Management sometimes assumes that when they have identified and summarized the top risks to their organization through a Strategic Risk Assessment, they have implemented Enterprise Risk Management (ERM). This is simply not the case. A Strategic Risk Assessment is an important component of ERM – many times used as a starting point – but should not be considered a final destination. Even a sustained process to identify, analyze, and manage strategic risks, sometimes referred to as Strategic Risk Management, should not be considered an end target for ERM.
To truly achieve ERM in your organization, there has to be an ongoing, embeded process that involves senior management and employees at all levels. Ultimately, ERM creates a risk-aware culture in your organization and alignment of risk management activities necessary to understand the key risks to the organization. As you successfully manage the key risks, you are able to protect what the company has earned to date and enhance what it is going to do tomorrow.
Although value can be recognized through identification of strategic risks, a Strategic Risk Assessment or Strategic Risk Management must not be confused with an ongoing, embeded, ERM process, involving employees at all levels.