Enterprise Risk Management — Integrated Framework :
Any one of a variety of risks could threaten an organization’s success and lead to a decrease in stakeholder value, including: globalization, technology, demands for customized products and services, shifts in regulation, mergers and restructurings, accounting and reporting deficiencies, and complex financial instruments. Leaders must be aware of a holistic approach to risk management and the need for a stronger governance structure.
Today’s organizations are concerned about:
• Risk Management
• Assurance (and Consulting)
“… a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
Why ERM Is Important :
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
Enterprise Risk Management — Integrated Framework:
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
The ERM Framework Entity objectives can be viewed in the context of four categories:
The ERM Framework ERM considers activities at all levels of the organization:
• Division or subsidiary
• Business unit processes
Risk management is an activity best undertaken offensively, before disasters strike. When it is done reactively, it can be too late. With the ever-increasing number of risks in business – from cyberattacks to global pandemics – it’s essential that companies adopt a proactive approach to measuring and managing risks in all their forms, and in such an endeavor, the key people involved should be not the PR spokespeople and crisis managers but the management accountants. Thankfully, management accountants have a clear source of guidance on ERM in the form of Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management Framework. IMA is one of five co-sponsors of COSO, which was established to help increase fraud deterrence in organizations. I serve on the COSO Board as lead director.
The COSO framework was designed to give professionals and companies a detailed way of thinking about and acting on ERM that transcends the traditional approach to crisis management. Five components form the backbone of ERM:
· Governance and Culture
· Strategy and Objective Setting
· Review and Revision
· Information, Communications and Reporting
But for these to work, ERM must be linked directly to a company’s overall strategy.
A key part of that process is answering the following questions:
· Do you have documented crisis management plans in place?
· Do you create an environmental scan, including internal and external factors like natural disasters?
· Do you have types of risks identified and prioritized in your risk matrix?
· Do you regularly assess changes in your internal and external environment?
· Do you have a communications process for key stakeholders?
· Do you proactively discuss your comprehensive portfolio of risks?
Discussing the answers to these questions openly is critical. Documenting roles and responsibilities that result is also paramount because it makes clear what is expected from employees and management. Every decision undertaken by key stakeholders is made with the long-term sustainability of the business in mind. This is imperative when crisis hits.
Management accountants often have the clearest line of sight into a company’s finances and supply chains, so they have the most responsibility when it comes to ERM. It is paramount management accountants understand their roles transcend traditional finance. They need to work cross-functionally, with IT, HR and sustainability departments, among others, to gauge non-financial risks across the organization. Factoring these risks into the bigger picture enables them to construct a holistic risk framework. This is the critical role management accountants play in moving ERM from reactive measures to proactive ones.
Process for Establishing an ERM Framework
1. Common language around risk
The risk management function (or equivalent) must establish and educate the organization on common terminology regarding risk. A common definition of risk is – the potential for loss, or the diminished opportunity for gain, which can obstruct the achievement of the firm’s business objectives. Common terminology will facilitate communication across business units.
2. Risk management steering committee
It is important to establish a senior management level committee to provide oversight of the implementation of the ERM Framework. In addition the committee will help delineate the roles and responsibilities within the Framework.
3. Roles and responsibilities
Roles and responsibilities must be clearly defined and understood throughout the organization.
- Board of directors & CEO – have ultimate accountability for all risks. Risk management practices must be discussed periodically and risk management related policies must be reviewed and approved.
- Senior management – design, implement, and maintain an effective Framework. Develop policies and procedures, establish and monitor the risk appetite, and report regularly to the board of directors. Promote a risk-aware culture.
- Business units – identify, assess, measure, monitor, control, and report risks to senior management. Manage relevant risks within the framework established by senior management. Ensure compliance with policies and procedures.
- Support functions (i.e. Legal, HR, IT, etc) – provide support to business units in developing and enforcing policies and procedures.
- Internal Audit & Compliance – monitor and provide independent assurance of the effectiveness of the Framework.
- Risk management – coordinate the establishment of the Framework and provide risk management expertise.
4. ERM methodology
Develop a methodology for the ERM Framework. This should include definitions of key risk terms, descriptions of roles and responsibilities, and clear procedures for risk identification, assessment, measurement, mitigating, monitoring, and reporting.
5. Risk appetite statements
A formally written document that comprises all of the key business areas. The document should take into account the firm’s strategic direction and objectives. It should clearly outline the firm’s capacity to take risk and its tolerance for potential loss. In addition, a risk appetite must be regularly reviewed and approved by senior management and board of directors.
6. Risk identification
This can be completed via risk control self-assessment (RCSA) approach; coordinated by risk management and conducted with subject-matter-experts. This method uses a risk taxonomy to identify applicable risks, inherent risk levels, quality of internal controls, and residual risk levels. The process consists of the following steps:
- Identify applicable risks and describe the business activity that exposes the business unit to the risk. This includes credit, market, liquidity, operational, event, and strategic risk.
- Establish the inherent risk level (H, M, L) and typical annual damage. Inherent risk is anything that prevents the achievement of business objectives without consideration of internal controls. Typical annual damage, if applicable, can be estimated based on subjective judgment of the business unit with consideration to both past (actual losses) and potential future occurrences.
- Assess and rank the quality of internal controls (H, M, L) and reason for the assessment. Internal controls mitigate the inherent risk and involve the implementation of policies, procedures and standards.
- Calculate the residual risk level (H, M, L) which remains after taking into account relevant internal controls. For example, a Medium inherent risk and Low quality of internal controls will result in a High residual risk level.
Note: High, Medium, Low are popular scales in the financial services industry; however, other ranking scales may be used. Another method of identifying risks is to evaluate all processes within the firm and create a list of potential risk sources (known as Business Process Mapping). This step should be completed by the risk management department in conjunction with knowledgeable and well-seasoned employees of various departments within the firm. This method allows for open communication/ discussion and can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. Other techniques include, actuarial models, scenario analysis, external data collection, and comparative analysis.
7. Risk prioritization
Using the results of the RCSA for each business unit, prioritize key risks based on the residual risk levels. Discuss all High residual risks with the risk management steering committee and set risk mitigation plans.
8. Risk mitigation plans (RMPs)
RMPs must be established by taking a risk-based approach to address the areas with the greatest control weaknesses and largest potential for loss. Firms will generally run out of resources before they run out of risk therefore the High risk items must be given priority. Target completion dates and responsible owners must be selected to facilitate the risk mitigation process.
9. Risk monitoring and reporting
Key risks that were identified must be monitored and periodically reported to senior management and board of directors. ERM BenefitsEstablishment of an ERM Framework is not a one-time exercise that only involves a few participants. It is an intensive, dynamic and continuous process that requires firm-wide participation. When implemented successfully ERM will produce many benefits to the organization. An effective ERM Framework will:
- Allow an organization to gain a clear picture of its overall exposure to risk
- Improve firm-wide understanding of risks and controls
- Reduce operational losses
- Improve the deployment of capital
- Align risk appetite and strategy (business objectives)
- Facilitate board and senior management oversight
- Breakdown silos between various departments and across all risks (promote transparency)
- Result in a more efficient use of resources
- Improve regulator, rating agency, and shareholder perception
- Enhance internal control
- Promote a culture of risk awareness
After considering the benefits of implementing an ERM Framework, it is surprising to see that only 36% of institutions participating in Deloitte’s Sixth Global Risk Management Survey had an ERM program in place. Although 72% reported that the benefits of ERM outweigh the costs.
Enterprise risk management implementation is not considered an easy task. It requires organizational agreement/cooperation and a strong senior management team. Although there are clear benefits to ERM, challenges also exist. By examining some of these challenges, organizations will be better prepared to establish their own enterprise risk management programs. Challenges that an organization might run into include:
- Defining a common risk language
- Demonstrating the benefits/value of ERM (e.g. cultural issues)
- Establishing ownership for particular risks and responses
- Identifying risks and quantifying potential damage
- Prioritizing risks across the organization
- Developing RMPs to ensure the risks are appropriately managed
- Risk reporting- deciding what information should be shared and how
- Ensuring RMPs are carried out
- Formulating the risk appetite statements
- Lack of reliable data & insufficiency of technology (MIS)