This is the first in a series of columns dealing with enterprise risk management. On the basis of reader surveys and requests, Compliance Week found that there is a strong demand for more information on this important subject; while most readers have some knowledge of ERM, many continue to struggle in understanding exactly what ERM is, why it’s needed, and how it best works. With that background, the editors asked me to devote several columns to providing clarity. It’s my intention to do just that—and hopefully provide insights into the whats, whys, and hows of enterprise risk management.

This first column outlines what enterprise risk management is (and what it isn’t) and offers some straightforward examples of what ERM looks like in the real world. It is intended to provide clarity, and to that end we need to define a few terms before proceeding further; first, what is “risk”?

Future columns will deal with why a company would want an effective ERM process, including the benefits it brings; some of the more effective techniques for applying ERM; where the responsibilities for ERM are best housed; and what methodologies are most effective for implementing an ERM system, including pitfalls to watch out for.

What ERM Is Not

At the risk of putting the cart before the horse, let’s look at some misconceptions of enterprise risk management. The reality is that many people use the term—including board members, chief executives and other senior executives, consultants and others—all too often applying very different meanings.

The term “ERM” sometimes is used in connection with procuring insurance to cover specified risks, dealing in financial instruments such as derivatives, and deciding what new corporate initiatives should be approved. Indeed, managers navigate a wide range of business risks on a daily basis, in doing their best to achieve corporate objectives successfully. But often this is done ad hoc with dramatically varying scopes, results, and consequences. All of this involves some aspect of risk management, but it isn’t ERM.

In many companies, internal auditors assess risks to determine where to devote limited audit resources and to provide important information to management. Often risks are categorized and rated or ranked, sometimes using heat maps or other graphic depictions. These exercises are important both to the audit process and management and to the board. But by definition they are snapshots at a point in time and might or might not form a basis for decision-making on how the risks need to be managed.

What ERM Is

One can look to a number of sources for a definition of ERM. The one many (if not most) knowledgeable users look to is the COSO report, Enterprise Risk Management—Integrated Framework. It defines enterprise risk management, sets out its principles, objectives and components, and offers effective application techniques. The two-volume report is more than 200 pages, and I certainly won’t bore you trying to summarize it here. The report does, however, provide a basis for what will be covered in this series, along with practical, real-world experience in helping companies implement an effective ERM process.

So, what is ERM? Basically, it is a company’s process to identify, assess, and manage risk that could interfere with achieving any of its corporate objectives. In simpler terms, it is a systematic approach to seeing what could mess up a company’s business plans. And once those potentialities are identified, management analyzes the risks and determines what to do to manage them. This may involve taking action to reduce or possibly eliminate the risk, or doing nothing if the risk is within the company’s risk tolerances and doesn’t warrant any further action.

As such, ERM involves looking at what could go wrong with a strategic plan, a marketing program, production processes, developing reliable financial statements, adhering to laws and regulations, and myriad other company objectives. Importantly, the process also includes identifying opportunities that exist that can help the company achieve its business goals.

Let’s Talk The Same Language

People talk in terms of “taking a risk,” meaning placing a bet. They use the term “risk” in the context of an outcome, such as “the risk involved in starting a new business line.” Recently, a new term, “positive risk,” is being bandied about.

ERM uses the term “risk” in one way: to mean the possibility that something will happen (that is, an event will occur) with a negative outcome. Note the important word “possibility,” only meaning that an event with a negative outcome could occur—not that something bad has already happened.

When focusing on the possibility of an event with a positive outcome, the term is “opportunity.”

Examples of risk range almost as wide as one’s imagination: a hurricane destroying a crop, production machinery failing, inappropriately disclosing customers’ personal financial information, losing key personnel, overstating revenue in financial statements, customers ignoring a new product launch, or commodity-price fluctuations. Certainly, there even are risks inherent within these risks, such as a new product launch being ignored because incorrect market research data has been used. Risk exists at many levels and needs to be considered at a level that’s pragmatic and manageable.

OK, enough about definitions. Let’s look at what the enterprise risk management process looks like in some real companies.

What ERM Looks Like

ERM will never be exactly the same in any two companies. To be useful, it must fit a company’s strategic direction, organization, and culture. ERM can fit a company with little formality in management style or one with highly structured management processes. Inherent in all ERM processes, however, is the discipline in the process, and that it operates throughout the organization. ERM initially was called “enterprise-wide” risk management; the “wide” was dropped for convenience, but the concept remains. If it doesn’t have the requisite discipline, scope, and function throughout an organization, we call it “risk management” but not “enterprise risk management.”

Enterprise Risk Management—Integrated Framework is built on COSO’s Internal Control—Integrated Framework, which is used for Sarbanes-Oxley Section 404 compliance. The COSO ERM report describes and defines effective ERM, providing principles, components, and application techniques. To really understand what ERM is, readers will need to spend some time with the report. But we can provide a few streamlined examples to give you some idea of the basics of how some companies use it successfully.

Company 1 (financial services): To fit with its face-to-face management approach, and to avoid unnecessary administrative activity, this company’s management decided to deal with risk in its monthly management meetings. A limited portion of each meeting is devoted to identifying new, emerging risks and related opportunities, with qualitative analysis and actions taken then and there to manage the risks or to seize the opportunities, except for those requiring further analysis where assignments are made for subsequent follow-up. This process is in place at all management levels, and risks and related actions are reported upstream through normal in-person communications. One manager is tasked with tracking significant risks and actions, and providing a portfolio view of risk to the CEO and the board.

Company 2 (consumer products): This company’s management decided that somewhat more structure was needed, and began the ERM process in the annual strategic planning and budgeting process. The process was brought to the entire organization, where identified risks and opportunities are considered as part of the ongoing management process, and recorded on a simple, one-page template. Most risks are analyzed qualitatively, although quantitative techniques are used where needed. The template serves as a focal point for managers at every level, as well as an upstream communications mechanism to track risk and action plans on an ongoing basis.

Company 3 (financial institution): This organization uses sophisticated methodology to identify and assess risk. The corporate center takes the lead in risk analysis, quantitatively assessing credit, market, interest rate, liquidity, and other risk categories. Operational risks are considered by managers throughout the organization, and software is used to communicate risk-related information, including summarization where appropriate, establishing accountabilities for agreed-upon actions to manage the risks, and developing portfolio information for senior management and the board for making capital allocation decisions.

Is It Really Worth The Effort?

While simple in concept, implementing an ERM process does take some effort and associated cost. And depending on the extent to which it is built into existing management processes, there can be additional ongoing effort.

But not knowing what risks your company faces is dangerous, and engaging in limited risk-management activities in an undefined or ad hoc manner can lead to unwanted surprises. Imagine driving a car on an unfamiliar back road at night with parking lights only and part of the windshield covered with mud. You know where you want to go, and with all the best intentions you think you know how to get there—but you don’t know what’s out there that could keep you from arriving timely and safely. The result could be as minor as hitting a pothole and popping a flat tire or as disastrous as going too fast around a sharp curve and tumbling off a cliff.

Management needs to know what could keep the company from achieving its business objectives, as well as opportunities to help it get there. On that back road there could be a sign to a new highway that would cut the travel time in half—which the driver could take if only he saw the sign. If you’re not yet convinced of the need for effective enterprise risk management, the next column in this series deals in more depth with why both management and the board need ERM, the drivers for ERM, and the benefits it brings to an organization.