Appendix C

Enterprise Risk Management

Tracy, Grace and several other managers asked if I could provide them with more technical information about enterprise risk management (ERM). Tracy said, “I know that you simplified much of the details, and I appreciate that. Can you provide information for us to obtain a deeper understanding of this emerging best practice?”

For Tracy, Grace and anyone who would like a little more information about ERM, enjoy this appendix, starting at its overall purpose and inception. Based upon a career spent analysing risk and leadership’s impacts, I offer the following view, especially for auditors and CFOs.

Purpose of ERM

ERM enables an organisation’s leaders to deal with any uncertainty that harms a firm’s value, that is, the aspects of the entity that shareholders and other stakeholders are interested in protecting.

The Committee of Sponsoring Organizations of the Treadway Commission and ERM’s Inception

ERM represents a fundamental shift in the way businesses must approach everyday risk. As our economy becomes more service and technology driven and globally oriented, businesses cannot afford to let new, unforeseen areas of risk remain unidentified or ignored. We now have more guidance on the implementation of a consistent ERM structure from the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) ERM framework. The framework defines and describes ERM and provides a standard against which businesses can assess their ERM programme and determine how to improve it. This effort began in 1984 when COSO first addressed the issue of internal controls and inherent risks to respond to excessive frauds, scandals and audit failures.

In 2004 COSO crafted this definition of global and holistic risk management: “Enterprise risk management is a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

In 2009 COSO then issued the framework Enterprise Risk Management—Integrated Framework. This framework builds upon the 1992 report that addressed auditing internal control. The updated ERM framework was written by PricewaterhouseCoopers on behalf of COSO. This guideline contains key concepts and components of effective risk management, such as philosophy, risk appetite and looking at risk as a portfolio.

COSO more recently issued a white paper, Strengthening Enterprise Risk Management for Strategic Advantage, that it believed would be a helpful resource and that articulates the strategic value of effective ERM. A second white paper, Effective Enterprise Risk Oversight: The Role of the Board of Directors, discusses four core responsibilities of boards in the oversight of their organisation’s processes.

Lessons from M&M Candy

M&M candy is one thing universally loved and enjoyed. Their catchphrase years ago was, “Melts in your mouth, not in your hands.” The concept was that the protective shell ensured that the inner chocolate would not bleed out in the warmth of your hands.

ERM applies a protective cover at multiple levels that works to detect, deflect and defend against all pesky perils that move towards your firm. Firm value is the vulnerable centre you want to protect most of all.

The entire organisation is moving towards some sort of reward, usually in the form of capturing opportunities that turn into revenue and growth or another important result. However, in addition to the costs associated with opportunity, risks are all around you. All sorts of risks, represented by the lightning bolts in Figure C-1, occur from many sources, such as

  • the status quo.

  • the unknown.

  • just being in existence.

Your risks could harm firm value. Your ERM culture and methodology work to deflect, defer and minimise most of the risks. Although some of the risks will break through this protective shell, your organisation is strong enough to deal with those few risks that get past the ERM structure, as shown in Figure C-1.

ERM is designed to be just like an M&M with the hard shell. As shown in Figure C-2 ERM provides a protective coating to the core, which is your firm’s value.

Success Requires ERM

Effective risk management is a critical component of any winning management strategy. Properly designed, a risk management programme allows an organisation to actually take on additional risk while more securely growing. Options for treatment of exposure to loss include avoidance, reduction, contractual transfer, insurance transfer and retention. The most effective treatment of risk usually involves the application of more than one of these methods. Experienced coordination of the selected methods of treatment is essential to effect real change and accurately monitor results.

Because no one organisation can house the broad scope of expertise needed to address the full spectrum of risk faced in an evolving economy and marketplace, it is essential to enrol and engage employees in your organisation to be part of the risk management programme. This works to bring about success through a holistic, firm-wide awareness.

Finance’s Role in ERM

Finance managers and auditors must recognise that their role includes providing assurance that controls are in place for detecting and monitoring problems. Both COSO’s recent framework and the Sarbanes-Oxley Act of 2002 (SOX) created a new role for the professional accountant. The accountant is a key member of the firm’s ERM team. Because a significant business risk could arise from nearly every action undertaken by the firm’s employees, the accountant needs to be aware of the causes of and contributors to costly risk.

Changes are on the horizon for members of the accounting profession regarding risk management, as well as their clients and employers. Firms can either voluntarily establish a viable risk management programme, or it will be mandated on them. The organisations and laws that now require a formal risk management programme be implemented include

  • Standard and Poor’s (May 2008).

  • the Securities and Exchange Commission (March 2010).

  • federal financial reform legislation (July 2010).

Henry Ristuccia, a leader in Deloitte & Touche’s governance and risk management practice, was interviewed in the article “Rethinking Risk” in the January 2009 issue of CFO magazine about what public accountant auditors look for when auditing their clients for compliance with the rule regarding risks. “More external directors are asking senior management: What are the company’s major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?” Today’s auditors must understand ERM’s impact on their clients because of both COSO and SOX requirements. This concern for compliance applies to both internal auditors and those employed to keep the financial records.

How to Apply ERM

ERM is a very effective strategy that any firm can use to manage a wide variety of risks, running the gamut from strategic risks to financial risks. The difference between ERM and more traditional methods of managing risk is that ERM calls for high-level oversight of a company’s entire risk portfolio, rather than the “silo” approach discussed in chapter 5, “WHEN Is It Appropriate to Plan for Risk?” The outdated and ruinous “silo” method is built on the hope that individual managers alone will identify and oversee specific risks.

These are a few of the key decisions your firm’s leader must make early on when implementing a risk management programme:

  • Who leads it?

  • What sorts of risk are included in the analysis?

  • What happens after a risk is assessed?

  • How is the risk reported?

  • How will the risk be followed up?

  • What is the tipping point between accepting a risk and doing something?

  • What are the employees’ roles in assessing and monitoring risk?

ERM centralises all risk management under a chief risk officer (CRO) position or a risk committee that supports the individual risk owners to help each one of them identify how much risk the entire entity can tolerate, formulate mitigation strategies and otherwise capture advantages of risk opportunities.

Meanwhile some large firms have created a CRO position to monitor and manage risk. Other firms have opted for a decentralised approach. Some CFOs embrace the holistic approach of risk management so much that they tell the senior leaders that appointing a CRO is not necessary. Virgin Mobile chose to decentralise that function. CFO John Feehan said in the same CFO magazine article previously mentioned that his firm’s relatively small size of 400 employees allows it to take a hands-on approach to risk by “perceiving risk management as part of our daily life. We don’t separate it out as a separate function; it’s just a part of how we manage every aspect of the business.”

A growing number of risk management experts are urging their companies and clients to shift away from risk management specialists and move towards having a broader base of employees involved in managing risk. Proper risk management is done by gathering information from the various people overseeing risk areas and using the combined knowledge to determine the threats to the organisation, their financial impact and the firm’s effectiveness in handling such risk. The goal, of course, is to determine the appropriate amount of capital you need to protect yourself from risk. The risk committee is the champion for the information gathering efforts.

Managing risk requires absorbing, hedging or transferring it and applying capital to it, which is money that could be spent in other parts of the business. This view of throwing dollars at risk, or the cost of ERM, in effect helps the organisation’s leaders determine the right amount of capital that should be directed towards risk.

ERM’s Global Risk Plan

Within the ERM structure or framework, the firm establishes a risk definition and the tolerance levels (the cost you cannot afford), as well as the policies and procedures required to assess and measure the risk and create systems for monitoring. While implementing ERM your leaders need to conduct a regular check-in to determine the easiest, best and most cost-effective ways to answer these questions for risk.

For risk strategy

  • What is our organisation’s ERM strategy?

  • How is the ERM strategy communicated and executed throughout our company?

For risk ownership

  • How does each division, unit or team contribute to meeting our goals of the ERM strategy?

  • How are our teams and the individuals involved held accountable for success?

For risk identification

  • What is our organisation’s definition of risk?

  • What are our organisation’s top five risks?

For risk ranking

  • What is the estimated probability for the top five risks?

  • What are the financial consequences to our company?

  • Which risks are material?

  • How should our identified risks be prioritised?

For risk treatment (mitigation and abatement)

  • How are these risks currently managed?

  • Is the approach effective, or is there an alternate approach?

For risk solutions

  • What risk management processes are appropriate based upon the findings of the preceding elements?

  • What risk-addressing action plans should be in place?

  • How are risks to be monitored?

ERM: A Self-Sustaining Evergreen Process

Effective risk management has gone from an attitude of, “I would like to do,” to a frame of mind of, “We must do this.” It is something you want employees to think about. This requires making it a self-perpetuating system. You accomplish this by emphasising that ERM is a continuum.

Figure C-3 is a visual view of the ERM continuum. It starts with defining risk then moves to providing employees with tools to identify risk. From there ERM requires using tools to do risk scoring and cost valuation while ensuring that someone owns the responsibility for the many people managing the risk. The next two steps include employing a protocol for risk recovery and defining specific action plans for learning from the risks taken. Notice this continuum follows the continuous six steps that we will be following in this book’s main content to create a risk and balanced culture.

ERM and Controls

Your firm must implement sufficient controls within each process to ensure that the risk will likely be detected. An effective risk process

  • gathers and compares actual and forecast information.

  • measures the potential risk.

  • calculates the cost.

  • suggests alternatives or options to minimise the risk.

Risk controls should be integrated into your firm’s operational and financial controls because the two systems overlap. An effective control process

  • runs on a transparent and an auditable platform.

  • forces a clear separation of roles and responsibilities.

  • incorporates business processes that enforce compliance for both external regulatory issues and internal policy compliance.

ERM and People

Studies have shown that successful managers have a propensity for taking risk. At the same time the driving force behind risky and rash decisions is risk aversion. This occurs because when making decisions, people in both business and life tend to focus more on what they could lose rather than what they could gain.

This drive for success and risk clashes with your internal cultural structures. Pressures that arise from financial accountability often block or send messages to managers to not take risks. As a direct result only a crisis forces most managers to take anything more than an ordinary risk.

Bureaucratic corporate cultures in larger organisations discourage risk taking. Managers in big companies take fewer risks than managers in smaller companies. When making a risky decision many managers have trouble figuring out how much data is sufficient and how much is overkill. Greed and jealousy cloud rational judgement and can lead to risky behaviours that have nothing to do with taking a risk.

In the end how often you have successfully risked and “won” in the past affects your ability to take a risk in the future.

Strategic Risk Management

The strategic management of risk taking is the latest twist on ERM. Strategic risk management is a process of identifying, assessing, and managing risks and uncertainties that are affected by internal and external events that could inhibit an organisation’s ability to achieve its strategy and strategic objectives. Its ultimate intent is to create and protect shareholder and stakeholder value, and it is a primary component and necessary foundation of ERM. In risk management you must understand the risks that shape your firm’s corporate strategy and the chosen tactics to implement that strategy.

Companies are adopting strategic risk management because they recognise that a great strategy will lead to sustainable success. The primary function of the board of directors is to oversee the development of strategy and its ethical execution. As risk management becomes a key agenda item for boards, connecting the strategy to the risk management effort is a natural progression. In strategic risk management an organisation must define and assess those key risks that can prevent it from achieving those strategic plans. This is accomplished by establishing key performance indicators, along with key risk indicators.

The steps of strategic risk management generally match those of ERM:

  • Step One. Assess the maturity of the organisation to achieve a deep understanding of the strategy and related risks.

  • Step Two. Gather views and data on strategic risks.

  • Step Three. Review the process for identifying risks in the strategy setting process.

  • Step Four. Review the process for measuring and monitoring the organisation’s performance.

  • Step Five. Develop an ongoing process to periodically update the assessments of strategic risks.

ERM and Growth

One strategic goal common to numerous organisations is growth. Although not a strategy by itself, the other global strategies embarked on by the executive team will hopefully lead to sustainable and ethical growth. However, as you realise, growth carries costs you may not be able to afford.

Risk in Emerging Markets

According to the Multilateral Investment Guarantee Agency’s report, World Investment and Political Risk 2010, over the next three years the most commonly cited political risks while doing business in developing nations include

  • breach of contract (51%).

  • regulatory changes (43%).

  • transfer and convertibility restrictions (41%).

  • not honouring sovereign guarantees (32%).

  • civil disturbance (31%).

  • expropriation (22%).

  • terrorism (19%).

  • war (10%).

Onward

As a direct result of the damage to the U.S. financial systems, boards and executives are taking risk management seriously. However, implementation of risk management is in a very immature stage, particularly in small and mid-sized organisations.

Companies are just starting to become aware and proactive in revisiting risk management, but the transformations are slow in coming. At long last corporate directors in some industries have elevated risk awareness as something that must be on the executive team’s continuing agenda. Risk management has taken many forms: simple awareness, informal programmes and corporatewide ERM.

A survey sponsored by CFO magazine and conducted by Towers Perrin found that companies are more interested in systematic solutions to risk management than they have been in the past. Nearly half the respondents expect to implement broad changes to their risk management policies and practices that will affect both the shop floor and board. The jury is still out on whether ERM will be part of every organisation’s culture.
