Enterprise Risk Management
(→Definition) |
(→Definition) |
||
Line 4: | Line 4: | ||
== Definition == | == Definition == | ||
− | Enterprise risk management (ERM) is defined as a process, designed and applied in a coordinated manner by different corporate stakeholders such as the board of directors, managers and other corporate figures, designed to plan a suitable corporate strategy that protects the entire business from risk situations that would slow down or stop its proper functioning and growth. | + | Enterprise risk management (ERM) is defined as a process, designed and applied in a coordinated manner by different corporate stakeholders such as the board of directors, managers and other corporate figures, designed to plan a suitable corporate strategy that protects the entire business from risk situations that would slow down or stop its proper functioning and growth.<ref> KMRD Partners; https://kmrdpartners.com/2018/04/05/enterprise-risk-management-process/ </ref>As a process, it involves study and constant updating through data analysis and consultation between the various people involved: it is defined as the art and science of making informed decisions.<ref> Adam Hayes; https://www.investopedia.com/terms/e/enterprise-risk-management.asp </ref>A holistic approach not only aims to define and contain business risks, but also allows figures such as the executive manager to make risk management decisions in the interest of specific departments of the organisation and the extended network. |
− | <ref> KMRD Partners; https://kmrdpartners.com/2018/04/05/enterprise-risk-management-process/ </ref>As a process, it involves study and constant updating through data analysis and consultation between the various people involved: it is defined as the art and science of making informed decisions. | + | |
− | <ref> Adam Hayes; https://www.investopedia.com/terms/e/enterprise-risk-management.asp </ref>A holistic approach not only aims to define and contain business risks, but also allows figures such as the executive manager to make risk management decisions in the interest of specific departments of the organisation and the extended network. | + | |
<ref> https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/ </ref>In spite of the uniqueness of each company, ERM uses '''standards''' that allow a basic approach to the study of the company's business case. The objective of these documents/principles is to provide the team in charge of applying ERM with a guideline that can align them in the process but also establish a common point of view on the framework to be set up to succeed in the mission. These postulates are defined by international groups or industry groups and despite the legal factor to persist on the time, they are regularly supplemented and updated. | <ref> https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/ </ref>In spite of the uniqueness of each company, ERM uses '''standards''' that allow a basic approach to the study of the company's business case. The objective of these documents/principles is to provide the team in charge of applying ERM with a guideline that can align them in the process but also establish a common point of view on the framework to be set up to succeed in the mission. These postulates are defined by international groups or industry groups and despite the legal factor to persist on the time, they are regularly supplemented and updated. | ||
Trough the most important standards we recognise '''COSO 2017 – Enterprise Risk Management - Integrated Framework''' which has been reported on the wiki article as a relevant framework statement for ERM. | Trough the most important standards we recognise '''COSO 2017 – Enterprise Risk Management - Integrated Framework''' which has been reported on the wiki article as a relevant framework statement for ERM. |
Revision as of 21:27, 15 March 2022
Abstract
One of the most serious problems of today's businesses is the differentiation of risk that can be found within the various components of the business: management, operations, marketing, accounting, and finance. Often, in the past, risk was analysed by looking at individual departments, a strategy that allowed many companies to grow by assigning responsibilities to different managers. The problem of risk diversification, however, is precisely linked to corporate growth that does not go hand in hand with mutual control of the various corporate departments. In fact, if we consider relevant business enterprises, we cannot consider an individual risk analysis to be effective because it does not allow us to protect against combinations of events often linked to different business areas. The solution is a new approach that derives from common risk management, but which allows us to analyse a business in its integrity and no longer in its individual parts. Enterprise Risk Management is a new method posed as a solution in this analysis and will be the object of study for this article.
Definition
Enterprise risk management (ERM) is defined as a process, designed and applied in a coordinated manner by different corporate stakeholders such as the board of directors, managers and other corporate figures, designed to plan a suitable corporate strategy that protects the entire business from risk situations that would slow down or stop its proper functioning and growth.[1]As a process, it involves study and constant updating through data analysis and consultation between the various people involved: it is defined as the art and science of making informed decisions.[2]A holistic approach not only aims to define and contain business risks, but also allows figures such as the executive manager to make risk management decisions in the interest of specific departments of the organisation and the extended network. [3]In spite of the uniqueness of each company, ERM uses standards that allow a basic approach to the study of the company's business case. The objective of these documents/principles is to provide the team in charge of applying ERM with a guideline that can align them in the process but also establish a common point of view on the framework to be set up to succeed in the mission. These postulates are defined by international groups or industry groups and despite the legal factor to persist on the time, they are regularly supplemented and updated. Trough the most important standards we recognise COSO 2017 – Enterprise Risk Management - Integrated Framework which has been reported on the wiki article as a relevant framework statement for ERM.
Contents |
Origins
The origin of ERM is significant as we can consider it as an evolution of Risk Management. Historically, Risk Management had been focused primarily on financing rather than controlling risk.For many years, companies have been able to transfer certain types of risks to insurance companies. These transferred risks related to natural catastrophes, accidents, human error or fraud, but as the scope of insurance markets expanded, some types of commercial risks could be transferred, such as credit risks. This was sufficiently short-sighted that it gradually became evident to clients that risk involved aspects of management concern greater than financially surviving accidental losses. Strategic and operational parameters involved risks that required foresight and control. Stakeholders were demanding that the Board of Directors take an active role in managing risk. So ERM was born in the financial services industry as an extension and expansion of its classical financing approach to risk. Two primary forces – global orientation and business complexity – provoked ERM into existence. In response, five aspects of risk have been increasingly addressed: strategy, accountability, identification, ranking, and mitigation. From the outset, ERM was intended and anticipated to rise in significance beyond the CFO to the top executive – and on into the boardroom – where it would join the highest strategic concerns. A new executive – Chief Risk Officer – was even inaugurated to carry the ERM torch.
Chief Risk Officer
[4] A Chief Risk Officer (CRO) is a corporate executive responsible for identifying, analyzing, and mitigating internal and external risks. The role of the chief risk officer is constantly evolving . As companies adopt new technologies, the CRO must govern information security, protect against fraud, and guard intellectual property. The types of threats the CRO usually keeps watch for can be grouped into regulatory, competitive, and technical categories. As noted, companies must ensure they are in compliance with regulatory rules and fulfilling their obligations on reporting accurately to government agencies. [5] The CRO is responsible for implementing operational risk management and mitigation processes to avoid losses stemming from inadequate or failed procedures, systems or policies. Operational risk management includes business continuity and disaster recovery planning, developing information security processes and managing the governance of regulatory compliance data. [4] CROs must also check for procedural issues within their companies that may create exposure to a threat or liability. For example, if a company handles sensitive data from a third party, such as personal health information, there may be layers of security that the company is required to maintain to ensure that data is kept confidential. If there are lapses in that security—such as when an employee allows an unauthorized person, even within the company, to have access to a company computer that contains such data—it can be a form of exposure that a CRO must address. Unauthorized access to sensitive data may also constitute a competitive risk if there is the potential for rival organizations to use such information to take away clients or otherwise damage the public image of the company.
ERM Framework
[6] Enterprise Risk Management—Integrating with Strategy and Performance clarifies the importance of enterprise risk management in strategic planning and embedding it throughout an organization—because risk influences and aligns strategy and performance across all departments and functions. The Framework itself is a set of principles organized into five interrelated components:
1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk manage-ment. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity performance, an organization can con-sider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
ERM Weakness Points
[7]As an article in Risk Management Reports observed, “ While businesses have made progress in implementing enterprise risk management (ERM) programs, we have seen that such programs have often been ineffective. ERM has not become embedded in corporate strategic thinking and culture. Risk management processes continue to be fragmented and left to functional managers or business units and do not reflect a vision of the firm’s long-term goals. Summarizing ERM to date, it consists of methods and processes used by organizations to manage risks and seize opportunities influencing achievement of their objectives. Like all such innovative initiatives, ERM has been evolving – with contributions from many sources. In this evolution process has been delighted 5 main weakness points that could and must be overcome in order to consolidate this always-in-progress tool.
1. ERM Lacks the Framework it Touts
The expansion of traditional Risk Management beyond financial concerns – and denoting it as Enterprise Risk Management – was haphazard, almost random in nature. Obviously, the intent was to consolidate all activities, functions, and interests within a corporation so that their risks might be integrated, examined, and managed as a unit. The idea was admirable. But the very singularity it was seeking is missing – because it has no universal rationale or mechanism to attain it. ERM lacks the framework it touts. It has no defined process that assures TOTAL management of risk. Instead, it’s “bits and pieces” -- often focused on the sensational and obvious while ignoring the mundane and routine. The goal of ERM is to address risk in all areas of the enterprise.“Enterprise” turns out to be elusive rather than descriptive. ERM in one organization may not even resemble ERM in another. What is needed? Application of the systems approach – that global, holistic, all-encompassing, universal technique used successfully in high-risk space endeavors. That approach clearly defines the boundary of concern – so that there is no ambiguity about what is and what is not the entity for which risk is being managed. Once that is accomplished, its known inputs and desired outputs are established, a functional platform for identifying every conceivable risk is constructed, and risk scenarios are written. Until ERM becomes systematic, it will suffer misunderstanding,false exploitation, fragmentation, and confused reaction.
2. ERM is Reactive instead of Proactive
History certainly reveals a wealth of risks needing to be managed. However, those risks are only a portion of those that management must address if an organization is to protect and create value for its stakeholders -- including owners, employees, customers, regulators, and society overall. Risks that have yet to be revealed or experienced may be more consequential than the obvious ones that most organizations traditionally manage. There is no recognized and endorsed ERM process for foreseeing and identifying risks prior to experiencing their associated losses. This deficiency forces ERM to be reactive instead of proactive – waiting for a loss before implementing countermeasures against it. Reactionary management is always inefficient and impulsive – as well as expensive. ERM should be proactive, but it’s not. It’s usually reactive. Because it has no method or process for identifying risks that have not yet happened, it is destined to remain reactive. The sad fact is that – by being reactive – every loss is much more costly than if it had been foreseen and controlled.
3. ERM Discards the Wisdom of Insiders
Insurers and risk consultants in financial institutions have always convinced most client executives that they know how best to manage risk. So those executives have fallen victim to engaging experts from the outside to tell them what they already know -- while still remaining vulnerable to risks the outsiders know nothing about. Most critically, the wisdom required to manage and control risk is right within the enterprise itself. The key is to have a technique that extracts and organizes that wisdom. Traditionally, risk management has been a profitable business – primarily because it was performed by insurers on behalf of the insured. But risks really weren’t managed. They were financed. So it follows logically that the early recruits and participants in ERM came from the financial end of the risk management spectrum – rather than the control end. Their influence and earmarks cannot be denied.Yet, as the scope of risk concern broadened under ERM to include control of risk, it became obvious that risk management knowledge and expertise required was not available from the outside financial experts who had historically provided it. This is not to say that outside financial consultants cannot augment the internal wisdom of a client enterprise regarding management of risk. But the shortcoming is that they typically limit their involvement to a few mid- or high-level client managers with financial interests. Risks can only be impacted or reduced by those in control of the scene wherein they occur – and it is those very people who are rarely involved in the ERM process even though they have the greatest knowledge and understanding of those risks. ERM discards the wisdom of insiders.
4. ERM Doesn’t Calculate Mitigation Costs
Every identified risk attracts management attention – in one of two ways. If it is defined only in terms of its severity and likelihood, unanimity of concern about it is generally universal but inconsequential. Why? Because there is no consequence involved. Everyone agrees that the risk exists. But it is simply a moral concern – but not a management one. However, if a third dimension – mitigation cost – is assigned to that risk, decision -makers are forced to address it. It becomes consequential. It cannot be ignored. Questions arise – about all three dimensions because, taken collectively, that risk can now be placed in an array of management significance or consequence. Executives become accountable for its management. As a general rule, ERM measures risk in only two dimensions – severity and likelihood. With little doubt, this short-sighted approach almost guarantees that management will not get involved in addressing it. It may become assigned to a list or a group of similar risks or be classified within a zone of interest. But without a mitigation price tag, management will ignore it. Ignoring mitigation cost assures ignored risk.
5. ERM Fails to Rank Risks
There are never enough resources in any organization to mitigate every identified risk. So allocating resources to manage risk is a prime concern for executives. On what basis then can an executive determine the necessity for investment to control risk? How can one risk be justified as more important than another? When and how can a decision-maker feel justified in allocating limited resources to competing candidates for risk control – particularly when great diversity in complexity, function, or cost among them exists? Compounding this dilemma is the possibility that risk identification itself may even be manipulated to favor or influence resource allocation decisions. Should an executive desire to have the organization publicly appear more risk responsible, he could limit or divert the function of risk identification – ordering that certain types of known risk not be acknowledged and documented. Such a risk ranking will always remain dynamic, not static -- not only because the world is always changing but because risk identification is an ongoing activity. New risks can be expected to be identified on an ongoing basis. Further, as risk mitigation takes place, there is constant re-ordering of the ranking that reflects the impact of risks that have been controlled.
ERM Continuum
Businesses evolve their response to risk along a Risk and Compliance maturity continuum. ERM is a never ending developing strategy framework that aim to perform the best on different stages.
1. In the Comply Stage, they start with a strategy of penalty avoidance, often implemented through manual auditing and control procedures on top of existing processes. Frequently, laws also require changes to business processes, which are done manually and in an uncoordinated manner in this stage.
2.As businesses realize that compliance is not limited to a one year project but rather an approach that must be sustained and adapted to meet changing regulations year after year,they enter the improve stage. Most companies in the Improve Stage initially focus on improving the efficiency of their compliance and control procedures to minimize cost by standardizing procedures across the enterprise and adding automated status monitoring. The processes in turn are instrumented with the necessary control points, measurements and metrics needed to enable automated monitoring. Long term this will reduce today’s redundant control procedures to be replaced by lighter-weight random audit checks and control procedures to ensure the separation of duty and increase overall accountability.
3. As enterprises enter the transform stage they embrace a holistic, optimized risk management approach looking at events and classifying them into risks and opportunities, based on well-defined policies that take risk and regulations into account. In this stage, the enterprise is focused on achieving internal improvements by streamlining and rationalizing processes at an enterprise level and by adding automated control points directly into the business procedures to replace error-prone manual controls.
Giving some percentages data related to this Tool, according to Mark Beasly’s 2005 ERM Status Report about half of the companies had either no ERM plans, had not decided yet or thinking about it for the future. About 37% claimed to have partial ERM plans implemented and 11% claimed to have a full ERM system in place. Most companies today are still in the comply stage and working their way towards the improve stage.
For example, only 12% of companies have a large level of automatically generated reports.
One year later, the situation seems to have shifted. According to the latest CFO study of the IBM Institute of Business Value, more than 75% percent of the studied Finance
departments ‘frequently or sometimes’ support their company in designing an enterprise risk management framework and in developing a corresponding ERM culture.
Furthermore, more than 90% of the involved Finance organizations already ‘fully or partially manage compliance risk’ while less than 70% manage event risk.
Annotated Bibliography
Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control -- Integrated Framework”, Jersey City, NJ: AICPA/COSO (1992).
IBM Institute for Business Value, "Risk, regulation and return – Delivering value through Enterprise Risk Management”, April (2005).
Beasley, Mark S; Clune, Richard, Hermanson, Dana R, “ERM: a status report”, Internal Auditor - Volume 62, Issue 1, February (2005).
The Geneva Papers on Risk and Insurance Vol. 26 No. 3, Gerry Dickinson, Enterprise Risk Management: Its Origins and Conceptual Foundation
References
- ↑ KMRD Partners; https://kmrdpartners.com/2018/04/05/enterprise-risk-management-process/
- ↑ Adam Hayes; https://www.investopedia.com/terms/e/enterprise-risk-management.asp
- ↑ https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/
- ↑ 4.0 4.1 Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer"
- ↑ Mary K. Pratt; https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO
- ↑ https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf "ERM framework"
- ↑ Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"