What makes enterprise risk management (ERM) different from project or team-based approaches to risk management?
While many of the principles are the same, there are some core differences that you should consider as you introduce risk management on an enterprise-wide basis.
In this article, we’ll look at the ways that ERM builds on and differs from the kind of risk management approach you might be used to from managing projects.
ERM covers the whole organization
The most obvious difference is that risk management approaches in a project environment look at risk as it relates to the project. Perhaps that might extend in PMO environment to risks that affect the program or portfolio.
Enterprise Risk Management (ERM), on the other hand, looks at all risks facing the business. There are lots of potential areas of the organization that face risk that might not be actively engaged in a project. For example, there could be PR-related risk, or potential challenges to do with business continuity. Unless those areas are involved in a current project, the risks may go undetected.
ERM makes sure that the risks facing any area of the organization are understood and actively managed.
ERM manages interrelated risk
Most project management approaches consider risk management as something to do to each individual risk. The largest projects may integrate risks to see what the impact may be of several risks happening at the same time, and to better understand the relationship between them. But in our experience, most project managers stop at evaluating the individual risk and coming up with a management plan to address it.
Risk isn’t a standalone event. While you can manage risks individually – and successfully – you can broaden and mature your response to risk if you look at what the combined impact of risks could be.
ERM does this by prioritizing and evaluating risks as part of an interdependent portfolio. No risk is considered an individual silo. Instead, each risk sits within its own context, and also within the context of the risk portfolio and wider business.
Often, the combined impact of several risks is different from the sum of those individual risks. That could be a greater or lesser exposure, depending on how the risks intertwine with and influence each other.
This rounded, holistic view of enterprise risk helps you compare and contrast different responses, as well as often making it easier to address complexities.
ERM evaluates risk in context
Project risk management looks at risks in relation to the project. How will this risk stop us meeting our commitments? How will it affect deliverables? The project context is everything.
ERM takes a different approach. It looks at each enterprise risk in relation to the rest of the business. It takes the whole organization into account, looking at the impact on systems, stakeholders, processes, socio-political structures within the organization and external conditions such as market response.
ERM is part of business decision-making
Managing uncertainty at a project level affects the decisions regarding that individual project – maybe the program or portfolio if the risks are substantive.
ERM provides data to input into decision-making across the business at the most strategic level. The combined risk portfolio sets the limits on the risks the organization is prepared to take. Project and operational decisions can be made with an understanding of how the risk portfolio will change as a result. Perhaps that means some projects are postponed until other risky initiatives are completed. Perhaps executives choose to take on work with an uncertain outcome precisely because the overall risk portfolio shows that now is a good time.
Embedding ERM in the process for defining strategy leads to greater clarity, fewer missteps and a better understanding of where the business is at.
ERM provides the basis for shared understanding
Finally, adopting an enterprise approach gives the organization a shared risk vocabulary and common processes. Everyone across the business will be measuring, evaluating and talking about risk in the same way, which makes it easy to compare the relative impact of risk across different teams.
The processes that go alongside implementing ERM make it easy for you to audit the work involved. This is valuable to provide internal reassurance that risk is being adequately managed at all levels.
The bottom line is that Enterprise Risk Management (ERM) gives you a competitive advantage. It’s a mature way to manage internal and external influences on your projects and business, and it’s possible to implement from the ground up or as a top-down approach depending on where you are in your risk management maturity journey.
Have you thought about how to tie together all the risk management processes in your organization? Standardizing and ‘enterprising’ them will pay dividends in terms of relevant management information and assurance for your company.