The Big Picture - Enterprise Risk Management Services
Internal Auditor, June, 2001 by Christy Chapman
Enterprise risk management takes a holistic look at risk and helps organizations manage it to achieve the greatest possible gains. Senior members of top accounting firms share their insights on this new approach that promises great rewards.
GOOD BUSINESS IS ALL ABOUT RISK: BUSINESS GROWTH CANNOT occur without introducing new risks; business objectives cannot be achieved without placing assets at risk; and business rivalries cannot be won without "out-risk-taking" the competition.
These tried-and-true maxims have never been more widely embraced, as more and more entities approach risk from a value perspective. Today's risk-seeking organizations view risk like an unruly child, hoping to tame its destructive tendencies while at the same time harnessing all the potential that such a powerful force surely holds.
Enterprise risk management (ERM) has recently emerged as one such method for managing risks more strategically. By holistically looking at all of the risks the organization faces and considering how they affect the overall accomplishment of goals, ERM helps organizations better handle their risks to achieve the greatest gains at the lowest cost.
The Big Five accounting firms are some of ERM's strongest advocates. Involved in holistic risk-management approaches since the germination stage, these firms have witnessed the problems, the mistakes, and the successes that have occurred along the way. They bring invaluable expertise to internal auditors who, in this new, risk-tolerant environment, are being asked to take a more active role in risk management.
Partner, Assurance and Advisory Services Center, KPMG
The goal of our ERM effort is to help clients gain competitive advantage by looking at how risks might impede the achievement of strategic objectives and then working to establish a system to keep that from happening. For that system to work, ERM must be intrinsically linked to the entity's business strategy, which encompasses an organization's established vision, mission, and objectives; its process for defining operational imperatives; and its philosophies, policies, plans, and initiatives for growth and development.
We begin by linking the organization's risk strategy and structure to the overall business strategy. The risk strategy provides guidance for the risk activities within a company. It can set the tone for aggressive or conservative approaches, dictate how measuring and monitoring activities are carried out, and provide a "bird's-eye view" for management and the board.
The risk structure provides the means for executing the risk strategy and embedding it within the organizational culture. As such, it assigns the roles and responsibilities for risk. In some organizations responsibility is centralized in the chief risk officer (CRO), who is charged with understanding the risks at all levels of the organization, ensuring that everyone is addressing risk appropriately, and communicating the risk situation to senior management and the board. Other organizations decentralize responsibility by using a risk committee or by pushing ownership down to the division or operating unit level. Regardless of the approach, the goal is to make risk everyone's business.
Having a business-appropriate risk structure and strategy helps companies identify and assess their risks as well as optimize, or manage, those risks. In addition, such architecture will ultimately enable the measuring and monitoring of risk from a business perspective on an ongoing basis.
Most organizations recognize risk assessment as a highly useful process for identifying, categorizing, and assessing critical risks based on their likelihood of occurrence and magnitude of impact. But these same organizations are unsure of what to do with the information once they've acquired it. They find it impossible to track and address all of the risks they've identified, or they have no idea of how to translate the information into specific action steps that add value to the organization.
A business-focused ERM program addresses this problem by developing a risk portfolio. Risks are considered in groups, based on how they relate to one another. Within these groups, one or more risks may rise or fall when other risks rise or fall. This awareness of impacts and interdependencies affords a better understanding of which risks are critical and therefore require more attention.
ERM also helps organizations translate their assessments into value-added actions through risk optimization. Upon identifying a risk within a particular business process, we determine how the risk affects the business objectives of that process. Depending on management's current responses to that risk, we develop a plan describing how best to manage that risk so that value is optimized. Controls or limits may be added for risks that exceed the organization's risk appetite. Or, a better approach might be to lessen excessive controls or even expand the risk if existing controls provide additional risk capacity. By employing a variety of tactics, risk managers can begin to affect corporate performance and shareholder value.
Once the risks have been identified and managed from a business strategy perspective, the resulting risk activities must be measured and monitored from that perspective as well. This is where internal auditors can play a significant role by aligning their resources with key risks and by helping the organization determine whether it is implementing good strategy in those areas. They can assess the effectiveness of implementation schemes and monitor whether the ensuing policies and procedures are being followed. Internal auditors can also help determine what information is usable and useful to management and work with business owners to define how to obtain that information on a regular basis.
These methods help our clients become more proactive by filtering the amount of information so that they can focus on the risks with the highest impacts in the context of their strategic objectives. ERM is the lens that helps business leaders see how business opportunity can be tied to risk management in a way that creates value.
Operational Effectiveness Practice Leader of Global Risk
Management Solutions, PricewaterhouseCoopers LLP
A successful ERM program builds a competency throughout the organization for identifying and understanding risks and provides a methodology for assessing those risks. It effectively communicates what the risks are and how they are managed from a central point, so that the enterprise can understand the risks occurring in the component parts of the organization and determine what they mean to the entity as a whole. The end results are (1) an enterprise level view of risk that is appropriate for strategic consideration and (2) comfort to management and the board that the organization is effectively managing risks.
Effective ERM is concerned not only with the hazard side of risk, which focuses on managing the impact after a problem has occurred, but also with the uncertainty and opportunity aspects of risk. Organizations must be able to identify, assess, and anticipate risks before they become crises. Perhaps more importantly, organizations should look for the opportunity in risk, for ways to enhance their business as a result of the risk issue.
Most boards and CEOs want three things from their ERM programs: a proactive approach that focuses on more than just the hazards; a truly holistic discussion of the various risks in terms of how the organization should operate and what they as board members and senior management should be concerned about, rather than a compendium of risk reports from all business units; and more robust ideas about how to better run their businesses.
Our business risk management framework, called ORCA, addresses these issues by providing a holistic language and methodology for thinking and communicating about risk throughout the organization. The O stands for organizational objectives, which provide the starting point for identifying and understanding risk. One reason many ERM reports do little more than list the various business unit risks is that the people doing the reporting don't understand the overall direction of the organization. They are unable to connect their individual problems to the overall strategic mission of the business.
Risk -- the R in our acronym -- is defined as any issue having an impact on the organization's ability to achieve its objectives. Control -- the C -- of these risks is determined by looking at them from the hazard, uncertainty, and opportunity points of view.
The last letter, A, stands for alignment. The organization must ensure that all risk management and control activities are the right ones in the context of the entire company. Often a risk management device is placed over a specific risk in the bowels of the organization that keeps the organization as a whole from meeting its objectives.
We encourage several activities that help ensure the ERM program offers a truly enterprise-wide view and is built into the business. First, we suggest that senior management and the board participate annually in a facilitated strategic risk assessment exercise during which they articulate organizational strategy, operating objectives, elements of consideration from key stakeholders, and primary risk concerns. That information is synthesized by the CRO, who sends his team of risk leaders out into the organization to train everyone on ORCA and to facilitate risk assessments, making sure to introduce the concerns of senior management and the board.
We also look for ways to embed risk management within normal business processes that are external to the ERM program. At the end of business units' quarterly financial operations or strategic planning reports, for example, we ask business unit leaders to name any issues and changes on the horizon that will affect their business.
In the end, effective risk management is about people performing better. We've found that the ORCA framework promotes a daily discipline and focus by putting staff members through a discrete exercise that forces them to think outside the box. And because it is built into the way the organization conducts its business, it isn't something that people do once and never again. It's something they are constantly doing.
Global Leader of Strategic and Enterprise Risk Consulting, Arthur Andersen
We view ERM as a process for elevating organizational risk management so that it becomes a strategic weapon. It is a method for increasing the organization's capacity to build and improve its risk management capability by ramping up the organization's risk sensitivity to change. We see ERM as a continuous journey, rather than as a finite destination.
Organizations define ERM differently, because true ERM is driven by the organization's strategies, objectives, cultures, risk appetites, and available resources. There is no one-size-fits-all approach to ERM. That said, we do believe that any ERM project must begin with five essential actions: establishing an oversight structure; defining a common language and framework; targeting risks and processes; establishing goals, objectives, and a uniform process; and assessing risk management capability.
A key task in establishing the oversight structure is crafting a shared vision of risk management's role, given the organization's business strategy. Additional oversight activities include developing a compelling business case for ERM; establishing a risk management oversight committee; assessing whether the level of support staff is adequate for the oversight committee to accomplish the vision; and defining staff functions and responsibilities.
A common risk language and framework is essential for enabling busy executives operating at Web speed to quickly get on the same page when communicating about risk. When customizing such a language, organizations should break the business down into operating, management, and support processes. This process classification scheme supplements the risk language and serves as a useful tool when assessing the sources of risk.
The common language, which is built around business risks and processes, provides the basis for targeting. The organization must identify the products, risks, and processes that require the most attention based on the organization's business strategies and objectives.
It's impossible to look at everything, so we must look at the most important things. Three questions to ask are (I) what are the relevant business and product groups? (2) what are the key business processes? and (3) what are the priority risks? After developing the risk profiles, the next steps are to source how, why, and where the risks originate and to measure the severity, likelihood, and financial impact of risk. Going through this targeting exercise solidly aligns the achievement of business objectives with the management of risks.
Next, it is necessary to define specific risk management goals and objectives, develop overall risk management policies and guidelines, and customize a uniform process outlining the essential tasks of risk management. Goals and objectives provide a "big picture" view of how to organize the firm's risk management. Risk management policy defines the roles and responsibilities that make every manager accountable. A uniform risk management process provides consistent methods for assessing, managing, and monitoring risks across the enterprise. An important part of this uniform process includes methods for measuring success. As the organization progresses toward its goal of enhancing the value-added nature of risk management, it must be able to determine whether its risk management capabilities have improved.
The final task for starting the ERM journey is to assess the organization's current risk management capabilities, which include the processes, people, reports, methodologies, and technologies needed to implement a particular strategy. Documentation of the current state of risk management is used as a baseline to identify needed improvements. Key questions include: Who owns the priority risks and processes that have been targeted? What is the risk management capability of those priority risks and processes? What is our desired capability? What is our change enablement plan for accomplishing improvements?
Completing these five tasks gives us a good start on the path toward total ERM. But it is not an easy journey, and internal auditors can play an important role. They can be risk educators and facilitators. They can also serve as integrators by participating in the development of the common language, framework, and uniform process. Internal auditors can help coordinate the development and gathering of information about risk and the organization's risk management capabilities. They can play their traditional evaluator role, emphasizing not compliance issues, but the quality of business risk management processes.
Finally, internal auditors can help lead their companies to take a fresh look at risk management. It's unlikely that the methods most in use today help managers harness their company's full potential. A cultural shift is vital, and internal auditors who can make that adjustment in their own minds have a truly valuable part to play in elevating risk management to a strategic level.
National Practice Leader for Enterprise Risk Management, Deloitte & Tauche LLP
We describe enterprise risk management as a radar system that is both forward-looking, to identify issues on the horizon, and inward-looking, to ensure that the systems and processes were counting on to protect us are actually working. Also key to ERM is the principle that risk management is everyone's job, which enables organizations to better prevent, detect, and correct problems. Finally, ERM takes an enterprise-wide, cross-functional view of the organization, because that's where the real ship sinkers lie.
We separate the risk management cycle into four stages. Stage one involves identifying, assessing, and prioritizing risks. Unfortunately, in many organizations, the best-controlled risks are often the ones that are easiest to control, not those that are most important. Establishing standard criteria for determining which risks are mission critical or essential to growth plans avoids such problems.
During this stage, we also help the organization prepare for catastrophic risk. When assessing the risks, we identify the worst-case scenario that would result if a particular risk were to occur. We then put systems in place that enable quick detection and correction of that crisis.
Stage two addresses plans for assuring the effectiveness of the systems designed to protect the company and for further mitigating priority risks. Key actions include aligning internal and external audit efforts based on a coordinated, risk-based assurance agenda. It also involves allocating resources to priority areas where risk mitigation must be improved.
Stage three involves monitoring, reporting, governance, and oversight. Because absolute assurance is impossible, it's necessary to require greater levels of assurance from operating management. Without the necessary information, it's difficult to govern. Risk management scorecards and metrics are methods that support an improved approach to governance.
The final stage deals with the organization's sustainable capability and continuous improvement. This implies a systematic approach to post-mortem analyses, so that the organization learns from what worked and what didn't after they've encountered a particular risk. It also requires effective communication within the organization for sharing such knowledge to prevent re-occurrence and accelerate goal achievement.
We've found that many ERM endeavors fail because they lack a comprehensive risk management architecture. If a firm doesn't have a picture of what the completed system is to look like, it will likely have difficulty connecting the different pieces.
Our model for this architecture begins with the foundation on which the rest of the process is built. Risk management policies and practices, a risk framework with common definitions and a common language, and a risk information system enabling tracking and monitoring are a few elements that make up the foundation.
The next component is the governance structure, which assigns primary responsibility for risk to operating management and oversight roles to executive management and the board. Methods for distilling and communicating risk information back to the executive and board level are an important part of this structure. Such reports should identify the most significant risks, describe how they are being managed, and provide an assertion of reasonable assurance based on the use of systematic, disciplined, and consistent approaches, including stress testing and validation.
The final two supporting elements of our risk management architecture are operating management and internal auditing. Operating management's risk and control self-assessment activities obviously are a crucial part of effective ERM, as are internal auditing's consulting and assurance work. Besides providing assurance, internal auditing takes on a significant advisory role in ERM environments.
For example, internal auditors can help organizations determine how best to mitigate risks and how to build and improve controls. Internal auditors should also challenge operating management to determine if risks have been properly identified, if assessments are robust, and if the controls that operating management claims to be in place are in fact effective.
Building this sort of system into the way the organization operates sets the stage for sustainable capability. Many organizations are great at launching initiatives, but poor at maintaining them. We advise our clients not to view ERM as an initiative, but simply as the way they're going to do business.
Americas Operations Director of Business Risk Solutions, Ernst & Young
ERM helps the organization, especially the board, audit committee, and executive management, clearly understand and effectively manage the risks that matter to shareholder value. One key to Ernst & Young's approach is our enterprise-wide RiskUniverse, which is a comprehensive view of all the risks that could impact the organization. Four major categories of risk make up the first level of our prototype universe: strategic, operations, knowledge, and financial. Supporting those four areas are 14 components, which are in turn supported by 47 subcomponents, all of which are interrelated. Some organizations follow our blueprint precisely; others customize it by adding or subtracting components to fit their needs. This RiskUniverse gives people structure and information so that they are able to think about risks that they may have never considered.
While the RiskUniverse is a key ingredient of our approach, it is only one small piece of our overall ERM framework. We've identified six major components of effective ERM: a risk strategy, risk management processes, appropriate culture and capability, risk management functions, enabling technologies, and governance. Organizations that are doing great in one or two areas often think that they have implemented ERM, but in fact all six components must be in place and functioning well.
First, a company must have a definite strategy for managing risk that is based on a common risk universe clearly linking all activity from the perspective of risk to shareholder value. Secondly, the specific risk management processes, like risk assessments, risk treatments, and monitoring, must be effective and efficient across the enterprise.
Key to an appropriate culture and capability is a common language and understanding of risk. People's opinions differ regarding what risk is and what it means to the organization, so it's important to provide training on the organization's view so that consistency is achieved. The embedding of risk management principles into employee and organizational performance measures also helps promote such consistency. Another culture and capability issue involves executive-level support and commitment. Success absolutely depends on having a visible, top-level champion who really believes in the effort and actively demonstrates that support.
There also should be integration of the current risk management functions, such as internal auditing, legal compliance, insurance, and foreign exchange risk management. In some cases, structural changes, such as centralizing responsibility for ERM in a CR0 position, may be appropriate.
The technology to support ERM must be operational as well. Enterprise-wide risk databases, Web-enabled educational programs, early warning systems, and risk modeling techniques are some electronic tools that organizations consider essential to their success. Finally, governance devices, such as direct interface with the audit committee and the board and use of enterprise risk committees, should be in place.
Organizations that can get all six elements working together in an ERM effort will reap significant benefits. For example, ERM forces organizations to address the contributing factors that are often behind the incidences of risk. The primary reason an organization faces a likelihood of some "bad thing" happening is because there are a multitude of individual "bad things" already occurring across the organization. As organizations better manage their risks, they can more clearly see the inefficiencies, redundancies, incapabilities of people, and lack of effective systems that are placing the organization at risk. As those hindrances are removed, immediate, tangible benefits accrue.
Effectively initiating and embedding ERM into an organization requires an executive level champion preferably reporting directly to the CEO and board. This individual may come from finance or operations, depending on the industry and culture of the organization. For most companies, it will be difficult for the leader of internal auditing or any other risk management function to successfully drive this type of change as part of their current role.
That said, internal auditors and other risk management specialists can play a critical role in ERM if they possess proven methods and processes that others in the organization can use to better manage risk. Their level of involvement will vary from organization to organization, depending on the capability of the risk management functions, the respect the functions command, and the culture of the company.
Contributing writer CHRISTY CHAPMAN is the former executive editor of Internal Auditor.
COPYRIGHT 2001 Institute of
Internal Auditors, Inc.
COPYRIGHT 2002 Gale Group
Bibliography for: "The Big Picture - enterprise risk management services"
Christy Chapman "The Big Picture - enterprise risk management services". Internal Auditor. FindArticles.com. 31 Oct, 2009.
Institute of Internal Auditors, Inc.
COPYRIGHT 2002 Gale Group