ABSTRACT

This chapter discusses some fundamental issues related to enterprise risk management (ERM). A key issue is how best to structure and plan ERM in situations involving risk and uncertainties. We argue that it is essential to distinguish between three types of risk management (enterprise risk management, task risk management and personal risk management) and to implement a structure in which enterprise risk management overrules both task and personal risk management. The discussion is based on a “modern” perspective on risk that highlights knowledge and uncertainties beyond probabilities.

A common principal objective for a (profit-based) organization is to maximize value while at the same time avoiding HSE (health, safety and environment) and integrity incidents. Often there is a weak link or no clear link between the principal objective and the subgoals in the organization. In addition, interdependencies between goals could generate inconsistencies and lower levels of performance than expected. Increasing the ambition set for the overall performance of the organization may lead to higher risk seen in relation to lower-level objectives. There is clearly a hierarchy of objectives, and concentrating on risk management in the sense of meeting objectives without understanding this hierarchy could lead to poor results: risk management on a lower organizational level may show excellent results, with all goals met, yet without having contributed to the main overall performance and objectives of the organization.

This chapter addresses this issue. We aim to bring new insights to the topic by making a distinction between three types of risk management: enterprise risk management, task risk management and personal risk management, and adopting a “modern” perspective on risk highlighting knowledge and uncertainties beyond probabilities. The chapter is to a large extent based on Aven and Aven (2015).