Enterprise Risk Management (ERM)

What is Risk?

Risk can be viewed as the combination of the probability of an event and the impact of its consequences. Events with a negative impact represent risks that can prevent value creation or erode existing value. In order to deliver value to the stakeholders, we must understand the types of risks faced by the organization and address them appropriately through Enterprise Risk Management (ERM).

Basically, risks to the Company’s success can be grouped into four categories: (1) Strategic, (2) Operational, (3) Compliance, and (4) Financial & Reporting.

Specific examples of each type of risk are included in the table below.

Risk Types and Examples

Strategic
  1. Reduction in business vitality
  2. Loss of intellectual property & trade secrets
  3. Competition for talent
  4. The negative impact on reputation/loss of Trust-mark

Operational
  1. Disruption of product supply
  2. Counterfeiting
  3. Inefficient use of resources/increased product cost
  4. Physical property/damage/disruption
  5. Discontinuation of global data flows

Compliance
  1. Environmental
  2. Employee health & safety
  3. Clinical trial subject/patient safety
  4. Product quality/safety issues
  5. Selling and promotion of the products
  6. Protection of personal data in accordance with global data protection requirements
  7. Local tax and statutory laws

Financial & Reporting
  1. Currency exchange, funding & cash flow, credit risk
  2. Financial misstatement (including violation of the Sarbanes-Oxley Act)

What is Enterprise Risk Management (ERM)?

Enterprise Risk Management (ERM) is a common framework applied by business management and other personnel to identify potential events that may affect the enterprise, manage the associated risks and opportunities and provide reasonable assurance that the Company’s objectives will be achieved.

Through this approach to risk management, we can:

  • Ensure prompt resolution of internally identified risks to compliance with laws and regulations, so as to maintain the provision of quality products, protect patient safety, and ensure appropriate relationships with customers.
  • Support “simplification” strategies to ensure effective use of resources, enable an optimized approach to auditing and identification/remediation of compliance issues, and promote reporting and monitoring across compliance functions.
  • Enable improved decision-making, planning, and prioritization through a structured understanding of opportunities and threats.
  • Support value creation by enabling management to deal effectively with future events that create uncertainty, pose a significant risk or opportunity, and respond in a prompt, efficient, and effective manner.
  • Support the growth drivers of creating value through innovation, extending the global reach with a local focus, executing with excellence, and leading with purpose.

Business leaders are accountable for managing risks affecting their businesses. Risk management functions are responsible for identifying, assessing, and presenting those risks to the business leaders with recommended actions.

Risk management professionals continuously strive to innovate and develop solutions to identify and mitigate risk more effectively. Select risk management functions are listed below along with the areas of risk for which they have responsibility.

Components of Enterprise Risk Management Framework

The Enterprise Risk Management Framework is made up of six process components derived from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Framework.

Objectives are set by the Executive Committee in alignment with the Enterprise’s Strategic Framework and are cascaded throughout the organization:

First, Event Identification & Risk Assessment:

As part of the strategic planning process and day-to-day management of the business, functional leaders identify internal and external events that may affect the achievement of the Company’s objectives. Risk management function personnel help identify and assess these risks through their expertise, formal assessments, and analysis of business intelligence and trends.

Second, The Risk Response:

A response is determined based on the overall risk exposure, considered as a function of the likelihood and impact of the occurrence. Risk responses may include avoiding or evading, accepting, reducing, and sharing or transferring the risk.

Third, Control Activities:

Control activities are established to ensure that risk responses are carried out effectively and consistently throughout the organization. This involves formalizing risk responses in the Company’s policies, ensuring clear accountability, utilizing self-assessment and monitoring tools, and designing controls into the systems and critical business processes.

Fourth, Information & Communication:

Information and communication channels are in place to make the organization aware of the risks that fall into each area of responsibility, and of the expected behavior and actions to mitigate negative outcomes.

Finally, Monitoring:

Management reviews, as well as assurance activities such as testing, auditing, and assessments, are in place to ensure that risks are effectively identified and assessed, and that appropriate responses, controls, and preventive actions are in place.

While no risk management system can ever be absolutely complete, the goal is to make certain that identified risks are managed within acceptable levels.