Enterprise Risk Management: The Checks and Balances of Successful Strategy Implementation
By Tim Lauer, Senior Consultant
The recent economic downturn has many of our clients facing new
uncertainties, competitive realities, and stiffer shareholder and
customer expectations. In many cases, businesses are asking, “What
happened?” or “How did it happen?” These are the wrong questions because
they address the situation retrospectively and on an incident basis.
They also indicate a risk management system that is not linked to a
corporate strategy; one out of tune with emerging risk. It is better to
have a risk management program that links to the firm’s mission and
strategy first, quantifies the firm’s risk appetite, and provides a
periodic risk assessment across the enterprise. This proactive
design—which incorporates risk response, monitoring, and reporting as
control features—is based on deep participation throughout the
enterprise.
The current state of the art in enterprise risk management (ERM) program
design uses the framework developed by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO), published in 2004. The
framework is easily pictured as a three-dimensional matrix, with the
columns being corporate objectives, the rows being ERM program
activities, and the depth being departments or other organizational
sub-units. The ability to compile organizational sub-units into larger
groupings provides executives and boards with a portfolio-wide view of
risk.
Objectives
ERM programs operate within a strategy setting. Their goal is to help
ensure that the corporation’s mission and strategy are accomplished. The
COSO framework groups objectives into four standard
categories—strategic, operations, reporting, and compliance.
However, it is not uncommon to have more than the standard four. For
example, a technology company might want a category for innovation risk,
or a financial enterprise might need categories for safeguarding assets
and product risk. The key point is that ERM program objectives,
corporate strategic objectives, and the activities of the enterprise are
linked. Every activity engaged in by the entity should connect to an
objective.
Activities
The machinery of an ERM program, how it works and what it does over the course of a year, is described by what are
called the “components” or “activities” of the program. Auditors, rating
agencies, and regulatory agencies are very interested in the scope and
depth of ERM activities undertaken by the firm. Under the COSO
framework, activities are organized into eight areas—internal
environment, objective setting, event identification, risk assessment,
risk response, control activities, information and communication, and
monitoring.
The key to understanding how ERM activities work in the COSO framework
is to understand how they fit together and why the activities are what
they are. (There’s a danger in immersing oneself too deeply in the
details.) Beginning with the board of directors and applying an
organized, systematic assessment, the risk management philosophy,
strategic plan, risk appetite, and the company’s ethical values are
linked to certain activities (namely, objective setting, event
identification, risk assessment, and risk response). Control activities,
information and reporting, and monitoring activities are carried out to
provide feedback to management and the board about the current risk
position of the firm.
The questions of where the ERM program should be placed within the
organization and who should operate it arise frequently. ERM programs
are not slip-and-fall prevention; they are not insurance programs, and
they are not about legal involvement in business operations. Rather,
they are about communications, training, education, and a corporate-wide
view of the enterprise. They require relatively high levels of
experience and business savvy, and they require an operator with energy who is
not easily discouraged. For these reasons, we believe a
carefully selected person from the finance area is the best leader to
get the program off the ground and operational. The finance department
usually has an entity-wide view, has influence and contact with most
sub-units, and is staffed by personnel familiar with the development of
the strategic plan. Finance personnel probably talk to rating agencies,
regulatory agencies, and auditors about the entity and all of these
outsiders will be interested in the ERM program.
Analytics
The basic analysis for most risk management programs centers on
quantifying the probability of an event and the dollar amount of its
impact. Although not complicated, the analysis proceeds step by step and
lends itself to some interesting graphical presentations, which we will cover
in a future article.
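The following is an added example, not code from the original article, showing the arithmetic the paragraph above describes carried one step further than the text itself goes: each register entry's expected annual loss (probability times dollar impact) is rolled up along two axes of the COSO cube, organizational sub-unit and objective category, and the category totals are compared with a quantified risk appetite. The risk entries, dollar figures and appetite thresholds are constructed for illustration and are not drawn from the article.

```python
"""Roll up a risk register along two COSO cube dimensions and compare
the result with a stated risk appetite.

Added example, not part of the original article. All register entries,
dollar figures and appetite limits below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str           # organizational sub-unit (the cube's depth axis)
    objective: str      # COSO objective category (the cube's column axis)
    likelihood: float   # annual probability the event occurs, 0.0 to 1.0
    impact: float       # dollar loss if the event occurs

    def expected_loss(self) -> float:
        """Expected annual loss: probability times dollar impact."""
        return self.likelihood * self.impact


# Constructed register: each event is tied to one sub-unit and one objective category.
REGISTER = [
    Risk("Data center outage",         "IT",      "operations", 0.10, 2_000_000),
    Risk("Ransomware on file shares",  "IT",      "operations", 0.20, 1_500_000),
    Risk("Late SEC filing",            "Finance", "reporting",  0.05,   400_000),
    Risk("Treasury spreadsheet error", "Finance", "reporting",  0.30,   250_000),
    Risk("Privacy regulator fine",     "Legal",   "compliance", 0.15, 3_000_000),
    Risk("Key supplier insolvency",    "Ops",     "strategic",  0.10, 5_000_000),
]

# Constructed risk appetite: maximum tolerated expected annual loss per objective category.
APPETITE = {
    "strategic":  600_000,
    "operations": 400_000,
    "reporting":  100_000,
    "compliance": 500_000,
}


def roll_up(register, key):
    """Sum expected loss over the register grouped by one Risk attribute.

    key is "unit" for a view by sub-unit or "objective" for a view by
    objective category; either gives the portfolio-wide total per group.
    """
    totals = defaultdict(float)
    for risk in register:
        totals[getattr(risk, key)] += risk.expected_loss()
    return dict(totals)


def appetite_breaches(register, appetite):
    """Return {objective: (expected_loss, limit)} for categories over appetite."""
    by_objective = roll_up(register, "objective")
    return {
        obj: (loss, appetite[obj])
        for obj, loss in by_objective.items()
        if obj in appetite and loss > appetite[obj]
    }


def top_contributors(register, objective, n=2):
    """Risks in one objective category, largest expected loss first."""
    in_category = [r for r in register if r.objective == objective]
    return sorted(in_category, key=lambda r: r.expected_loss(), reverse=True)[:n]


if __name__ == "__main__":
    print("Expected annual loss by sub-unit:")
    for unit, loss in sorted(roll_up(REGISTER, "unit").items()):
        print(f"  {unit:<8} ${loss:>12,.0f}")
    print("Expected annual loss by objective category:")
    for obj, loss in sorted(roll_up(REGISTER, "objective").items()):
        flag = "  OVER APPETITE" if loss > APPETITE[obj] else ""
        print(f"  {obj:<11} ${loss:>12,.0f}  (appetite ${APPETITE[obj]:,}){flag}")
    for obj, (loss, limit) in appetite_breaches(REGISTER, APPETITE).items():
        drivers = ", ".join(r.name for r in top_contributors(REGISTER, obj))
        print(f"Risk response needed for '{obj}': ${loss:,.0f} exceeds ${limit:,}; driven by {drivers}")
```

With the constructed figures, the operations category carries $500,000 of expected annual loss against a $400,000 appetite and is the only breach; the same register viewed by sub-unit shows IT and Ops each at $500,000, which is the portfolio view the text attributes to compiling sub-units into larger groupings. Replacing a single point likelihood with a distribution and sampling it is the natural next step, but the grouping and appetite comparison stay the same.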
Getting Started
Beginning a new ERM program or remodeling an existing one should be
undertaken as a long-term commitment. In our experience, it takes at
least two business cycles for an ERM program to fully realize its
objectives and demonstrate its value. The first cycle is all new: it
reinforces the training and is the first application in the real world. By
the time the second cycle comes around, the entity is more experienced,
knows what to expect, and is far enough along in the ERM activities to
see real results. At the very least, clients should obtain the COSO
materials available from the AICPA bookstore and begin studying. Every
situation is different, but here are a few important timing and pacing
milestones: