Greg Hutchins

Risk Management

21st Century Leadership—Enterprise Risk Management

Like quality, risk can be managed to facilitate good decisions.

Published: Monday, April 19, 2010 - 12:15

“I think we now live in an era when many of the concerns in running organizations are being reframed in terms of risk, which suggests that risk professionals are likely to rise to the top.”

(Source: “Managing Risk in the New World,” Harvard Business Review, October 2009)

My basic message is that 21st century leadership is all about making smart decisions under uncertainty, extreme volatility, constrained resources, increasing needs, and lack of full information. Borrowing Marshall Goldsmith’s term, I believe that the 21st century mojo of leadership will be all about making the tough decisions that need to be made in an economy running at a trillion-dollar deficit.

Twenty-first century leaders who understand, embrace, and execute smart political, financial, environmental, and stakeholder decisions will prevail and succeed. The 21st century leadership and management rubric will revolve around risk/cost/benefits involving enterprise risk management (ERM).

So, what is the “new normal?”

“The world is so integrated today. We no longer have direct control over our destinies, either individual or corporate. We are swimming in a sea of change and risk management can add stability to our lives.”

Dennis Arter, author, futurist


Many business rules and leadership assumptions have changed radically post-September 2008—the official period of the U.S. financial meltdown. I would almost say that most business rules have been reset. Harvard Business Review says that leaders need to understand and manage within the constraints of the “new normal.” Let’s look at some of the implications of the “new normal.”

We’ve experienced a number of “Black Swan Events”—low-likelihood, but high-consequence and even catastrophic events. September 11, 2001, was epochal in how it changed society as well as public safety decision making. There has been a sustained recession. The stock market lost trillions of dollars in market capitalization. Major companies went into dizzying tailspins because of financial fraud and massive overspeculation. A number of market bubbles also burst, all of which have resulted in overwhelming uncertainty.

Risks arise from uncertainty and the inability to plan, execute, and ultimately control events. So, “what if” questions and “how to” responses involving risk are now part of the fabric of every management discussion in companies as well as governments.

Most senior management decision making today is made through a risk filter. In the public arena, federal, state, and local agencies are focusing on risk and homeland security. In publicly held companies, board-level and senior management decisions are based on a risk analysis, because of increased board- and executive-level accountability, increased financial reporting transparency, increased due diligence, reporting regulations of the U.S. Securities and Exchange Commission and the New York Stock Exchange, and a number of other reasons.

Figure 1: Upside risk/downside risk

Uncertainty and risk

In Against the Gods: The Remarkable Story of Risk (Wiley, 1998), author Peter L. Bernstein says that the mastery of risk-based decision making is the foundation of modern life and it’s what divides modern from ancient times. These are pretty strong words. Let’s look at a few definitions of risk:

Risk—uncertainty of outcome, whether a positive opportunity or negative threat, of actions and events. It is the combination of likelihood and consequence, including perceived importance of a positive and negative event, which may involve a hazard, improvement, or new opportunity.

Risk—possibility that an event will occur and adversely affect the achievement of objectives

Risk—a situation or circumstance that creates uncertainties about achieving program objectives

There are several critical points regarding these risk definitions:

  • Risk is tied to an organization’s ability to meet business objectives.
  • Risk represents an upside of capitalizing on an opportunity and a downside of an unwanted event (see figure 1).
  • Risk has two critical elements: consequence and likelihood.
  • Risk is all about uncertainty, chaos, instability, being out of control, and the unusual.


What’s risk management?

“Risk is the watchword for this millennium. It’s at the forefront of management thinking in the areas of homeland security, health care, and supply risk management.”

Dick Gould, a Fellow of the American Society of Quality (ASQ)


Risk, like quality, can be managed to facilitate good decisions. Let’s look at the following definitions of risk management:

Risk management—an organized, systematic, decision-support process that identifies risk, assesses or analyses risks, and effectively mitigates or eliminates risks to achieving the program objectives

Risk management—all the processes involved in identifying, assessing, and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress

Figure 2: Management focus

What’s enterprise risk management?

“Although regulatory compliance continues to be a ‘hot button’ issue for product sales, organizations are looking for solutions that can help them better manage multiple forms of risk.”
(Source: Gartner Group)

Enterprise risk management, or ERM, has been defined as a process effected by an entity’s top management and other personnel, applied strategically and across the enterprise, which is designed to identify potential events that may affect the entity. ERM helps determine and manage risks so that they fall within the entity’s risk appetite, and provides reasonable assurance regarding the achievement of the entity’s objectives.

Why is ERM the leadership and management model for the 21st century? In an uncertain world, the logic goes somewhat like this: Increasing threats and uncertainties lead to unknown events and unknowable risks, which can only be prevented, predicted, or maybe preempted through enterprise risk management.

The underlying premise of ERM is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents risk and opportunity, with the potential to erode or enhance value. ERM provides a decision-making framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.

House of risk

A few years ago, I had to provide testimony on a technology audit. I needed to pull findings together into a visual ERM model, which eventually was called the “House of Risk.” It was composed of the following elements:

Governance: The vision, mission, culture, and philosophy of the business, including sustainability, profitability, stewardship, etc.

Risk management: Consists of the enterprise activities to manage opportunities and to mitigate potential adverse events.

Compliance: Consists of the activities to demonstrate adherence to laws, regulations, and policies.

Assurance: Consists of providing confidence that the organization is complying with laws, regulations, and policies.

Technology: Consists of infrastructure of technical processes and tools to ensure that enterprise governance, risk, compliance, and assurance are effective.

Figure 3: House of Risk

Connecting the dots

Enterprise risk management integrates an enterprise view of governance, risk, compliance, process variation, and product nonconformance. Figure 3 offers a depiction of the enterprise view, which makes it possible to explore, prevent, predict, mitigate, and even preempt bad things from occurring.

The Toyota auto recalls illustrate the perfect storm of the unthinkable and the unknown. Who in the world anticipated that the exemplar of auto quality, inventor of the Toyota Production System (lean management), and many quality tools, would lose so much brand equity built around quality? Toyota had all the lean management and Six Sigma tools and data. However, Toyota didn’t connect the dots to the enterprise risk level. If they had, Toyota may have been able to anticipate, mitigate, and preempt the recall and substantial dilution of its quality brand equity.

As risk decision making has increased, there is now a sense of realization that activity, process, or project-based risk mitigation does not work—much like fixing or correcting the symptom of a quality problem results in recurring problems. Many managers realize that the root cause solution to a chronic or systemic quality problem is through enterprise risk management. Enterprise risk management in many ways is analogous to total quality management (TQM).

ERM and TQM share some similarities

  • Both grew to prominence as a result of policy circumstances, TQM as a result of Japanese competitiveness and ERM as a result of financial excesses in corporate America and homeland security.
  • Both share common concepts and techniques, but use different words for them.
  • Both offer similar methodologies; the currently preferred risk management framework is based on ISO 31000.
  • Both follow a similar deployment mechanism.
  • Both follow a capability maturity model curve.
  • Both focus on variance from targets or objectives.
  • Both are process based.
  • Both have a hard technical side and soft people side.


The differences between the two are also revealing.

  • ERM is proactive, preventive, preemptive, and even predictive, and is specifically focused on the future. TQM seems reactive, specifically focused on the past.
  • ERM is relatively in its infancy, while TQM is a mature technology.
  • ERM has a governance and enterprise focus. TQM, even Six Sigma, has a tactical focus, largely emphasizing execution and metrics.


Why should quality leaders and professionals learn risk management?

“You’re at risk in your quality career. Risk can be about how your job is going to be outsourced or somehow fundamentally changed. What can you do about it? Learn cutting-edge technologies. Be prepared. Don’t wait, your future depends on your making smart decisions now.”

Gerry Brong, futurist, writer, academician


What’s the new normal in your business? What’s been reset? What was the previous baseline and what is it now? Specifically look at your treasured leadership and management assumptions. Are they still valid? If not, what’s the new reset for you?

Quality has fundamentally changed. Quality leadership and professionals must take a hard look at their role in this new business environment, assess their current skill set, determine what they need to learn to be relevant contributors of value, and make a smart decision of where they will be in the near future. I suggest that you learn and do ERM.


About The Author

Greg Hutchins

Greg Hutchins is an engineer, certified enterprise risk manager, and the founder of the Certified Enterprise Risk Management Academy, Made in the U.S.A., WorkingIt.com, and Quality + Engineering.