In one form or another, enterprise risk management has always been an essential part of an organization’s operations. But that is arguably more true today than ever before.

Expanding business risks and regulations, growing awareness by media and stakeholders, and increased focus on corporate sustainability all make risk management a top business priority today, said Dave Anderson, vice president of GRC business strategy at SAP.


Anderson and numerous other risk-management experts at the third annual Compliance Week conference in Washington last month shared some best practices for developing an effective risk-management program.

“Enterprise risk management is really about having a vision of how to see risk management fitting into your organization as opposed to your organization fitting into enterprise risk management,” said John Farrell, head of the enterprise risk management practice for KPMG. Most organizations, he said, don’t step back and ask why they are doing risk management.

A truly effective risk-management program begins with the development of a framework. This is particularly essential given that every organization’s program will be different. “There is no one size fits all,” said John Rostern, director of technology risk management at Jefferson Wells International.

As a starting point, some of the questions experts recommended asking include:

What is our strategy? Have we built the right strategy?

Who is the target audience for our work?

What is it that we need to gather information about, and at what level?

What are the guiding principles of the program?

What are the guiding objectives of the program?


“Once you step back and understand the purpose of the program, it allows you to step back and decide who should do what to what extent and how many people in your organization should get involved,” said Farrell. “Risk committees are really important to organizations today to really get the quality of information up.”

As with much else in governance, tone at the top is critical. “Management needs to be playing an ongoing, aggressive role,” said Bruce McCuaig, chief risk officer for governance, risk, and compliance software firm Paisley.


But tone at the top is not everything, noted Christine Schwab, vice president and chief risk officer of Dominion Resources. “It is important that our CEO and CFO care about this, absolutely, but all of your leaders have to engage to get true value added,” she said. “I don’t need anyone on my team who doesn’t see the value of this.”

Schwab also cautioned companies to choose a risk-management leader wisely. “They’ve got to be facilitators,” she said. “Facilitating is not something all people are good at.” In addition, she said, choosing a candidate who has worked at the organization a long time and has credibility is more important than hiring somebody who knows the technical aspects of risk management.

Getting on the Same Page


After you’ve put a framework in place, you want to make sure every department within an organization is on the same page by establishing a “common language of risk and control,” McCuaig said. That means establishing common definitions, standards, and methodologies in all risk areas—strategic, operating, compliance, and reporting risks. “That, to me, is one of the greatest problems with convergence,” he said.

ERM DRIVERS: Role of ERM in Today’s Business Environment

Governance

Facilitate better corporate stewardship over strategic priorities and non-financial aspects of performance

Meet credit rating agencies’ expectations with regard to risk, to ensure a “no surprises” culture

Meet enhanced securities exchange listing requirements

Meet SEC requirements: 10-K description of “Risk Factors” in plain English

Satisfy evolving risk-based capital adequacy frameworks, e.g., Basel II

Strategy

Beyond regulation: provides a competitive advantage versus industry peers

Re-align strategy through evaluation of prioritized risks

Link to risk: cannot develop strategy without understanding enterprise risks

Performance

Improve accountability and transparency through coordinated enterprise risk monitoring and reporting

Reduce cash flow volatility using derivatives, insurance, or improved controls

Allocate and evaluate capital based on risk-based performance

Reduce costs through risk consolidation and cross-functional efficiencies

Source: KPMG & TIAA-CREF (June 5, 2008).

Andy Anderson, chief audit executive at Axis Capital, added that what makes convergence so difficult is that organizations usually have a whole series of risk assessments going on in their organization, each with a very different and distinct purpose. In addition, most departments have their own definitions of the phrase “risk management,” Anderson said. “And they’re comfortable with them. They believe everybody understands what they mean by that word.”


Oftentimes, however, that’s not the case. “It’s the things that we think are there, that we think we have documented that we take for granted,” said Dale Timmons, managing director of UHY Advisors. “If they’re not on paper, and they’re not communicating in a standard way, then you’re probably not as in sync as you think you are.”

Valerie Radford, managing director of risk management at TIAA-CREF, understands this well. Not until TIAA-CREF first developed a centralized, independent risk-management function in 2003, she said, did the company realize that its internal auditors had a much different idea of risk assessment than the finance and compliance teams.

That detachment, in turn, drove many other inconsistencies, including who talked to whom within the organization. Auditors, for example, only talked to senior management, while compliance only talked to managers and process owners. “So we had this disconnect,” Radford said. “We were both saying we were doing risk assessment, but we really weren’t doing the same thing.”

The overall goal of good risk management, Andy Anderson said, is to devise a single process that’s looked at from many different perspectives, and to come up with solutions in a much more efficient and direct manner.

“It’s a little bit like herding cats,” Timmons said. “We’re all independent. We all have our own way of thinking. We’ve all been successful at what we do, and how you pull that all together to be accountable as an organization is very important.”