Risk Management Strategies

There are various risk management strategies which can be applied in isolation or in combination:

1. Tolerate/Accept the risk

   - Certain risks are considered minor because both their impact and their probability of occurrence are low; such risks are accepted as a cost of doing business.
   - These risks should be reviewed periodically to ensure that their impact remains low.

2. Terminate/Eliminate the risk

   - Some risks can be eliminated by addressing their cause. For example, if a risk is associated with a particular technology, it can be eliminated by replacing that technology with a better one.

3. Transfer/Share the risk

   - Here the risk is transferred to, or shared with, trading partners, suppliers, insurers, etc.

4. Treat/Mitigate the risk

   - This involves implementing controls to prevent the risk from manifesting itself or to minimize its effects.

5. Turn back

   - Where the probability or impact of the risk is very low, management may decide to ignore the risk.



Some important and basic facts about ERM:

- Implementation of controls requires a holistic and comprehensive approach.
- Ideally it should consider the overall business objectives, processes, organization structure, technology deployed and the risk appetite.
- The overall risk management strategy has to be adopted considering business objectives, processes, structure, technology and risk appetite.
- The overall risk management strategy should be designed and promoted by top management and implemented at all levels of enterprise operations, as required, in an integrated manner.
- Regulations require enterprises to adopt a risk management strategy that is appropriate for the enterprise.
- How controls are implemented depends on the overall risk management strategy and the risk appetite of management.
- The type of controls implemented in an enterprise's information systems depends on this risk management strategy.
- In an IT environment, it is important to understand whether the relevant IT controls are implemented.
- The Sarbanes-Oxley Act (SOX) in the US, which focuses on the implementation and review of internal controls relating to financial audit, highlights the importance of evaluating the risks, security and controls related to financial statements.



ERM may be defined as:

“A process, effected by an entity's Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

What kind of company should apply ERM?

The underlying premise of Enterprise Risk Management (ERM) is that every entity, whether for profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders.

Is there any relation of ERM with IT risks and controls?

It is important for management to ensure that the enterprise risk management strategy considers the implementation of information systems and their associated risks while formulating IT security and controls as relevant.

IT security and controls are a subset of the overall enterprise risk management strategy and encompass all aspects of the activities and operations of the enterprise.

Benefits of Enterprise Risk Management

No entity operates in a risk-free environment, and ERM does not create such an environment. Rather, it enables management to operate more effectively in environments filled with risks.

ERM provides enhanced capability to do the following:

1. Align risk appetite and strategy:

   - Risk appetite is the degree of risk, on a broad-based level, that an enterprise (any type of entity) is willing to accept in pursuit of its goals.
   - Management considers the entity’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.

2. Link growth, risk and return:

   - Entities accept risk as part of value creation and preservation, and they expect return commensurate with the risk.
   - ERM provides an enhanced ability to identify and assess risks, and establish acceptable levels of risk relative to growth and return objectives.

3. Enhance risk response decisions:

   - ERM provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing and acceptance.
   - ERM provides methodologies and techniques for making these decisions.

4. Minimize operational surprises and losses:

   - Entities have enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.

5. Identify and manage cross-enterprise risks:

   - Every entity faces a myriad of risks affecting different parts of the enterprise. Management needs to not only manage individual risks, but also understand interrelated impacts.

6. Provide integrated responses to multiple risks:

   - Business processes carry many inherent risks, and ERM enables integrated solutions for managing the risks.

7. Seize opportunities:

   - Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.

8. Rationalize capital:

   - More robust information on an entity’s total risk allows management to more effectively assess overall capital needs and improve capital allocation.


Enterprise Risk Management Framework

ERM provides a framework for risk management which involves identifying events relevant to the objectives, assessing them in terms of magnitude and likelihood, determining a response strategy and monitoring progress.

ERM is a risk-based approach which includes the methods and processes used by organizations to manage risks. In practice the framework involves:

- Identifying potential threats/risks.
- Determining their consequences/impact.
- Implementing controls to mitigate the risks.

The ERM framework consists of eight interrelated components. These components are derived from the way management runs a business, and are integrated with the management process.

These components are as follows:

1. Internal Environment:

   - The internal environment encompasses the tone of an organization.
   - It sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
   - Management sets a philosophy regarding risk and establishes a risk appetite.
   - The internal environment sets the foundation for how risk and control are viewed and addressed by an entity’s people.
   - The core of any business is its people. Their individual attributes, including integrity, ethical values and competence, together with the environment in which they operate, are the engine that drives the entity and the foundation on which everything rests.

2. Objective Setting:

   - Objectives should be set before management can identify events potentially affecting their achievement.
   - ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity’s mission/vision and are consistent with the entity’s risk appetite.

3. Event Identification:

   - Potential events that might have an impact on the entity should be identified.
   - Event identification includes identifying internal and external factors that influence how potential events may affect strategy implementation and achievement of objectives.
   - It includes distinguishing between potential events that represent risks, those representing opportunities and those that may be both.
   - Opportunities are channeled back to management’s strategy or objective-setting processes.
   - Management identifies interrelationships between potential events and may categorize events to create and reinforce a common risk language across the entity and form a basis for considering events from a portfolio perspective.

4. Risk Assessment:

   - Identified risks are analyzed to form a basis for determining how they should be managed.
   - Risks are associated with the related objectives that may be affected.
   - Risks are assessed on both an inherent and a residual basis, and the assessment considers both risk likelihood and impact.
   - A range of possible results may be associated with a potential event, and management needs to consider them together.

5. Risk Response:

   - Management selects an approach or set of actions to align assessed risks with the entity’s risk tolerance and risk appetite, in the context of the strategy and objectives.
   - Personnel identify and evaluate possible responses to risks, including avoiding, accepting, reducing and sharing risk.
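The following is an added worked example, not part of the original notes: a small risk register that scores each risk on likelihood and impact, derives the residual score once existing controls are taken into account (the inherent versus residual assessment described under Risk Assessment), and maps the result to one of the five response strategies listed at the top of the page. The 1-5 rating scales, the risk-appetite threshold, the decision order, the control-effectiveness fractions and the sample risks are all constructed assumptions chosen to illustrate the method; none of them are figures from the page.

```python
"""Risk register scoring and response selection (added example, constructed data)."""
from dataclasses import dataclass

# Assumption: both likelihood and impact are rated 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5

# Assumption: the highest residual score (likelihood x impact) management
# is willing to accept without further treatment.
RISK_APPETITE = 6


@dataclass
class Risk:
    name: str
    likelihood: int                      # inherent likelihood, 1-5
    impact: int                          # inherent impact, 1-5
    control_effectiveness: float = 0.0   # fraction of inherent risk removed by existing controls
    transferable: bool = False           # can the risk be shared/insured (assumed attribute)
    eliminable: bool = False             # can its cause be removed outright, e.g. retire the technology

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: ratings must be between {SCALE_MIN} and {SCALE_MAX}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be between 0 and 1")

    @property
    def inherent_score(self) -> int:
        # Inherent risk: exposure before any controls are considered.
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> float:
        # Residual risk: what remains after existing controls take effect.
        return round(self.inherent_score * (1 - self.control_effectiveness), 2)


def choose_strategy(risk: Risk) -> str:
    """Map a risk to one of the five strategies from the notes.

    Decision order (an assumption made for this example):
      1. Within appetite and both ratings at the floor -> Turn back (ignore).
      2. Within appetite -> Tolerate/Accept, flagged for periodic review.
      3. Above appetite and the cause can be removed -> Terminate/Eliminate.
      4. Above appetite and the risk can be shared  -> Transfer/Share.
      5. Otherwise -> Treat/Mitigate by adding controls.
    """
    if risk.residual_score <= RISK_APPETITE:
        if risk.likelihood == SCALE_MIN and risk.impact == SCALE_MIN:
            return "Turn back"
        return "Tolerate/Accept (schedule periodic review)"
    if risk.eliminable:
        return "Terminate/Eliminate"
    if risk.transferable:
        return "Transfer/Share"
    return "Treat/Mitigate"


def build_register(risks):
    """Return (name, inherent, residual, strategy) rows, largest residual exposure first."""
    rows = [(r.name, r.inherent_score, r.residual_score, choose_strategy(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", likelihood=4, impact=5, control_effectiveness=0.5),
    Risk("Legacy unsupported OS on a file server", likelihood=3, impact=4, eliminable=True),
    Risk("Data-centre fire", likelihood=2, impact=5, transferable=True),
    Risk("Printer paper shortage", likelihood=2, impact=1),
    Risk("Stationery theft", likelihood=1, impact=1),
]

if __name__ == "__main__":
    for name, inherent, residual, strategy in build_register(SAMPLE_RISKS):
        print(f"{name:<40} inherent={inherent:>2} residual={residual:>5} -> {strategy}")
```

The separation of inherent and residual scores is the point worth keeping: the register records what existing controls are already buying, so the strategy decision is made on the exposure that actually remains, and an accepted risk carries an explicit review reminder rather than silently dropping off the list.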

6. Control Activities:

   - Policies and procedures are established and executed to help ensure that the risk responses management selected are effectively carried out.

7. Information & Communication:

   - Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities.
   - Information is needed at all levels of an entity for identifying, assessing and responding to risk.
   - Effective communication should also occur in a broader sense, flowing down, across and up the entity.
   - Personnel need to receive clear communications regarding their roles and responsibilities.

8. Monitoring:

   - The entire ERM process should be monitored, and modifications made as necessary.
   - The system can react dynamically, changing as conditions warrant.
   - Monitoring is accomplished through ongoing management activities, separate evaluations of the ERM processes, or a combination of both.
