3 Fundamental Components of Any Enterprise Risk Management Plan

Nicholas J Price

Attempts to control the risks taken in the course of business are as old as business itself; nobody knows when the first insurance policy was written. Enterprise Risk Management (ERM), however, is a specifically codified set of practices, developed largely in the United States since the 1990s, by which an entity sets out to identify, manage and control all of the potential risks to its business.

The most widely used cross-sector definition of ERM, from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its 2004 ERM framework, is “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

This post introduces the basics of an effective approach to risk management. Assessing, managing and minimizing risk is, of course, a huge topic, and this post can offer only the briefest of summaries. For simplicity’s sake, we’ll break ERM into three of its major components: operational risk, financial risk and strategic risk.

  1. Operational Risk Management

    The purest form of risk is the business hazard: damage to property, legal liability and the like, which can only ever cost the entity money. Since whole insurance industries exist to take care of hazards, we’ll jump straight to operational risk. The international capital framework set out in the Basel II Accords defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” That definition includes legal risk but excludes strategic and reputational risk.

    Examples of operational risk include the potential losses from employee turnover, failures of management oversight, poorly designed IT systems or a security breach, and so on. Like hazards, these risks carry only the possibility of loss and no possibility of gain, so they are considered pure risks. Managing them begins with identifying the risks in every operation through surveys, workshops and a structured risk assessment framework; once those risks are catalogued, a corporate governance structure is needed to own, monitor and treat them.
  2. Financial Risk Management

    The regulatory push behind ERM came after the financial scandals at companies such as Enron and WorldCom, when the US Congress responded with the Sarbanes-Oxley Act of 2002. Section 404 of that act requires the management of publicly traded companies to establish, assess and report on internal controls over financial reporting and, for larger filers, requires external auditors to attest to that assessment.

    Financial risks arise from the effects of markets on an entity’s assets and liabilities and include credit, price and liquidity risk. Because market exposures can produce gains as well as losses, and because, unlike hazards or operational risk, they can to some extent be projected and hedged, they are considered speculative risks. Staying on top of them is usually the job of the CFO and their department.
  3. Strategic Risk Management

    Looking at strategic risk requires you to step back from the nitty-gritty of your business’s operations and finances to its future growth and development. Put another way: ERM practices in operations and finance help you do things right; strategic risk management is about making sure your entity does the right things.

    The company with the best budgeting and the most efficient operations will still go bust if no one wants its products. Product turnover and obsolescence are a natural part of the business cycle, and strategic risk management helps you prepare for them.

    Examples of poor (or entirely absent) strategic risk management abound in technology. Think back to the appearance of the first-generation iPhone in 2007. iPhones and comparable devices did not become ubiquitous right away, but Apple’s marketing created an instant demand for this functionality, a demand for which other handset manufacturers had simply not prepared and with which they had no idea how to cope. That single technological advance netted Apple billions of dollars while its competitors were thrown into crisis.


By this point you can see that risk management is important enough that it has to be implemented and monitored at the highest levels of your entity. Parts of these practices are legally required of publicly traded companies, and all of them effectively stand between your entity and business failure.

Diligent’s software is intended to support your business, from the highest level of strategic planning on your board down to the middle managers and employees charged with implementing best practices for operational risk. We offer a number of reliable and elegant solutions for assessing and managing all of the different kinds of business risk, and we hope to be your first entry point into a safe and effective strategy for managing risk across your whole entity. Please call us to discuss our solutions.