Enterprise Risk Management Addresses Risks and Opportunities for Organizations

Corporate Partners | June 04, 2012

Enterprise Risk Management (ERM) addresses the risks and opportunities affecting value creation and preservation within an organization. Categories of enterprise risks include governance, strategy, operations, infrastructure and external.

At the 2012 Ziegler LeadingAge National Senior Living CFO Workshop, Sue Ulrey, Partner, CliftonLarsonAllen, presented a session on the Enterprise Risk Management Model. Enterprise Risk Management (ERM) addresses the risks and opportunities affecting value creation and preservation within an organization and is more specifically defined as:

“Enterprise risk management is a process effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” (Committee on Sponsoring Organizations of the Treadway Commission)

Broadly speaking, ERM begins with clarifying the organization’s needs and expectations of enterprise risk management. With that framework, management and directors need to identify and assess the organization’s drivers of enterprise value, quantitative and qualitative, as well as its enterprise risks.

Enterprise risks fall into five broad categories:

  • Governance (ethics, oversight);
  • Strategy (succession planning, reputational);
  • Operations (quality standards, cost management);
  • Infrastructure (finance, insurance); and
  • External (regulatory, economic conditions).

For senior living providers, these might range from patient care risks, such as preventing falls and ensuring accurate medication, to payment-related risks from Medicaid and Medicare, or risks from national and local economic factors.

After risks are identified, they are quantified by both probability of occurrence and severity of impact. Then, the organization can decide whether it needs to tolerate, transfer, avoid, or mitigate the risk. Certainly, the goal of ERM is not to avoid all risks. According to Ulrey, rewarded risk can drive value, whereas unrewarded risk can destroy value. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow value.

Finally, implementing ERM requires determining the level of reporting needed by executive management and board directors, as well as establishing communication and monitoring protocols. This may include risk ‘dashboards’ that consolidate risks across the entire enterprise and increase the focus of directors and executives, enabling better decisions relative to risk thresholds, risk appetite and risk tolerance.

According to Ulrey, “ERM is not about the bells and whistles, but about creating a culture of risk management within the organization.”

Prepared by Amy Castleberry, CFA, Senior Vice President, Ziegler