ENTERPRISE RISK MANAGEMENT

By Michael J. Moody, MBA, ARM

ERM TAKES ANOTHER STEP FORWARD

COSO offers framework for ERM

From the COSO Framework. Used with permission.

Risk is a necessary part of any business endeavor, regardless of the size and type of the organization. As a result of a number of recent corporate meltdowns, many organizations are currently evaluating their ability to manage risk. One tool that is expected to be helpful in this process is enterprise risk management (ERM).

ERM is a concept that allows organizations to take a holistic view of their risks. It has been an emerging management concept for the past four or five years and, at this point, has had a number of studies and articles written about it. Despite this, there is currently little agreement as to a common terminology or widely accepted management principles. Several groups have attempted to reach a consensus on this issue but, to date, none have succeeded.

Recently, however, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has advanced the Enterprise Risk Management Framework (the Framework) for public comment. The Framework was developed to provide management with a common reference point with regard to ERM.

Basic concepts

According to the Framework, one of the underlying principles of ERM is that "every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders." As a result of just being in business, all entities face uncertainty. This uncertainty manifests itself in the form of risks that can erode value or as opportunities that can enhance value. The Framework indicates that if practiced properly, ERM can provide a structure "for management to effectively deal with uncertainty and associated risks and opportunities, thereby improving its capacity to build value."

Uncertainty comes from an organization's "inability to precisely determine the likelihood that potential events will occur and the associated outcomes." The Framework offers the following definition for enterprise risk management:

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

This definition incorporates a number of fundamental concepts upon which ERM is based. However, it is purposefully broad for several reasons. First, it provides a concept that can be applied across many different types of organizations and industries. Additionally, it focuses management's attention directly on achieving the entity's objectives.

ERM components

As set out in the Framework, ERM consists of eight interrelated components. These components are derived from the way management runs a business, and as such they should be integrated with the overall management process. The components that make up enterprise risk management are:

1) Internal Environment - The Framework states that "the entity's internal environment is the foundation for all other components of enterprise risk management, providing discipline and structure." As a result, the internal environment influences how companies establish strategies and objectives, as well as how business activities are structured and how risks are identified, assessed and acted upon. The elements that make up the internal environment include such things as "an entity's ethical values, competence and development of personnel, management's operating style and how it assigns authority and responsibility." As part of this internal environment, a company will establish its philosophy of risk management, determine its risk appetite, and integrate ERM with related initiatives.

2) Objective Setting - Strategic objectives are established by management, which then selects a strategy and sets related objectives that cascade through the enterprise, aligned with and linked to that strategy. Objectives can be grouped in four broad categories:

* Strategic - relating to high-level goals

* Operations - relating to the effectiveness and efficiency of the entity's operations

* Reporting - relating to the effectiveness of the entity's reporting

* Compliance - relating to the entity's compliance with applicable laws and regulations

By categorizing objectives into these four distinct but overlapping groups, management, and particularly the board, can focus on separate aspects of enterprise risk management.

3) Event Identification - This component confirms that management recognizes that uncertainties exist and also notes that management "cannot know with certainty whether and when an event will occur, or its outcome should it occur." Event identification takes into consideration both internal and external factors that affect event occurrence. Political, social and technological factors are among the external considerations, while internal factors are management choices with regard to infrastructure, personnel, process and technology. Event identification techniques look at the past as well as the future. Techniques focused on the past would examine such matters as changes in commodity prices and lost-time accidents, while techniques focused on the future would consider shifting demographics and competitor actions.

4) Risk Assessment - Risk assessment allows an entity to consider how potential events might affect the achievement of objectives, but those events must be looked at from two perspectives. The first perspective is likelihood, or the possibility that a given event will occur, while the second perspective deals with impact, or the effect on the organization should the event occur. "Estimates of risk likelihood and impact often are determined using data from past observable events" and may include a methodology that combines qualitative and quantitative techniques. It is important to recognize that while potential events that apply only to a single business unit may be viewed individually, where risks are likely to occur within multiple business units, management must assess and group identified events into common categories.

5) Risk Response - "Management identifies risk response options and considers their effect on event likelihood and impact, in relation to risk tolerances and costs versus benefits, and designs and implements response options." The consideration of various risk responses, as well as the selection and implementation of the most appropriate response(s), is an integral part of enterprise risk management. It is designed to allow management to "bring risk likelihood and impact within the entity's risk tolerance." Risk responses can be grouped as risk avoidance, reduction, sharing and acceptance. Risk avoidance responses take action to exit activities that give rise to the risks. Risk reduction responses reduce the risk likelihood, impact or both, while sharing responses use risk transfer or sharing techniques. On the other hand, acceptance responses take no action that affects the likelihood or impact of a risk.

6) Control Activities - Those policies and procedures that help assure that risk responses are properly executed are considered control activities. The control activities are a part of the broad process by which an enterprise strives to achieve its business objectives and as such occur throughout the organization "at all levels and in all functions." Typically this component is made up of two elements: a policy establishing what should be done, and a procedure to implement the policy. In general, control activities are directed at ensuring the completeness, accuracy, and validity of the various policies and procedures.

7) Information and Communication - "[P]ertinent information - from internal and external sources - must be identified, captured and communicated in a form and timeframe that enable personnel to carry out their responsibilities." A central informational need of any organization is to identify, assess and respond to risks. In today's fast-paced environment, information comes from a wide variety of sources, which allows ERM responses to be modified based on changing conditions in real time. As with most information, "the challenge for management is to process and refine large volumes of data into actionable information." The key, of course, is to establish information systems that support the organization's overall business strategies. ERM requires that both historical and current data be captured and used effectively. Relevant information is the basis for communication that assists groups and individuals to effectively carry out their responsibilities. Communications should be directed at advising personnel of their roles and responsibilities in effecting and supporting the various components of enterprise risk management.

8) Monitoring - The process of monitoring, or assessing both the presence and functioning of the enterprise risk management components as well as the quality of their performance over time, is a key factor in the process. For the most part, monitoring can be done in two ways: "through ongoing activities or separate evaluations." Generally, ongoing monitoring, which is built into the normal, recurring operating activities of an organization, is favored. This is because it is more effective than separate evaluations: it is performed on a real-time basis, reacts dynamically to change and is ingrained in the entity. Despite this, many entities continue to utilize separate evaluations in conjunction with their enterprise risk management activities, due to the increasing importance of the ERM function.

Summary

There is a direct connection between an organization's objectives, which are what it strives to achieve, and the eight enterprise risk management components, which represent what is needed to achieve them. This relationship is depicted in the three-dimensional matrix (Exhibit 1). It should be noted that the four columns represent the categories of an organization's objectives, rather than parts or units of the organization.

Conclusion

Recent events have caused corporations of all types to reassess and re-evaluate their ability to effectively manage risk. Today, there are few areas within the board's oversight responsibility that are of more importance. It has become clear that while it is widely agreed that ERM can assist in this task, a common body of knowledge is needed to move forward. COSO and its member organizations (the American Institute of Certified Public Accountants, the American Accounting Association, Financial Executives International, the Institute of Management Accountants, and The Institute of Internal Auditors) have taken a major step forward in formalizing the ERM process with the publication of the Enterprise Risk Management Framework. It is, however, unfortunate that the corporate risk management profession, represented by the Risk and Insurance Management Society (RIMS) or the Casualty Actuarial Society (CAS), which has been very active in promoting ERM, does not appear to be a party to this effort. As a result, there is little similarity between the Framework and traditional corporate risk management thinking.

The author

Michael J. Moody, ARM, is managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.