Stephen J. Mallory ICD.D FCIP CRM BA
Risk and Insurance Industry Executive, Experienced Board Member, and Risk & Governance Committee Chair; Instructor of Risk Management at the Institute of Corporate Directors in the Master's in Financial Accountability Program at York University, and with the Governance Professionals of Canada
Following the financial crisis of 2008–2009, much criticism was directed toward boards for failing to properly oversee risk. Not only did the lack of risk management and oversight contribute to a massive erosion of corporate value, but boards, including independent directors, were exposed to much anxiety and personal liability. Since then, boards have devoted more attention to risk management and to their board charters, which in many cases hold them responsible for overseeing the management of the principal business risks of their organizations. Not surprisingly, ERM has since become a popular discipline practiced around the globe and recommended by the governing bodies of numerous industries, notably the financial services, healthcare, and government sectors. National accounting institutes now guide constituents on managing and overseeing risk, such as with the Chartered Professional Accountants (CPA) of Canada's “A Framework for Board Oversight of Enterprise Risk,” first introduced in 2012 and since updated.[1]
Director institutes are now routinely training new board members on overseeing risks, and university-level risk-related undergraduate and master's business programs are now offered around the world to students of all ages. In the last decade, risk-related offerings by professional services firms have become widely available. Online material is available to assist interested leaders in overseeing and managing risks, such as at North Carolina State University (NC State), which publishes volumes of risk research, openly accessible at no charge to any interested party.[2] Further, various simplified frameworks are available to guide organizations on setting up formalized risk management, such as the recently re-released ISO 31000:2018[3] and COSO's Enterprise Risk Management Integrated Framework, updated in 2017.[4]
With so much awareness, education, and information available, formalized risk management should now be readily adopted by most organizations worldwide, and the business world should be well prepared for the next financial crisis. Yet the statistics indicate otherwise. The 2018 survey of 484 corporations across the United States, prepared by the American Institute of Certified Public Accountants (AICPA) and NC State's ERM Initiative, reveals that while “most boards of directors (68%) are putting pressure on senior executives to increase management involvement in risk oversight … [yet only] … thirty-one percent of organizations (48% of the largest organizations) have complete ERM processes in place.”[5] Moreover, “Only 29% of the organizations' board of directors substantively discuss top risk exposures in a formal manner when they discuss the organization's strategic plan.…” The statistics are similar in Canada and in other industrialized countries. The good news is that adoption has increased since a decade ago, when the practice of ERM was in its infancy. Those astute leaders who are implementing ERM are not only taking positive action to mitigate potential erosion of entity value, but they are reducing the potential liabilities of directors and executives alike. But further progress is required.
So why is the implementation of ERM so slow in coming? In my experience from having served on boards, including as risk committee chair, and from having instructed ERM to hundreds of board members and senior executives, the answer is simple: Leadership from the top results in effective risk management, yet many directors and executives don't understand ERM, nor can they determine if it is fully in place in their organization, nor do they know how to implement it. Hence, if ERM isn't understood, it can't be led. Consider the workings of a properly functioning audit committee at the board level, with most members well-schooled in finance, likely having led and managed senior finance executives. These audit committee directors have held finance jobs and are well equipped to oversee financial executives at the management level. In the risk world however, fewer leaders have had risk-related jobs and are less qualified to implement and oversee a practice they've never learned.
While much excellent material has been written in academia about ERM in philosophical and conceptual terms, little has been written on the practical steps necessary for simple implementation and oversight of ERM at the board and executive levels. Take, for example, the widely heralded article by Robert Kaplan, cocreator of the famous Balanced Scorecard management system, entitled “Managing Risks: A New Framework,”[6] published by the Harvard Business Review. Kaplan categorizes three levels of risk, giving readers a high-level conceptual approach to risk management. Readers of the Kaplan article will conclude that his approach is innovative, but that a more practical guide on how to easily actualize these excellent concepts is also needed. Short of taking crash courses, directors and executives simply do not have time to read through hundreds of academic pages on technical risk management details, nor do they typically have the experience in ERM to translate conceptual models into actionable steps. What is needed is a summary of best practices, a step-by-step outline of the core fundamentals, so that board members know how to fulfill their role in risk oversight and executives know what to manage.
In short, ERM is a complex subject, but this chapter provides a concise summary for board members of what they need to understand, steps to oversee risk management, and the role management must play for ERM to work.
In overseeing risk management at the board level, directors need to ensure that processes are in place to identify, measure, and manage key risks. Hence, to effectively undertake this responsibility, the board must understand, at least at a high level, the mechanics of ERM. This section explains how ERM works and, read in conjunction with the Gap Study in the Appendix to this chapter, distills ERM into five ERM Elements and four ERM Fundamentals. To assist the board in determining what practices are in place, it is suggested that management complete the Gap Study and present it to the board as a snapshot of current risk management practices, or the lack thereof.
As with other corporate systems, organizations often deploy a “framework” to guide the implementation and maintenance of ERM. The world's two leading risk frameworks differ in approach, but both prompt focused priority on those risks which most affect organizational objectives/goals. Risks which don't significantly impact organizational objectives are less important. The definition of “risk” from the International Standards Organization (ISO) was derived after consultation and input from many countries globally and is stated as “the effect of uncertainty on objectives.”[3] This definition is contained in the ISO standard referred to as ISO 31000:2018, one of ISO's most purchased documents/standards globally. Similarly, “COSO” (Committee of Sponsoring Organization), a popular standard in the United States used frequently by large financial institutions, defines ERM as “a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.…”[4] Notice the focus (emphasized by the writer) within both standards on those key risks which impact objectives. Impact on objectives is a key determinant of the importance of a risk.
The Risk Polygon model in Figure 31.1 shows the top risks of ABC Corporation (a fictitious company) each aligned with the corporate objective these risks could most impact. A polygon is a multisided object; hence if the organization has three corporate objectives, the Risk Polygon becomes a triangle, and if the entity has eight corporate objectives, the Risk Polygon becomes an octagon, and so forth. In Figure 31.1, ABC Corporation has five corporate objectives; hence its Polygon becomes a pentagon, with each corporate objective shown inside the center. Outside the Polygon are the key risks most impacting that objective.
From Figure 31.1, each corporate objective should be measurable via specific metrics and/or KPIs, such as “Net Annual Operating Income > X%,” or “> 90% Employee Engagement.” Key definitions are highlighted in bold in the following two paragraphs.
Following a Risk Identification exercise, the executives of ABC Corporation align each risk with the ABC objective it is most likely to impact. Next, through a Risk Assessment exercise in which the entity rates the numeric Impact of each risk on the corresponding objective and considers the Likelihood of the event, risks are ordered in priority from 1 to 20. Risks are also rated on the Perceived Effectiveness of Control Plans. A Risk Register is created with risks prioritized by Severity, usually with a focus on the Top 10. This exercise is repeated on a scheduled basis. A Risk Polygon is created and becomes a simple, easy-to-understand snapshot of the Risk Register for use by the board, the executives, and the risk practitioners (CRO, risk manager, or dedicated executive risk champion). A Corporate Risk Profile report is created periodically (such as annually) to summarize the state of risk at the entity. Now with everyone on the same page, the organization can analyze the Polygon, determining things such as: the Interconnectivity of Risks, and which risks may cascade and impact more than one objective; Risk Clock Speed (the time available to anticipate and react to an occurrence)[1]; the Risk Controls needed to mitigate the key risks; the Risk Owners for each key risk, ideally the executives of the organization; and the numerous other “Actions” (shown in the Appendix, Gap Study) necessary to oversee and govern the risks of the organization. Depending on the complexity, risk software is utilized to roll up, monitor, comply with requirements and timelines, and report on risk.
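The Risk Register and Risk Polygon steps above can be made concrete with a small script. The following is an added example and is not code from the chapter or from any risk software it mentions; the chapter gives no scoring formula, so the 1 to 5 scales, the assumption that Severity is Impact multiplied by Likelihood, the rule that control effectiveness discounts the inherent score, and the objectives, risks and owners of “ABC Corporation” are all constructed for illustration. It ranks risks by residual severity, places each on the polygon side of the objective it most impacts, and flags the interconnected risks that could cascade across more than one objective.

```python
from dataclasses import dataclass

# Constructed sample data for the chapter's fictitious ABC Corporation.
ABC_OBJECTIVES = [
    "Net Annual Operating Income > 8%",
    "> 90% Employee Engagement",
    "Customer Retention > 95%",
    "Zero Material Regulatory Findings",
    "Launch New Product Line in Q3",
]


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str               # objective this risk is most likely to impact
    impact: int                  # 1 (negligible) .. 5 (critical); assumed scale
    likelihood: int              # 1 (rare) .. 5 (almost certain); assumed scale
    control_effectiveness: int   # 1 (weak) .. 5 (strong); assumed scale
    owner: str                   # Risk Owner, ideally an executive
    also_impacts: tuple = ()     # other objectives the risk could cascade into

    def inherent_severity(self) -> int:
        # Assumed formula: Impact x Likelihood (the chapter names no formula).
        return self.impact * self.likelihood

    def residual_severity(self) -> float:
        # Assumed rule: each point of control effectiveness above 1 removes
        # 20% of the inherent score, so 5/5 controls leave 20% of it.
        return self.inherent_severity() * (6 - self.control_effectiveness) / 5


# Constructed risks; cybercrime tops the register as the chapter says it often does.
ABC_RISKS = [
    Risk("Ransomware attack on core systems", ABC_OBJECTIVES[0], 5, 4, 2, "CIO",
         also_impacts=(ABC_OBJECTIVES[2], ABC_OBJECTIVES[3])),
    Risk("Key supplier insolvency", ABC_OBJECTIVES[0], 4, 3, 3, "COO"),
    Risk("Interest rate rise increases debt cost", ABC_OBJECTIVES[0], 3, 4, 4, "CFO"),
    Risk("Loss of senior engineers to competitors", ABC_OBJECTIVES[1], 4, 4, 2, "CHRO"),
    Risk("Workplace safety incident", ABC_OBJECTIVES[1], 5, 2, 5, "COO"),
    Risk("Service outage during peak season", ABC_OBJECTIVES[2], 4, 3, 4, "CIO",
         also_impacts=(ABC_OBJECTIVES[0],)),
    Risk("Single point of failure in data centre", ABC_OBJECTIVES[2], 4, 2, 3, "CIO"),
    Risk("Privacy regulation non-compliance", ABC_OBJECTIVES[3], 5, 3, 3, "General Counsel",
         also_impacts=(ABC_OBJECTIVES[2],)),
    Risk("Product launch slips past Q3", ABC_OBJECTIVES[4], 3, 4, 2, "CPO"),
]


def _severity_key(r):
    # Highest residual severity first; ties broken by inherent score, then name.
    return (-r.residual_severity(), -r.inherent_severity(), r.name)


def build_risk_register(risks, top_n=10):
    """Return (rank, risk) tuples ranked from 1, cut to the Top N."""
    ordered = sorted(risks, key=_severity_key)
    return [(rank, r) for rank, r in enumerate(ordered[:top_n], start=1)]


def build_risk_polygon(objectives, risks):
    """Map each objective (one polygon side) to its risks, most severe first.

    A risk that references an objective the entity has not defined cannot be
    placed on any side, so it is rejected rather than silently dropped.
    """
    known = set(objectives)
    for r in risks:
        for obj in (r.objective, *r.also_impacts):
            if obj not in known:
                raise ValueError(f"{r.name!r} references unknown objective {obj!r}")
    polygon = {obj: [] for obj in objectives}   # len(polygon) == number of sides
    for r in sorted(risks, key=_severity_key):
        polygon[r.objective].append(r.name)
    return polygon


def cascading_risks(risks):
    """Interconnectivity check: (name, objectives touched) for risks that
    could impact more than one objective, most connected first."""
    multi = [(r.name, 1 + len(r.also_impacts)) for r in risks if r.also_impacts]
    return sorted(multi, key=lambda t: (-t[1], t[0]))


def format_register(register):
    lines = ["Rank  Resid  Inh  Owner            Risk"]
    for rank, r in register:
        lines.append(f"{rank:>4}  {r.residual_severity():>5.1f}  {r.inherent_severity():>3}  "
                     f"{r.owner:<15}  {r.name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_register(build_risk_register(ABC_RISKS)))
    for objective, names in build_risk_polygon(ABC_OBJECTIVES, ABC_RISKS).items():
        print(f"\n[{objective}]")
        for n in names:
            print("  -", n)
    print("\nCascading risks:", cascading_risks(ABC_RISKS))
```

Running the script prints the Top 10 register, the five-sided polygon with each objective's risks, and the cascading list. The discount for control effectiveness is the point a board should probe: a risk with a high inherent score and a low control rating (ransomware here) stays at the top of the register even after controls are credited, which is the pattern that warrants a board deep dive.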
Roles of the board and management are often documented in a Framework or ERM Policy (a document approved by the board defining roles, purpose, mandate, timing and format of board reporting, and Risk Appetite). The board then designates a board committee which has the appropriate expertise, and such committee(s) oversee the activities and actions they consider to be material. Risk committees at the board and management levels can plan the quarterly activities they wish to focus on via annual calendars. A Qualified Risk Director often leads board risk oversight.
Board risk oversight is one of five ERM Elements, essentially five components of successful ERM programs. Proper board risk oversight requires ensuring that the other four elements are in place. The five elements are described in brief below and are also listed in checklist form in the Appendix, the Gap Study, which lists “Actions” for each and shows who is responsible (i.e., board or management). Please see Figure 31.2.
The following four ERM Fundamentals, essentially basic requirements for risk program survivability, need to be in place to ensure that risk management is sustained[7] over the long term:
Board risk oversight is typically mandated in an entity's board charter, or within a board committee charter (i.e., often Audit or Governance). Board charters often use language such as “The Board shall oversee the management of the organization's principal business risks….” Hence, the board's role in ERM is generally to oversee and understand the executive team's processes, and this requires that the board perform its duties via a structured approach, enlisting directors with the required skillsets.
This section defines for boards seven key “Actions” (what to do) with a corresponding “Approach” (how to do it) in setting up risk oversight at the board level. Also listed is “Responsibility” (i.e., whether board or management is responsible for each Action). Effective board risk oversight is one of the five elements of ERM and must occur simultaneously while the other four elements are being coordinated.
Table 31.1 DICO's Role of Board and Management in ERM
Source: Deposit Insurance Corporation of Ontario (DICO), “Enterprise Risk Management Framework, January 2018, Standards of Sound Business and Financial Practices.”[12]

| The Board of Directors Governs the Risk Profile of the Credit Union | Management Takes Action to Manage the Risks to an Acceptable Level |
| --- | --- |
| Oversees the ERM framework, gains assurance on its effectiveness | Develops processes to implement Enterprise Risk Management in the credit union |
| Establishes, approves, annually updates governing policy on Enterprise Risk | Assigns responsibilities for risk ownership, monitoring of risk, risk reporting |
| Articulates risk appetite/risk tolerance in policy | Identifies process to develop risk profile |
| Gains understanding of overall risk profile of credit union at inherent and residual levels | Implements processes to develop risk profile and to assess the severity of each risk |
| Gains understanding of significant risks at inherent and residual levels | Implements processes to determine risk responses are in place and identify if further action is required |
| Understands level of risk absorber (capital) in relation to aggregate residual risk of credit union | Determines level of risk absorber (capital) in place, makes recommendations where it is not sufficient |
| Approves acceptance of residual risks or directs additional risk response action where residual level is in excess of established risk appetite/tolerance | Reports to board on the risk profile of the credit union, including significant risks at the inherent and residual level |
| Gains assurance that management has undertaken the risk responses as outlined | Takes action, monitors to ensure risk responses operate effectively and continuously |
| Monitors risk indicators for known significant risks on a quarterly basis and more frequently on specific risks when issues arise | Presents periodic reports to board which present risk indicators and level of risk by categories |
| Monitors emerging risks and discusses implications with management | Presents information to board on emerging risks |
Another simple test is the “RIMS Risk Maturity Model”[13] available from the Risk and Insurance Management Society (RIMS). Organizations can take this quick survey to determine how deeply entrenched ERM is in their organization. Per Adrian Castillo Cisneros, enterprise risk manager for CEMEX, a global building materials company, “Our organization has benefited from RIMS by using the RIMS Risk Maturity Model. With that tool, we found out the areas of opportunity we still have, along with our current status (half-way to full maturity).”
A more formal approach is to have internal or outside experts create a roadmap outlining which of the steps (such as those in this chapter) have been completed and which new steps are to be scheduled in the future.
ERM requires a top-down effort, with management leading the process and the board supporting and overseeing the important steps. This requires proactivity and a good understanding of the key Elements and Fundamentals. An example of the need for board proactivity is cybercrime—this risk currently tops the risk registers of many organizations. Despite regular news stories of ransomware attacks freezing the sophisticated computer systems of major organizations, and reports of the increased presence of state-sponsored cyberterrorism, 44 percent of the 9,500 executives surveyed in PwC's 2018 Global State of Information Security Survey say they don't have an overall information security strategy.[14] The solution for boards of directors, as proposed by PwC, is to “focus on getting the right information and building relationships with the company's tech and security leaders so you get a better sense of whether management is doing enough.” Reducing the exposure to cyber risks requires active management by the organization and is enhanced by a deep dive by the board.
As with effective cybercrime mitigation, effective control of other top risks is best driven by a deep understanding by the board and a regular liaison with management. For executives, ERM is a structured and systematic discipline which can align the entire organization to manage its risks. Leadership from the top results in empowerment of the risk practitioners. Strong support from the chair and CEO is a critical starting point for building a successful and lasting ERM program.
This chapter and the Risk Polygon methodology outline best practices, key “Elements,” and important “Fundamentals,” which if adopted will lead to better preservation of organization value, more predictability, and enhanced likelihood of attaining organizational objectives.
A starting point is to use the Gap Study in the Appendix at the end of this chapter to benchmark the state of ERM at your organization versus the best practices addressed in this chapter.
Stephen (Steve) Mallory ICD.D, CRM, FCIP, brings close to 10 years of experience on Canadian Federal Government (Crown) Corporation boards. He served from 2012 to 2017 on the board of VIA Rail Canada including as chair of the Governance, Risk and Strategy Committee, and was on the Pension Investment Committee. Previously he served from 2008 to 2012 as a director with the Standards Council of Canada and sat on the Audit Committee. He led board risk oversight on both boards and has served since 2011 on Canada's CSA/ISO/TC262 Project committee: Risk Management.
He teaches Enterprise Risk Management at the Institute of Corporate Directors across Canada; at York University in Toronto in the Master's Financial Accountability program; and with the Governance Professionals of Canada.
Steve is principal of Directors Global Risk Consulting Inc., a Toronto-based firm which provides enterprise-risk-management advice for organizations located across Canada. He also advises clients at Benson Kearley IFG, a top Canadian insurance brokerage. Prior to founding his own firm in 2007, he served as CEO and region head within two of Canada's largest insurance brokerages.
Steve is regularly quoted in business publications and has led various charitable initiatives, including funding for water wells supplying nourishment to 15,000 people in Africa.
Special thanks to the following people who have provided extra support, advice, and guidance in the writing and review of this chapter, and/or who have provided inspiration on the subject of ERM: Andrew Poprawa, Regulator and Independent Director and Board Chair; Michael Murphy, Risk and Internal Audit Professional; William Thomson, Independent Director and Board Chair; John Fraser, Risk and Internal Audit Professional and worldwide leader in ERM.
This Gap Study is a tool for boards and executive teams to gauge if the key steps and best practices in ERM exist at their organization and/or on their boards. The Gap Study checklist should be completed by an internal or outside expert to compare existing behaviors versus ideal/best practices, reporting back to the board and executives. This Appendix also serves as a summary of the Five Elements.
| Element | Action | Approach | Primary Responsibility | Current Practice at Our Organization |
| --- | --- | --- | --- | --- |
| Element #1: EDUCATION | | | | |
| Education | Educating Directors and Executives | Providing opportunities for Risk Education for Executives and Board members | Board & Management | |
| Education | Learning on Topical Matters | Introduction of Executive Team & Board to ERM, regular updates to ERM/Pre-Reading/Case Studies | Board & Management | |
| Element #2: PROCESS | | | | |
| Process | KPIs & Objectives | Determine KPIs for Entity Objectives | Board & Management | |
| Process | Stakeholders/Context | Identify Stakeholders, understand “Context” via SWOT or other Environmental Risk Analyses | Management | |
| Process | Risk Identification | Process used to identify the organization's risks | Management | |
| Process | Risk Assessment | Process used to assess the organization's Risks | Management | |
| Process | Risk Controls/Risk Response Plans | Creation and maintenance of Risk Control Plans to mitigate top risks | Management | |
| Process | Risk Owners | Assigning accountability to Executives for controlling key Risks | Management | |
| Process | Corporate Risk Profiling (CRP) & Risk Register | Create periodic CRP reports with a Risk Register, to be used for reporting to Board and to Executive Team | Management | |
| Process | Monitoring/Key Risk Indicators (KRIs) | A process to oversee, track, and measure significant matters and key risks, to be summarized in Reporting to Board and Management | Management | |
| Process | Reporting to Management | Reporting to the Management Risk Committee on Risk Matters by internal or external subject matter experts | Management | |
| Process | Risk Technology | Utilize a risk technology platform for managing risk, reporting, and tracking accountability in Control Plans | Management | |
| Process | Implementing ERM/Roadmapping | Implementing ERM and planning the rollout | Management | |
| Element #3: GOVERNANCE | | | | |
| Governance | Frameworks/Standards | Utilize a leading Best Practice “Risk Standard” to guide implementation | Management | |
| Governance | Management Risk Committee | Set up, formalize, and actualize the Executive Team's structure for managing risk | Management | |
| Governance | Board Reporting | Develop/Update/Utilize Board Reporting tools such as: Risk Polygon; Risk Registers; KRIs (Key Risk Indicators) for reporting quarterly/semi-annually or on another basis | Board & Management | |
| Governance | ERM Policy | Develop/Update the organization's “ERM Policy” Statement | Management | |
| Governance | Guiding Principles | Develop/Update “Guiding Principles” as an Addendum to the ERM Policy | Management | |
| Governance | Risk Roles | Develop/Update and actualize risk roles for Board, Executive Team and in-house Risk Practitioners, as outlined in the ERM Policy | Board & Management | |
| Governance | Risk Culture | Build a culture of risk management in the organization | Board & Management | |
| Governance | Risk Appetite & Risk Tolerances | Develop/Update Risk “Appetite” and “Tolerances” | Management | |
| Element #4: OVERSIGHT | | | | |
| Oversight | Qualified Risk Director | Ensure the board has at least one director who is experienced in ERM and who can lead board risk oversight | Board | |
| Oversight | Protecting Independent Directors | Create opportunities for IDs (independent directors) to question the risks and processes of the company | Board | |
| Oversight | Board's Role in Risk | Formalize and actualize the Board's Role in Risk Oversight, including approving Appetite and the ERM Policy | Board & Management | |
| Oversight | Board Risk Committee Structure | Set up a Board Risk Committee and/or subcommittee | Board | |
| Oversight | ERM Maturity, Board Oversight | Use the “Gap Study” and “Road Mapping” to determine progress in developing ERM | Board & Management | |
| Oversight | Executive Compensation | Align Executive Compensation with performance on Risk Management milestones | Board & Management | |
| Oversight | Board Workshops | Board risk workshops, giving directors an opportunity to review, comment and provide input on the Corporate Risk Profile and other elements of ERM | Board & Management | |
| Element #5: STRATEGY | | | | |
| Strategy | Establishing Entity Objectives (Metrics based) | Establish formal Objectives with Measurable KPIs | Board & Management | |
| Strategy | Oversight of Risk Alignment with Strategic Objectives | Overcoming Operational Bias and Alignment of Risks with the key “Strategic” Objectives | Board & Management | |
| Strategy | Key Decisions/Risk Assessments | Key Decisions of Management require a corresponding Risk Assessment | Board & Management | |
| Strategy | Strategic Plan/Risk Component | Include a risk component in the strategic planning process | Board & Management | |
| Strategy | Performance Management | Assess risks relating to Performance, Budgeting, Score-carding | Management | |