Enterprise Risk Management: Developing a Model for Organizational Success
White Paper, January 2009
Overview

Less than a decade ago, Enterprise Risk Management (ERM) was an unfamiliar concept. Today the issue is quickly ascending the agendas of senior executives and shareholders alike, as corporate scandals and globalization challenge the status quo and regulators publish new and updated requirements.

Enterprise Risk Management is a structured approach to aligning strategy, processes, people, technology, and knowledge in order to identify and manage uncertainty and risk. By providing a comprehensive, integrated framework that enables an organization to manage business risk proactively, ERM balances business needs against risk thresholds to increase competitive advantage and shareholder value. ERM definitions vary from source to source, but all contain common themes: a standard risk management process, an integrated view of risks, and a focus on relating risks to business objectives.

What has prompted such unprecedented interest in ERM in recent years? Some of the main drivers include:

- Loss of integrity of audit and financial reporting
- Increased regulatory pressure for risk information
- Accelerated speed of product and service innovation
- Use of open networks in business transactions
- Alignment of the organization to anticipate and leverage opportunities
- Decreased confidence in the accuracy and integrity of system solutions
- Increased security risks
- Volatile market conditions
- Increased shareholder scrutiny
ERM Framework: A Roadmap for Managing Risks

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formalized the ERM process with its landmark publication, Enterprise Risk Management - Integrated Framework. The official COSO definition of ERM is "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." There are countless variations; one easy-to-understand version is that ERM is a company's process to identify, assess, and manage risks that could interfere with achieving any of its corporate objectives.

The definition reflects some fundamental concepts about ERM, including that it is:

- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit
- Designed to identify potential events that, if they occur, will affect the entity
- Designed to manage risk within the organization's risk appetite
- Able to provide reasonable assurance to an entity's management and directors
- Geared to the achievement of objectives in one or more separate but overlapping categories

Figure 1: COSO ERM Framework

Figure 1 shows the COSO ERM framework as a three-dimensional cube. An entity's business objectives fall into four separate but overlapping categories (Strategic, Operations, Reporting, Compliance), shown on the top surface.
The eight components of ERM are shown on the facing surface:

- Internal environment establishes an entity's risk culture and considers all aspects of how an organization's actions may affect it.
- Objective setting reflects the risk appetite of the entity, a high-level view of how much risk the board and management are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
- Event identification differentiates risks from opportunities: events with a negative impact represent risks, those with a positive impact represent opportunities. It addresses how internal and external factors combine to influence the risk profile.
- Risk assessment rates risks by likelihood of occurrence and impact, on both an inherent basis (before any response) and a residual basis (after the response is applied).
- Risk response requires management to decide whether to avoid, accept, reduce, or share each risk, based on the entity's risk appetite, the cost versus benefit of the possible responses, and the degree to which a response will reduce impact and/or likelihood.
- Control activities establish and implement the policies and procedures that ensure risk responses are actually carried out.
- Information and communication ensures that relevant information is identified, captured, and communicated so that people can carry out their responsibilities.
- Monitoring ensures that the ERM program remains effective over time.

Both the objective categories and the components of ERM apply to every level of the organization, from the entity level down, as shown on the side surface of the cube. For ERM to be operating effectively, all eight components must be operating effectively across all four objective categories at every level of the organization. Think of the COSO framework as a Rubik's Cube.
Implementing an ERM Approach

ERM is a continuous process guided by the Executive Committee of the company and overseen by the Board of Directors. The charter for ERM must come from senior management, since it is they who establish the risk appetite and related guidelines for the entity and for each line of business. Companies can develop their own ERM framework or adopt an established one, such as the COSO ERM framework. The nine key steps in the ERM process are shown in Figure 2.

Figure 2: ERM - A Continuous Process

The following points are important when implementing the ERM process:

- The ERM process starts with setting objectives at all levels of the organization and ensuring their alignment.
- Determining risk appetite is a top-down exercise, starting with the board of directors, the executive committee, and business unit leaders. It establishes how much risk the entity is willing to accept in the aggregate, by business unit, by geography, by product line, and by function.
- Establishing a risk framework includes training employees at all levels of the organization in the concepts, definitions, and terminology of the accepted framework, so that everyone shares a common language and understanding for identifying, assessing, and managing risks.

Assessing and Managing Risks

Various tools and techniques are available for identifying and assessing risks, such as scenario ("what if") analysis, modeling, regression analysis, and analysis of historical loss and event data. Subjective evaluation by experienced professionals also plays a part. Typically, risks are assessed along two dimensions: frequency of occurrence and business impact. Critical risks have a relatively high frequency of occurrence and a high business impact, and require an immediate risk mitigation response, such as additional controls. Risks with high business impact but low probability require contingency planning, since they may or may not ever occur (Figure 3). Some examples of these risks are illustrated in Figure 4.

Figure 3: Approach to Risk Assessment and Management

Figure 4: Example of a Call Center Risk Assessment
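As an added illustration (not part of this white paper, and not the contents of Figure 4), the following Python sketch scores a small constructed risk register on the two dimensions just described, computes inherent and residual ratings in the sense of the COSO risk assessment component, maps each residual position to the response the text gives for that quadrant, and flags entries that still exceed an appetite score. The 1-5 rating scales, the "high" threshold of 4, the control-effectiveness model, the responses for the two quadrants the text does not describe, the appetite score, and the sample entries are all assumptions made for the example.

```python
"""Two-dimensional risk scoring (likelihood x business impact) with
inherent vs. residual ratings and a quadrant-to-response mapping.

Added illustration, not from the white paper. Scales, thresholds,
the control model and the sample register are assumptions."""

from dataclasses import dataclass, field

# Assumed: both dimensions are rated 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed quadrant boundary: a rating of 4 or 5 counts as "high".
HIGH = 4


@dataclass
class Control:
    """A control reduces likelihood and/or impact by a number of scale
    points (assumed model); ratings never drop below SCALE_MIN."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int  # inherent rating, before any control
    impact: int      # inherent rating, before any control
    controls: list = field(default_factory=list)

    def residual(self) -> tuple[int, int]:
        """Residual (likelihood, impact) after the listed controls."""
        lk = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        im = self.impact - sum(c.impact_reduction for c in self.controls)
        return (max(SCALE_MIN, lk), max(SCALE_MIN, im))

    def score(self, residual: bool = True) -> int:
        """Likelihood x impact, residual by default, inherent on request."""
        lk, im = self.residual() if residual else (self.likelihood, self.impact)
        return lk * im


def classify(likelihood: int, impact: int) -> str:
    """Map a (likelihood, impact) position to a response. The first two
    branches follow the paper's text; the last two quadrants are assumed."""
    if impact >= HIGH and likelihood >= HIGH:
        return "critical: immediate mitigation (additional controls)"
    if impact >= HIGH:
        return "contingency planning"
    if likelihood >= HIGH:
        return "monitor and reduce frequency"
    return "accept within appetite"


def assess(register: list[Risk], appetite: int) -> list[dict]:
    """Score every risk inherently and residually, classify the residual
    position, and flag entries whose residual score exceeds the assumed
    appetite score. Highest residual exposure is listed first."""
    rows = []
    for r in register:
        lk, im = r.residual()
        rows.append({
            "risk": r.name,
            "inherent": r.score(residual=False),
            "residual": r.score(),
            "response": classify(lk, im),
            "above_appetite": r.score() > appetite,
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def sample_register() -> list[Risk]:
    """Constructed call-center-style entries (not the paper's Figure 4)."""
    return [
        Risk("Telephony platform outage", likelihood=4, impact=5,
             controls=[Control("Redundant carrier", likelihood_reduction=2)]),
        Risk("Agent mishandles customer data", likelihood=5, impact=4,
             controls=[Control("Call recording and QA sampling", likelihood_reduction=1)]),
        Risk("Loss of primary site", likelihood=1, impact=5),
        Risk("Minor call-script errors", likelihood=4, impact=1),
    ]


if __name__ == "__main__":
    for row in assess(sample_register(), appetite=9):
        print(f"{row['risk']:<32} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} "
              f"{'OVER APPETITE' if row['above_appetite'] else 'ok':<14} "
              f"{row['response']}")
```

Running the script shows the point the paper makes about inherent versus residual assessment: the telephony outage and the data-handling error start at the same inherent score, but the redundant carrier moves the outage out of the critical quadrant into contingency planning, while the agent error stays critical and above appetite, so it is the one that demands additional controls.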
The building blocks of ERM architecture, shown in Figure 5, reinforce the fact that the commitment to implement ERM must come from the top of the organization. Adopting a framework provides a common language, so that directors, executives, and the rank and file can discuss risk management without confusion or misunderstanding.

Figure 5: Building Blocks of an ERM Program

Process Management

While managing risk is everyone's responsibility, accountability for the ERM process, both during and after implementation, must reside with a specific individual. Often this person is designated the Chief Risk Officer (CRO). The scope of the CRO role varies, but the position is ultimately responsible for supporting development of the ERM program and for directing the various processes that flow out of it. Employees must be trained in the ERM framework and in the methodologies, techniques, and tools to be deployed. ERM must be managed as a process, not as a point-in-time evaluation. Its importance and continuous nature should be reinforced by integrating ERM into job descriptions, performance evaluations, and compensation and incentive programs. Finally, the ERM program should be monitored by the internal audit function to ensure that it remains effective over time in meeting organizational objectives.
The Way Forward

Depending on where an organization sits on the risk management continuum (see Figure 6), establishing an ERM infrastructure may be a phased, multi-year effort. Senior management must recognize this and create a focused roadmap to get from where the organization is to where they want it to be.

Figure 6

Final Thoughts

As you evaluate the appropriateness of ERM for your company, remember that:

- Regulators and rating agencies are increasingly suggesting that a risk management program be put in place.
- Critical to the process is analyzing, documenting, and monitoring identified risks. Management then needs to determine and document the appropriate risk response.
- New risks arising from strategic direction, event identification, and new or enhanced products and services should be addressed as an ongoing monitoring step.
- An effective risk management program is driven by the Board of Directors and Executive Management, and must be embraced by the entire organization.
With an integrated methodology, a consistent approach, and effective tools, your company should be well positioned to implement a comprehensive ERM program that accomplishes its goals: identifying potential events that may affect the business, and managing risk within your company's risk appetite to provide reasonable assurance that organizational objectives will be achieved.

Establishing a risk management function with central accountability, such as a CRO, is key to creating a successful ERM program. This function drives the ERM process and the various components and dimensions involved in effective enterprise risk management (see Figure 7).

Figure 7

Among the many important considerations for this function are the following:

- What should the function be accountable for, and how will it be organized? Will it be centralized, decentralized, or matrixed?
- What skill sets are needed in this department, and how will success be measured?
- What processes and tools are required to enable the risk management function to do its job effectively?
- And finally: what, how, and to whom will this function report and communicate?

This document is for general guidance only, and is not intended to be a legal analysis or a substitute for legal or other professional advice. Please consult with a professional to obtain appropriate information and advice regarding your specific situation.