RMSS Logo
Sign In  |  Register    
News > In The News > What is Enterprise Risk Intelligence and is it just a passing fad? An article by Andrew Howarth, CEO
 

What is Enterprise Risk Intelligence and is it just a passing fad? An article by Andrew Howarth, CEO

Date: 24.01.16 - Sunday

A number of key concepts/acronyms have emerged in relation to the area of risk management within organisations:

  • ERM (Enterprise Risk Management)
  • GRC (Governance, Risk and Compliance); and
  • ERI (Enterprise Risk Intelligence).

 

ERI is the most recent concept to emerge and some have posed the question as to whether ERI is just another fad or buzzword or if it is more than that...

ERI is not GRC or ERM. ERI encompasses more than these two concepts and is emerging as an active business practice around the world as organisations begin to realise the value of integrating the previously disparate functions of compliance, event/incident and risk management. In order to understand why the term encompasses significantly more than GRC and ERM, it is necessary to truly define the term.

 

Enterprise Risk

Rather than simply a strategic focus on senior management or board reports, Enterprise Risk should incorporate every aspect of the organisation. Other terms that use the word ‘enterprise’ commonly make the assumption that it represents only the larger, inherent risks, major loss events, or significant compliance breaches summarised in a high level and conceptual manner.

However, simply producing an unchanged risk register of 12 or 15 issues, month after month, does not provide a true picture of an organisation’s position. In true ERI, ‘Enterprise’ is inclusive of all strategic and operational risks, events and compliance obligations of the entire organisation.

 

Risk Intelligence

The recognition of risk intelligence as a business process is central to understanding what ERI really means. ‘Risk Intelligence’ is:

  • how an event/incident (a risk that eventuated) informs us about how effective our organisation’s risk management actually is;
  • the method of identifying breaches in compliance obligations as a risk;
  • the approach of risk assessing compliance obligations in order to prioritise the breach and corrective actions; and
  • the technique of escalating events on the basis of risk (potential outcome) not just severity (actual outcome).

Integrating this critical ‘intelligence’ from the three disciplines makes each function significantly more effective and valuable to the business than operating them in isolation.

ERI should not be confused with GRC, which tends to be centred around the Governance, Risk and Compliance processes of finance and IT controls. GRC is an umbrella philosophy that includes risk management, governance, and compliance, and ERI includes some of this without question.  However ERI is actually the next step beyond what basic GRC delivers, encompassing the full collaboration and analysis of event, risk and compliance management processes, including the integration of all risk categories and the permeation of the compliance process across all obligations. GRC is more of a platform for illuminating governance and compliance risk.

 

ERM is not about being compliance or regulatory-driven. It’s about strategically assessing and managing risk to ensure the effective use of resources to maximise risk reduction. ERM includes identifying the risk appetite, assessing risk, integrating risk management in daily decisions, and monitoring risks. ERM is more of a methodology for managing the entire spectrum of risk, but it does not fully encompass the event and compliance functions across an organisation.

 

Hence, ERI is not the same concept as GRC or ERM and is more than just a fad or a buzzword. Best Practice organisations internationally are accepting the need to integrate previously disparate business processes and are recognising the value of embracing true Enterprise Risk Intelligence.