“Risk” and its associated consequences have become far more prevalent in business in recent years. Risk management covers everything from Business Modelling to Occupational Health & Safety Programs. We are all very aware of how much risk management has changed in the financial services sector and how it has resulted in a renewed focus by lenders on cashflow generation and potential threats to business profitability.

The following paper reviews the concepts of Enterprise Risk Management (ERM) as it has evolved and looks at how it can benefit companies irrespective of industry or size. An entire industry has developed around risk; publications such as The Journal of Risk Management, The Journal of Operational Risk and Risk Analysis are examples of how the paradigm has become a structured and performing industry.

The Institute of Risk Management [1] (IRM) delivers specific training related to industry and general application. It defines the 3 main areas of Risk Management as:

  1. Financial
  2. Strategic
  3. Operational



Financial risks are probably the most documented and understood of the 3 risk categories as they are the easiest to quantify and measure. Leverage, cashflow, budgets and liquidity are all intrinsically linked to this category of Risk. Most CFOs are overtly aware of these risks and can understand their implications.

Risk management should “try and reduce the impact of threats we don’t understand”. A serious contributor to the system failure in the financial markets in 2008 was the fact that no forecasting models identified the economic crisis that “could” occur. Furthermore, the crisis was more pronounced as a result of the risk management models the banks adopted in its wake.

Black Swan events are low probability, high impact events; but they are becoming more and more commonplace. The world is getting smaller and the interdependence of different economic systems on each other is becoming more obvious. Economic systems are more connected than ever due to:

  1. The effects of one market, e.g. China, will have repercussions for many other markets, e.g. US, Russia, India
  2. The US, based on its reaction to foreign threats and its ability to invade potential foreign threats, creates a dramatic imbalance in global markets
  3. Offshoring, e.g. where businesses outsource some operations to other countries as labour is cheaper.
  4. The world is increasingly dependent on states troubled with considerable political risk e.g. Saudi Arabia and Iran, Nigeria, Russia and Venezuela. (Brenner [2])

With this in mind, it is evident why the make-up of an effective risk strategy must contain both socio-economic and political elements. Consideration must also be given to the way potential threats are framed; for example, including best and worst case scenarios provides a psychological bridge between statistics and influence (Feynman)[3]. The point is that we need to be careful in the way we present information: a great deal of risk analysis is based on a quantitative format, and the modelling that flows from it must have a clear understanding of the context. The information must help decision makers make informed choices, prioritise and distinguish between alternative courses of action.



Strategic risk concerns itself with the elements that affect the chosen direction of the organisation and its key stakeholders. It is driven by the internal and external events or scenarios that could inhibit an organisation’s ability to achieve its strategic objectives.

Strategic Risk focuses on the most consequential and significant risks to shareholder value (Frigo et al)[4]. This is also the area of greatest development in the last 5 years. Academic papers all point to the need for organisations to move away from the traditional assessment of strategic risk by a quantitative formula and develop a more cognitive approach. Risk, while owned by the Chief Risk Officer (CRO), is still the responsibility of each operational manager. In essence, it needs to be owned by all the functional elements of the business.


Practitioners believe that it is more difficult for companies to measure strategic risk than financial risk[5]. For example, the decision by Gillette to reinvest heavily in R&D to develop the next generation in disposable razors was a large strategic risk that could have been worthless if customer sentiment had not embraced the innovation.

Operational Risk


Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events (Basel)[6].

The basic objective of risk management is to attempt to reduce the probability of a negative event occurring or, in the event it does, to minimise the effect. There is a wide variety of quantitative models available in the financial services and insurance industries. These models quantify uncertainty in business by attributing values to:

  1. Hazard
  2. Exposure

They assess the probability of occurrence by developing a complex formula that ultimately prioritises these potential threats and presents them in a Risk Matrix Assessment (RMA).

While these models are limited in general application, the concepts on which they are based do have general application. Essentially, a business needs to assess the vulnerability and impact of a scenario on the business through a people-integrated model for risk identification and mitigation.

Most business risk advisors agree that ERM needs to become actively involved in the day-to-day classification, ownership and management of risk. There is an underlying acceptance that risk management should also be an integral part of the budgeting process.

An interesting change over the last few years is that practitioners now promote the “pushing down of the risk management process into the lower levels of a business. This is to try and ensure the risk management becomes an integral part of the operational process”[7].

ERM is now an active component in:

  1. Investment and disinvestment
  2. Budgeting and Forecasting
  3. Strategic Planning
  4. Corporate Process/Systems introduction
  5. Capital projects
  6. Performance Management






Risk management has evolved from a sense of crisis management into a forward-looking, enterprise-wide approach to risk. Today, “Risk Masters” are focusing on creating a risk management culture that understands the business, delivers insight from data analysis, and takes a proactive approach with compliance. It has become more prevalent in recent years due to the range of catastrophes from the credit crises and the resulting tsunami of consequential regulation. A recent practitioner survey of clients found that 98% of surveyed respondents reported an increase in the perceived importance of risk management at their organization in recent years.


Practitioners have not been slow to recognise changes and promote their models to aid in this metamorphosis. Effectively, businesses need to focus on any potential threat to their effectiveness. Compliance and regulation are no longer sufficient goals.


The drive should be for risk management to become a distinct competitive advantage.


To be good at it requires:


  1. An ability to demonstrate the benefits from investments in Risk Management e.g. tie the outcomes from risk management more directly to business outcomes and tangible cost reductions
  2. Skilled staff to develop the analytical models
  3. Embedding risk analytics in management processes
  4. Good systems integration
  5. Good quality internal and external data


The conflict, as with all things, is the willingness of business to pay for effective management techniques. Will the focus for the most part be on compliance with regulation, and risk as a function of financial modelling?


Will competitive pressures require firms to actively manage risk in all aspects of their business, to improve their P&L and to reduce increases in their cost of capital and even negative pressure on share value?


If you would like to explore further how an effective ERM approach to a specific project or strategy can benefit your business, or simply to comment on the article, please don’t hesitate to drop me a mail at shane@cantwellconsulting.ie





[1] http://www.theirm.org/

[2] Brenner, I., (2005), Managing Risk in an Unstable World. HBR

[3] Feynman, R., (1965), The Character of Physical Law. The British Broadcasting Corporation.

[4] Frigo, L. & Anderson, J., (2011), What is Strategic Risk Management? Strategic Finance

[5] Kaplan et al, (2009), Managing Risk in the New World. HBR

[6] “Basel II: Revised international capital framework”.

[7] Accenture, (2013), Global Risk Management Study: Risk Management for an Era of Greater Uncertainty