Enterprise Risk Management (Summary)

Published on January 2017

Enterprise Risk Management (ERM) – Summarized e-Booklet

Produced By

1. Introduction to Enterprise Risk Management

“Risk comes from not knowing what you’re doing.” – Warren Buffett

The Enron scandal in 2002: Enron inflated cashflow and asset values, and spun off liabilities to “special purpose entities”.

Risk has become an ever-present feature of our everyday life. Its ascent to become the buzzword of the decade is nothing short of meteoric, thanks in large part to the furore over the accounting scandals of Enron and WorldCom in 2002, and the subsequent enactment of the Sarbanes-Oxley Act. The spotlight is cast on the enigmatic word – risk. What is risk? Overnight, the world appears much more risky than before. Risk suddenly appears everywhere. The literature on risk multiplies exponentially. But why has risk become such a popular topic?

Two main reasons have contributed to the popularity of risk: more risks, and ever more complicated risks. With globalisation came exposure. 20 years ago, companies welcomed globalisation as they faced the prospect of greater profit, but not many prepared themselves for the increased risks that came with it. Companies are not just faced with more risks; the consequences of these risks are also increasingly severe. An example: although Hurricane Andrew in 1993 was recorded as weaker than Hurricane Camille in 1969, Andrew caused USD 26.5 bn in damage, almost 19 times as much as Camille, and 5 times as much damage inflation-adjusted. This goes to show just how much greater the stakes have become.

In picture: Enron founder and chairman Kenneth Lay. Source: Business 2.0 magazine

As the business landscape broadens and changes over time, more complicated risks also present themselves. Currency risk was not common to companies 20 years ago; now every company has an active currency risk management policy. The failure to plan ahead has left many companies vulnerable to all sorts of risks they may not even have heard of. The increasing complexity and consequences of these risks carry an important message for all companies: manage your risks, or die.

Enterprise Risk Management - trend or fad?

Due to the increasing concern over risk management, Enterprise Risk Management (ERM) came into being, playing an increasingly important role in helping organisations worldwide manage their risks properly. Through a systematic and integrated process of managing risks, organisations are better prepared to face harsh and unpredictable business conditions. Yet, it was at risk of becoming a fad. ERM’s popularity declined in the years following the Sarbanes-Oxley Act, with it often being treated as a management policy or pet project and not carried out properly. Worse, it is commonly viewed by management as a cost centre, a dispensable or even useless programme that does not add value to the organisation. This can be seen in the amount of leverage and the increasingly aggressive strategies taken by investment banks prior to the financial meltdown in 2008. Greed had prevailed over common sense. With the occurrence of the financial crisis, ERM has belatedly returned to the fore. Organisations are again placing greater weight on risk management, and they view ERM as a value-creating process and an integral part of decision-making and business activities.

Enterprise Risk Management & You

At this point, you may be inclined to ask: so what does ERM have to do with me? The answer is simply: everything. Whether you are going to be an entrepreneur, a banker, an accountant or an engineer, a sound knowledge of ERM equips you with the tools to help your future organisation combat and mitigate risks. As an active participant in your respective CCAs, understanding ERM can also help you better understand the risks that affect your CCA, and implement measures to manage these risks. Whichever way you look at it, having an understanding of ERM certainly increases your stock! This handbook is a useful primer to introduce you to ERM, including what ERM is and what it comprises, the benefits of implementing ERM and the common misconceptions of ERM. We borrow heavily from the widely used COSO ERM Framework. We hope this handbook will provide you with a different perspective of risk, and an insight into the ingredients for creating a successful ERM process. Enjoy reading!

Source: www.airmic.com

2. What is Enterprise Risk Management?

ERM, as we know, is a discipline under the more general field of risk management. Deloach (2000) suggested that ERM is the evolution of operational risk management into a strategic process which aligns strategy, process, people and technology at the entity level.

Evolution of Enterprise Risk Management

Source: www.husdal.com

There are currently several definitions of ERM proposed by different frameworks. The Casualty Actuarial Society, in its 2003 publication “An Overview of Enterprise Risk Management”, defined Enterprise Risk Management as “the discipline by which an organisation in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organisation's short- and long-term value to its stakeholders." Alternatively, according to the COSO ERM Framework, Enterprise Risk Management is defined as “a process, effected by an organisation’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the organisation, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of organisation objectives”. We can see that both definitions set out what constitutes the elements of a good ERM process, which we explore in a later section.

3. The components of Enterprise Risk Management

ERM comprises eight distinct but interrelated components. Each component is vital to the success of the ERM system, and all of them should be aligned with the objectives of the organisation. Implementation of the ERM system should take place at every level of the organisation, which includes the subsidiary, business unit, divisional and organisational levels. The components are:

Internal Environment
The internal environment strongly influences how the people and the organisation perceive risk and ERM. It consists of the organisational culture, the way senior management views risk and ERM, and the individual characteristics of the personnel – their integrity, competence, and ethical values. Organisations should strive to create an internal environment that reflects their risk appetite. This will better enable risks to be managed to the organisation’s accepted level.

Source: COSO ERM Framework

Objective Setting
ERM ensures that the organisation has a systematic process to set objectives which are aligned with the organisation’s mission and its risk appetite. Setting objectives, in turn, helps management identify risk-causing events using ERM techniques.

Event Identification
Potential events that can affect the organisation’s objectives are identified. These events can come from internal or external sources, and may represent risk, opportunity, or both. Risks and opportunities should be distinguished so that management can take appropriate action to mitigate the risk or capitalise on the opportunity. The COSO Framework identifies events as the main triggers of risk. However, such a narrow view of risk may obscure the organisation’s view of the entire universe of risks, and leave it susceptible to risks which are not caused by a single triggering event, or those caused by events that have no precedent.

Figure: ERM process – Identification, Assessment, Response & Control

Risk Assessment
The identified risks are assessed to determine how the organisation should respond to them. This assessment should take into consideration the affected objectives, the impact and the likelihood of the risk occurring.

Risk Response
Potential responses to the risk are identified. These include acceptance, sharing, reduction, and avoidance. Risk responses should be aligned with the organisation’s risk appetite and tolerance.

Source: Passenheim (2009)

Control Activities
Control activities constitute the policies and procedures instituted and implemented to execute the risk response in a timely and proper manner.

Information and Communication
Relevant information is captured and communicated in a form and timeframe to enable personnel to carry out their duties effectively. This includes clear communication to the personnel of their roles and responsibilities. Information does not simply flow top-down, or bottom-up, but also across the organisation at all levels. Unrestrained flow of information is pivotal for the organisation to identify, assess and respond to risks on a timely basis.

Monitoring
The ERM system is monitored to ensure fast reaction to changing risks and dynamic risk management. Monitoring can take the form of ongoing management activities or separate evaluations, or a combination of the two.

4. Benefits of Enterprise Risk Management

ERM is more than just a risk management activity; it is a value creation activity that is vital to the proper functioning of the entire organisation to achieve its strategic objectives. The effects of implementing ERM can be felt in all aspects of the organisation. Let us take a look at 5 benefits that implementing a good ERM process brings to the organisation.

4.1 Alignment of risk and strategy

Executives consider the risk appetite of the organisation when assessing strategic alternatives and when developing mechanisms to control the risks. The focus is now not merely on returns, but on risk-adjusted returns, and ERM provides the platform for management to maximise risk-adjusted returns.

4.2 Improvement from risk-based decisions

ERM provides alternatives in the case where a risk is detected – risk avoidance, acceptance, reduction and sharing. This allows management flexibility in making decisions according to the organisation’s risk appetite.

4.3 Reduction in surprises and losses in the business environment

Organisations improve their ability to recognize possible events and to initiate counteractive measures as well as to reduce surprises and the expenses or losses involved with them.

4.4 Identification and management of multiple and cross-organisation risks

Every organisation faces a large number of risks that concern several divisions at once. Organisation-wide risk management allows effective, coordinated responses to risks that depend on one another, as well as general measures that address multiple risks together.

4.5 Identification of Opportunities

ERM considers all possible events including opportunities, hence allowing management to recognize and proactively capitalize on these opportunities.

5. Misconceptions about Enterprise Risk Management

In the development of ERM over the past decade, organisations have not always been practising correct ERM processes. In fact, there are a number of misconceptions about ERM which hinder its successful execution. In this section, we attempt to dispel 5 common misconceptions about ERM. Do not make the same mistakes!

5.1 The biggest risk an organisation faces is financial risk.

In fact, the biggest risk that an organisation faces is strategic risk, in other words, failure of organisational strategy. Organisations tend to view financial risks such as fraud most seriously, but strategic failures and the inability to assess and mitigate risks in strategy have had the greatest impact by way of share price declines.

Source: Corporate Executive Board Research

5.2 ERM is a one-off project.

Such a view will lead to a waste of resources, as the organisation will not be able to see the returns on its investment in its ERM programme. To realise the benefits of ERM, an organisation should follow through its ERM programme for a number of years, and reinforce the effects of ERM with supporting factors such as a consistent organisational culture and risk philosophy that is in line with the organisational strategy.

5.3 My company is safe because we review risks on an annual basis.

Reviewing risks and the implemented control system annually provides only a static view of the risks. How can this allow the organisation to compete in a dynamic and unpredictable business environment? 88% of senior executives in a 2009 Corporate Executive Board survey tagged “agility” as “important” or “extremely important” to the overall business success at their companies. Thus, for effective risk management, a company has to actively manage risks and make timely changes to its risk management priority. In other words, organisational risk agility is paramount.

5.4 The organisation is well-protected if it has a strong quantitative model to measure risk.

Contrary to what many may think, quantitative risk models are not the definitive cure for enterprise risks. Current quantitative models, such as the widely-used Value-at-Risk (VaR) model, oversimplify risks and were also shown to have fallen short in the financial crisis of 2008. Further, such models are not totally objective, but require the users’ subjective judgement and assumptions, and are liable to backfire if the user exercises the wrong judgement or the model is used blindly.

Source: www.bfinance.co.uk

5.5 Risks must be quantified.

Quantitative risk assessment is not the only available mode of assessment. Risks can also be assessed qualitatively. It is not always worthwhile to quantify each and every risk. In fact, most of the risks that are quantifiable are easily manageable, and the hard-to-quantify risks tend to be those that may affect the organisation most severely. It is, however, important that in both quantitative and qualitative risk assessments, proper judgement must be justified and exercised.

6. Elements of a successful ERM

Recall the definition of ERM provided by the COSO Framework in Section 2. Based on this definition, we look at the different elements that contribute to a successful ERM process.

6.1 A Process

ERM consists of continuous and iterative actions taken to adjust the organisation’s risk management system in the face of the changing risk landscape. ERM should not be a knee-jerk response to a particular event. Neither should ERM be a bolt-on to daily activities, such as adding a quality control step to a production line. ERM is effective only if it is part of the essence of the organisation: it is built into the organisation’s model and directly affects objective and strategy setting. Building in ERM this way also saves costs by focusing on existing processes and integrating risk management into the basic processes, instead of adding new ones. This is especially important in the present competitive markets.

6.2 Effected by People

ERM is effected by the board of directors, management and other staff. They set the goals and strategy for the organisation, and are responsible for designing, implementing and executing the ERM mechanisms to accomplish them. For ERM to be effective, it must have top management support and a strong core team with representation from each of the business units. The core team will also need to develop a clear vision of how ERM is used going forward, and how it is integrated within the organisation to achieve its objectives.

6.3 Applied in Setting Strategy

Management should consider risk relative to the different strategy alternatives. Different strategies are associated with different levels of risk. ERM helps management identify risks for each strategy alternative and assemble risk profiles. In this way, ERM techniques also help management evaluate and select the optimal strategy.

6.4 Applied Across the Enterprise

ERM should be implemented across the entire organisation. ERM takes place at all levels of the organisation, from strategy setting to production and operations to customer communication. The organisation needs to take a portfolio view of risk. This means considering the impact of risks on the organisation as a whole, and not just on individual departments. The manager at each business unit, functional or process level should assess the relevant risks. Senior management will then consider risks at all levels to generate an overall risk assessment for the organisation.

6.5 Risk Appetite

Risk appetite is the amount of risk the organisation is willing to accept as it strives to maximise returns. Risk appetite affects the organisation’s culture and operational philosophy. Risk appetite greatly affects the organisation’s strategy setting and resource allocation. ERM is instrumental in assisting management to set the optimal strategy in alignment with its risk appetite. Resources are allocated according to the organisation’s risk appetite and desired return, as well as the infrastructure required to monitor and respond to risks. Hence, defining the organisation’s risk appetite is of utmost importance, as ERM is dependent on clear direction provided by the risk appetite, which serves as the critical link between corporate strategy and day-to-day risk assumption.

7. Future of ERM

We have seen how ERM contributes to the organisation, how the ERM process works and what constitutes good ERM practice. Indeed, ERM is a vital tool for companies to manage their strategy and operations. Yet, many organisations view ERM as a regulatory requirement or an unnecessary expense. The fact that unmitigated or poorly controlled risks are likely to cost the organisation much more than a well-designed ERM system appears well-hidden from them, for one reason or another. This could explain why the 2010 COSO ERM Survey showed that only 3.4% of 460 ERM leaders considered their organisation’s ERM process to be “very mature”.

Source: SAS

However, the 2008 financial crisis has revived interest in ERM, and there is growing evidence provided by US insurers that proper ERM does minimise the impact of risk. A strong trend has emerged towards a more systematic and more formal approach to implementing ERM processes. ERM is now being seen as a value-creating activity, enabling not just an entity-wide portfolio management of risks, but also helping the organisation capitalise on opportunities. With this shift in perspective, ERM has evolved from a “good-to-have” to a “must-have”. In fact, Singapore is closely following the trend, with KPMG reporting an almost 50% increase in ERM adoption among the companies surveyed, from 35% in 2006 to 51% in 2010. The future of ERM remains bright indeed.

References

Casualty Actuarial Society, 2003. Overview of Enterprise Risk Management. http://www.casact.org/research/erm/overview.pdf

Committee of Sponsoring Organizations of the Treadway Commission, 2004. The COSO Enterprise Risk Management Integrated Framework.

Committee of Sponsoring Organizations of the Treadway Commission, 2004. The COSO Enterprise Risk Management Integrated Framework: Application Techniques.

Committee of Sponsoring Organizations of the Treadway Commission, 2004. COSO’s 2010 report on ERM. http://www.coso.org/documents/COSOSurveyReportFULL-Web-R6FINALforWEBPOSTING111710.pdf

Corporate Executive Board India, 2010. Six Myths on how to assess and mitigate risk. http://www.scribd.com/doc/26301480/Six-Risk-Management-Myths

Germond, N., 2009. Eight Common Pitfalls of Enterprise Risk Management Implementation. http://www.allbusiness.com/company-activities-management/management-risk/13116305-1.html

Germond, N., 2010. Enterprise Risk Management a Must in 2011 and Beyond. http://www.allbusiness.com/company-activities-management/company-strategy/15377913-1.html

Husdal, J., 2009. Book review: Enterprise-wide risk management. http://www.husdal.com/2009/04/15/bookreview-enterprise-wide-risk-management/

Jaspal, S., 2010. Highlights of COSO ERM survey. https://soniajaspal.wordpress.com/2010/12/14/highlights-of-coso-erm-survey/

KPMG, 2010. Charting a safe and sustainable growth journey: Singapore Enterprise Risk Management survey 2010.

Passenheim, O., 2009. Enterprise Risk Management. http://ebooklink.net/g/download/8776816841/Enterprise%20Risk%20Management,%20Prof.%20Dr.%20Olaf%20Passenheim/

Towers Watson, 2009. Risk appetite: The foundation of Enterprise Risk Management. http://www.towerswatson.com/assets/pdf/625/ERM_Risk_Appetite_12-28-09.pdf
