CHAPTER SIX
Risk Management

FOR MANY, TODAY'S PUBLIC sector management challenge is greater than at any time in our lives. That is certainly true in the United States, but is also true for much of the developed and developing world. Decades of deficit spending resting on the belief (or at least the hope) that “investments” would result in increased productivity generating revenues greater than costs have failed to come true. National governments have awoken, even if slowly, to the recognition that nations, just like individuals, cannot spend indefinitely at a rate higher than incoming revenues. While local governments may not be able to engage in deficit spending, they are nevertheless impacted by national governments that do so.

We have long heard the calls from leaders and consultants to “do more with less.” Yet such a goal requires productivity to increase faster than the rate of reduction in budgets. For most of our lifetimes that was feasible. Increasingly, however, it appears that budget challenges are making such a goal no longer credible. Given our introduction of the concept of value-based management, this battle cry should change to “do more of value with fewer resources.” While perhaps not as memorable, this phrase is much more meaningful in terms of solutions to the challenges that lie ahead.

Leaders must be driven not by a focus on spending less or doing more, but rather on creating increased stakeholder value through the balancing of results sought, resources available, and risks accepted.

Risk management, as indicated in the discussion of the value-based management framework in Part One, is an inherently critical element of any decision-making process that seeks to maximize stakeholder value. While balancing desired results and available resources/budget will always be part of the decision process, too often risk is left out of serious consideration. It is important to understand the challenges to meaningfully incorporate risk considerations in business decisions. However, before beginning that discussion, it is vitally important to define exactly what we mean by “risk.”

Risk is a very commonly used term, but a term that can mean considerably different things once one gets into the details of its definition. For the purposes of this book, we choose to use the word “risk” as defined in the international risk management standard ISO 31000: “the effect of uncertainty on objectives.” Defining a word such as “risk” in advance of a discussion using that term is important because many organizations and individuals have defined that term in different and inconsistent ways. The average person might think of a risk as a threat to safety or achieving an objective, in contrast to a possible opportunity or benefit. However, in defining risk as uncertainty, we are including both the downside (i.e., threat) and the upside (i.e., opportunity) associated with such uncertainty. Given that some degree of uncertainty is involved in almost every business decision, why does it not always naturally occur as part of the decision-making process?

There are many reasons for the traditionally diminished role of risk management in management decision-making. Thinking seriously about risk is not something that many decision makers have learned as a practice. They either (1) simply ignore risk, because of a lack of awareness of, or concern about, the uncertainty in achieving a desired objective, or (2) briefly consider risks and assume them to be negligible and unworthy of serious consideration. Some decision makers may recognize that risks exist, but bypass proactively addressing them and instead take a reactive approach that deals with risks only after they transition into adverse events (if a threat). Such decision makers also do not integrate the uncertain upside of risk (opportunity) into their decision-making process.

Additionally, many organizations – particularly those in government – desire not to acknowledge the existence of risk in delivering services to and on behalf of their various stakeholders. This unwillingness to address risks to the public thus transfers over into an unwillingness to manage those risks as part of planning and operations. This narrow-sighted approach to risk management in the public sector must cease if government leaders are to maximize the value delivered in exchange for limited resources. Pretending to their constituency that we live in a riskless world will come back to haunt many government leaders if risks are not consciously and proactively managed.

THE EVOLUTION OF RISK MANAGEMENT

Whether primitive humans were managing the risk of attack by adversaries or wild animals, the concept of risk – and the effort to manage that risk – is as old as humankind. Early examples of a more formal approach to risk management can be seen in the Code of Hammurabi (circa 1755 BCE), which provided the underpinnings of maritime insurance contracts. The concept of risk and considering how to manage that risk further developed over the centuries. Marine insurance appeared in Italian port cities as early as the twelfth century, and an organization in Belgium in 1310 was the first in that country to offer marine insurance for their merchants. The establishment of the Fire Office in London, possibly the first company offering fire insurance, was a likely response to the Great Fire of London in 1666. The development of probability theory in the seventeenth and eighteenth centuries allowed for the calculation of quantifiable risks, which did much to formalize the practice of risk management and open it to a much larger area of application.

Despite an ability to trace the concern over risk in a very broad sense dating back several millennia, the focus until the mid-twentieth century was generally on insurance-related risk – those risks that could be insured by transferring to another party. The development of modern risk management focused on organizational functions beyond insurance has been a much more recent occurrence.

The trail to financial risk management was blazed by the actuarial profession beginning in the mid-nineteenth century. However, risk in the eyes of the actuarial and accounting professions maintained a relatively narrow and limited focus. In the 1950s there were no textbooks on the broader topic of risk management, and no university courses offered on the subject. The first book published on what we think of as risk management nowadays in the broader business context was Risk Management in the Business Enterprise, written by Robert I. Mehr and Robert A. Hedges in 1963. This book appears to have been the first formal use of the term “risk management.” Moreover, the book was the first to propose steps to the risk management process that can be seen reflected in the various risk management standards of today. These proposed steps were:

  1. Identifying loss exposures
  2. Measuring loss exposures
  3. Evaluating the different methods for handling risk:
    • Risk assumption
    • Risk transfer
    • Risk reduction
  4. Selecting a method
  5. Monitoring results

Financial risk management developed rapidly beginning in the 1970s with the use of derivatives to manage insurable and uninsurable risks, and many additional practices developed in the remaining years of the twentieth century. While much of the development of risk management in this period took place in the arena of finance and insurance, other areas developed strong risk management practices and procedures as well, such as engineering.

In 1995, Australia and New Zealand jointly published the world's first formal risk management standard, AS/NZS 4360. This standard considered risk as applicable to all endeavors, not only finance and insurance. Members of the committee that developed AS/NZS 4360 included communities of interest as diverse as the Australian Computer Society, Australian Customs Service, the Australian Department of Defence, Australian and New Zealand engineering associations, universities, and others. In short, this initiative included a broad cross-section of society that had a strong interest in and need for effective risk management. In 2004, the United Kingdom's HM Treasury published “The Orange Book: Management of Risk – Principles and Concepts.” Both AS/NZS 4360 and the HM Treasury Orange Book highly influenced the creation in 2009 of the International Organization for Standardization's risk management standard, ISO 31000. This standard was subsequently updated in 2017.

As risk management has matured over the past half-century, so, too, has the general concept of “risk” grown. As noted, early risk management was focused on insurable risk – that risk that could be transferred to another party in exchange for a risk premium. In more recent years, however, the concept of risk has increasingly focused on the idea of uncertainty, rather than simply potential loss. This important distinction recognizes that we may often knowingly and willingly take on the acceptance of loss in order to have the opportunity for gain.

No race car driver can take on the possibility of a win without considering the possibility of car damage or even bodily harm. How much risk such a driver undertakes depends in part on how much risk he or she is willing to take. A lower degree of risk would yield a lower chance of bodily harm, but also a lower likelihood of winning. We all typically face daily decisions that balance the upsides and downsides of uncertainty (even if without such impactful consequences), but we recognize that there should always be an upside benefit to taking on a potential for downside consequences. This broader definition of risk as uncertainty, rather than threat or loss, ensures that this balancing act is part of the decision-making process.

TRADITIONAL RISK MANAGEMENT

The management of risk in various functional areas has become increasingly sophisticated over the years. Whether concerned about fraud, financial reporting misstatements, expected return on investments, inability to accomplish program requirements, adequately managing cyber-security, or countless other needs, the necessity to manage risks to achieving specific objectives has become broadly recognized. Not until the 1990s, however, did risk management begin to be considered broadly across the organization and not limited to specific functional or programmatic areas of concern. Australia and New Zealand jointly developed and published the first risk management standard, AS/NZS 4360, in 1995. This standard in turn directly led to the international risk management standard ISO 31000, published in 2009. In the meantime, COSO developed and published the COSO ERM-Integrated Framework in September 2004, and the United Kingdom published the Treasury Orange Book in October 2004.

THE RISK MANAGEMENT PROCESS

While these various risk management standards are all unique and have slightly different approaches and terminology for elements of the risk management process, their description of the risk management process can generally be portrayed as illustrated in Figure 6.1. This figure was developed by the US White House Office of Management and Budget and is influenced by both the United Kingdom Treasury Orange Book and ISO 31000. The two outside rings are typical for a federal agency, but should be adapted for a state or local government organization. While this diagram is not intended to be prescriptive, it does illustrate the steps that are typically included in the risk management process:

  1. Establish the Context. Consideration must be given to the internal and external environments relative to the organization in which risks are to be managed. Depending on the objectives and associated risks to be considered, the subject organization could be a large agency, a division or other organizational element of the agency, or even a smaller subcomponent of an agency for narrowly focused objectives and associated risks.

    Examining an organization's external context (i.e., outside the boundaries of the specific organization in question) may include factors such as an understanding of the influence of the social, cultural, political, legal, regulatory, financial, technological, economic, and competitive environments. It will also include an understanding of the key drivers and trends affecting the objectives of the organization; the relationships, perceptions, values, and expectations of external stakeholders; and contractual relationships and commitments.

    Illustration depicting the 6 steps involved in the risk management process: Establishing context, identifying risks, analyzing and evaluating, evaluating alternatives, responding to risks, and monitoring and reviewing the risks.

    FIGURE 6.1 Example risk management process.

    Source: Office of Management and Budget Circular A-123, White House (US federal government).

    The organization's internal context may include but not be limited to vision, mission and values, governance processes, organizational structure, strategies and policies, capabilities (such as budget allocation, time, people, processes, and technologies), relationships with internal stakeholders, organizational culture, and contractual relationships and commitments. The context also includes consideration of the organization's risk appetite, which forms the basis for evaluating acceptability of risks to the organization's objectives.

    Defining the organization's objectives and the overall risk appetite for achieving various objectives is an important part of the context. Clearly defining objectives is a critical element of establishing the context, because the identification of risks to achieving objectives – the purpose of the following step in the risk management process – cannot be achieved until the organization first establishes what those objectives are intended to be.

    Also, along with understanding what objectives the organization seeks to accomplish, an understanding of the level of risk the organization finds appropriate in seeking to accomplish those objectives is essential. This appropriate level of risk to be accepted by an organization, which is known as “risk appetite” and was mentioned above, can be defined as the amount and type of risk that an organization is prepared to pursue, retain, or take. A risk appetite statement is a higher-level statement that broadly considers the levels of risk that management deems appropriate.

    Establishing and communicating an organizational risk appetite is a critical and often missed step in the risk management process. A risk appetite is the basis for judging whether or not an existing risk is at an acceptable level, and whether or not further risk treatments are appropriate. If that risk appetite is not clearly defined and used to guide decisions across the organization, different managers will make risk treatment decisions in different and inconsistent ways. The level of risk an organization is willing to take in pursuit of objectives is not a trivial matter and should not be an ad hoc process exercised by individuals inconsistently across the organization.

    The “appropriate” level of risk should be determined after considering tradeoffs between the upside potential for new opportunities versus the downside potential for adverse impacts. This is not a “one-size-fits-all” proposition. For example, the United States knew full well in the 1960s that seeking to land a man on the moon was fraught with great risk. However, the upside opportunity for new knowledge was deemed greater than the downside possibility of loss, including the loss of human life. It would be inappropriate to take such risks for most other ventures. An individual starting up a small business typically wants reasonable assurance that they will profit from their venture. Lacking such expectation, such individuals might be more inclined to work as an employee for another company that has decided to take such business risks.

    While the overall risk an organization finds appropriate to accept in pursuit of objectives should be considered and communicated across the organization, this level of risk may appropriately vary from one part of the organization to another. For example, an organization may be compelled to knowingly accept large uncertainty in pursuit of certain program objectives, as the upside potential is much greater than the downside. Scientific research and exploration is an area of human endeavor that easily falls into this general category. At the same time, the organization may have a far lower risk appetite for cyber-security or the loss of personally identifiable information (PII). It is thus appropriate – and often critical – to tailor an overall enterprise risk appetite statement to various functional or programmatic areas of the enterprise. This tailoring, however, should be a coordinated process that incorporates enterprise stakeholder interests, and is not done on an isolated basis by individual functional or program managers having no awareness of or commitment to the overall enterprise risk appetite.

    A related consideration for the context step is risk tolerance. Risk tolerances set the acceptable level of variation around specific objectives. Risk tolerance is thus focused on specific objectives and is typically quantifiable in setting measurable boundaries for acceptable variation in those objectives.

  2. Initial Risk Identification. Using a structured and systematic approach to recognizing where the potential for undesired outcomes or opportunities can arise relative to organizational objectives.

    Once the context has been established, elements at all levels of the organization should identify risks to achieving objectives set for their particular part of the organization. There are numerous risk identification techniques, such as:

    • Brainstorming
    • Interviews
    • Checklists
    • Structured “What-if” Technique (SWIFT)
    • Scenario Analysis
    • Fault Tree Analysis (FTA)
    • Bow Tie Analysis
    • Direct Observations
    • Incident Analysis
    • Surveys

  3. Analyze and Evaluate Risks. Considering the causes, sources, probability of the risk occurring, the potential positive or negative outcomes, and then prioritizing the results of the analysis.

    Once risks are identified, they must be analyzed in terms of their likelihood of occurrence and the impact if those risks do transition into actual events. In practice, the risk identification and risk analysis steps frequently overlap, as the techniques for identifying risks often yield insight into the likelihood and impact of the risk. In addition to the techniques identified under Initial Risk Identification, various specialized techniques relevant to particular types of risks (e.g., credit, information technology, engineering, project management and others) may be used, often enabling more quantifiable analyses.

    After risks are analyzed for likelihood and impact, they must be evaluated by comparing the identified risks to the established risk appetite, and prioritizing those identified and analyzed risks in terms of potential treatment. This prioritization takes into account the level of risk compared to the risk appetite.

  4. Develop Alternatives. Systematically identifying and assessing a range of risk response options guided by risk appetite.

    Based upon the risk analysis and evaluation, various options are considered for treating any particular risk. Options for treating risks can be categorized into one of four categories:

    1. Avoid. An entity can choose to avoid the activities that create the risk. For example, accepting cash payments for goods or services has inherent risk. Some people are willing to lie, cheat, and steal to take cash. One way to address that risk is to stop accepting cash payments. In recent years, the airlines have virtually all decided to avoid the risk of cash payments for various items on planes, in part to reduce the administrative cost of handling cash. If you want to purchase a meal or an alcoholic beverage on a plane, you must pay for it with a credit or debit card.
    2. Mitigate. An entity can elect to implement procedures to reduce the risk. For example, if you gamble at a casino and give the dealer a 100-dollar bill, it will almost certainly be immediately deposited in a lockbox under the table, and the dealer will alert someone that a bill is being deposited. Cash moving about is still a risk, of course, but that risk is reduced by getting higher-value bills off the tables quickly. Also, in a casino, all activity is closely monitored through a video system, whereby everything is watched and recorded in real time. Risk mitigation can focus on reducing the likelihood of an event occurring, the impact of the event if it does occur, or both.
    3. Share or transfer. A homeowner will be required by a mortgage company to insure his home against fire. This action shares the risk of a home fire with the insurance company, who will bear the risk of repairing fire damage in exchange for an insurance premium. Sharing risk often is beneficial when the likelihood of an adverse event is small, but the potential impact is unbearable without significant damage to the organization.
    4. Accept. There will be frequent occasions when reducing the risk not only reduces the threat of an adverse action, but simultaneously reduces the opportunity to achieve beneficial results. Anyone interested in playing a competitive game, for example, may mitigate the risk of a loss through training and experience. However, they ultimately must accept a level of risk of a loss if they are to enjoy the thrill of the competition.

  5. Respond to Risks. Making decisions about the best option(s) among a number of alternatives, and then preparing and executing the selected response strategy.

    There may be a number of options developed in the prior step to potentially address any particular risk. In responding to a risk, choices are made by the organization as to how to treat a particular risk. Key considerations in determining the selected treatment include both (1) whether or not the risk treatment will reduce the treated risk to within the organization's risk appetite, and (2) the return on investment when considering the level of risk reduction versus the cost of achieving that reduction. Generally, risk treatments are selected that ensure risks stay within the risk appetite, and that maximize the return on investment in treating the risk. Treatments should never cost the organization more to implement than the increased value offered by reducing risk.

    It must be noted that even when risks are within the risk appetite of the organization, there may be times when further treatment of the risk will generate a positive return on investment (ROI). This occurs when further treatment of a risk yields benefits in excess of the costs of additional treatment.

  6. Monitor and Review. Evaluating and monitoring performance to determine whether the implemented risk management options achieved the desired level of remaining risk.

    Starting down the road to implementing a risk treatment by applying the preceding risk management steps is essential. However, it is then required that risk treatment plans are monitored on a timely basis to ensure schedules for treating risks are met, and that the proposed risk treatment is actually implemented and achieves the intended result. This requires periodic monitoring of risk treatment plans to ensure plans are progressing on schedule to meet desired deadlines, or changes are made as needed to achieve intended results.

    A final and critical element of managing risk is a consistently used approach to documenting risks and risk treatments. For this purpose, organizations typically use what may be referred to as a risk register or risk profile. Too many organizations, however, fall into the trap of simply listing risks. Identifying a risk is but a small part of the risk management process. Meaningful risk management requires documenting all of the following:

    1. The specific objective that is at risk
    2. The specific risk to achieving the objective without treatment (i.e., current state)
    3. The likelihood of the risk occurring in its current state
    4. The impact of the risk, should the risk in its current state transition into an actual event
    5. The current relative rating of the risk, considering the combined effects of likelihood and impact
    6. The proposed risk treatment if the current level of risk is not considered acceptable
    7. The proposed risk likelihood after completion of the risk treatment
    8. The proposed risk impact after completion of the risk treatment
    9. The proposed risk rating after completion of the risk treatment
    10. Responsible party for taking action on risk treatments
    11. Target date for completion of the risk treatment

    Typically, a register will list risks vertically as rows in the register, while the above elements of the register serve as columns.

    The risk register/profile plays a critical role in risk management by allowing management to see all key risks at once to:

    1. Understand the current overall level of risk to the organization's objectives
    2. Compare risks to the organization's risk appetite
    3. Prioritize risks for potential treatment
    4. Document (at a summary level) risk treatments for specific risks
    5. Set targeted risk remaining after treatment
    6. Establish accountability for risk treatment (by individual or organizational element)
    7. Establish targeted date of completion for proposed risk treatment

    Moreover, having all key risks documented in a consistent manner using the above elements will enable risk managers across the organization to consider risk treatment in a consistently documented manner. This will become critical if the organization chooses to implement enterprise risk management, as discussed below.

  7. Continuous Risk Identification. Risk identification must be an iterative process, occurring throughout the year and including surveillance of leading indicators of future risk from the internal and external environments. This includes evaluation of prior risk responses to ensure they were successful in meeting the targeted level of risk. If not, the risk management process is repeated for these risks and risk responses.
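The register columns listed above, the appetite tailored per functional area, and the return-on-investment test for treatments can be exercised together in a small script. This is an added example, not code from the book or from OMB Circular A-123; the 1..5 scoring scales, the product rating, the likelihood-to-probability mapping and the three sample risks are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scales (not from the text): likelihood and impact are scored 1..5 and a
# risk's rating is their product, as on a common 5x5 heat map.
SCALE = range(1, 6)
# Assumed mapping from likelihood score to annual probability; it is only used to
# express a treatment's risk reduction in money for the ROI check.
LIKELIHOOD_PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.30, 4: 0.60, 5: 0.90}


@dataclass
class Treatment:
    """Register columns 6-11: the proposed treatment and its expected effect."""
    description: str
    residual_likelihood: int
    residual_impact: int
    cost: float        # cost to implement the treatment
    owner: str         # responsible party
    target_date: str   # target completion date


@dataclass
class Risk:
    """Register columns 1-5, plus the functional area whose appetite applies."""
    objective: str
    description: str
    area: str
    likelihood: int
    impact: int
    impact_value: float   # estimated cost of the event at the current impact score
    treatment: Optional[Treatment] = None

    def __post_init__(self) -> None:
        for score in (self.likelihood, self.impact):
            if score not in SCALE:
                raise ValueError(f"score {score} is outside the 1..5 scale")

    def current_rating(self) -> int:
        return self.likelihood * self.impact

    def residual_rating(self) -> Optional[int]:
        t = self.treatment
        return None if t is None else t.residual_likelihood * t.residual_impact

    def expected_loss(self, likelihood: int, impact: int) -> float:
        # Assumption: the money impact scales linearly with the impact score.
        return LIKELIHOOD_PROBABILITY[likelihood] * self.impact_value * impact / self.impact


def appetite_for(area: str, appetite: dict) -> int:
    """Appetite tailored to a functional area, falling back to the enterprise value."""
    return appetite.get(area, appetite["enterprise"])


def prioritize(register: list, appetite: dict) -> list:
    """Risks whose current rating exceeds their area's appetite, highest rating first."""
    outside = [r for r in register if r.current_rating() > appetite_for(r.area, appetite)]
    return sorted(outside, key=lambda r: r.current_rating(), reverse=True)


def treatment_roi(risk: Risk) -> Optional[float]:
    """Expected loss avoided by the treatment minus its cost; None if none is proposed."""
    t = risk.treatment
    if t is None:
        return None
    avoided = (risk.expected_loss(risk.likelihood, risk.impact)
               - risk.expected_loss(t.residual_likelihood, t.residual_impact))
    return avoided - t.cost


def review(register: list, appetite: dict) -> list:
    """One finding per risk: appetite comparison before and after treatment, and ROI."""
    findings = []
    for r in register:
        limit = appetite_for(r.area, appetite)
        residual, roi = r.residual_rating(), treatment_roi(r)
        findings.append({
            "risk": r.description,
            "current_rating": r.current_rating(),
            "within_appetite": r.current_rating() <= limit,
            "residual_within_appetite": None if residual is None else residual <= limit,
            "treatment_worthwhile": None if roi is None else roi > 0,
        })
    return findings


def sample_register():
    """Constructed sample data: three risks and an appetite tailored per area."""
    appetite = {"enterprise": 12, "cyber-security": 6}   # lower appetite for cyber/PII
    register = [
        Risk("Protect citizen PII held in the benefits system",
             "Unpatched public-facing server leads to a breach of citizen PII",
             "cyber-security", 4, 5, 2_000_000,
             Treatment("Patch management program", 2, 3, 150_000, "CISO", "2025-06-30")),
        Risk("Deliver the pilot service by the fourth quarter",
             "Vendor delivery slips past the pilot date", "program", 3, 3, 300_000),
        Risk("Accurate cash handling at service counters",
             "Theft of cash receipts", "finance", 3, 2, 50_000,
             Treatment("Stop accepting cash (avoid)", 1, 1, 200_000, "Finance Director", "2025-12-31")),
    ]
    return register, appetite
```

Calling `prioritize` and `review` on `sample_register()` flags only the PII breach as outside appetite, shows its treatment bringing it within the cyber-security appetite at a positive ROI, and shows that avoiding cash at the counters would cost far more than the risk reduction it buys, even though that risk is already within appetite.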

Finally, risk management is not a one-time activity. New risks constantly arise that may not have been evident or even present when organizational risks were previously reviewed. Because the environment within which every organization operates is constantly changing, new risks are constantly arising. It is thus essential for organizations to understand that risks must be identified and managed on an ongoing basis.

How frequently risks to objectives should be reviewed, as well as how frequently existing risk treatment plans are reviewed, is dependent on the nature of the organization and the environment within which it operates. Rapidly changing environments – whether that change is a result of the political environment, advancing technology, changing financial conditions, or other considerations – mean the organization's risks should be reviewed more frequently. Typical public sector organizations review organization-wide risks on a quarterly or semiannual basis. Organizations operating in a rapidly changing environment, or where risks must otherwise be tightly controlled, will want to monitor organization-wide risks on a more frequent basis.

Just as risks change over time, so do organizational risk appetites. Whether due to a change in the external environment within which an organization operates, a new strategy for achieving results, or simply a difference in leadership, the organization's stated risk appetite should occasionally be reviewed. While there is no prescriptive timeline for such a review, and the “ideal” frequency of review is certainly related to the rate of change in the organization's environment, it is suggested that the risk appetite statement initially be reviewed on an annual basis, with that frequency being revised as deemed appropriate.

THE ROLE OF INTERNAL CONTROLS

Certainly, no discussion of risk management would be complete without including the role of internal control. However, the relationship between internal control and the broader topic of risk management is frequently misunderstood.

Just as with risk management, the concept of internal control can be traced back many centuries to ancient Egypt and Babylonia. Written records were kept, and an elaborate system of internal controls required that the records of one official agree with those of another. Accounts were audited by officials, and gross irregularities were severely punished, even by death. Over the years, internal controls have been an important element of ensuring the accuracy of record keeping. Stated in terms of risk management, internal controls have helped limit the risk of incorrect or inaccurate records. For this reason, internal controls have become an important element of the accounting and audit profession.

The American Institute of Accountants (AIA, now the AICPA) was the first to offer a definition of internal control in 1936: “Those measures and methods adopted within the organization itself to safeguard the cash and other assets of the company as well as to check the clerical aspects of the book-keeping.” This definition was broadened and made more binding on the accounting and audit profession in a number of revisions in subsequent years.

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the “Internal Control – Integrated Framework.” The document defined internal control as:

a process, effected by an entity's Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with applicable laws and regulations

The 1992 COSO document was a major step forward in formalizing the concept of internal control as having much broader applicability to risk management than accounting and auditing. Moreover, the COSO framework contained the following five control components:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring

These elements of internal control clearly influenced formalization of the broader elements of general risk management reflected in AS/NZS 4360, the UK HM Treasury Orange Book, and ISO 31000.

It is important to recognize, however, that the context of internal control in which these control components are set is narrower than that intended in the referenced risk management standards. At their core, internal controls are focused on controlling risks internal to the organization or created within or by the organization. Any major new initiative, especially those calling for innovation and addressing new challenges, will face significant risks. As noted in Figure 3.2, we must always consider both reactive change and proactive change. Internal controls typically have a major role in managing reactive change, because we are generally seeking to manage or improve how we do business in today's environment. Improving the processes we have in place to meet today's needs is a key element of reactive change, and an area in which internal control is critical.

However, most organizations face many risks far beyond the boundaries of their current operations and processes. Strategic decisions such as which line of business an organization should pursue, how well customers will accept new product or service offerings, what impacts possible future regulatory changes will have on a business or government organization, and even the likelihood of a future economic recession are all potential risks, but not ones for which controls can be established. In short, control of such risks is often not within the ability of the organization to manage. At best, one can only hope to influence such external risks in some manner. Even if controls cannot be set in place for such risks, however, it is essential that these risks be considered in the decision-making process, and that decisions and actions be adjusted accordingly.

THE EVOLUTION OF ENTERPRISE RISK MANAGEMENT

If the above description of the risk management process is pertinent to the good practice of risk management in general, what then does the concept of enterprise risk management (ERM) add to the discussion? More specifically, what is the difference between traditional risk management and ERM? To answer this question, we can begin with a short history of what prior generations felt might be missing from traditional risk management. Perhaps the first visualization of the concept of ERM was from Gustav Hamilton, the risk manager for Sweden's State Company Limited. In 1974 he created a “risk management circle” in which he sought to graphically describe all elements of the risk management process (see Figure 6.2). This is the earliest known effort to show the interconnectedness of various categories of risk across the organization.

Illustration of a “risk management circle” describing all elements of the risk management process and the interconnectedness of various categories of risk across an organization.

FIGURE 6.2 Gustav Hamilton's “Circle of Risk.”

It would be almost two decades later, however, before the idea of an integrated approach to the management of risk, including strategic risks, was formally addressed. This occurred in 1992 in a journal article titled “A Framework for Integrated Risk Management in International Business” by K.D. Miller. This paper clearly laid out the much broader landscape of risk in general beyond that of internal control. General environmental uncertainties such as political instability, government policy instability, social uncertainties, and natural uncertainties were included. So, too, were various industry uncertainties, such as market uncertainties. While such risks cannot generally be managed through internal controls, it is important to note that while they may be “strategic,” they can impact every level of the organization. Risk managers at every level of the organization thus need to be thinking about managing risks external to their immediate environment, as many of those risks will be unaffected by internal control. In 1995, James Deloach further added to the literature with his journal article “Managing Business Risk: An Integrated Approach,” published by the Economist Intelligence Unit.

While K.D. Miller addressed the need for “integrated risk management,” the earliest located record of the term “enterprise risk management” was in a paper so titled and published in 1996 by Glyn A. Holton. That paper, however, was arguing for the need to exercise risk management across all of the business enterprise, but made no mention of the need to integrate these risks into an enterprise-wide, portfolio view of risk. In 2000 the first book titled Enterprise-Wide Risk Management was written by James Deloach.

It should be clear that the evolution of ERM has occurred largely over the last two decades. However, what specifically does ERM add to the traditional risk management process to support any organization – public sector or private sector – in meeting the needs of their various stakeholders?

PRINCIPLES AND PRACTICES OF ENTERPRISE RISK MANAGEMENT

A key contribution of ERM is improved linkage between organizational strategy and performance by managing risk as a portfolio across the organization. Such an approach brings with it a requirement to have in place a supportive governance process and organizational culture. A recurring assessment of ERM practices will aid the organization on opportunities to further improve and benefit from the potential advantages of ERM over traditional risk management practices. Following are some key elements necessary for meaningful implementation of ERM.

  • Strategy and Performance. The key distinction between traditional risk management and ERM is that the latter seeks to manage risk in a holistic, collaborative fashion across the entire organization. This more collaborative approach is intended to optimize the ability of the overall organization to deliver maximum stakeholder value by ensuring organizational strategy is directly linked to and informed by the tradeoffs of results sought, resources allocated, and risks accepted across the enterprise. In contrast, traditional risk management is often focused on meeting lower-level organizational, functional, or programmatic needs without consideration of how to balance those needs with resource availability and risk appetite across the overall organization. This more integrated approach to considering risk facilitates the use of consistent best practices across the organization. Perhaps more importantly, however, ERM facilitates a discussion horizontally across all elements of the organization to ensure that decisions on managing risks are aligned with top organizational strategy and stakeholder value.
  • The portfolio management of risk. Linking risks across the organization in a manner that maximizes value aligned with strategic priorities requires a portfolio management approach to risk. Most individuals who invest in retirement plans are already engaged in portfolio management, whether they realize it or not. The typical investor will seek to balance risk and reward by diversifying across a number of individual investments. The ultimate goal is not to maximize the return on any single investment, but the return on the portfolio of investments overall. To accomplish this, an individual may invest some of their retirement funds in stocks, other funds in bonds, and yet other funds in other opportunities, all in an effort to balance risks with overall rate of return. So, too, should organizations seek to maximize their overall return on investment by balancing delivery of products or services, available resources, and acceptable risks. This portfolio view of overall organizational risk is central to the concept of ERM.
  • Governance. ERM requires communication across organizational, functional, and programmatic boundaries. This in turn requires an ongoing collaboration across those boundaries to prioritize risks and associated risk treatments in a manner that maximizes benefits for the overall enterprise. Such an integrated approach to management of risk across the enterprise requires a governance structure that enables such a cross-organizational communication and prioritization of risk management consistent with organizational strategic goals and objectives. An effective governance structure for ERM will support the integration of internal controls with broader risk management concerns horizontally across the enterprise, and vertically from the lowest levels of the organization (where many risks originate) up to the top of the organization (that must ultimately ensure management of the most critical risks).
  • Culture and Organizational Change Management. Perhaps the largest challenge to overcome in the effective implementation of ERM is not the development of policies, training, implementation of risk management processes, or governance. Such tasks are relatively straightforward and achievable for most organizations. Experience has instead shown that the largest challenge to implementation is typically changing the behaviors of individuals that impede effective ERM implementation. ERM requires transparency across the organization in sharing with others the risks that each portion of the organization faces. Without such transparency, judgments made on prioritizing risks and risk treatments in a portfolio approach across the organization are not feasible. Ensuring the necessary organizational culture to apply and benefit from ERM will often require an awareness-building program across the organization on the need for effective risk management, the value of a strategically aligned portfolio approach to risk management enabled by ERM, the establishment of appropriate governance processes, and the modification of individual performance incentives (where appropriate) to motivate a willingness to identify, share, and manage risks for the benefit of the overall organization.
  • Monitoring Progress. Full implementation of ERM can be a long-term journey, particularly because of the organizational behavioral change management challenges that must be overcome in many cases. It can thus be useful to assess the level of maturity of an organization's ERM program at any point in time, and then to monitor progress over time in the adoption of ERM good practices. Some organizations use a simple four- or five-point scale, beginning with only ad hoc actions on managing risks, up to an integrated ERM program closely linked to strategic planning, budget allocation, performance measurement, and so on. However, it is quite likely that one of the elements of a successful ERM program may be relatively more mature than other portions. For example, policies for ERM could be relatively mature, and organizational elements may have a strong awareness of risk and of the need to manage that risk, yet detailed procedures are lacking or the organizational culture seeks to contain the management of risk in closed organizational silos. Regardless of how sophisticated an ERM maturity model may be, it is important that organizations self-assess to understand how far down the road to ERM they have traveled, and which next steps should take priority.

RISK AND MORE

As we have stated, organizations need to maximize stakeholder value, and doing so requires a careful balancing of the risks accepted, results sought, and resources allocated for any particular objective. We began our more in-depth discussion of these three considerations with this chapter's focus on risk. The choice to discuss risk first was not that it was more important than the other two; all three considerations are equally important. If we are to generalize among these three balancing factors, perhaps the easiest differentiator is that risk is the least understood of the three and the most frequently ignored in decision-making. It is thus appropriate that we began with risk. However, there are of course results (performance) and resources (cost) to consider. Chapter 7 will discuss the results management element of the three Rs: the management of activities within the end-to-end business processes designed to set and achieve a particular result
