Enterprise Risk and Compliance
What is Enterprise Risk Management?
Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as:
"A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
In relation to JCU's context and organisational structure, the Board of Directors in the above definition can effectively be interchanged with University Council.
Risks that potentially impact organisations can have varying consequences in terms of financial performance, professional reputation as well as environmental, health, safety and societal outcomes. Therefore, managing risk effectively and holistically helps organisations to perform better in an environment full of uncertainty.
The international standard on risk management, ISO31000:2009 Risk Management Principles and Guidelines defines risk as the "effect of uncertainty on objectives".
James Cook University has developed and approved a Risk Management Policy and aligned its Risk Management Framework and Plan to ISO31000:2009.
Compliance, whilst a unique, overarching and yet specialised area in its own right, is part of Enterprise Risk Management because potential legislative non-compliance presents a risk to the University. See Compliance for further information.
Applying ERM in the real world
Whether an organisation has a strategic plan or more informal objectives, Enterprise Risk Management is a key element in achieving those outcomes. The strategic plan outlines:
- Strategic emphasis or focus areas that have been determined;
- Specific strategic projects or initiatives in the plan period; and
- Financial and non-financial strategic goals and objectives (e.g. University Plan).
Once finalised, it is the role of those responsible for the ERM process to see that risks to all facets of the strategy are identified, analysed, prioritised and addressed in some way. Response to risks may involve risk mitigation, transfer, acceptance or even avoidance.
ERM is therefore a strategic activity that is intended to address all types of risk across all business functions and activities, whether strategic or operational, insurable or non-insurable, current or emerging.
Both strategic and non-strategic risks can be significant. However, strategic risks are generally more challenging because of the higher degree of uncertainty attached to them. Strategic risks actually threaten the organisation's core mission, service or product offering and ultimately the overall business model.
Strategic risks also constitute an ongoing concern rather than being temporary in nature.
Risk Management vs. Enterprise Risk Management
You may be surprised, but there is a significant difference between Risk Management and Enterprise Risk Management. The table below summarises these key differences.
|Risk Management|Enterprise Risk Management|
|---|---|
|Primarily addresses insurable risks|Addresses both non-insurable and insurable risks|
|Lacks major focus on strategic risks|Focuses on the strategic risks and how to manage them|
|Mostly concerned with annual insurance programme renewals|Is a continuous loop|
|More internally focused|Is internally and externally focused|
|Lacks multi-functional leadership and therefore tends to be more siloed|Involves multi-functional leadership through some form of committee structure (e.g. Audit Committee of JCU Council or Futures Committee)|
|Does not generally promote open dialogue and risk awareness|Promotes an open dialogue and risk awareness across the entity|