Enterprise Risk Management (Preview)

Part 1 – Concepts and Methods

Conventional Risk Management

Prior to the 1990s, risk management as a functional discipline was mostly focused on risks that could result in damage to property, injuries, loss of income and legal liabilities. Such a focus is commonly referred to as conventional risk management, also known as traditional risk management. It involves an emphasis on risks that are undesirable and that can only result in negative outcomes. In addition, conventional risk management is typically not focused on the analysis of disruptive trends, nor does it associate risk with opportunities and the potential for positive outcomes.

Conventional risk management considers risk in the context of threats and negative consequences that should be eliminated as much as possible. For instance, it focuses on insurable hazards such as fires, flooding, earthquakes and windstorms that can damage property and cause injuries. It is also concerned with the health and safety of employees, customers and the general public. It involves avoiding losses and liabilities related to workplace injuries, unsafe products and industrial accidents. It also includes plans to maintain business continuity, contain the effects of interruptions when they occur, and resume normal operations as soon as possible.

Operational efficiency is also part of conventional risk management. Operational efficiency has to do with preventing errors and waste, and improving productivity and quality by managing operational risks. In addition, physical security and information technology security are part of conventional risk management. They involve controlling access to premises and computer systems, and maintaining the integrity of information. Conventional risk management is also associated with methods for managing financial risks, particularly in relation to cash management, accounts receivable, working capital and long-term debt. Finally, conventional risk management also includes the prevention and detection of crime, fraud or theft by suppliers, employees or customers.

Conventional risk management is conducted within separate management functions and business units. They include workplace health and safety, quality management, information technology security, financial management, insurance, legal services and fraud investigations. These disciplines involve professional expertise that addresses specific risks. They are conducted independently of one another. They are important to organizational success, but are not directly related to organizational goals, strategies and objectives.

Conventional risk management is often described as risk management in functional silos, because activities and information are not integrated to provide a comprehensive view of risks at the enterprise level. In addition, conventional risk management does not have direct linkages with strategic planning, decision making and performance management.

Contemporary Risk Management

In the late 1990s, many organizations began to broaden the scope of their risk management to include all risks that can result in positive or negative outcomes. This gradual shift led to contemporary risk management, which involves focusing more attention on risks relating to the achievement of goals, strategies and objectives. Organizations began to realize that risk management includes much more than the mitigation of threats and the management of conventional risks. These risks must be managed, but their management
