risks. For the business manager, risk management necessitates the assessment of future market fluctuations both on the sales and supply sides of an enterprise and creating plans to mitigate the effects of these fluctuations. In sum, risk management addresses the possibility that future events may cause adverse effects and entails an attempt to mitigate the impact of these effects.
Risk management draws upon knowledge and skills derived from various disciplines, including statistics, economics, psychology, sociology, epidemiology, biology, engineering, toxicology, systems analysis, operations research, decision theory, and international relations. Because of the wide diversity of risk management topics, this entry addresses only a small portion of the total, concentrating on risk management from the perspective of higher levels of a business enterprise. The specific risk management techniques will not be addressed, but the focus will instead be on components of risk management that are important to business enterprises. Ultimately, risk management can provide assurance to shareholders, creditors, employees, customers, and other interested parties that a business is being well managed, and it can provide important evidence about compliance with relevant laws and government regulations.
An important contribution to the field of risk management for business enterprises has been provided by the Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting (Treadway Commission). The Treadway Commission was created in 1987 in the wake of several major financial frauds. The sponsoring organizations include the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors.
In 1992 COSO issued the report Internal Control—Integrated Framework, which has become the most widely recognized framework for internal control in the United States. Section 404 of the federal Sarbanes-Oxley Act of 2002 requires the management of public companies to issue annual internal control reports which include a statement that management is responsible for establishing and maintaining an adequate internal control structure, as well as procedures for financial reporting, and is to make an assessment of the effectiveness of the internal control structure and the procedures for financial reporting.
Section 404 also requires the company's independent auditor to issue a report on management's assessment of internal control. Public Companies Accounting Oversight Board (PCAOB) Standard No. 2 specifically recognizes the COSO Internal Control—Integrated Framework as establishing the criteria for effective internal control over financial reporting.
ENTERPRISE RISK MANAGEMENT
Because the Sarbanes-Oxley Act and the COSO Internal Control—Integrated Framework are directed primarily toward internal control and transparency in financial reporting, COSO became concerned that there was a need for a broader framework to identify, assess, and manage enterprise risks. Consequently, in 2004 COSO issued Enterprise Risk Management: Integrated Framework. This document is not intended to replace the COSO internal control framework. Rather it incorporates the internal control framework and recommends that companies use the enterprise risk management framework to both satisfy their internal control needs and to develop a more complete risk management process.
According to COSO, the underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. Because all entities face uncertainty, the challenge for management is to determine how much risk to accept. COSO defines enterprise risk management as:
a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO, 2004)
Several aspects of this definition are underlined, namely that risk management is an ongoing process undertaken by people at various levels of an organization. Furthermore, risk management is a strategic process that looks at the risks facing an entity from a portfolio perspective. Finally, risk management is geared toward providing reasonable assurance to entity management and directors that risks will be managed, and that any risks assumed are related to the objectives of the entity.
COSO believes that enterprise risk management should focus on achieving an entity's strategic, operating, reporting, and compliance objectives. Strategic objectives are defined as high-level goals related to the mission of the entity. Operating objectives focus on effective and efficient use of resources. Reporting objectives deal with reliability of reporting, and compliance objectives involve compliance with laws and regulations. The COSO framework sets forth eight interrelated components for enterprise risk management:
- Internal environment —The tone of an organization and how risk is viewed by the people in the organization
- Objective setting —Objectives must exist before management can identify risks that may affect those objectives
- Event identification —Internal and external events that may pose risks must be identified
- Risk assessment —Risks are analyzed from both the perspective of likelihood and impact
- Risk response —A decision to avoid, accept, reduce, or share the risk
- Control activities —Establishing policies and procedures so that chosen risk response is carried out
- Information and communication —Information about risks and procedures is communicated throughout the organization
- Monitoring —Enterprise risk management is monitored and changes are made as needed
The enterprise risk management framework envisions the objectives of the enterprise and the components of risk management as being arranged in a matrix, so that there is an intersection between each objective and each component. For example, in the area of operations, there is an intersection with internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication and monitoring. This matrix is then extended to encompass entitylevel, division-level, and business-unit-level risk management objectives and components.
The extent to which the COSO framework will become seen as an exemplar of risk management for business enterprises is still unclear. Nevertheless, the authority of COSO and its sponsoring organizations makes it important for business managers to be aware of the provisions of the framework if they are to be fully conversant with enterprise risk management.
see also Insurance ; Investments
Beasley, Mark S., and Elder, Randal J. (2005). The Sarbanes-Oxley Act of 2002: Impacting the accounting profession. Upper Saddle River, NJ: Pearson Prentice-Hall.
COSO. (1992). Internal control—Integrated framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.
COSO. (2004). Enterprise risk management: Integrated framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.
National Commission on Fraudulent Financial Reporting. (1987). Report of the National Commission on Fraudulent Financial Reporting. Washington, DC: Author.
Rowe, William D. (1988). An anatomy of risk. Malabar, FL: Robert E. Krieger.
C. Richard Baker
Baker, C.. "Risk Management." Encyclopedia of Business and Finance, 2nd ed.. 2007. Encyclopedia.com. (August 26, 2016). http://www.encyclopedia.com/doc/1G2-1552100271.html
Baker, C.. "Risk Management." Encyclopedia of Business and Finance, 2nd ed.. 2007. Retrieved August 26, 2016 from Encyclopedia.com: http://www.encyclopedia.com/doc/1G2-1552100271.html
1. A systematic and disciplined approach to assessing the significance in terms of safety of the complete set of risks that may occur with a system.
2. An assessment in quantitative or qualitative terms of the damage that would be sustained if a computer system were exposed to postulated threats. A quantitative risk analysis may ascribe a probable financial loss if each specified threat successfully exploited each possible vulnerability of the system.
JOHN DAINTITH. "risk assessment." A Dictionary of Computing. 2004. Encyclopedia.com. (August 26, 2016). http://www.encyclopedia.com/doc/1O11-riskassessment.html
JOHN DAINTITH. "risk assessment." A Dictionary of Computing. 2004. Retrieved August 26, 2016 from Encyclopedia.com: http://www.encyclopedia.com/doc/1O11-riskassessment.html
"risk management." A Dictionary of Nursing. 2008. Encyclopedia.com. (August 26, 2016). http://www.encyclopedia.com/doc/1O62-riskmanagement.html
"risk management." A Dictionary of Nursing. 2008. Retrieved August 26, 2016 from Encyclopedia.com: http://www.encyclopedia.com/doc/1O62-riskmanagement.html
"risk assessment." A Dictionary of Nursing. 2008. Encyclopedia.com. (August 26, 2016). http://www.encyclopedia.com/doc/1O62-riskassessment.html
"risk assessment." A Dictionary of Nursing. 2008. Retrieved August 26, 2016 from Encyclopedia.com: http://www.encyclopedia.com/doc/1O62-riskassessment.html
JOHN DAINTITH. "risk management." A Dictionary of Computing. 2004. Encyclopedia.com. (August 26, 2016). http://www.encyclopedia.com/doc/1O11-riskmanagement.html
JOHN DAINTITH. "risk management." A Dictionary of Computing. 2004. Retrieved August 26, 2016 from Encyclopedia.com: http://www.encyclopedia.com/doc/1O11-riskmanagement.html