Whereas traditional risk management approaches focus on protecting a company’s tangible assets and the related contractual rights and obligations, the scope of a new approach called Enterprise Risk Management (ERM) is much broader. ERM, discussed in greater detail in Chapter 14 "Appendix C: Enterprise Risk Management: Ask the Board", is more than crisis management or regulatory compliance. It is a tangible and structured approach to addressing organizational and financial risk. It is strategic in focus, aimed at enhancing and protecting a company’s tangible and intangible assets on an enterprise-wide basis. Its basic premise is that uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. For a more detailed discussion of this subject, see Waller, Lansden, Dortch, and Davis (2005) and Chapter 14 "Appendix C: Enterprise Risk Management: Ask the Board".
Although the management of a company is ultimately responsible for a company’s risk management, the board of directors must understand the risks facing the company and oversee the risk-management process. Best practice suggests that board committees should incorporate risk management into their charters. A company’s governance and nominating committee, for example, can ensure that the company is prepared to deal with risks and crises by evaluating the individual capabilities of the directors, nominating directors with crisis-management experience, and considering the time each director and nominee has to devote to the company. The governance and nominating committee should also work with management to establish an orientation program for new directors and succession plans for key executive officers.
More commonly, however, corporate governance guidelines delegate the responsibility for risk management to the audit committee. Alternatively, a company may appoint a risk-management officer, form a risk-management committee, or assign responsibility to a finance or compliance committee of the board. The responsible committee or group should meet regularly with the company’s internal auditor, the chief financial officer, the general counsel, and the head of compliance and individual business units to discuss specific risks and assess the effectiveness of the company’s risk-management systems.