There are numerous theories about what constitutes a solid ERM program. While theories are important, they are often difficult to put into action. This blog covers 10 practical guidelines that are feasible ways to ensure your organization's ERM program is as robust as possible.
The unprecedented levels of business complexities, ever-changing geopolitical scenarios, latest regulations and laws, and the increasing stakeholder demands have made managing enterprise risks a crucial priority among CEOs, CFOs, and other members of any company’s C-suite.
Over recent years, investors have made it a point to look into companies’ risk management policies and procedures. In most industries, boards of directors are expected to review the competence of their organizations’ risk management processes, and most organizations have audit and risk committees that oversee their risk management systems.
The significance of enterprise risk management is palpable. Risks that have a huge impact on corporations today have become, in large part, manageable and foreseeable. Directors and senior executives have every reason to use enterprise risk management as a lever for ensuring that unnecessary losses are managed.
Enterprise risk management (ERM), in a nutshell, can be viewed as a way of aggregating, managing, and reporting on all the possible risks a company faces, making it feasible to consolidate all risk information.
Most corporations adhere to the standard ERM definition outlined by the United States’ Committee of Sponsoring Organizations of the Treadway Commission (COSO). In Enterprise Risk Management—Integrated Framework (2004), COSO defines ERM as a process designed to:
Identify potential events that may affect the organization.
Manage risk within the organization’s risk appetite.
Provide reasonable assurance regarding the achievement of the organization’s objectives.
The COSO definition outlines eight interrelated components of enterprise risk management: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
Of course, risk management is not a strictly linear process in which each component is shaped only by the one before it. It is multidirectional and iterative, which means any component can influence any other.
Of late, ISO 31000:2009, Risk Management: Principles and Guidelines, has become a well-accepted industry standard. Simple in its approach and designed to supplement existing management systems, the standard has made it relatively easy for companies to understand and adopt. It provides principles, a framework, and a process for managing risk. Any organization, regardless of size, sector, or activities, will do well to make use of ISO 31000 to increase its chances of attaining objectives, identify organizational opportunities and threats, and allocate and use resources for risk treatment effectively.
The 2015 Report on the Current State of Enterprise Risk Management: Update on Trends and Opportunities by the American Institute of CPAs, which is based on survey responses from 1,093 business executives from a number of industries and different types and sizes of organizations, provides detailed insights into the maturity of their organizations’ ERM practices. The report highlights that there appears to be a disconnect between the recognition of today’s high-risk business environment and organizations’ decisions to invest in ERM.
While 59 percent of companies believe that the volume and complexity of risks have extensively changed in the last five years, only 25 percent of these companies feel they have a complete ERM process in place.
According to the same report, despite 68 percent of executives reporting calls for increased senior executive involvement in risk oversight, only 23 percent describe their organization’s level of ERM maturity as “mature” or “robust.”
These figures suggest that organizations are struggling to integrate their risk oversight with their strategy development and execution. ERM must begin to be viewed as a top-priority strategic tool that provides a unique competitive advantage.
The need to revisit your company’s ERM culture and improve it through advanced ERM training is therefore all the more pertinent.
Published by the Economist Intelligence Unit, here are 10 practical lessons learned from the current financial crisis that companies can use to help address perceived weaknesses in risk identification, assessment, and management:
1. Risk management must be given greater authority.
Risk managers’ opinions and concerns take a back seat when an opportunity for profit arises.
To be relevant and effective, risk management needs to be an independent function with sufficient authority to effectively challenge risk-takers.
Companies should examine whether risk professionals are given due authority within the organization. There should be a balance between the authority of risk management and the profit-making objective.
2. Senior executives must lead risk management from the top.
Risk management can only gain sufficient attention in an organization if senior-level managers lead and support it.
Risk management should be a responsibility of senior management. This elevates the authority of risk management and allows a focus on risk to filter through the organization, building a pervasive risk culture.
3. Institutions must review the level of risk expertise in their organizations.
Organizations must ensure that sufficient risk expertise is in place. Of course, it would make sense to use the right ERM framework suited to the industry you are in. Experts must be equipped with the tools and information to comprehend and cover the company’s risk appetite and positions. Also, there should be channels of communication to ensure that risk information is passed to the right individuals.
4. Model output must be balanced with human judgment.
There has been a recent trend of quantitative techniques replacing human judgment in measuring risk.
Quantitative models, no matter how sophisticated, are always limited by the quality of data, oftentimes magnifying small input errors. Thus, people need to remain responsible for making risk management decisions.
5. Stress testing and scenario planning can help executives respond properly to events.
Stress testing and scenario planning, always important tools in risk management, are regaining importance as some of the problems with quantitative models have come to light.
These techniques can help companies understand the impact of severe but plausible scenarios and prepare for highly unexpected events.
To be effective, stress testing should be integrated with a company’s overall risk management processes and have sufficient involvement from the board and senior management.
6. Incentive systems must be constructed to reward long-term stability.
Incentives have to be carefully designed so that they do not encourage pursuing short-term profit without regard for long-term costs. This is a key area for reform, as there has been a mismatch between short-term incentive structures and long-term risk exposures.
7. Risk factors should be consolidated across all the institution’s operations.
Companies need to look at risk on a firm-wide level to be able to identify and aggregate risks, as examining risks in silos can make it difficult to understand the interactions among them. There should be a risk culture in which risk is a concern for all employees, with clear and frequent communication across organizational boundaries.
8. Companies should ensure appropriate reliance on data from external providers.
Credit rating agencies have been criticized for their risk pricing models and their delays in downgrading securities.
Many question credit-rating agencies due to the inherent conflict of interest that exists, since they are paid by issuers to rate their securities. These concerns highlight the need for companies to address overdependence on credit ratings and to supplement ratings with their own continuously updated analyses.
Companies should consider the extent to which they rely on external sources of risk information and whether they understand the limitations of those sources.
9. A careful balance must be struck between centralization and decentralization of risk.
There should be a central, independent risk function to set risk appetite, implement and monitor controls, provide oversight of a firm’s risk position, and aggregate risk information.
There should also be risk management embedded in regional or business units for each profit center to take ownership of its own risks so that a risk culture is instilled throughout the organization.
10. Risk management systems should be adaptive rather than static.
Assumptions about risk should be questioned and updated, feeding observations from the real world back into the system on a regular basis. This enables risk management to correct inherent weaknesses and recognize and respond to changing business conditions.
By regularly monitoring changes, a company can adjust its overall risk appetite and risk limits for individual lines of businesses appropriately.
The key to taking ERM efforts to the next level lies in the ability of risk professionals to share and compare practices with other advanced ERM professionals. APEX Global Learning offers a two-day Enterprise Risk Management training: a detailed workshop for chief risk officers, risk management team leaders, and members of organizations with advanced ERM efforts, aimed at gaining new strategies and benchmarking ERM techniques.