Digital Transformation » Systems & Software » Enterprise risk management

Given the increased emphasis on strict compliance, better corporate
governance and more effective risk management post-Sarbanes-Oxley, boards and
senior management believe they need greater assurance that business risks are
being identified and controlled. As a result, company spending on risk
management is continuing to grow, especially with regulators now more keen to
hand out stiffer financial penalties and seek criminal convictions.

According to accountants Ernst & Young’s latest report, Managing Risk
Across the Enterprise: Building a comprehensive approach to risk, leading
companies achieve a practical and balanced approach to risk through two main
objectives: recognising the value of executing solid compliance and risk
management activities to prevent most problems and to reduce their impact; and
leveraging risk management activities to help them improve their business.

Main challenges
However, the report adds that companies face three key challenges in trying to
implement an effective enterprise-wide risk management process:
• Risk assessments are carried out by numerous business and functional areas,
sometimes overlapping, with little or no alignment, co-ordination or leverage;

• The company’s risk coverage activities, especially outside of financial
reporting, may not focus on the most important areas because of limitations in
the risk assessment process or through a shortage of appropriate skills to
assess and monitor key risk areas; and
• The volume and disparity of risk reports from across the enterprise overwhelms
directors and executives, who, as a result, feel apprehensive and exposed.

Risk premiums
But overcoming these challenges can pay dividends, says E&Y. According to
the report, investors are willing to pay a premium for effective risk
management. A survey carried out by the accountancy firm last year of 138 of the
world’s largest institutional investors found that 82% are willing to pay a pr
emium on share price for companies that demonstrate effective risk management

Furthermore, says E&Y, ratings agencies have expanded their assessments
within some regulated industries to include more qualitative factors around risk
management. This is because both investors and ratings agencies believe that
effective risk management is likely to improve corporate governance and
compliance, as well as reduce earnings fluctuations through “governance
surprises”, thereby increasing stakeholder confidence. Added to that, they
believe that better strategic and financial decisions are made within companies
when a structured consideration of risk is built into existing activities and is
a key part of the decision-making process.

To improve risk assessment and risk management, E&Y – like the remaining
Big Four firms and corporate governance associations – recommends that companies
opt for an enterprise risk management (ERM) approach. This practical approach is
based on a framework that embeds risk management in an organisation to help
achieve its business objectives by protecting the business and helping the
business perform more effectively. This framework assesses key risks and risk
management performance and improves the way risks are managed.

Manage the risk
An enterprise risk management approach relies on three components:
1. Enterprise risk assessment
The organisation builds a clear picture of its most significant risks.
2. Risk management performance assessment
The organisation carries out a risk management performance assessment to
determine if the level of risk management performance across the organisation is
3. Building a comprehensive approach to risk
The organisation identifies areas where its focus on identifying and controlling
risk needs to be improved and decides how these improvements should be carried

This is achieved by:
• Embedding enhanced activities to manage risk within existing functions and
• Enhancing framework components that support co-ordination and alignment; and

• Developing plans to improve and monitor significant risks.

An enterprise risk management approach will only succeed if it is embedded
throughout the organisation and becomes part of the company’s usual compliance
and defence mechanisms. It also depends on the effectiveness of executive
management, the board and the audit and risk committees to oversee that the
strategy is taking hold.

E&Y says that an effective ERM framework has four defence layers that
create a network of risk management activity across the organisation. These are:

Business operations – These groups manage risk as a part of
everyday activities and serve as the first line of defence against risk;
Support – This group may have primary ownership of certain
entity-level risks, but it also provides risk management support for other
groups. These support functions form the second line of defence and back up
business operations that are faced with significant risk;
Monitoring and risk functions – This group provides guidance
to the business operations and support functions on how to improve the
effectiveness and efficiency of risk management and control activities. It
confirms that risk management is being discharged effectively within the
business operations and support functions; and
Oversight – Made up of the board, executive management and
the audit and risk committees, this group has the highest level of
accountability for risk management within the organisation and assures
stakeholders that ultimate responsibility for sound corporate governance and
risk management stays at the top of the organisation. Executive management is
responsible for proper management of risk across the organisation, while the
board oversees its efforts to manage risk effectively on behalf of the
organisation’s stakeholders.

Useful links
To read a copy of the E&Y report, go to,
then click on the issues & perspectives drop down menu and select overview,
then risk.

For more on enterprise risk management, go to
and click on the business solutions drop down menu.