BOX 6-1
Enterprise Risk Management

Risk is the potential any action or inaction has to result in an undesirable outcome. The concept of enterprise risk management comes from the financial services industry, but has been adapted for use in a variety of businesses, as well as in running governments and universities. The Committee of Sponsoring Organizations of the Treadway Commission defined enterprise risk management as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004, p. 2).

The principles of enterprise risk management allow any type of organization to assess areas where it has exposure to harm and evaluate the extent of the danger. Assessing mitigation strategies is an important part of enterprise risk management, as is financial and administrative planning against the organization’s risk profile. The advantage of an enterprise-wide risk management assessment (as opposed to a functional or discipline-based assessment) is that the organization’s management gains a framework that presents the connected relationships between decisions and then allows it to integrate its responses to multiple threats (COSO, 2004). The use of enterprise risk management can guide staffing and training decisions. Over time, the use of enterprise risk management can help the organization transition from a culture of responding to crises when they happen to predicting and preventing them (Protiviti Inc., 2006).

data available. Over time the agency may develop data sharing relationships with its counterpart agencies abroad. The FDA may also want to collaborate to develop its own risk assessment tool.

A number of organizations have supported a risk-based approach to food and medical product regulatory strategy. The Pew Health Group encouraged using risk to guide inspections (Pew Health Group, 2011), as have industry spokespeople (Vijay, 2011). The committee’s recommendation is also consistent with the 2010 Institute of Medicine report Enhancing Food Safety that argued for consistency in applying a risk-based food safety system (IOM, 2010).

In understanding the committee’s emphasis on enterprise risk management it is important to consider that this is a way to manage the agency’s enterprise. That is to say, a way to manage everything the agency does. Enterprise risk management is a strategic perspective to set priorities for the



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.