Enterprise risk management: A progressive approach

Size: px

Start display at page:

Download "Enterprise risk management: A progressive approach"

Elmer Gilmore
5 years ago
Views:

1 Enterprise risk management: A progressive approach

2 Background The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has commissioned and published standards on enterprise risk management titled Enterprise Risk Management Integrating with Strategy and Performance. This framework is as an update to the earlier framework, Enterprise Risk Management Integrated Framework (2004), and is a welcome change given the evolving expectations of boards, the rapid changes in the business environment, technology advancement and complexity of risks. This article aims to explore the changes in and expectations of the new enterprise risk management (ERM) framework by looking at some of the common myths which have emerged in the past few months since the publication of the new ERM framework. As per the 2017 guidelines, ERM is defined as [t]he culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value. Before decoding this definition, let us look at the rationale behind the new ERM framework and some myths surrounding it, before coming back to the definition in order to understand the changes and its impact. Change drivers A glance at the definition reveals a few obvious drivers behind the need for changing the 2004 ERM framework. That said, it is important to understand the background as well as some of the other less obvious drivers. The new ERM framework was developed over a period of three years and took into consideration feedback from some of the largest and most complex businesses across the world. The COSO ERM team conducted surveys and research on the expectations from an ERM function and the challenges faced by an ERM function in working effectively. These efforts led to the development of a more evolved and future-oriented ERM framework. Some of the key drivers are listed below With the change in governance requirements, stakeholders across the organisational value chain are seeking greater transparency and accountability. There is a need for more insight-driven decision making to understand the risks and capabilities that provide a business edge. As businesses evolve and become complex along with corresponding risks, boards expect more from their organisation s ERM practices and capabilities. There is greater reliance on information and communication from the ERM functions. The risk function is expected to support optimisation of business opportunities quickly. Businesses expect the ERM framework to drive improvements and not just offer protection. In light of recent events, learning, adaptation and deployment of risk strategies are expected to occur quickly.

3 Myths The 2017 ERM framework is surrounded by its fair share of speculation and myths. Some of the critical ones are addressed below. The 2017 ERM framework is an enhancement of the 2013 Internal Controls Framework and is hence similar to the 2013 framework: The most common misconception around the 2017 framework is that it is similar to or an improvement of the 2013 framework. In reality, the 2017 framework is nowhere close to the 2013 one. The latter focuses on internal controls, whereas the 2017 framework focuses on risks at an enterprise level. It is much broader and addresses risk at a different level. On the other hand, the 2013 framework is more about principles and practices from a governance perspective and provides guidance around the same. The 2017 ERM framework is actually an update to the 2004 ERM framework. This change in standards will require organisations to scrap the existing ERM framework: The 2017 framework is exhaustive and future-oriented. Adopting this new framework will mean leveraging the existing ERM framework and enhancing it with the additional elements that have been highlighted in the new framework. The new framework talks about 5 components (and 20 underlying principles): Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, Information, and Communication & Reporting. The third component (Performance) is where a large percentage of organisations would have made efforts in the past few decade(s). However, for more holistic ERM implementation, each component and its underlying principle would need to be embraced. Source: Enterprise Risk Management Integrating with Strategy and Performance An ERM function cannot be integrated with other functions, is a dedicated function and needs to be independently enforced: The new ERM framework quite clearly articulates the role of the ERM function through its 5 components and 20 principles. Of the 5 components, component 2, namely Strategy & Objective-Setting, explains through its principles how risk management and risk management practices need to be integrated within the business. In fact, it highlights the importance of involving the risk management function in the strategic decision-making process in order to unlock potential business value. ERM is a one-way practice of risk assessment and reporting, owned and managed by the ERM function, which requires significant investment: The 2017 ERM framework requires a big mind-set shift from the earlier understanding and experience. It will possibly require some to unlearn past ERM practices and require business and risk professionals to fully grasp ERM in its new avatar. Like the previous myth, this myth necessitates a broader and integrated approach towards risk management. To draw a parallel, information technology (IT) had traditionally been viewed as a function which helps drive the organisation to conduct its business that is, a support function. Over the last few years, this has completely changed and IT has become a core function. ERM frameworks and practices have also matured over the past few years and are no longer the responsibility of one function. Risk management is not only about risk assessment and is certainly not about reporting alone.

4 Instead of focusing only on the investments required from a resource or technology perspective, organisations should look at enhancements in risk culture, which have gained tremendous interest in recent years. Risk culture should be viewed as a critical element for every organisation to achieve its strategic and business objectives. In recent years, there have been models where an efficient and effective ERM function is supported by mature ERM practices and often operates on lean investments and leverages the business functions in its ERM activities. ERM is about risks and protecting value: The traditional concept of ERM was about identifying risks in the business environment and addressing them through mitigating controls. The new framework completely changes this view and puts risk management right up the value chain and as part of board room discussions. Component 2, namely Strategy and Objective-Setting, talks about integrating risk management with strategy formulation/discussion and thus puts this myth to rest. This is a big step up as the risk management function is expected not just to protect existing value but also to participate in important discussions in order to unlock the potential of opportunities by taking into consideration the capabilities the organisation is geared to demonstrate. Risk appetite is only about monitoring tolerance breaches: Traditional approaches focus on gathering data/ information, assessing it and measure it against set thresholds to identify a breach or potential breach. The new framework urges organisations to go beyond this approach and integrate risk appetite discussions into the decisionmaking phase. This allows the business to consciously consider risks and their impact, and create a measuring mechanism to derive value from this exercise. The new framework involves deeper analysis of breaches to understand how and where the strategy or the implementation of the strategy resulted in the breach rather than just reporting on risk appetite values. A business cannot talk itself out of risks; instead, it needs to analyse and assess them and take action. Risks result from absence of control or existence of ineffective controls, are about quantification of losses and can be measured only with models, and are bad and should be reduced to zero: Interestingly, risks are good, as without risks, no organisation would be able to achieve its growth objectives. Risk management is not about eliminating all risks but understanding them better and taking decisions which will result in actions which help the organisation achieve its objectives. Many organisations define risk as the absence of control or ineffectiveness of control instead of looking at it as a challenge to achieving business objectives. Treating risks as absence of control results in building long/bulky risk repositories which are often difficult to manage and communicate to the business teams. Key takeaways and considerations from the new 2017 ERM framework The new 2017 framework, Enterprise Risk Management Integrating with Strategy and Performance, provides a tremendous opportunity for organisations of every size and complexity to unlock potential through their risk management functions. This framework allows risk professionals to take risk management practices to a new level and make them a critical part of their organisation s strategic objectives. We have highlighted some key elements which will define the risk management functions of the future: The new ERM definition introduces culture, involvement in strategy setting and creating value as part of the risk management agenda. The enhanced framework will lead to a positive outlook towards risk management by preparing businesses for the future and helping them to understand and decode how risks impacts business in a positive manner. A hurdle most organisations will need to tackle is changing the traditional mind-set of risk managers and business functions so that they begin to view risk as a strategic opportunity to achieve business objectives more effectively. A hurdle most organisations will need to tackle is changing the traditional mindset of risk managers and business functions so that they begin to view risk as a strategic opportunity to achieve business objectives more effectively. Risk management will no longer be about merely reporting information; rather, it will be about focusing on an issue and understanding where it is occurs, why and what are the challenges to overcoming the same. Increasing involvement of risk managers in the achievement of an organisation s business objectives will mean that risk managers know the business better than business personnel who look at it in silos. Risk management is not just about creating a hedging strategy against a risk but also converting that risk into an opportunity. In conclusion, the future of risk management is changing for the better by moving away from silos. The expectations of the board and senior management are increasing with the changing business environment and this presents risk professionals an opportunity to walk with the business to achieve the ultimate organisational objectives. Innovation in risk practices with use of technology and enhancing risk awareness through conscious efforts towards building an organisation s risk culture will be the focus for the coming years.

5 About PwC At PwC, our purpose is to build trust in society and solve important problems. We re a network of firms in 158 countries with more than 236,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India s service offerings, visit PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see for further details PwC. All rights reserved Contact Us Vivek Iyer Partner Financial Services- Risk Assurance Services M: vivek.iyer@pwc.com Vivek Iyer is a Financial Services Risk Assurance leader based in Mumbai. He has over 13 years of experience with specialization in governance, risk and compliance in financial services space.vivek has worked with most of the leading organizations in BFSI space and also regularly works back with the regulators on matters of industry importance in the Banking and Capital Markets domain. Dnyanesh Pandit Director Financial Services-Risk Assurance Services M: dnyanesh.pandit@pwc.com Dnyanesh Pandit has over 13 years of experience in Governance, Risk and Compliance in public and private companies across Banks, NBFC s and Insurance companies. He has also been part of multiple, large and complex risk transformation projects across public and private sectors in India, USA, Middle east and Asia. pwc.in Data Classification: DC0 This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take PricewaterhouseCoopers Private Limited. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity. PD/Jan

Technology Consulting Logistics Analytics Solutions

Technology Consulting Logistics Analytics Solutions www.pwc.in Logistics sector: Shifting patterns Transportation and logistics are currently confronted with many challenges, which bring risks as well