This is the third column in my series on enterprise risk management. The first described what ERM is, aiming to clarify what it is really all about; last month we discussed the “why” of ERM: why companies are moving forward with an ERM initiative, with insight into the impetus for ERM and the benefits it brings.

In this column we set forth some of the techniques companies successfully use to get optimum benefit from their ERM processes. In digesting this “nuts and bolts” information on how ERM is applied, readers can expect to gain a better sense of the nature of ERM and how it works in the real world.

Please note that this column does not address how to implement an ERM process—that is, what needs to be done to initiate, build, and deploy ERM. Stay tuned for a future column to read about that.

ERM Application Techniques

There’s an almost infinite number of techniques that businesses use in applying ERM, making it impossible to present anything other than a very small sampling in this column. Many of the techniques are described in the Application Techniques volume of COSO’s Enterprise Risk Management—Integrated Framework, which presents more than 100 pages of highly effective ERM techniques. It’s organized around the Framework’s eight components, and describes and illustrates how the techniques are used. For readers looking for further guidance in applying ERM, I recommend spending time with that material. (Full disclosure: having played a major role in the report’s development, I may be somewhat biased.)

In the space available here, let’s look at just a few of the examples provided in the COSO ERM report.

Internal Environment. It’s become well understood that the internal environment—akin to the control environment in internal control—is the foundation on which an effective ERM process rests. Among the techniques available to ensure a strong internal environment is the risk-related culture survey, which enables management to gain insight into how well the company’s risk-management philosophy is integrated into the organization’s culture.

Well-constructed surveys allow management to keep its finger on the pulse and trends of the organization, which is especially helpful during times of change. The results—which can be in numerical or “heat map” form—provide directional indicators of areas of strength and weakness in an organization’s culture, and a basis for management to zero in on where attention is needed to deal with shortcomings. An example of how survey questions can be presented and interpreted is included in the Application Techniques volume of the COSO ERM report, page 8.

Objective Setting. ERM involves establishing how much risk a company is prepared to take, stated in qualitative or quantitative terms as its “risk appetite.” One technique illustrates how, in setting its business objectives, a company views capital at risk versus return in relation to its risk appetite. A company can show this relationship in graphical form with return on the vertical axis and capital at risk on the horizontal, with linear depiction of its target risk-return profile. Within the profile are business units or strategic initiatives showing the current state of risk return, and the target state.

This technique is illustrated in the Application Techniques volume (page 18), where a company strives to diversify its business initiatives to earn a return that lines up along its target profile. The graphic explicitly shows where the company currently is and where it wants to go, reflecting how much risk it’s prepared to take on. It helps to align the company’s objectives with its risk appetite, providing a basis for establishing risk tolerances.

Event Identification. With ERM, management identifies potential events that could affect the company, and determines whether they represent risks or opportunities affecting the company’s ability to implement strategy successfully and achieve its objectives. In addition to considering individual potential events, management needs to consider the effect of multiple, related events. To gain insight into interrelationships, some companies use event-tree diagrams, also known as “fishbone diagrams.” These diagrams provide a means by which to identify and graphically represent uncertainty, generally focusing on one objective and how multiple events affect its achievement.

An example in the Application Techniques volume (page 31) focuses on a company’s objective of achieving a 30 percent gross margin on sales. The fishbone diagram identifies the internal and external drivers of the factors and events affecting product demand and cost of production, which in turn affect achievement of the 30 percent margin objective. With this depiction of the relationships, management is positioned to better understand and deal with those primary drivers and related factors and events.

Among other event identification techniques are use of event inventories, facilitated workshops, interviews, questionnaires, surveys, process flow analysis, leading event indicators, escalation triggers, and loss event data tracking.

Risk Assessment. Risk assessment allows management to consider what effect potential events may have on achieving the company’s objectives. Management assesses events from two perspectives—likelihood of occurrence and impact—and normally uses a combination of qualitative and quantitative methods to measure the effect and any of a number of different methods to portray the assessment. Risk maps, for example, may take the form of heat maps or process charts that plot quantitative or qualitative estimates of risk likelihood and impact.

One example depicts assessment of risks relating to the objective of retaining high-performing employees. Likelihood of the event occurring is shown on the horizontal axis, its potential impact on the vertical, with risk factors presented on the grid in the form of “bubbles” representing estimated ranges. You can see the graphic on page 49 of the Application Techniques volume. This portrayal enables management to focus its attention on developing responses to those risks that are most significant, in turn enhancing its ability to achieve the stated objective.

Risk-assessment techniques can be used to focus on either inherent risk, residual risk, or both, and allow management to assess the effect of a single event on multiple business objectives. Among the techniques available are such qualitative techniques as ranking and questionnaires, and quantitative approaches such as probabilistic techniques (value at risk, market value at risk, loss distributions, and back-testing) and non-probabilistic techniques including sensitivity analysis, scenario analysis, stress testing, and benchmarking. Also available are techniques for risk and capital attribution used to estimate the amount of capital required for accepted risks, portraying risks with heat maps or numerical presentations, and techniques for entity-level views of risk.

Risk Response. ERM involves management’s determination of how it plans to respond to risk, either by avoiding it altogether, reducing it, sharing it, or simply accepting the risk and selecting a response that brings residual risk within desired risk tolerances. Management also identifies opportunities that might be available.

To give a sense of the myriad actions management might take in responding to risk, risk avoidance could include disposing of a business unit, product line, or geographical segment, or deciding not to engage in new initiatives or activities that would give rise to the risks. Risk reduction might include diversifying product offerings, establishing operational limits, enhancing business processes, strengthening management’s involvement in decision making and monitoring, rebalancing asset portfolios to reduce exposure to specified types of losses, and reallocating capital among operating units.

Sharing risks might involve such actions as obtaining insurance coverage for significant unexpected loss; entering into joint ventures, partnerships, or syndication agreements; hedging risks through capital market instruments; outsourcing business processes; or sharing risk through contractual agreements with customers, vendors, or other business partners.

And then there is making an informed decision to accept the risks, which might involve “self-insuring” against loss, relying on natural offsets within a portfolio, or determining that the associated risk already conforms to risk tolerances.

Ultimately, management takes an entity-wide, or portfolio, view of risk, determining whether overall residual risk is within the entity’s risk appetite. This is an integral part of ERM and can be depicted in one of several ways. One example illustrated in the Application Techniques volume (page 62) shows, by major risk, the inherent risk, related risk responses, and the residual risk in terms of effect on the company’s earnings per share. Another example (page 61) presents a graphic with frequency of occurrence on the horizontal axis, impact on operating earnings on the vertical, and major event categories in quantitative form via arrows within the grid. These techniques present valuable information to senior management and the board in readily understandable terms.

The Application Techniques volume also presents techniques related to the other COSO ERM components—control activities, information and communication, and monitoring—but with space constraints here, readers will need to look to the COSO ERM report.

Bedtime Reading

When giving presentations on ERM, I sometimes say tongue-in-cheek that the COSO ERM report is a sure cure for any attendees with a case of insomnia. Well, while that may be true, the report indeed does have a great deal of important information on how companies are successfully using ERM techniques. So readers are well advised to also find some daylight hours to take a good look at what’s there.

My next column in this series will deal with where responsibilities for ERM best are placed—what works, and what doesn’t. Interestingly, an approach often initially desired by management won’t do the job. With all due modesty, I believe the column is worth waiting for.