Revision as of 13:05, 16 March 2022

writed & developed by Pietro Boschetto

Abstract

One of the most serious problems of today's businesses is the differentiation of risk that can be found within the various components of the business: management, operations, marketing, accounting, and finance. Often, in the past, risk was analysed by looking at individual departments, a strategy that allowed many companies to grow by assigning responsibilities to different managers. The problem of risk diversification, however, is precisely linked to corporate growth that does not go hand in hand with mutual control of the various corporate departments. In fact, if we consider relevant business enterprises, we cannot consider an individual risk analysis to be effective because it does not allow us to protect against combinations of events often linked to different business areas. The solution is a new approach that derives from common risk management, but which allows us to analyse a business in its integrity and no longer in its individual parts. Enterprise Risk Management is a new method posed as a solution in this analysis and will be the object of study for this article.

Definition

Enterprise risk management (ERM) is defined as a process, designed and applied in a coordinated manner by different corporate stakeholders such as the board of directors, managers and other corporate figures, designed to plan a suitable corporate strategy that protects the entire business from risk situations that would slow down or stop its proper functioning and growth.^[1]As a process, it involves study and constant updating through data analysis and consultation between the various people involved: it is defined as the art and science of making informed decisions.^[2]A holistic approach not only aims to define and contain business risks, but also allows figures such as the executive manager to make risk management decisions in the interest of specific departments of the organisation and the extended network. ^[3]In spite of the uniqueness of each company, ERM uses standards that allow a basic approach to the study of the company's business case. The objective of these documents/principles is to provide the team in charge of applying ERM with a guideline that can align them in the process but also establish a common point of view on the framework to be set up to succeed in the mission. These postulates are defined by international groups or industry groups and despite the legal factor to persist on the time, they are regularly supplemented and updated. Trough the most important standards we recognise COSO 2017 – Enterprise Risk Management - Integrated Framework which has been reported on the wiki article as a relevant framework statement for ERM.

Origins

Is difficult to define proper origins for Enterprise Risk Management, as an evolution of Risk Management is better to describe the motivations that lead to this new approach. Starting from the late 40s to the early 50s we can identify 2 main fields for importance related to risk management, and this are the management of insurance risks and financial risks. Back in the days, Companies used to affiliate certain types of risks to insurance companies.These transferred risks related to natural catastrophes, accidents, human error and fraud allowed insurance markets to expand, letting them consider also types of commercial risks such as credit risks. The tactic adopted forced managers to consider alternatives to the purchase of insurance. Risk Management represented an Opportunity Cost that companies weren't considering, moreover, allowing the management of risk by a character inside the corporation would have allowed a better analysis as it exploits the internal point of view and subjected to greater engagement. The 70s where characterized by a huge development on the financial risk management in particular considering movements in exchange rates, commodity prices, interest rates and stock prices. The existence of financial derivatives also forced companies to consider more carefully the pricing of risks, how risks could be financed internally, and the value of the additional services supplied by investment banks as a big cake slice. Companies also understood that insurable risks and financial risks could have been managed together, since the coordination of them would have led to a good risk management.The next step in the development of a more holistic approach to risk management came from Contingency planning , which has been a part of corporate policy for many years. Its purpose was to identify those activities that might have been threatened by dangerous events and to have systems in place to cope with these events. Business Management extended the practice of Contingency Planning requiring more internal systems. As a result of the combined work of the Contingency Planning and the Business Management we have Enterprise Risk Management that is historically traced from the 90s. The identification of this new method brought also to the formation of a new figure in the company called Chief Risk Officer in charge of the correct analysis and development of ERM.

Chief Risk Officer

^[4] The Chief Risk Officer (CRO) is corporate executive responsible for identifying, analyzing, and mitigating internal and external risks.As ERM is a costant evolution process, CRO follows it. Based on the innovation that nowadays corporations have to pursue expecially on the technology field, the CRO must govern the information security, protect the different stakeholders against frauds, and guard ^[5] intellectual property, that is basically defined as the inventions patended by the company. ^[4]We can categorised the types of threats that the CRO usually controls for can be grouped into regulatory, competitive, and technical groups.Corporations must verify that they are in accordance with the rules reporting accurately to government agencies their obbligations. ^[6] The CRO as an internal stakeholder is responsible for the development of operational risk management and he is in charge of protecting the company from losses resulting from inadequate procedures, systems and policies. ^[4] Cro stands as the advocate of the law, as an example, considering companies using sensitive data, it is important to safeguard them by continuously updating cookie and policy mechanisms. The management of these protocols is the responsibility of the figure in question, who must collaborate with the IT branch of the company in order to avoid problems such as access to these data by unauthorised persons or, worse still, the sharing of these data. ^[7]The job position of the CRO is very articulated and has different fields of application. That is why this role is often covered by people with high education level with up to 20 years of experience in accounting, economics, legal or actuarial work, and many have specialised training in risk management.

ERM Framework

^[8]As stated in the definition of ERM, the use of standards is quite relevant to ensure proper alignment between all participants in this task. One of the most relevant is COSO, whose name derives from the Committee of Sponsoring Organisations of the Treadway Commission, the group that commissioned the project. By pursuing leadership and developing understandable frameworks to optimise internal management control, COSO deters fraud by improving organisational performance.This document highlights the importance of considering risk in both the strategy-setting process and in driving performance. At the base of this report there are objectives such as improving the alignment between performance and Enterprise Risk Management to understand the impact of risk on performance, but also new ways of looking at risk in order to achieve objectives in a more complex business environment. COSO will also evaluate the importance of evolving technologies, data and analytics to support decision-making.

^[9]Before going trought the main framework part is important to clarify that ERM is not properly a function or a department, is way more the culture, capabilities and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value. As a framework we identify 5 different components that must be addressed on a ERM analysis:

1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.

4. Review and Revision: By reviewing entity performance, an organization can con-sider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.

5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

ERM Weakness Points

^[10]As an article in Risk Management Reports observed, “ While businesses have made progress in implementing enterprise risk management (ERM) programs, we have seen that such programs have often been ineffective. ERM has not become embedded in corporate strategic thinking and culture. Risk management processes continue to be fragmented and left to functional managers or business units and do not reflect a vision of the firm’s long-term goals. Summarizing ERM to date, it consists of methods and processes used by organizations to manage risks and seize opportunities influencing achievement of their objectives. Like all such innovative initiatives, ERM has been evolving – with contributions from many sources. In this evolution process has been delighted 5 main weakness points that could and must be overcome in order to consolidate this always-in-progress tool.

1. ERM Lacks the Framework it Touts

The expansion of traditional Risk Management beyond financial concerns – and denoting it as Enterprise Risk Management – was haphazard, almost random in nature. Obviously, the intent was to consolidate all activities, functions, and interests within a corporation so that their risks might be integrated, examined, and managed as a unit. The idea was admirable. But the very singularity it was seeking is missing – because it has no universal rationale or mechanism to attain it. ERM lacks the framework it touts. It has no defined process that assures TOTAL management of risk. Instead, it’s “bits and pieces” -- often focused on the sensational and obvious while ignoring the mundane and routine. The goal of ERM is to address risk in all areas of the enterprise.“Enterprise” turns out to be elusive rather than descriptive. ERM in one organization may not even resemble ERM in another. What is needed? Application of the systems approach – that global, holistic, all-encompassing, universal technique used successfully in high-risk space endeavors. That approach clearly defines the boundary of concern – so that there is no ambiguity about what is and what is not the entity for which risk is being managed. Once that is accomplished, its known inputs and desired outputs are established, a functional platform for identifying every conceivable risk is constructed, and risk scenarios are written. Until ERM becomes systematic, it will suffer misunderstanding,false exploitation, fragmentation, and confused reaction.

2. ERM is Reactive instead of Proactive

History certainly reveals a wealth of risks needing to be managed. However, those risks are only a portion of those that management must address if an organization is to protect and create value for its stakeholders -- including owners, employees, customers, regulators, and society overall. Risks that have yet to be revealed or experienced may be more consequential than the obvious ones that most organizations traditionally manage. There is no recognized and endorsed ERM process for foreseeing and identifying risks prior to experiencing their associated losses. This deficiency forces ERM to be reactive instead of proactive – waiting for a loss before implementing countermeasures against it. Reactionary management is always inefficient and impulsive – as well as expensive. ERM should be proactive, but it’s not. It’s usually reactive. Because it has no method or process for identifying risks that have not yet happened, it is destined to remain reactive. The sad fact is that – by being reactive – every loss is much more costly than if it had been foreseen and controlled.

3. ERM Discards the Wisdom of Insiders

Insurers and risk consultants in financial institutions have always convinced most client executives that they know how best to manage risk. So those executives have fallen victim to engaging experts from the outside to tell them what they already know -- while still remaining vulnerable to risks the outsiders know nothing about. Most critically, the wisdom required to manage and control risk is right within the enterprise itself. The key is to have a technique that extracts and organizes that wisdom. Traditionally, risk management has been a profitable business – primarily because it was performed by insurers on behalf of the insured. But risks really weren’t managed. They were financed. So it follows logically that the early recruits and participants in ERM came from the financial end of the risk management spectrum – rather than the control end. Their influence and earmarks cannot be denied.Yet, as the scope of risk concern broadened under ERM to include control of risk, it became obvious that risk management knowledge and expertise required was not available from the outside financial experts who had historically provided it. This is not to say that outside financial consultants cannot augment the internal wisdom of a client enterprise regarding management of risk. But the shortcoming is that they typically limit their involvement to a few mid- or high-level client managers with financial interests. Risks can only be impacted or reduced by those in control of the scene wherein they occur – and it is those very people who are rarely involved in the ERM process even though they have the greatest knowledge and understanding of those risks. ERM discards the wisdom of insiders.

4. ERM Doesn’t Calculate Mitigation Costs

Every identified risk attracts management attention – in one of two ways. If it is defined only in terms of its severity and likelihood, unanimity of concern about it is generally universal but inconsequential. Why? Because there is no consequence involved. Everyone agrees that the risk exists. But it is simply a moral concern – but not a management one. However, if a third dimension – mitigation cost – is assigned to that risk, decision -makers are forced to address it. It becomes consequential. It cannot be ignored. Questions arise – about all three dimensions because, taken collectively, that risk can now be placed in an array of management significance or consequence. Executives become accountable for its management. As a general rule, ERM measures risk in only two dimensions – severity and likelihood. With little doubt, this short-sighted approach almost guarantees that management will not get involved in addressing it. It may become assigned to a list or a group of similar risks or be classified within a zone of interest. But without a mitigation price tag, management will ignore it. Ignoring mitigation cost assures ignored risk.

5. ERM Fails to Rank Risks

There are never enough resources in any organization to mitigate every identified risk. So allocating resources to manage risk is a prime concern for executives. On what basis then can an executive determine the necessity for investment to control risk? How can one risk be justified as more important than another? When and how can a decision-maker feel justified in allocating limited resources to competing candidates for risk control – particularly when great diversity in complexity, function, or cost among them exists? Compounding this dilemma is the possibility that risk identification itself may even be manipulated to favor or influence resource allocation decisions. Should an executive desire to have the organization publicly appear more risk responsible, he could limit or divert the function of risk identification – ordering that certain types of known risk not be acknowledged and documented. Such a risk ranking will always remain dynamic, not static -- not only because the world is always changing but because risk identification is an ongoing activity. New risks can be expected to be identified on an ongoing basis. Further, as risk mitigation takes place, there is constant re-ordering of the ranking that reflects the impact of risks that have been controlled.

ERM Continuum

Businesses evolve their response to risk along a Risk and Compliance maturity continuum. ERM is a never ending developing strategy framework that aim to perform the best on different stages.

1. In the Comply Stage, they start with a strategy of penalty avoidance, often implemented through manual auditing and control procedures on top of existing processes. Frequently, laws also require changes to business processes, which are done manually and in an uncoordinated manner in this stage.

2.As businesses realize that compliance is not limited to a one year project but rather an approach that must be sustained and adapted to meet changing regulations year after year,they enter the improve stage. Most companies in the Improve Stage initially focus on improving the efficiency of their compliance and control procedures to minimize cost by standardizing procedures across the enterprise and adding automated status monitoring. The processes in turn are instrumented with the necessary control points, measurements and metrics needed to enable automated monitoring. Long term this will reduce today’s redundant control procedures to be replaced by lighter-weight random audit checks and control procedures to ensure the separation of duty and increase overall accountability.

3. As enterprises enter the transform stage they embrace a holistic, optimized risk management approach looking at events and classifying them into risks and opportunities, based on well-defined policies that take risk and regulations into account. In this stage, the enterprise is focused on achieving internal improvements by streamlining and rationalizing processes at an enterprise level and by adding automated control points directly into the business procedures to replace error-prone manual controls.

Giving some percentages data related to this Tool, according to Mark Beasly’s 2005 ERM Status Report about half of the companies had either no ERM plans, had not decided yet or thinking about it for the future. About 37% claimed to have partial ERM plans implemented and 11% claimed to have a full ERM system in place. Most companies today are still in the comply stage and working their way towards the improve stage. For example, only 12% of companies have a large level of automatically generated reports. One year later, the situation seems to have shifted. According to the latest CFO study of the IBM Institute of Business Value, more than 75% percent of the studied Finance departments ‘frequently or sometimes’ support their company in designing an enterprise risk management framework and in developing a corresponding ERM culture. Furthermore, more than 90% of the involved Finance organizations already ‘fully or partially manage compliance risk’ while less than 70% manage event risk.

Annotated Bibliography

Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control -- Integrated Framework”, Jersey City, NJ: AICPA/COSO (1992).

Aligning Corporate Governance with Enterprise Risk Management,

IBM Institute for Business Value, "Risk, regulation and return – Delivering value through Enterprise Risk Management”, April (2005).

Beasley, Mark S; Clune, Richard, Hermanson, Dana R, “ERM: a status report”, Internal Auditor - Volume 62, Issue 1, February (2005).

The Geneva Papers on Risk and Insurance Vol. 26 No. 3, Gerry Dickinson, Enterprise Risk Management: Its Origins and Conceptual Foundation

References

1. ↑ KMRD Partners; https://kmrdpartners.com/2018/04/05/enterprise-risk-management-process/
2. ↑ Adam Hayes; https://www.investopedia.com/terms/e/enterprise-risk-management.asp
3. ↑ https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/
4. ↑ ^{4.0 4.1 4.2} Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer"
5. ↑ https://www.wipo.int/about-ip/en/
6. ↑ Mary K. Pratt; https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO
7. ↑ Mary K. Pratt; https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO
8. ↑ https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf "ERM framework"
9. ↑ https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf "ERM framework"
10. ↑ Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"