A model for process oriented risk management

Every enterprise can be affected by risks with potential impact on their single organizational parts or on their organizations as a whole. The awareness of consequences deriving from threats, omissions or adverse events drives enterprises to support risk management programs whose aim is to reduce undesirable consequences. The need to identify, assess, and manage risks has motivated organizations to develop integrated frameworks to improve enterprise risk management. ERM is a framework designed by the Committee of Sponsoring Organizations of Treadway Commission (COSO, 2004) that helps business to assess and enhance their internal control systems. COSO defines ERM as “... a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regard in the achievement of entity objectives”. The literature about risk proposes various techniques to identify and classify risks in different fields of knowledge or descriptions of various innovative approaches for managing risks. For example, in (Alberts&Dorofee, 2009) two approaches for managing risks are compared: tactical risk management and systemic risk management. Tactical risk is traditional, bottom-up analysis defined as a measure of the likelihood that an individual potential event will lead to a loss coupled with the magnitude of loss. This approach has the limit that does not readily scale to distributed environments. In contrast to the bottom-up analyses employed in tactical risk management, systemic risk management approach starts at the top with the identification of a program’s key objectives. Once the key objectives are known, the next step is to identify a set of critical factors, called drivers that influence whether or not the key objectives will be achieved. In order to minimize the impact of risks Enterprise Risk management frameworks typically includes four major areas corresponding to the achievement of enterprise objectives: