Aon  |  Professional Services Practice
Enterprise Risk Management Is the Answer to Uncertainty

Release Date: November 2022
“We are too much accustomed to attribute to a single cause that which is the product of several, and the majority of our controversies come from that.”

Marcus Aurelius

Risk in Today’s World

We have experienced turbulence and generational events in the short space of the last few years. New and emerging risks are changing risk profiles and testing the effectiveness of traditional risk management.

What is the Response?

Enterprise Risk Management (ERM) is an organization-wide framework employing a range of resources with full executive participation and support. Commonly used adjectives to describe the approach are structured, continuous, and consistent. It avoids internal silos and looks at the full spectrum of risks facing an organization and their combined effects.

To examine the meaning of ERM let us start with a definition of risk.

  • Risk is the effect of uncertainty on the achievement of the organization’s objectives.

For a professional services firm, therefore, risk is rooted in its practices and people. In this context it is worth mentioning the three lines of defense approach to risk management: line management, risk management, and internal audit. ERM goes beyond that.

Role of ERM

ERM dates from perhaps the 1980s, when an awareness developed that traditional risk management had to be extended. Corporate scandals and failures had clearly arisen from factors that were not within the traditional ambit of risk management and lay rather in the realms of management and culture. A broader look at risk was needed. The first Chief Risk Officers appeared, with aviation and financial services being among the early adopters.

Evidence suggested that some significant corporate failures resulted from changes in priorities at the top that led to more aggressive risk taking. Risk management had to extend to enterprise strategy and leadership had to set the direction.

Thus, the Institute of Risk Management defines ERM as:

A holistic approach to identifying, defining, quantifying, and treating all of the risks facing an organization, whether insurable or not. Unlike traditional risk management, ERM deals with all types of risk, such as hazard or event risk, operational risk, credit risk, and financial risk.

Other definitions make it clear that it is a process that encompasses strategy and requires senior leadership’s involvement with risks being measured against risk appetite. We will address risk appetite in subsequent articles.

Where Does Traditional Risk Management Fall Short?

Drivers of change often equate to sources of risk. Strategy of course involves judgement and things can go wrong. In this context, an ERM framework can provide an extra level of protection that adds scrutiny and oversight and prepares the organization if something does go wrong.

When things do go wrong, the often-cited causes are:

  • Priorities changed and a more aggressive risk-taking culture emerged.
  • Risk Management reported below Board level and its voice was lacking at crucial moments.
  • Near misses were ignored.
  • Frameworks for managing risk existed but were ineffective or overridden.

Recent external shocks have exposed how many key risks are outside of traditional controls and require an enterprise approach.

In the wake of COVID we are seeing frequent reference to the term resilience, which is intrinsic to the ERM concept. This is the area that includes crisis management and business continuity and gives organizations the ability to continue operations and recover from adversity, while protecting reputation.

What Benefits can be Captured?

  • Good frameworks and processes are only part of the full story. Risk must be actively managed and silo mentalities avoided. Grey-swan-type events can be avoided, or the response to them managed.
  • ERM facilitates adaptation to change from several sources: competition, environment, regulations, client needs. Data is captured and can be used to monitor and track risk indicators.
  • Part of the process is to research root causes of past issues and use those lessons to scenario plan for the future. The organization is thereby prepared if things do go wrong.

As we dwell on the experiences of the last few years, risk severity has been a dominant issue but so too has velocity, the speed at which risks manifest themselves and their consequences take effect. Past assumptions have been tested and biases exposed.

The case for ERM is therefore persuasive.

We will explore ERM’s role in creating an effective organizational response to risk in a series of articles.

The Professional Services Practice at Aon values your feedback. If you have any comments or questions, please contact Keith Tracey.

Keith Tracey
Managing Director