Enterprise Risk Management

ERM advancements

Insurance, banking, and energy carve out their ERM strategies

By Michael J. Moody, MBA, ARM


Organizations around the world are now beginning to gain a better understanding of the benefits of adopting a holistic view of risk management. This holistic view, known as enterprise risk management (ERM), has spread from a simple, conceptual vision to a reality in many companies in just a few short years. This rapid growth is due to a number of different factors; however, one key factor is regulatory compliance. It has been estimated that organizations will spend more than $28 billion for compliance efforts in 2006, with the lion’s share going to Sarbanes-Oxley compliance.

As a result of the compliance issue, many see both risk and compliance as part of the overall ERM effort. Forrester Research, a 23-year-old market research company that provides advice on technology’s impact on business and consumers, indicates that increased risk and regulatory pressures have required organizations to develop a consistent approach to implementation and oversight. The firm says there are five results that will emerge from the convergence of risk and regulation that include:

• “Develop a culture of ethics and control by centralizing corporate governance and communicating policies and procedures.”

• “Improve confidence in the organization’s operational and financial integrity.”

• “Maintain accurate and timely risk information that enhances visibility, measurement, control, and sharing of risk across the organization.”

• “Accurately measure risk and compliance through a consistent and systematic approach, as opposed to disparate approaches that are reactively managed.”

• “Measure risks not only at the system or project level, but also at the business process and business unit level and from the organization-wide view of risk management.”

It is clear from a review of these results how important information technology (IT) will be to the long-term advancement of ERM from both a risk and regulation standpoint.

The role of IT in ERM

Clearly, the IT area of any organization accounts for a significant amount of risk within its own operational sphere. Recent incidents involving the leakage of employee or customer personal information, access-control failures and system outages make that plain. However, IT’s role in the wider ERM effort is equally critical.

Successful implementation of ERM depends on timely, accurate and secure information. Thus far, IT’s role in ERM has been largely reactive and limited to meeting compliance requirements. IT is now being redefined into a central role in ERM, one that facilitates the process by automating risk management and measurement. Among other things, IT must be able to translate raw data into usable, actionable, human-readable information that management can use for decision making.

This redefined role has resulted in a movement where technology is used to provide risk management dashboards, business intelligence and business process management, as well as to identify and manage risk in real time and monitor the results. This change will require IT to move from managing only its own departmental risks to becoming a critical part of the overall ERM process.

In order to move beyond the current situation, it is important that IT move from the current reactive approach to a proactive position. It has been suggested by some experts that IT managers begin thinking of themselves as “information custodians.” In this role, IT managers can then begin to gather, protect and monitor the information that is at their disposal preparatory to delivering the right information at the right time to those involved in the ERM decision-making process.

In order for ERM to fulfill its promise of enhancing shareholder value, it is vital that IT has the data and information that will be required to provide appropriate counsel to management. Over the next few years, advancement within the IT area will greatly assist the chief risk officer (CRO) in providing meaningful input to the organization’s strategic risk management development. A close working relationship between the CRO and the head of IT—one that is proactive and forthcoming—will go a long way to assuring this vital link.

Specialized ERM programs

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provided guidance to many organizations when it released the Enterprise Risk Management—Integrated Framework. Subsequent to the release, the publication’s authors at PricewaterhouseCoopers (PwC) indicated that the Framework was written as a starting point. They have repeatedly pointed out that it was designed to provide an overview by describing essential components, principles, and concepts of the ERM process for all organizations. It has never been considered as a “paint-by-numbers” approach to ERM. In fact, PwC has indicated that specific industries will need to modify the Framework to their particular needs.

One of the first industries to adopt the ERM principles spelled out in the Framework was the banking industry—spending much time and effort to modify the Framework’s fundamental concepts to the unique characteristics of banking. Then came the insurance industry, which has been actively fine-tuning the ERM concept to its needs as well. Now a third industry segment is developing a specialized approach to ERM. That industry is the energy industry.

Recently, a group of energy industry ERM professionals has established its own industry group known as the Committee of Chief Risk Officers (CCRO). The group notes that CCRO has been established to provide information and support to ensure that its members advance the best ERM practices for their companies. The group indicates that its online portal “CCRO Online” was designed to provide “a wide range of interactive online tools and media to advance professional knowledge.” Among other things, CCRO Online provides access to industry white papers, a quarterly newsletter, online seminars and training, as well as various opportunities for professional advancement and communication.

It is important that other industry segments follow the lead of CCRO and begin fine-tuning the COSO ERM Framework to suit the specific needs of their trade. This is a necessary step to assure acceptance of ERM by industry leaders.

Conclusions

ERM continues to attract the attention of boards of directors and senior executives of companies around the world. At this point, growth of the ERM concept has been well documented over several industry segments, namely banks, insurance companies and now the energy industry. In addition, other industry segments are now working to establish a common approach to ERM for their segment.

Much of the upcoming growth will come as a direct result of the effective use of state-of-the-art IT advancements. Integrating these various IT applications will continue to be a challenge for most ERM practitioners. However, it will be a key to meeting, and continuing to meet, the information needs of a growing enterprise risk management program. It is expected that major product development in the ERM/IT area will be forthcoming over the next 12 to 24 months.

It is easy to see why ERM is having such a major impact on organizations, and why its growth will continue. According to Forrester, ERM growth appears almost assured. The research company indicates that by the end of 2007, “75% of the Fortune 1000 organizations will have established a formal enterprise risk management office with a CRO or equivalent role.” For many organizations it is no longer a question of “if,” but rather “when.”

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.
