Enterprise Risk Management versus Basic Risk Management

Practically every organization in the business world faces risks that challenge its operations. For this reason, firms need to employ best practice in order to be successful. Coupled with a much-needed cohesive team and infrastructure, this would help address the financial, operational, strategic, and hazard risks they often face.

In a basic risk management setting, efforts to deal with risks are departmentalized and the focus is mainly on hazard risks. With this approach, an organization is not able to effectively compare the possible risks and therefore determine how they interact with one another. As such, evaluating the cumulative effect of the risks on the organization becomes an uphill task. Conversely, in an Enterprise Risk Management (ERM) setting the comparison and evaluation of the risks faced by an organization is done in a more holistic manner. This is usually done by a Chief Risk Officer (CRO) or a designated senior executive (Fraser & Simkins, 2010).

However, it should be noted that both methods of risk management share the same basic purpose: both seek to address the risks faced and to minimize any adverse effects resulting from losses and missed opportunities. In fact, ERM is largely an extension of basic risk management, although some differences stand out.

A major one is in strategic application. In the ERM approach, the effort towards risk management is enterprise-wide. Any departmental or functional autonomy is therefore superseded, in favour of continuous review and support for the organization's most value-based goals. In basic risk management, by contrast, risks are addressed at departmental level. As a result, this approach fails to define and address risks collectively throughout an organization, as each department may do this differently (Mehta, 2010).

In addition, whereas basic risk management tends to focus on hazard risks, ERM involves the management of all risks that affect an organization's ability to achieve its objectives, regardless of the kind of risk under consideration. This approach is carefully benchmarked and reviewed to give an organization an edge: it stays focused and lays emphasis on the key areas of survival and prosperity.

Another major difference between the two approaches is in performance metrics. In ERM, there is an emphasis on result-based performance evaluation throughout the organization. These results are used to determine whether the risk management method employed was effective in achieving its business goal, such as maximizing investment or asset returns. In this regard, ERM is especially beneficial as it maximizes possible opportunities for growth and minimizes expected organizational losses. This increases asset value and expected income while reducing residual uncertainty across the entire organization. This is unlike basic risk management, which focuses on isolated incidents of risk (Hampton, 2009).

While some organizations have highly talented and qualified representatives who handle their individual functional risks, others prefer to manage risks across the entire enterprise. More often than not, the latter are uniquely and highly profitable (International Organization for Standardization, 2009).

Figure 5 (Brannan and Taylor paper) explanation

The figure summarizes ERM in a health care industry setting. It illustrates how the model's risk focus and management are enterprise-wide, an approach that would help an organization achieve its profitability and performance targets. Multiple risks have been taken into consideration simultaneously: risks regarding legal issues, research, reputation, client satisfaction, medication safety, quality of services, and operations, among others.

A Strategy Matrix has been developed. For instance, in order to improve or ensure medication safety, the issue of expired medication supplies has been factored in. True to the model's approach, risk comparison and evaluation has been done in a very holistic way, the result of which is insight into how the risks generally interact and relate with one another. In an effort to reduce infections, what role will the use or disuse of non-calibrated/non-verified equipment play? How is this related to medication safety? Will non-existent or insufficient documentation affect communication? If documentation is poor, how will this impact the organization's ability to correctly identify patients the next time they visit? To ensure patient safety and satisfaction, the figure attempts to deal with physician/staff competency. This would be done by the use of proper and efficient validation methods and procedures. Interestingly, this still has a direct relation to unfamiliarity with EM procedures or violation of patient confidentiality, since competent staff would be expected to have a better understanding of these issues. In addition, proper storage areas and methods would directly contribute to medication safety and to overall patient safety and satisfaction. By addressing issues like staff competence and medication safety, any legal matters that might otherwise arise from them are avoided (Olson & Wu, 2010).

In summary, the figure explores numerous areas within a health care facility that could be sources of risk, and by relating each risk to the others it ensures enterprise-wide risk management. It addresses issues that are emphasized by the National Patient Safety Goals (NPSGs) and in so doing minimizes the risks associated with statutory and regulatory non-compliance. Strategic, operational and human resource risks have been assessed in general terms.


Figure 2 (University of Regina document) explanation 

In figure 2, on the Risk Heat Map and Corresponding Treatment, it is clear that the University of Regina has employed the various components necessary for the effective establishment and application of ERM. The impact of risks on the set objectives has been assessed, and it is clear that this is done with direct consideration of the context within which the institution is operating at any given time. Risk, trend, and event identification has been done. As such, consideration has been given to any events that might hinder the institution from achieving its objectives, be they long-term or short-term. The risk analysis has been done on the basis of impact and likelihood of occurrence, the two factors that directly dictate the management action to be taken. From the figure, any events that would have 'grave' consequences, like complete loss of critical data, loss of lives, very significant financial fraud and disruption of graduation, carry a high risk tag and would therefore call for more immediate and high-level attention and action. Conversely, events with lower likelihood and impact would merely be monitored.

Risk Heat Map Analysis of some of JCAHO’s Actions

Of JCAHO's top ten actions, five are chosen for analysis. These are Expired Medications or Supplies, Improper Storage/Cluttered Areas, Inability to Validate Physician/Staff Competence, Violations of Patient Confidentiality, and Insufficient/Non-existent Documentation. The analysis is based on likelihood and impact. The risk management action to be taken is directly proportional to the projected impact on the enterprise objectives. To be considered is the effect of each on statutory and regulatory compliance, reputation, patient safety, and financial position. The analysis is tabulated as follows:

Risk Heat Map (impact levels as rows; likelihood sub-columns low, medium and high from left to right)

High impact:
·         Statutory and regulatory non-compliance attracting fines >$6 M
·         Isolated or multiple loss of life
·         Dented reputation lasting >24 months
Risk Management Action:
          Considerable attention and
          Risks must be monitored and managed

Medium impact:
·         Statutory and regulatory non-compliance attracting fines <$6 M
·         Significant health effects to one or more persons
·         Dented reputation lasting 6-12 months
Risk Management Action:
          Risks might be accepted but must be monitored
          Some management effort worthwhile

Low impact:
·         Statutory and regulatory non-compliance attracting fines <$200 000
·         Isolated mild health effects
·         Slightly dented reputation lasting <3 months
Risk Management Action:
          Cope with risks
          Cope with risks but monitor them
          Risks must be managed and monitored

Note: In the Risk Management Action header column of the table, the likelihood in the sub-columns moving from left to right is low, medium and high, in that order.


References

Fraser, J., & Simkins, B. J. (2010). Enterprise risk management. Hoboken, NJ: Wiley.

Hampton, J. J. (2009). Fundamentals of enterprise risk management: How top companies assess risk, manage exposures, and seize opportunities. New York: American Management Association.

International Organization for Standardization. (2009). ISO 31000: Risk management: Principles and guidelines = Management du risque: Principes et lignes directrices. Geneva: ISO.

Mehta, S. (2010). Enterprise risk management: Insights & operationalization. Morristown, NJ: Financial Executives Research Foundation.

Olson, D. L., & Wu, D. D. (2010). Enterprise risk management models. Heidelberg: Springer.