The Risk Coalition
Enterprising your risk management

January 05, 2022

What makes enterprise risk management (ERM) different from project- or team-based approaches to risk management?

Well, while many of the principles are the same, there are some core differences that you should consider as you introduce risk management on an enterprise-wide basis.

Here, we’ll look at the ways that ERM builds on, and differs from, the project-level risk management approach you may already be used to.

ERM covers the whole organisation

The most obvious difference is that risk management approaches in a project environment look at risk as it relates to the project. In a PMO environment, that might extend to risks that affect the programme or portfolio.

Enterprise Risk Management (ERM), on the other hand, looks at all risks facing the business (both internal and external). There are lots of potential areas of the organisation that face risk that might not be actively engaged in a project. For example, there could be PR-related risk, or potential challenges to do with business continuity. Unless those areas are involved in a current project, the risks may go undetected.

ERM makes sure that the risks facing any area of the organisation are understood and actively managed.

ERM manages interrelated risk

Most project management approaches treat risk management as something done to each individual risk. The largest projects may integrate risks to see what the impact may be of several risks happening at the same time, and to better understand the relationship between them. But in my experience, most project managers stop at evaluating the individual risk and coming up with a management plan to address it.

Risk management isn’t a standalone process. While you can manage risks individually – and successfully – you can broaden and mature your response to risk if you look at what the combined impact of risks could be.

ERM does this by prioritising and evaluating risks as part of an interdependent portfolio. No risk is considered an individual silo. Instead, each risk sits within its own context, and also within the context of the risk portfolio and wider business.

Often, the combined impact of several risks is different from the sum of those individual risks. That could be a greater or lesser exposure, depending on how the risks intertwine with and influence each other.

This rounded, holistic view of enterprise risk helps you compare and contrast different responses, as well as often making it easier to address complexities.

ERM evaluates risks in context

Project risk management looks at risks in relation to the project. How will this risk stop us from meeting our objectives? How will it affect deliverables? The project context is everything.

ERM takes a different approach. It looks at each enterprise risk in relation to the rest of the business. It takes the whole organisation into account, looking at the impact on systems, stakeholders, processes, socio-political structures within the organisation and external conditions such as market response.

ERM is part of business decision making

Managing uncertainty at a project level affects the decisions regarding that individual project – maybe the program or portfolio if the risks are substantive.

ERM provides data to input into decision-making across the business at the most strategic level. The combined risk portfolio sets the limits on the risks the organisation is prepared to take. Project and operational decisions can be made with an understanding of how the risk portfolio will change as a result. Perhaps that means some projects are postponed until other risky initiatives are completed. Perhaps executives choose to take on work with an uncertain outcome precisely because the overall risk portfolio shows that now is a good time.

Embedding ERM in the process for defining strategy leads to greater clarity, fewer missteps and a better understanding of where the business stands.
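The two points above, that the combined exposure of interrelated risks is not simply the sum of the individual risks, and that the combined portfolio sets the limit on what new work the organisation can take on, are easier to see with numbers. The following Python model is an added illustration, not code from the original post or a method its author prescribes. The risk register, the pairwise interaction factors, the exposure limit and the assumption that two risks occur independently are all constructed for the example.

```python
"""Toy enterprise risk portfolio (constructed example, all figures made up).

Aggregates interdependent risks instead of summing them one by one, then
tests a proposed initiative against an organisation-wide exposure limit.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood over the planning horizon, 0.0 to 1.0
    impact: float       # loss if it materialises, in arbitrary money units

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact


# Pairwise interaction factors (assumed values). The factor scales the joint
# loss when both risks occur: > 1.0 the risks compound, < 1.0 they partly
# offset each other, no entry means the pair is treated as independent.
Interactions = Dict[Tuple[str, str], float]

# Constructed register: four enterprise-level risks.
REGISTER: List[Risk] = [
    Risk("supplier_outage", 0.2, 100.0),
    Risk("cloud_region_loss", 0.1, 300.0),
    Risk("key_staff_loss", 0.3, 50.0),
    Risk("audit_finding", 0.5, 40.0),
]

INTERACTIONS: Interactions = {
    ("supplier_outage", "cloud_region_loss"): 1.8,  # losing both compounds the outage
    ("key_staff_loss", "audit_finding"): 0.6,       # same remediation covers both
}


def naive_sum(risks: List[Risk]) -> float:
    """Project-style view: each risk evaluated on its own, totals added up."""
    return sum(r.expected_loss for r in risks)


def interaction_adjustments(risks: List[Risk],
                            interactions: Interactions) -> Dict[Tuple[str, str], float]:
    """Extra (positive) or reduced (negative) expected loss each interacting
    pair contributes beyond the naive sum. Joint occurrence is assumed
    independent, so P(both) = P(a) * P(b); the factor scales the combined loss."""
    by_name = {r.name: r for r in risks}
    adjustments: Dict[Tuple[str, str], float] = {}
    for (a, b), factor in interactions.items():
        ra, rb = by_name[a], by_name[b]
        joint_probability = ra.probability * rb.probability
        joint_loss = ra.impact + rb.impact
        adjustments[(a, b)] = joint_probability * joint_loss * (factor - 1.0)
    return adjustments


def portfolio_exposure(risks: List[Risk], interactions: Interactions) -> float:
    """ERM-style view: the naive sum plus every interaction adjustment."""
    return naive_sum(risks) + sum(interaction_adjustments(risks, interactions).values())


def within_appetite(risks: List[Risk], interactions: Interactions,
                    candidate: Risk, limit: float) -> Tuple[bool, float]:
    """Would adding `candidate` (say, the key risk of a new initiative) keep the
    whole portfolio under the organisation's exposure limit?
    Returns (ok, exposure after adding the candidate)."""
    new_exposure = portfolio_exposure(risks + [candidate], interactions)
    return new_exposure <= limit, new_exposure


if __name__ == "__main__":
    print(f"naive sum of individual risks : {naive_sum(REGISTER):.1f}")
    for pair, delta in interaction_adjustments(REGISTER, INTERACTIONS).items():
        print(f"  interaction {pair[0]} x {pair[1]}: {delta:+.1f}")
    print(f"portfolio exposure            : {portfolio_exposure(REGISTER, INTERACTIONS):.1f}")

    launch = Risk("new_market_launch", 0.4, 60.0)  # constructed candidate initiative
    for limit in (100.0, 120.0):
        ok, exposure = within_appetite(REGISTER, INTERACTIONS, launch, limit)
        print(f"limit {limit:.0f}: launch {'fits' if ok else 'exceeds appetite'} "
              f"(exposure would be {exposure:.1f})")
```

Run as a script, the model shows one pair pushing exposure above the naive sum and the other pulling it below, so the portfolio figure differs from the sum in both directions at once; the appetite check then uses that portfolio figure, not the candidate's own expected loss, to decide whether the new initiative fits.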

ERM provides the basis for shared understanding

Finally, adopting an enterprise approach using the ISO 31000 standard as a reference gives the organisation a shared risk vocabulary and common processes. Everyone across the business will be measuring, evaluating and talking about risk in the same way, which makes it easy to compare the relative impact of risk across different teams and promotes conformity to the same set of risk management standards.

The processes that go alongside implementing ERM make it easy for you to audit the work involved. This is valuable to provide internal reassurance that risk is being adequately managed at all levels.

The bottom line is that Enterprise Risk Management (ERM) gives you a competitive advantage. It’s a mature way to manage internal and external influences on your projects and business, and it’s possible to implement from the ground up or as a top-down approach depending on where you are in your risk management maturity journey.

Have you thought about how to tie together all the risk management processes in your organisation? Standardising and ‘enterprising’ them will pay dividends in terms of relevant management information and assurance for your company.

Lebogang Mothopi is based in Johannesburg. He works with governments, businesses and organisations to improve their risk management practices and programmes using the ISO 31000 standard as a reference.

Tags: Lebogang Mothopi