Enterprise Risk Management

From apppm
(Difference between revisions)
Jump to: navigation, search
(Definition)
(Chief Risk Officer)
Line 23: Line 23:
 
=== Chief Risk Officer ===
 
=== Chief Risk Officer ===
  
<ref name = "CRO def"> Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer" </ref> The Chief Risk Officer (CRO) is corporate executive responsible for identifying, analyzing, and mitigating internal and external risks.As ERM is a costant evolution process, CRO follows it. Based on the innovation that nowadays corporations have to pursue expecially on the technology field, the CRO must govern the information security, protect the different stakeholders against frauds, and guard <ref> https://www.wipo.int/about-ip/en/ </ref> intellectual property, that is basically defined as the inventions patended by the company. <ref name = "CRO def"> Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer" </ref>We can categorised the types of threats that the CRO usually  controls for can be grouped into regulatory, competitive, and technical groups.Corporations must verify that they are in accordance with the rules reporting accurately to government agencies their obbligations.
+
<ref name = "CRO def"> Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer" </ref> The Chief Risk Officer (CRO) is corporate executive responsible for identifying, analyzing, and mitigating internal and external risks.As ERM is a costant evolution process, CRO follows it. Based on the innovation that nowadays corporations have to pursue expecially on the technology field, the CRO must govern the information security, protect the different stakeholders against frauds, and guard <ref> WIPO World Intellectual  https://www.wipo.int/about-ip/en/ </ref> intellectual property, that is basically defined as the inventions patended by the company. <ref name = "CRO def"> Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer" </ref>We can categorised the types of threats that the CRO usually  controls for can be grouped into regulatory, competitive, and technical groups.Corporations must verify that they are in accordance with the rules reporting accurately to government agencies their obbligations.
 
<ref> Mary K. Pratt; https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO </ref> The CRO as an internal stakeholder is responsible for the development of operational risk management and he is in charge of protecting the company from losses resulting from inadequate procedures, systems and policies.
 
<ref> Mary K. Pratt; https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO </ref> The CRO as an internal stakeholder is responsible for the development of operational risk management and he is in charge of protecting the company from losses resulting from inadequate procedures, systems and policies.
 
<ref name = "CRO def"> Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer" </ref> Cro stands as the advocate of the law, as an example, considering companies using sensitive data, it is important to safeguard them by continuously updating cookie and policy mechanisms. The management of these protocols is the responsibility of the figure in question, who must collaborate with the IT branch of the company in order to avoid problems such as access to these data by unauthorised persons or, worse still, the sharing of these data.  
 
<ref name = "CRO def"> Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer" </ref> Cro stands as the advocate of the law, as an example, considering companies using sensitive data, it is important to safeguard them by continuously updating cookie and policy mechanisms. The management of these protocols is the responsibility of the figure in question, who must collaborate with the IT branch of the company in order to avoid problems such as access to these data by unauthorised persons or, worse still, the sharing of these data.  

Revision as of 14:45, 20 March 2022

writed & developed by Pietro Boschetto

Abstract

One of the most serious problems of today's businesses is the differentiation of risk that can be found within the various components of the business: management, operations, marketing, accounting, and finance. Often, in the past, risk was analysed by looking at individual departments, a strategy that allowed many companies to grow by assigning responsibilities to different managers. The problem of risk diversification, however, is precisely linked to corporate growth that does not go hand in hand with mutual control of the various corporate departments. In fact, if we consider relevant business enterprises, we cannot consider an individual risk analysis to be effective because it does not allow us to protect against combinations of events often linked to different business areas. The solution is a new approach that derives from common risk management, but which allows us to analyse a business in its integrity and no longer in its individual parts. Enterprise Risk Management is a new method posed as a solution in this analysis and will be the object of study for this article.

Definition

Risk categorization.png

Enterprise risk management (ERM) is defined as a process, designed and applied in a coordinated manner by different corporate stakeholders such as the board of directors, managers and other corporate figures, designed to plan a suitable corporate strategy that protects the entire business from risk situations that would slow down or stop its proper functioning and growth.[1]As a process, it involves study and constant updating through data analysis and consultation between the various people involved: it is defined as the art and science of making informed decisions.[2]A holistic approach not only aims to define and contain business risks, but also allows figures such as the executive manager to make risk management decisions in the interest of specific departments of the organisation and the extended network. [3]In spite of the uniqueness of each company, ERM uses standards that allow a basic approach to the study of the company's business case. The objective of these documents/principles is to provide the team in charge of applying ERM with a guideline that can align them in the process but also establish a common point of view on the framework to be set up to succeed in the mission. These postulates are defined by international groups or industry groups and despite the legal factor to persist on the time, they are regularly supplemented and updated. Trough the most important standards we recognise COSO 2017 – Enterprise Risk Management - Integrated Framework which has been reported on the wiki article as a relevant framework statement for ERM.

Contents


Origins

Is difficult to define proper origins for Enterprise Risk Management, as an evolution of Risk Management is better to describe the motivations that lead to this new approach. Starting from the late 40s to the early 50s we can identify 2 main fields for importance related to risk management, and this are the management of insurance risks and financial risks. Back in the days, Companies used to affiliate certain types of risks to insurance companies.These transferred risks related to natural catastrophes, accidents, human error and fraud allowed insurance markets to expand, letting them consider also types of commercial risks such as credit risks. The tactic adopted forced managers to consider alternatives to the purchase of insurance. Risk Management represented an Opportunity Cost that companies weren't considering, moreover, allowing the management of risk by a character inside the corporation would have allowed a better analysis as it exploits the internal point of view and subjected to greater engagement. The 70s where characterized by a huge development on the financial risk management in particular considering movements in exchange rates, commodity prices, interest rates and stock prices. The existence of financial derivatives also forced companies to consider more carefully the pricing of risks, how risks could be financed internally, and the value of the additional services supplied by investment banks as a big cake slice. Companies also understood that insurable risks and financial risks could have been managed together, since the coordination of them would have led to a good risk management.The next step in the development of a more holistic approach to risk management came from Contingency planning , which has been a part of corporate policy for many years. Its purpose was to identify those activities that might have been threatened by dangerous events and to have systems in place to cope with these events. Business Management extended the practice of Contingency Planning requiring more internal systems. As a result of the combined work of the Contingency Planning and the Business Management we have Enterprise Risk Management that is historically traced from the 90s. The identification of this new method brought also to the formation of a new figure in the company called Chief Risk Officer in charge of the correct analysis and development of ERM.


Chief Risk Officer

[4] The Chief Risk Officer (CRO) is corporate executive responsible for identifying, analyzing, and mitigating internal and external risks.As ERM is a costant evolution process, CRO follows it. Based on the innovation that nowadays corporations have to pursue expecially on the technology field, the CRO must govern the information security, protect the different stakeholders against frauds, and guard [5] intellectual property, that is basically defined as the inventions patended by the company. [4]We can categorised the types of threats that the CRO usually controls for can be grouped into regulatory, competitive, and technical groups.Corporations must verify that they are in accordance with the rules reporting accurately to government agencies their obbligations. [6] The CRO as an internal stakeholder is responsible for the development of operational risk management and he is in charge of protecting the company from losses resulting from inadequate procedures, systems and policies. [4] Cro stands as the advocate of the law, as an example, considering companies using sensitive data, it is important to safeguard them by continuously updating cookie and policy mechanisms. The management of these protocols is the responsibility of the figure in question, who must collaborate with the IT branch of the company in order to avoid problems such as access to these data by unauthorised persons or, worse still, the sharing of these data. [7]The job position of the CRO is very articulated and has different fields of application. That is why this role is often covered by people with high education level with up to 20 years of experience in accounting, economics, legal or actuarial work, and many have specialised training in risk management.

ERM Framework

[8]As stated in the definition of ERM, the use of standards is quite relevant to ensure proper alignment between all participants in this task. One of the most relevant is COSO, whose name derives from the Committee of Sponsoring Organisations of the Treadway Commission, the group that commissioned the project. By pursuing leadership and developing understandable frameworks to optimise internal management control, COSO deters fraud by improving organisational performance.This document highlights the importance of considering risk in both the strategy-setting process and in driving performance. At the base of this report there are objectives such as improving the alignment between performance and Enterprise Risk Management to understand the impact of risk on performance, but also new ways of looking at risk in order to achieve objectives in a more complex business environment. COSO will also evaluate the importance of evolving technologies, data and analytics to support decision-making.

[9]Before going trought the main framework part is important to clarify that ERM is not properly a function or a department, is way more the culture, capabilities and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value. As a framework we identify 5 different components that must be addressed on a ERM analysis:

1. Governance and Culture: Governance and Culture play a crucial role in a correct Enterprise Risk Management application. In the foreground we must consider the resulting interdependence between directors, senior management, internal and external auditors, and risk owners. A relevant feature that allows the company to map out a good business strategy. [10] By the culture side, ERM influences business decisions and determines how organisations deal with risk. ERM culture is a product of shared values and behaviours that aim to establish predictability and reliability in executing processes for managing risk.

2. Strategy and Objective-Setting:[11] Strategy and objective setting can be defined as the main structural component of ERM framework as it is articulated in different principles which are business context analysis, risk appetite definition, alternative strategies evaluation and business objects formulation. All of this different tasks provide a complete overview of the risk contest and permit to avoid it.

3. Performance: [12] Performance and risk can be defined as 2 sides of the same coin, in fact higher performances are related to higher risk. ERM consider performances as the most suitable proof of the work done providing a real-time feedback capable of highlight which are the most dangerous aspects of risk to consider in order to achieve a better future strategy. The consequence is a selection of the risk response by the organisation that is allowed to get a portfolio view of the amount of risk it has assumed. Key risk stakeholders are in the end able to analyse and develop their strategy.

4. Review and Revision: The review process is another relevant aspect concerning the post ERM application emphasizing what followed the path and what didn't. As a process , ERM is allowed to give wrong predictions, the aim of the revision part is to analyse and report important issues that must be solved in order to obtain the best result and the lower risk.

5. Information, Communication, and Reporting:As already mentioned on the definition, ERM is a method that is constantly evolving,and it requires a communication system that can maintain a certain alignment between all collaborating elements. However, ERM needs not only good communication, but also constant input from external factors that can update the company's strategy as the risk evolves.

Framework ERM.png

ERM Weakness Points

Although we may consider ERM as the last frontier for business protection, there are negative aspects of this approach that need to be considered and evaluated. However, it should be pointed out that this method is complicated to apply and that the possible problems that may arise are often linked to production realities that struggle to relate to a holistic approach. The final outcome is an ineffective strategy that can not deal with risk. There are five main weakness points that perfectly define how ERM could become unproductive:

1. ERM Lacks the Framework it Touts

[13] In spite of the use of an appropriate framework capable of standardising the fundamental aspects of ERM, this method often lacks concreteness, becoming elusive and underperforming. The reason is that risk management is ineffective if not applied by different stakeholders within the company. The result is a strategy that may be effective but is fragmented and does not protect against risk.

2. ERM is Reactive instead of Proactive

[14]Perhaps one of the most unfavourable points of Enterprise Risk Management is that it reacts to risk situations rather than anticipating them. Contrary to what one might think, it is unthinkable for ERM to define an alert status without being able to define the risk. This means that a recognised risk makes it possible to operate at a strategic organisational level to limit damage but not to avoid it completely. This reactive rather than proactive approach is the most important limitation of this process, which is not always seen as the optimal solution.

3. ERM Discards the Wisdom of Insiders

[15]ERM needs competent people who can develop it across different management areas and with a relevant background covering different risk inputs and business cases. In spite of the high professionalism of the specialists, those who can really represent a resource and a solution are the employees of the various business areas who are often not consulted. This is why ERM is said to discard the wisdom of insiders: it does not consider figures of the lower organisational ladder who have the deepest knowledge of the risk in question, thus reporting an incorrect risk assessment.

4. ERM Doesn’t Calculate Mitigation Costs

[16]For Mitigation Costs is meant the mitigation of loss that would be payable under a contract or policy.[17] Risk can attract management from two points of view, which are respectively the severity and the probability of occurrence. This means that also for the Enterprise Risk Management we can have an identification of the risk through these two characteristics, but without being able to define how this will concretely impact the business. What is missing is the formalisation of a mitigation cost, how the risk can actually harm the business. ERM therefore makes it possible to assess the possible risks without converting them into damage that can affect a business economically.

5. ERM Fails to Rank Risks

[18] Enterprise risk management makes possible to define risk situations in a business, but without ranking them. The result is the discovery of risk environments without being able to catalogue and order them. If we consider it important to protect the company from the damage that may occur, we must also be able to decide on the least damage, and this is unfortunately not an output of ERM. However, one factor that must be taken into account is the dynamism of risk environments, i.e. the speed with which they can change and therefore be updated in the ranking, which is why, although important, this weakness does not completely condemn ERM.

ERM Continuum

ERM maturity continuum.png

ERM needs continuous updating and development as risk environments are constantly changing. Based on this we can recognise three important steps that outline this path:4n

1. In the Comply Stage, there is a phase of developing and applying a strategy to avoid risky situations. After outlining the starting point there is a real review of strategies already in use which can then be improved. Even in the bureaucratic field, there are often revisions of laws that can be adapted to business strategies.

2.The second stage is also defined as the Improving Stage and aims to improve the efficiency of risk control procedures in order to reduce costs through standardisation. The benefits of this stage can be seen throughout the enterprise as monitoring processes are automated, eliminating redundancy in control procedures and optimising time.

3.With the last step called Transform Stage we reach the real Holistic approach that characterises this Risk Management model. It is at this stage that a true definition of risks and opportunities in the various management areas is achieved, all based on policies that consider risk and regulations related to it. The focus of this stage is to improve ERM performance by rationalising and simplifying the control points within the different business areas of the company in order to replace error-prone manual controls.


Giving some percentages data related to this Tool, according to Mark Beasly’s 2005 ERM Status Report about half of the companies had either no ERM plans, had not decided yet or thinking about it for the future. About 37% claimed to have partial ERM plans implemented and 11% claimed to have a full ERM system in place. Most companies today are still in the comply stage and working their way towards the improve stage. For example, only 12% of companies have a large level of automatically generated reports. One year later, the situation seems to have shifted. According to the latest CFO study of the IBM Institute of Business Value, more than 75% percent of the studied Finance departments ‘frequently or sometimes’ support their company in designing an enterprise risk management framework and in developing a corresponding ERM culture. Furthermore, more than 90% of the involved Finance organizations already ‘fully or partially manage compliance risk’ while less than 70% manage event risk.

Annotated Bibliography

Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control -- Integrated Framework”, Jersey City, NJ: AICPA/COSO (1992).

Aligning Corporate Governance with Enterprise Risk Management,

IBM Institute for Business Value, "Risk, regulation and return – Delivering value through Enterprise Risk Management”, April (2005).

Beasley, Mark S; Clune, Richard, Hermanson, Dana R, “ERM: a status report”, Internal Auditor - Volume 62, Issue 1, February (2005).

The Geneva Papers on Risk and Insurance Vol. 26 No. 3, Gerry Dickinson, Enterprise Risk Management: Its Origins and Conceptual Foundation

References

  1. KMRD Partners; https://kmrdpartners.com/2018/04/05/enterprise-risk-management-process/
  2. Adam Hayes; https://www.investopedia.com/terms/e/enterprise-risk-management.asp
  3. Institute of Risk Management, https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/
  4. 4.0 4.1 4.2 Adam Hayes; https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp "Chief Risk Officer"
  5. WIPO World Intellectual https://www.wipo.int/about-ip/en/
  6. Mary K. Pratt; https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO
  7. Mary K. Pratt; https://searchcompliance.techtarget.com/definition/Chief-risk-officer-CRO
  8. https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf "ERM framework"
  9. https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf "ERM framework"
  10. https://www.continuitycentral.com/index.php/news/erm-news/6510-building-an-effective-enterprise-risk-management-culture
  11. https://www.universalcpareview.com/ask-joey/what-is-the-strategy-and-objective-setting-component-of-erm/
  12. Mike Bourne & Matteo Mura, https://www.tandfonline.com/doi/full/10.1080/09537287.2018.1520319
  13. Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"
  14. Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"
  15. Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"
  16. https://www.lawinsider.com/dictionary/mitigation-costs
  17. Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"
  18. Shanon McKenzie; https://silo.tips/download/five-weaknesses-of-enterprise-risk-management "ERM 5 Weakness Points"
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox