Enterprise Risk Management

A recurring theme

As ERM acceptance grows, non-responding firms face competitive disadvantage

By Michael J. Moody, MBA, ARM


Enterprise risk management (ERM) has continued to mature over the past five or six years. During that time, numbers of interested groups and associations have tried to add to the general ERM knowledge base. One of the earliest proponents of ERM was the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Not only did the committee foster a strong commitment to ERM, it also inked the first ERM blueprint for assisting organizations in designing their own programs. The publication, Enterprise Risk Management—Integrated Framework, was presented in September 2004.

At the time, the Framework was the only formal document that fully explained ERM in detail and showed how all of the various parts fit into the whole. Subsequent to its publication, it has become the industry standard for many organizations struggling to design and implement an ERM program. Since that time, numerous other organizations have advanced similar guides for ERM. However, for the vast majority of organizations, COSO remains the recognized standard.

Something new

Since the publication of the Framework, COSO has not been too actively involved in risk management. Part of the reason for this is the fact that COSO’s primary mission involves developing frameworks and guidelines within the accounting/auditing industry segment. However, COSO recently introduced a couple of important papers that deal directly with critical ERM issues. While both of the papers deal with the timely issue of involvement by the board of directors with risk oversight, each comes from a different perspective.

The first paper, Strengthening Enterprise Risk Management for Strategic Advantage, highlights four specific areas where COSO believes that senior management at most corporations can do a better job of educating their boards to increase their understanding of risk management generally and, more specifically, what the board’s oversight responsibilities should be. By using additional educational endeavors, management should be able to enhance the board’s critical risk oversight capabilities.

COSO points out that it will be difficult to have effective oversight “unless the board and management fully understand the level of risk an organization is willing and able to take.” COSO also notes the importance of both management and the board achieving a shared philosophy and appetite in order to accomplish key organizational objectives. The real importance of understanding this risk philosophy, according to COSO, “is that it is reflected in the ways risks are considered in the development of the entity’s high-level strategies and objectives.” But equally important is that both management and the board must be able to determine how risks are considered in day-to-day operations to achieve the organization’s long-term objectives and strategies.

Developing an understanding of the organization’s specific risk management practices is the second area addressed in the report. Here COSO indicates that a full understanding of risk management is still a work in progress in most corporations. As a result, for many organizations, “Risk management is ad hoc, informal, and implicit, thus leaving executives and boards with incomplete views of the entity’s top risk exposures.” This, the paper says, indicates that the senior management should immediately review its “existing risk management process with the board.”

Then, according to COSO, “The board can then challenge management to demonstrate the effectiveness of those processes for identifying, assessing and managing the organization’s most significant risk exposures.” This is important because these are the risks—the enterprise risks—that are likely to affect the achievement of the organization’s objectives.

The board must then review the organization’s portfolio of risk in relation to the company’s risk appetite. “Ultimately, management and the board need an understanding of the entity’s portfolio of top risk exposures affecting the objectives so that they can determine whether it is in line with the stakeholder’s appetite for risks.” Such a review typically means significant increases in board agenda time and also requires information packets that clearly link strategy and operational initiatives to enterprise-wide risks. This will strengthen a board’s ability “to gain comfort that risk exposures are consistent with overall stakeholder appetite for risks.”

The final area that is addressed has to do with apprising the board of the most significant risks as well as the related responses. COSO rightfully points out that risk is constantly evolving. And the paper indicates that one of the goals of the risk management process is “to provide timely and robust information about risks arising across the organizations.”

This creates a high demand for recent and relevant risk information. To provide it, an organization needs management to regularly update key risk indicators that are linked to the overall objectives. These are the types of data that will enhance “board oversight of key risk exposures for preservation and enhancement of stakeholder’s value.”

Competitive advantage

In its second paper, Effective Enterprise Risk Oversight, COSO states that a number of external factors require more board involvement. For the past several years it has been noted that organizations that adopt a more enterprise-wide approach to risk management would gain a significant competitive advantage. However, COSO points out that this advantage is slowly dissipating as more and more companies begin to move toward ERM. And while many experts can justify the movement toward ERM by building a business case, outside influences are forcing the issue for many companies. Several recent actions have raised the profile of risk management, and while most are a direct result of the financial meltdown, they highlight the board’s expanded responsibilities for risk oversight.

Among the actions noted by COSO are the recent New York Stock Exchange corporate governance rules that require audit committees to discuss risk assessment and risk management policies. It also mentioned the change in the credit rating agencies’ approaches, which now incorporate an assessment of enterprise risk management processes “as part of their overall corporate credit rating analysis.” Additionally, it noted that Securities and Exchange Commission Chairman Mary Schapiro has indicated, “Potential new regulations may be emerging for greater disclosures about risk oversight practices of public companies.”

In addition, legislation has been introduced in Congress that would mandate the creation of board risk committees. Finally, in response to risk management failures associated with the current financial mess, signals from a wide variety of local and national regulatory agencies “suggest that there may be new regulatory requirements or new interpretations of existing requirements placed on boards regarding their risk oversight responsibilities.” The bottom line is that there is a limited window in which ERM will continue to be a competitive advantage. Soon it will be standard operating procedure, and firms not yet up to speed with ERM will be at a competitive disadvantage, according to COSO.

Conclusion

The responsibility of boards of directors has been made clear. They are charged with overseeing the direction of the corporation and safeguarding the interests of the stakeholders. However, now more than ever, the expectations placed on boards are at all-time highs. In many instances, boards are being asked whether they could have done a better job in overseeing the management of their firm’s risk exposures. Frequently, an additional question is: “Could improved board oversight have prevented or at least minimized the impact of the financial crisis?”

COSO notes, “The challenge facing the board is how to effectively oversee an organization’s enterprise-wide risk management in a way that balances managing risk while adding value to the organization.” COSO suggests that as ERM moves to a “more mature business operating model,” boards will need to rise to the challenge of effective risk oversight.

Both of the previously cited papers have painted a clear picture of a board’s risk oversight responsibilities. Coupled with several others, these publications provide significant evidence that, without question, boards of public corporations no longer can conduct business as usual. The push in 2010 will be to require that a board become more active regarding risk oversight, and those that fail to follow this approach will open themselves to significant hardships.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.

“Management and the board need an understanding of the entity’s portfolio of top risk exposures affecting the organization’s objectives so that they can determine whether it is in line with the stakeholder’s appetite for risks.”

—COSO White Paper, Strengthening Enterprise Risk Management for Strategic Advantage
