Risk Management Article

  • Uploaded by: Carl Burch
  • May 2020
Enterprise Risk Management and the Road to Success

Submitted by: Carl Burch, CMA, CIA, Finance and Accounting Lecturer, Moscow, Russia, [email protected]

Introduction

In our last article we discussed the five components of internal control, including:

1) Control Environment,
2) Risk Assessment,
3) Control Activities,
4) Information and Communication, and
5) Monitoring.

We discussed how all of these components are interrelated and necessary for the establishment of a strong internal control system. It’s through internal control that management is able to control and direct operations, thereby having reasonable assurance that objectives will be achieved. It is ultimately the achievement of objectives that makes companies successful. This is true whether companies are operating in China, the US, the UK, or even Russia. Now, we want to turn our attention to the subject of Enterprise Risk Management (ERM).

Why Enterprise Risk Management?

The underlying basis of every company is to create value for its owners. If value is not created, then it’s not likely the company will be able to survive. But, in order to create value, companies have to take on some amount of uncertainty. Now, this uncertainty incorporates both risks and opportunities, with the potential to erode or enhance value. The purpose of establishing an enterprise risk management process is to give management a way in which they are able to effectively deal with this uncertainty associated with risks and opportunities. Management can then determine how much risk the company is willing to take on as it strives to create value.

COSO’s Enterprise Risk Management – Integrated Framework

COSO’s Internal Control – Integrated Framework established the above-mentioned internal control components in order to help companies assess and improve their internal control systems. The recent accounting scandals of Enron, WorldCom, Tyco, Parmalat, etc. caused companies to put more focus on risk management. But, to do this, management needed a framework to help them more effectively identify, assess, and manage risk. To meet this demand, COSO developed the Enterprise Risk Management – Integrated Framework. Enterprise risk management differs from risk management in that ERM represents a more “integrated and holistic perspective” on risks facing the company. The ERM framework simply became an expansion of COSO’s Internal Control framework, not a replacement.

Whereas COSO’s Internal Control framework has five components, COSO’s ERM framework has eight components. These components are listed below with a brief description of each component:

1) Internal Environment. This would include the tone at the top, management’s tolerance for risk, and oversight by the board.
2) Objective Setting. Objectives must first exist before management can identify the events that might affect their achievement.
3) Event Identification. Internal and external events that can affect the organization’s objectives must be identified.
4) Risk Assessment. Risks must be analyzed and assessed for the likelihood and impact on the objectives.
5) Risk Response. Management then has to select responses to the risks.
6) Control Activities. These are the policies and procedures in place to help ensure that risk responses are carried out in an effective manner.
7) Information and Communication. Relevant information about risks has to be communicated so people can carry out their responsibilities.
8) Monitoring. The entire ERM program has to be monitored and modifications made if necessary. Monitoring can be ongoing, or it can be a separate evaluation.

While COSO’s ERM framework is one of the most comprehensive frameworks, it certainly is not the only one. A number of different ERM frameworks have been suggested by various professional organizations and consulting firms (e.g. IMA, Standard & Poor’s, Basel Committee on Banking Supervision, etc.), but the essential components of these frameworks are similar. These ERM frameworks differ only in the language they use to describe the components and in the number of specific steps. When implementing an ERM process, a company may choose a more common framework that fits its culture, management philosophy, needs, and size. The basic components found in most ERM frameworks are (see Exhibit A):

• Setting objectives,
• Identifying risks,
• Assessing risks,
• Treating and controlling risks, and
• Communicating and monitoring risks.

EXHIBIT A: Continuous Risk Management Process

(Cycle diagram with six stages: SETTING OBJECTIVES → IDENTIFY RISKS → ASSESS RISKS → TREAT RISKS → CONTROL RISKS → COMMUNICATE & MONITOR, returning to SETTING OBJECTIVES.)

Source: Statement on Management Accounting, Enterprise Risk Management: Framework, Elements, and Integration, pg. 17.

Setting Objectives

The first step in the ERM process is the setting of objectives. Objectives are simply what an entity strives to achieve. Objectives can be short-term or long-term, and they can be quantitative (numeric) or qualitative (non-numeric). Objectives should be:

• Specific: Objectives should be precisely defined.
• Measurable: The method of measuring the objective should be defined.
• Agreed to: All interested parties need to agree to the objectives.
• Realistic and Attainable: Objectives must be realistic and they must be attainable. If they’re not, then they are superfluous.
• Timely: Objectives should be specific as to when they are to be achieved.

Note: As we can see, objectives should be SMART. A direct benefit of ERM is that it may reveal some objectives that are not clear or understood by those responsible for achieving them. It’s recommended that time be taken to clarify the objectives before moving on to the next step – identifying risks.

Identifying and Assessing Risks

The next step in the ERM process is the identification of risks. The goal in this step is to produce a list of risks and then assess them. There are a number of techniques used to identify risks. Some of these techniques are shown in Exhibit B. In practice, it may be necessary to use more than one technique from the list. The key is to make sure that as many risks are identified as possible. If some risks fail to be recognized, this could result in problems for the company.

EXHIBIT B: Risk Identification Techniques

INTERNAL INTERVIEWING and DISCUSSION:
• Interviews.
• Questionnaires.
• Brainstorming.
• Control Self-assessment and other facilitated workshops.
• SWOT analysis (Strengths, weaknesses, opportunities, and threats).

EXTERNAL SOURCES:
• Comparison with other organizations.
• Discussion with peers.
• Benchmarking.
• Risk consultants.

TOOLS, DIAGNOSTICS, and PROCESSES:
• Checklists.
• Flowcharts.
• Scenario analysis.
• Value chain analysis.
• Business process analysis.
• Systems engineering.
• Process mapping.

Source: Statement on Management Accounting, Enterprise Risk Management: Framework, Elements, and Integration, pg. 19.

Once the risks have been identified, the next step is risk assessment. With risk assessment we are in essence asking: “What can go wrong here?” and “What assets do we need to protect?” According to the COSO study, Internal Control – Integrated Framework, risk assessment is summarized in the following way: “Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.”

A key to ERM is to know which risks the company can control and which risks it cannot control. This is the purpose of the risk assessment stage. Another key is to know which risks can and cannot be measured. “Knowing the importance of a risk through risk assessment can lead to better management and resource allocation. Further knowing how that risk interrelates with other risks in the company can enhance the ERM process.”1

1 Statements on Management Accounting, Enterprise Risk Management: Framework, Elements, and Integration, pg. 18-19.

Once management has gone through the assessment part of the ERM process, the next step is the most difficult – treating and controlling the risks.

Treating and Controlling Risks

Once the risks have been assessed, management must then decide how it is going to manage them. In the ERM process there should be a conscious decision about risk. There are different actions that management can take for any given risk, including:

• Transfer the risk to another party. This can be done through signing a long-term contract with a supplier. You transfer the risk of future price increases.
• Avoid the risk. This is generally not the most desirable thing to do, but in some cases, it may be unavoidable.
• Reduce the negative effect of the risk. This might include hedging, or some other method.
• Accept some or all of the consequences of the particular risk. You take on the risk because you know that if you are successful, you will indeed be very successful.

In this stage, the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled later. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss vs. a risk with high loss but lower probability of occurrence can often be mishandled.

Communicating and Monitoring Risks

This is the final stage of the ERM process. In this final stage, management has the responsibility to review and make necessary changes in order to mitigate potential risks that can hinder the achievement of objectives. The goal of ERM is not to become risk averse, but to develop and implement a system whereby risk-related information is able to flow downward, across, and up the company. In regards to monitoring, activities should periodically reassess risk and the effectiveness of controls to manage risk.

Conclusion

Enterprise risk management can be a powerful management tool, but its successful implementation will require education and training of managers at all levels of the organization, including the board. But, there are limitations to ERM. Like any program, human judgment is still required, and human judgment in regards to risks can be faulty, leading to errors or mistakes.

A major weakness of the ERM system is that two or more people can collude together, or management can override ERM decisions. Thus, even with the best of ERM systems, “these limitations preclude a board and management from having absolute assurance as to the achievement of the company’s objectives.”2 In regards to Russia, it is mostly the larger organizations that have implemented ERM at this time. But, unfortunately, it seems that most of these companies have done so because of some external requirement (Sarbanes-Oxley, etc.) and not because it is something that they actually believe provides benefit. In time this attitude should change as more Russian managers start seeing the benefits of ERM.

2 Enterprise Risk Management – Integrated Framework, Executive Summary, September 2004.

Below is a list of best practices that companies can use as a reference when implementing ERM.

1) Engage senior management and board of directors that set “the tone from the top” and provide organizational support and resources.
2) Independent ERM function under the leadership of a chief risk officer (CRO), who reports directly to the CEO with a dotted line to the board.
3) Top-down governance structure with risk committees at the management and board levels, reinforced by internal and external audit.
4) Established ERM framework that incorporates all of the company’s key risks: strategic risk, business risk, operational risk, market risk, and credit risk.
5) A risk-aware culture fostered by a common language, training, and education, as well as risk-adjusted measures of success and incentives.
6) Written policies with specific risk limits and business boundaries, which collectively represent the risk appetite of the company.
7) An ERM dashboard technology and reporting capability that integrates key quantitative risk metrics and qualitative risk assessments.
8) Robust risk analytics to measure risk concentrations and interdependencies, such as scenario and simulation models.
9) Integration of ERM in strategic planning, business processes, and performance measurement.
10) Optimization of the company’s risk-adjusted profitability via risk-based product pricing, capital management, and risk-transfer strategies.

Source: Statement on Management Accounting, Enterprise Risk Management: Framework, Elements, and Integration, pg. 34.

In summary, “ERM is essential in today’s business environment, where companies are required to disclose risk factors in the financial reports and the board of directors regularly questions top management about the company’s risk.”3

3 Statements on Management Accounting, Enterprise Risk Management: Framework, Elements, and Integration, pg. 34.
