Enterprise Risk Management

ERM—Learning by example

By Michael J. Moody, MBA, ARM


The past five or six years have witnessed a significant change in corporate America. Much of this change has occurred because of a number of highly visible financial failings of several Wall Street darlings. As a result of these problems, one of the most profound changes is that the board of directors is now being held increasingly accountable for the financial results of its organization. In order to place appropriate pressure on the directors who should be monitoring the financial results of their companies, a variety of recent regulations, laws, and mandates have placed this oversight responsibility squarely on the board’s shoulders. Of course, this personal liability has meant that the directors now have “skin in the game.”

As a result, directors are looking to risk management more than ever to assure themselves that the proper processes and controls are in place to make certain that stakeholders’ interests are maintained. In order to fulfill this role, risk management has had to take a much broader view of the organization. The approach has become known as enterprise risk management (ERM). The last 12 to 18 months have seen an increasing number of businesses in most industry segments begin to embrace ERM. And while any number of studies have confirmed this conceptual interest, some organizations continue to struggle with implementation.

First things first

As a result of the implementation roadblocks, several early ERM adopters and a number of consultants are beginning to advance suggestions regarding this portion of the process. One such consulting firm is Protiviti, a leading provider of independent risk management consulting and internal audit services. Among other things, Protiviti regularly provides consulting and advisory services to help organizations identify, assess, measure and manage financial, operational and technology related risks.

Recently, Protiviti released a new publication, Guide to Enterprise Risk Management: Frequently Asked Questions. The Guide provides an in-depth view of the ERM process, giving insights, as well as ideas and strategies to those that are responsible for ERM design and implementation. This handy reference tool is far-reaching in its application and covers a wide variety of topics that directly relate to the earlier ERM Framework specified by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (www.coso.org).

Among the topics that are covered in detail in the Guide are how to conduct a risk assessment to prioritize risks, how to build a compelling business case for ERM and the role of executive management in ERM. However, it’s the “Getting Started” section of the Guide that may offer the most value to those trying to implement an ERM program for their company.

Setting the foundation

The “Getting Started” section of the Guide outlines five key implementation steps, which are designed to offer practical suggestions to show movement in the early stages of ERM development. One of the points that is stressed throughout this section of the Guide is the importance of securing and maintaining senior management support. The steps are:

1. “Conduct an ERM assessment to determine and prioritize critical risks. The assessment must identify and prioritize a company’s risk as well as provide quality inputs for the purpose of formulating effective risk responses.” It is important to remember that the responses include information about the current state of capabilities around managing the priority list of risks. The risk assessment should span the entire organization, including critical business units, important functional areas and business processes. According to the Guide, this step would encompass the objective setting, event identification and risk assessment sections of the COSO ERM Framework and must provide a holistic, portfolio view of the organization’s risks. It should be noted that if the company has not properly identified and prioritized its risks, ERM would become a tough sell for senior management because the value proposition can only be generic and, as a result, lacks specific usefulness.

2. “Articulate the risk management vision and support it with a compelling value proposition using gaps around the priority risks.” This is one of the most important steps in the implementation process because it will provide the economic justification for moving forward. Among the key issues involved in this step is the development of a shared view of risk management in the organization and the capabilities desired to manage its key risks. Once the current state of each priority risk is determined, an assessment of the desired state will need to be completed. The objective of the assessment is to identify the gaps, and then put forth a strategy to close the gaps for the priority risks. To be useful, according to the Guide, the vision should be grounded in specific capabilities that must be developed to improve risk management performance and achieve management’s selected goals and objectives.

3. “Advance the risk management capability of the organization for one or two priority risks.” This step is directed at improving an organization’s risk management capability in a specific area where management knows improvements are needed. This would mean that a good starting point may be within a compliance area such as corporate or governance initiatives like Sarbanes-Oxley or Basel II.

4. “Evaluate the existing ERM infrastructure capability and develop a strategy for advancing it.” The Guide notes that it takes discipline to advance the capabilities around managing critical risks. It also notes that the policies, processes, organization and reporting that instill that discipline are called “ERM infrastructure.” The primary purpose of this infrastructure is to eliminate significant gaps between the current state and the desired state. The infrastructure is important because it facilitates the establishment of a fact-based understanding of the organization’s risks and risk management capabilities. It also ensures ownership over the critical risks. Additionally, this step helps drive closure of significant gaps.

5. “Update the assessment for change and advance the risk management capabilities for key risks.” By now, management has advanced its capabilities for one or two risks as outlined above and it is in a position to broaden the focus to other priority risks. This step will necessitate the updating of the organization’s risk assessment to reflect any changes and determine the current and desired states for each priority risk using the organization’s business strategy as a guide. At the end of the day, the objective is to advance the maturity of the capabilities around managing the priority risks.

By following these steps, an organization can begin to address the implementation of an ERM program. While implementation begins modestly, it addresses the most critical risks and then builds on the success with those priority risks.

Another way to look at implementation

Another view of this all-important implementation phase was provided by James Lam during a recent Webcast. Lam, who is regarded as the first Chief Risk Officer, has consulted with more than 30 organizations on ERM implementation and provided what he considers his critical do’s and don’ts regarding ERM implementation. First on his list is “Don’t let the regulatory tail wag the dog—ERM is about management, not simply compliance.” He says that regulations are a blunt instrument that deals with the past, while risk management must direct its attention to the future. In addition, regulation deals primarily with risks, while management takes a broader view and deals with both risk and reward. At the end of the day, he notes, regulatory compliance is a necessary but insufficient condition for success.

Next, he says, “Don’t boil the ocean, but rather focus the ERM process on what is most important.” He thinks that you should begin implementation by identifying the most critical risks. It is counterproductive to move step-by-step through all risks facing the organization; this takes too long and only delays the implementation process. Just focus attention on the top of the waves—the major risks facing the company—or the process can become bogged down. With regard to the key risks, Lam says, “Don’t just tell me; show me—quantify risk through effective key risk indicators.” These key risk indicators will vary from organization to organization, but they can come from such things as the company’s strategies and objectives delineated in its business plan or performance metrics. Additional indicators can come from regulations and policies, actual loss and incident data, or stakeholder requirements including investors or business partners. Lam also believes that it is important not to produce volumes of data and reports, but rather to develop an ERM dashboard that summarizes the important information.

Most experts realize how difficult it is to move past the implementation phase of any ERM program. When all of the risks an organization faces are included in the initial stages, the process becomes daunting at best. A far better idea is to view the implementation phase as a journey that will not be completed overnight.

The ideas that have been advanced above make a good starting point for this journey, so that a company can begin the ERM process and then build on the success of dealing effectively with a few priority risks. There is simply no way to complete the implementation stage overnight.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF), an independent consulting firm that has been established to advance the practice of enterprise risk management and its concept by providing current, objective information about the concept, the structures being used, and the players involved.
