MELDING ENTERPRISE RISK MANAGEMENT WITH GOVERNANCE MEANS DIRECTORS, SENIOR MANAGEMENT, INTERNAL AND EXTERNAL AUDITORS, AND RISK OWNERS MUST WORK INTERDEPENDENTLY.
Corporate scandals and diminished confidence in financial reporting among investors and creditors have renewed corporate governance as a top-of-mind priority for boards of directors, management, auditors, and stakeholders. At the same time, the number of companies trying to manage risk across the entire enterprise is rising sharply. So, we ask, how can enterprise risk management (ERM) be integrated effectively with corporate governance?
RISK, ERM, AND GOVERNANCE
To begin, business risks, of course, are uncertainties that can impinge on a company's ability to achieve its objectives and can result in many interdependent outcomes, some negative, some positive. Moreover, risks are a function of severity and likelihood; they may or may not manifest themselves. If they do, a variety of exposures is possible.
Business risks relate to business objectives because risk taking is a prerequisite to success: without risk, there is no reward. Accordingly, some risks must be exploited to take advantage of strategic opportunities. Conversely, risks that threaten success must be mitigated. These risks include threats of problems occurring, such as misappropriation of assets, or opportunities not occurring, such as a failure to achieve strategic goals.
Meanwhile, ERM, a structured and disciplined approach to help management understand and manage uncertainties, encompasses all business risks using an integrated and holistic approach. A report from the Institute of Internal Auditors (IIA) captures the essence of ERM: "The goal of ERM is to create, protect, and enhance shareholder value by managing the uncertainties surrounding the achievement of the organization's objectives."1 The professional literature indicates that ERM is relatively well understood, especially by the companies striving to implement it.
Finally, corporate governance is a process a board carries out to provide direction, authority, and oversight of management for the company's stakeholders.2 Unfortunately, directors, management, internal and external auditors, and risk managers do not understand corporate governance well, especially from a day-to-day perspective. They sometimes consider it a nebulous topic: It "means different things to different people."3 Moreover, while the board of directors is the owner of the governance process, day-to-day guidance and oversight by the board clearly is not feasible; the board must rely on other parties (executives, managers, and auditors) to help it fulfill...