Customizing Enterprise Risk Management


Published on Business Finance
by Joanne Sammer
Created 05/01/ :00

When the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its enterprise risk management integrated framework in 2004, the document received a warm welcome from companies looking for better ways to identify and manage the myriad risks they face. And because the framework integrates internal controls and enterprise risk management (ERM), it seemed a perfect fit for organizations looking to leverage the work they were already doing to comply with the Sarbanes-Oxley Act. At the very least, the framework has raised awareness at the senior executive and board levels about the need for companies to understand the key risks they face, measure their tolerance for those exposures, develop a process to manage them and ensure that their risk profile is regularly updated.

"The COSO framework has been a lever that has pushed those efforts further along," says Michael Chagares, a director with Mercer Oliver Wyman, a financial services strategy and risk management consulting firm headquartered in New York City. "It has gotten companies to think about risk in a more strategic way. And if they understand risks better and how those risks align with objectives, they can manage those risks better and close gaps in order to achieve objectives with more predictability and less volatility."

But while most observers agree that the framework has had a positive impact on the prevalence and effectiveness of ERM, some experts point out that risk management executives might be tempted to treat the COSO framework as just another compliance requirement or as a shrink-wrapped solution to risk management problems that are complex and unique to each organization. It is neither of those, and companies need to carefully calibrate this risk management tool to get the best results.
No Turnkey Solution

The COSO ERM framework builds on an earlier tool from the same organization, its internal control integrated framework, to coordinate risk management, internal controls and enterprise performance management. However, unlike the internal control framework, the ERM framework includes a process for setting objectives. It also helps companies identify exposures and allocate resources to manage them.

"Companies get the most benefit from ERM when they evaluate risk as part of strategic planning," notes Miles Everson, a partner in PricewaterhouseCoopers' advisory services practice in New York City. "ERM needs to become part of the way the company runs the business. Therefore, companies should not just add a separate ERM process; they should modify the existing strategic planning process to incorporate ERM."

James Lam, president of James Lam & Associates, a risk management consulting firm based in Wellesley, Mass., warns against treating the COSO ERM framework as a turnkey risk management solution. "The usefulness of any framework is to provide structure so that companies can design processes and procedures within that structure to accomplish their goals," he says. "Companies are not well-served by taking the framework off the shelf and fitting their requirements into the framework. The framework needs to be adapted to the company's internal requirements."

1 of 5 11/25/09 10:37 AM

For example, in Lam's view, the COSO ERM framework doesn't place enough emphasis on classifying risks or identifying key risk indicators, both of which are instrumental in providing the information needed to support management decision-making. Many companies will need to modify the framework or develop their own ERM programs to ensure the availability of that information. "The COSO ERM framework alone will not get you to where you want to be," observes Lam.

Adapting the Framework

For insight into ways to adapt the framework to meet their needs, companies can look to the pioneers -- businesses that implemented enterprise risk management before COSO published its ERM framework. Some of these organizations developed ERM independently; others adapted and expanded the COSO internal control framework to suit their needs. And some gleaned insight from the COSO ERM framework while it was still in the works.

When The PMI Group Inc., a Walnut Creek, Calif.-based provider of credit enhancement products and lender services, implemented ERM several years ago, it used the COSO internal control framework as a basis for its efforts. The starting point for the initiative was a clear definition of enterprise risk management and the essential components of an ERM framework, such as the various risk categories. The company began implementing the framework within its subsidiaries using a top-down risk assessment that started at the executive level. Then, to make sure it hadn't missed anything, The PMI Group also implemented a bottom-up assessment to determine whether line managers and employees were dealing with risks that required attention but were not apparent at the executive level. The results were gratifying. "When the COSO ERM framework did come out in 2004, we compared it to our own framework, but there wasn't anything that we missed and would consider adding to ours," says Joanne Berkowitz, executive vice president and chief enterprise risk officer.
In fact, in Berkowitz's view, the COSO ERM framework doesn't give enough weight to external risks. "If we had used the COSO ERM framework from the beginning of our ERM efforts, we would have had to customize it to focus on our external risks and to develop action plans to address those risks," she says. Whether other companies will have to do that will depend on their industry and the importance of external factors in their success. "In our business, external factors are very important and very industry-specific," she notes.

Capital One Financial Corp. used some components of the COSO ERM framework when it began building its ERM process, even though the final version hadn't been released. "The core concepts of the framework were the starting point, and its value was in providing a holistic view of risk management," says Scott Green, managing vice president of operational risk management with the McLean, Va.-based company. "The framework also provided validation as we built the ERM process, and we used it as a tool to check in and make sure we had the key elements covered." He adds that "essentially, we ended up converting the generic framework to something that works for the company."

Capital One Financial's approach is not unusual. "Most companies modify the framework and adapt it to their unique circumstances," says Everson. "Every company is different and has different programs and initiatives. The key is to use the framework and the principles to make sure ERM efforts are on target and to gain momentum around identifying, measuring and managing risk."

A Shared Language

Overall, Berkowitz sees significant value in the COSO ERM framework, particularly as a tool to facilitate education and communication about enterprise risk management. "Education is key, and you may have to do a lot of it, depending on the organization," says Berkowitz. "The framework itself makes a good visual and training aid for getting people up the learning curve. When you use it in meetings, people remember it."

Part of the power of the COSO ERM framework lies in its ability to stimulate discussion. "The framework can create another form of communication and lead to the valuable exchange of thoughts and ideas," says John Palmer, managing director of Accume Partners, a provider of internal audit and related risk management services headquartered in New York City. "There often has been no such dialogue within businesses before."

For Capital One Financial, that was a key benefit. In the process of adapting the framework, the company "created a common language and a common understanding of the key elements that are necessary for success in managing risk," asserts Green. That achievement was crucial to the initiative's success because it helped the organization make risk management part of its overall business strategy rather than a separate tactical activity. "The framework has also allowed us to put disparate processes into a single context," Green notes. "This way, everyone can see how activities are organized and integrated rather than viewing those activities as unconnected."

To make ERM even more relevant, Capital One Financial created a set of scorecards for the six elements that serve as the basis for the company's own ERM framework. The scorecards provide an overview of the initiative's progress and help the company determine whether managers and executives are fulfilling their ERM obligations. "This provides more actionable insight, and it improves the management of risk for the business," says Green. "It also gives people the opportunity to practice using the framework and to strengthen their understanding of the framework."

The Implementation Challenge

Using the COSO ERM integrated framework doesn't necessarily make implementing ERM easier. Lam points out that the framework's comprehensiveness can itself be a problem, because a full implementation soaks up a lot of resources. "Companies need to commit the people and systems investment necessary to fully establish the framework within the company," he says.

To begin an ERM implementation, it's a good idea to launch a pilot program based on the framework within a few functional areas or business units. Once that pilot has been running for a while, the company can use the results and feedback from users to revise the framework and modify the program before rolling it out more broadly across the enterprise. Companies should seek input from managers and employees in various departments throughout the organization before adapting the framework. Limiting the framework's design to serve the needs of specific functions -- finance or internal audit, for example -- may reduce its usefulness for other units that have a stake in the success of the program.
During the pilot implementation, the company's focus should be on finding the right balance between qualitative and quantitative data, and between objective and subjective inputs, when it comes to risk identification and management. "Get feedback about whether the framework is useful to the business units and whether it improves decision-making," advises Lam. For example, in their risk assessment activities, business units can use the framework to make decisions about pricing and product management and to determine whether they need cost-of-risk information. When it comes to risk monitoring, they should use the framework to identify and organize data that will help them make better decisions, such as information about the risks involved in entering a new market or pursuing a particular customer segment.

"The best result of using the framework is an improved information flow that gets the right information to the right people so they can make decisions faster and better and ultimately improve the bottom line," observes Trent Gazzaway, managing partner of corporate governance with Grant Thornton LLP in Charlotte, N.C.

How quickly a company achieves its ERM objectives once the full program is in place will depend on its structure and the nature of its business, according to Gazzaway. If a company starts out with strong information flows, it will likely achieve results quickly. Organizations with highly complex and decentralized businesses will realize greater benefits than companies with less complex organizational structures, but they may need more time to get there.

Once a company begins using the COSO ERM framework to guide its ERM initiative, it should benchmark its efforts against those of a peer group, Everson suggests. "Companies may want to stretch how they define a peer, rather than just looking at competitors," he adds. For example, they may want to define "peers" as businesses that have a similar operating model or a similar percentage of revenue sourced from a particular part of the world.

Above all, when using the COSO ERM framework, companies need to clearly understand what it can and cannot do. "There is a perception that the framework will be everything needed, but that is not the case," says Gazzaway. "The COSO ERM framework can provide companies with the assurance of comprehensiveness, but it doesn't tell you how to do something like risk assessment."