All Risks are not Enterprise Risks

Some Enterprise Risk Management programs feature lists of 75 or more risks that the ERM program attends to.

This approach drastically reduces the power of ERM to focus attention on Enterprise Risks.

An Enterprise Risk is a class of events that could severely damage the capability of the enterprise to achieve its mission. No serious undertaking has 75 classes of events that could stop it in its tracks.

A serious undertaking might have 5 such risks. Usually fewer. These are things that, in spite of the best efforts of management, could stop it in its tracks. There are probably another 5 or so risks that are potentially that serious, but that the firm has, for the most part, under control.

What Enterprise Risk Management is about is a constant effort to pay attention to those 10 or so top risks. To make sure that a new potential trouble is not creeping into that top 10. To make sure that the firm is not accidentally taking on much more of those risks. To find ways to mitigate that first group of top risks. To make sure that the controls on that second group of top risks are still sufficient. And to make sure that there are not any secondary risks outside of this list that are very highly correlated with the Enterprise Risks.

Dave Sandberg likes to classify risks into three classes:

  • Risks that threaten the earnings of the firm
  • Risks that threaten the capital of the firm
  • Risks that threaten the promises of the firm

A well managed firm will attend to all three types of risks, but the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm. They should be the concern of the top executives of the firm, and of its directors.


3 Comments on “All Risks are not Enterprise Risks”

  1. riskviews Says:

    Choices are necessary. It is not useful to make everything the highest priority. Clarity of priorities is one of the things that a risk manager needs to be successful.

    Choose your own labels to communicate those priorities.

  2. Ck6 Says:

    Every exposure the firm faces presents a measurable in the ERM program. The weight assigned to the measurable might be open for discussion, but all exposures have to be monitored.

    The comment:

    “… the Enterprise Risks are the risks that threaten capital and promises that should be the concern of the Enterprise Risk Management program of the firm.”

    forgets that income is capital on the balance sheet.

  3. Andrew Howe Says:

    As ever an interesting and clear post. For the first time I can recall I find something with which to disagree. It could be “just” nomenclature.

    From my reading and understanding ERM is primarily a way of doing risk management. There are various claims made for ERM:

    1) That it takes a “holistic” rather than a “silo-based” approach. I think that’s justified even if the literature is a bit lightweight in justifying this claim and saying what it means in practice.

    2) That it is as much about upside as downside. I’d very much like this to be true, though I think there’s limited evidence, again especially in the literature. I believe a better way of thinking about this is to consider “1 in 5” rather than “1 in 200+” risks, to look at earnings as much as capital and to think top down strategy rather than bottom up risks. Then ERM is as much about the middle of the curve as the tail. Uncertainty rather than risk. See the excellent Matthew Leitch for more.

    3) That it almost by definition adds value. This is of course nonsense and very few people have said what they mean by “add value” – Bill Panning being a commendable exception. To be clear, I *do* think that, done well, ERM should add value. But I don’t want that to be vague or defensive, as if to justify my role.

    What I haven’t heard before – and what this article seems to put forward – is that ERM is about managing a subset of (large) risks termed “enterprise risks”. Don’t get me wrong, the concept of a big focus on your largest risks – the ones with the capacity to wreck the firm – is absolutely right. I just think we do ourselves no favours by calling them “enterprise risks”. I might prefer to call them strategic risks and in turn contrast that with strategy risks.

    Incidentally there’s an excellent paper from AIRMIC/Cass business school on these types of risks. It needs to be paid for, but even the (free) summary is invaluable. See
