All Risks are not Enterprise Risks
Some Enterprise Risk Management programs feature lists of 75 or more risks that the ERM program attends to.
This approach to ERM drastically reduces the potential power of ERM to help focus attention on Enterprise Risks.
An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission. No serious undertaking has 75 classes of events that could stop it in its tracks.
A serious undertaking might have 5 such risks, and usually fewer: things that, in spite of the best efforts of management, could stop it in its tracks. There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.
What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks: to make sure that a new potential trouble is not creeping into that top 10; to make sure that the firm is not accidentally taking on much more of those risks; to find ways to mitigate that first group of top risks; to make sure that the controls on that second group of top risks are still sufficient; and to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.
Dave Sandberg likes to classify risks into three classes:
- Risks that threaten the earnings of the firm
- Risks that threaten the capital of the firm
- Risks that threaten the promises of the firm
A well-managed firm will attend to all three types of risk, but the Enterprise Risks, the risks that threaten capital and promises, are the ones that should be the concern of the Enterprise Risk Management program of the firm. They should be the concern of the top executives of the firm. Those risks should be the concern of the directors of the firm.