

Enhanced Enterprise Risk Management
Ebook: 290 pages, about 2 hours


About this ebook

The performance and survival of a business in a global economy depends on understanding and managing the risks–external and those embedded within its operations.

It is vital to identify and prioritize significant risks and detect the weakest points. Adding other elements to an essential ERM program, such as PESTEL and Porter’s 5 forces, treatment plans, scorecards, the three lines of defense (3LoD) components, and process improvements (six sigma, 8D, etc.) significantly increases the ERM success rate.

The authors outline a comprehensive strategy to designing and implementing a robust and successful ERM program – and not just successful in implementation but also yielding enormous returns for the organizations that implemented this enhanced ERM program.

Language: English
Release date: Nov 22, 2022
ISBN: 9781637423998
Author

John Sidwell

John Sidwell (CPA, CIA, CRMA) is currently with Infinera transforming business practices and controls. His experience includes roles with PepsiCo and Coca-Cola, Cypress Semiconductor (Infineon), SunPower (TotalEnergies), Electronic Arts, Dolby Laboratories, and 3COM. Past ten years John specialized in developing robust ERM programs, spoken at MetricStream Global GRC Summits, Institute of Internal Auditors, and Risk Management/Internal Audit class at San Jose University, and written to blogs of companies such as AuditBoard. John has a BS degree in accounting from Quincy University (Quincy, IL) and is a member of Institute of Internal Auditors, Financial Executives International, Neu Group Internal Audit Peer Group, and others.


    Book preview

    Enhanced Enterprise Risk Management - John Sidwell

    CHAPTER 1

    Introduction

    The performance and even the vitality of a business today depends on managing both the known and the foreseeable risks. Every business needs to understand the acceptable risks in achieving its objectives, as well as the type and level of risk embedded within its operations. It is vital to identify and prioritize significant risks and detect the weakest points. Managing risks may take the form of an essential Enterprise Risk Management (ERM) program, but it can be significantly enhanced by considering other elements frequently present in most companies, such as the Three Lines of Defense (3LoD) components and Process Improvement teams (Six Sigma, 8D, etc.). Employees within these functions are already aware of perceived risk areas and are employing resources to address them. To better prioritize and manage risks, it can be helpful to integrate these programs into the formal ERM program. The overall objective should be to apply the limited risk management resources to the highest company risks for the strongest payback. In this book we address the basic ERM program first, then delve into the 3LoD as well as Process Improvement activities.

    ERM has been around for some time. A few frameworks influence and address managing risks, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO),¹ the National Institute of Standards and Technology (NIST),² and the International Organization for Standardization's ISO 31000. The leading practice is to use COSO as the base, while also considering elements of both ISO and NIST as appropriate. We will focus on COSO as the primary framework for managing risks.

    ¹ www.coso.org/

    ² www.nist.gov/

    CHAPTER 2

    What Is ERM?

    Enterprise Risk Management (ERM) is a process reinforced by a set of principles and must be supported by an appropriate organizational structure, which is aligned with the external environment and with other corporate activities. It needs to be comprehensive, ingrained into routine activities, and responsive to changing economic, political, legislative, regulatory, ecological, and other conditions impacting business. A successful ERM program should be proportionate to the level of risk depending on the size and complexity of the business or organization, enabling the ERM to deliver outputs, including compliance with applicable governance requirements and assurance to stakeholders regarding the management of risk and improved decision making. The impact or benefits associated with these outputs include more efficient operations, effective tactics, and effective strategy, and need to be measurable and sustainable.

    Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as:

    Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:

    Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

    The definition reflects certain fundamental concepts. Enterprise risk management is:

    A process, ongoing and flowing through an entity

    Effected by people at every level of an organization

    Applied in strategy setting

    Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk

    Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

    Able to provide reasonable assurance to an entity’s management and board of directors

    Geared to achievement of objectives in one or more separate but overlapping categories

    This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.¹

    There are as many descriptions of ERM as there are different ways to apply these principles. But there should be a common understanding of the fundamentals. Figure 2.1 shows what ERM is and what ERM is not. While it may seem basic, it is important that all executives, managers, and employees have a common understanding of these components, and also understand that risk is not inherently bad—managed/calculated risk can generate returns.

    Taking too much uncalculated risk can destroy the value of a company. There is a lot of publicly available information showing examples where risk management failures in some part(s) of a company have been quite costly. The companies shown in Figure 2.2 come from all types of industries—retail, service, banking, technology, and manufacturing. The size of these companies also varies substantially, which means that there is no discernible relationship between either the type of industry or the size of the company and the relative degradation of company value. The events shown in Figure 2.2 span all categories of risk (Financial, Strategic, Operational, and Regulatory), and in a majority of the cases it is apparent that the company's reputation was negatively affected.

    Figure 2.1 ERM introduction

    Figure 2.2 Example of various risks

    Figure 2.3 ERM in form of questions

    Risk management lapses are diverse, and the cost can be great. Regulators and stakeholders are holding the Management and the Board of Directors fully accountable.

    Let’s summarize ERM in basic terms—ERM is a company’s ability to answer the following questions (as shown in Figure 2.3):

    Coverage

    ERM must be integrated into the overall business strategy because every business needs to answer the fundamental question: What is our strategy and associated risks?

    Therefore, a business must set its strategy first—defining goals and objectives with respect to products, markets, segments, revenue, profits, and so on. Only then can it assess the risks associated with the strategy and decide what level of risk it is willing to accept in executing the strategy, that is, its risk appetite.

    The minimal set of risks that must be incorporated into a business strategy, and consequently into its ERM program include:

    • Liquidity (Financial and Other Assets)

    • Recognition and Reputation (Brand and Business)

    • Operational

    • Suitability

    • Compliance (Legal and Regulatory)

    • Business Environment (Market, Economy, etc.)

    Figure 2.4 depicts a pictorial of the business coverage impacted in a typical manufacturing and distribution environment. Note, the administrative functions occur in all types of companies.

    Risk Appetite

    Risk appetite is the level of volatility a business is willing to accept in executing its strategy. Risk appetite is a crucial tool aiding the Board of Directors and executive leadership teams (ELTs) to understand the essential links between the business strategy and the risk(s). Therefore, ERM has to be an integral part of the overall business strategy and an essential part of the business value creation for investors and shareholders.

    It is important to differentiate risk appetite from risk tolerance (although they are often erroneously used interchangeably). Risk tolerance differs from risk appetite and represents operational boundaries or parameters implemented in the context of the business’s risk appetite definition.

    Culture, Governance, and Policies

    Culture, governance, and policies help a business to manage its risk-taking activities. Culture is one of the most important aspects of ERM effectiveness, while policies are used to transfer/communicate the risk appetite strategy to the broader audience. They specify what the business is willing to do or not do, and the procedures describing how to do it.

    Figure 2.4 Pictorial of the business coverage impacted in a typical manufacturing/distribution environment

    Risk Data and Infrastructure

    Boards of Directors and ELTs accomplish their risk management responsibilities through a deep understanding of a company’s risk profile. Risk data and infrastructure refer to how the information is collected, integrated, analyzed, and translated into a cohesive story. This area is probably the most challenging aspect of ERM. Companies have spent between US$200M and US$300M on ERM activities without yielding the desired business results. An effective risk management infrastructure requires a highly robust management information system.

    Control Environment

    The internal control environment is one of the most important tools in the management toolbox to effectively manage risks. A well established and functional system of internal control can help safeguard an organization and minimize risk to its objectives by protecting assets, ensuring accuracy of records, promoting operational efficiency, and encouraging adherence to policies, rules, and regulations.

    Management relies on internal controls to manage residual risk to an acceptable level. Residual risk is defined as the level of inherent risks reduced by the level of internal controls and processes in place surrounding the risk. Building an effective internal control environment allows management to control what can be controlled.

    Measurement and Evaluation

    At any given time, Boards of Directors and management must manage a portfolio of risks (from asset quality, liquidity, and interest rate to business continuity, information security, privacy, etc.). The science and art of measurement in ERM is about concluding which risks are significant and where to invest time, energy, and resources. To accomplish the goal of measurement and evaluation, a company may adopt various models—from color ratings (green, yellow, and red) to highly sophisticated risk-adjusted models.

    Regardless of the method used, measurement and evaluation help the Board of Directors and management answer the “so what?” question. The process of measurement and evaluation must include the system of internal controls and must determine how well the risks can be managed.

    Given the importance and complexity of this subject, this book will be devoted to this topic to help risk management professionals choose the right methodology for their company.
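    As an added example (not from the book), the following Python models the measurement and evaluation described in this section: a constructed risk register is scored for inherent risk, reduced by control effectiveness to a residual score (the definition given under Control Environment), rated with the green/yellow/red scheme against an enterprise-wide risk appetite, checked against per-risk tolerances (the operational boundaries described under Risk Appetite), and ranked so that limited resources go to the highest residual risks. The 1-to-5 likelihood and impact scales, the 60% yellow threshold, the rule that a tolerance may not exceed the appetite, and the sample risks are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed scoring convention for this example: likelihood and impact each 1..5,
# so inherent risk ranges from 1 to 25. The book does not prescribe a scale.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    category: str                 # Financial, Strategic, Operational, or Regulatory
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 = no mitigating controls, 1.0 = fully effective
    tolerance: float              # per-risk operational boundary on the residual score


def inherent_score(risk):
    """Inherent risk before any controls: likelihood x impact."""
    return risk.likelihood * risk.impact


def residual_score(risk):
    """Residual risk = inherent risk reduced by the controls in place around it."""
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 1)


def color_rating(residual, appetite):
    """Simple color model: red above appetite, yellow in the upper band, else green."""
    if residual > appetite:
        return "red"
    if residual > 0.6 * appetite:   # assumed 60% warning band
        return "yellow"
    return "green"


def validate_register(register, appetite):
    """Tolerances are set in the context of the appetite, so none may exceed it;
    scores must also sit on the agreed scale."""
    for r in register:
        if not (SCALE_MIN <= r.likelihood <= SCALE_MAX and SCALE_MIN <= r.impact <= SCALE_MAX):
            raise ValueError(f"{r.name}: likelihood/impact outside {SCALE_MIN}..{SCALE_MAX}")
        if not 0.0 <= r.control_effectiveness <= 1.0:
            raise ValueError(f"{r.name}: control effectiveness must be between 0 and 1")
        if r.tolerance > appetite:
            raise ValueError(f"{r.name}: tolerance {r.tolerance} exceeds risk appetite {appetite}")


def evaluate_register(register, appetite):
    """Score every risk and return rows ordered by residual risk, highest first,
    so the list doubles as the priority order for scarce risk management effort."""
    validate_register(register, appetite)
    rows = []
    for r in register:
        residual = residual_score(r)
        rows.append({
            "name": r.name,
            "category": r.category,
            "inherent": inherent_score(r),
            "residual": residual,
            "rating": color_rating(residual, appetite),
            "breach": residual > r.tolerance,   # outside its operational boundary
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


def breaches(register, appetite):
    """Names of risks whose residual score exceeds their tolerance."""
    return [row["name"] for row in evaluate_register(register, appetite) if row["breach"]]


# Constructed sample register; values are illustrative, not from the book.
APPETITE = 10.0
SAMPLE_REGISTER = [
    Risk("Liquidity", "Financial", 4, 5, 0.60, tolerance=8.0),
    Risk("Information security", "Operational", 4, 4, 0.25, tolerance=10.0),
    Risk("Regulatory compliance", "Regulatory", 2, 5, 0.80, tolerance=4.0),
    Risk("Supplier concentration", "Strategic", 3, 3, 0.00, tolerance=6.0),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, APPETITE):
        flag = "BREACH" if row["breach"] else "ok"
        print(f'{row["name"]:<24} inherent={row["inherent"]:>2} '
              f'residual={row["residual"]:>4} {row["rating"]:<6} {flag}')
```

    Running the block prints the register in priority order; the "breach" column is the check a practitioner wants, since a risk can be yellow against the enterprise appetite and still be outside the narrower boundary set for it.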

    Scenario Planning and Stress Testing

    The art of ERM is the ability to answer the question: what can go wrong that will create deviation from expected outcomes? In that pursuit, management must distinguish risks with known probability distributions (known unknowns) from those with an unknown distribution (unknown unknowns). Scenario planning and stress testing are tools that focus on these different categories of risks. A robust scenario planning and stress testing discipline is a must when considering both internal and external risk factors.

    ¹ COSO. 2004. Enterprise Risk Management—Integrated Framework, www.coso.org/documents/Framework%20Reference%20Secured.pdf (accessed January 10, 2022).

    CHAPTER 3

    COSO Evolution ERM Frameworks

    Enterprise Risk Management (ERM) has been around for some time. In August 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its Enterprise Risk Management—Integrated Framework after completing a three-year project expanding on the previously issued Internal Control—Integrated Framework, thus providing a more robust focus on ERM. The financial crisis (2008) helped to boost ERM into overall business strategy (see Figure 3.1).

    In 2013, COSO upgraded the framework, creating the COSO Cube, to better align risk management with the way management runs an enterprise and to integrate the risk program within the management process (see Figure 3.2).

    The 2017 COSO Enterprise Risk Management Framework—Integrating with Strategy and Performance, issued in September 2017, takes a more pragmatic, forward-looking view of ERM. The change from the iconic 2004 COSO Cube to the 2017 Helix structure reflects an evolution for risk professionals earning acceptance at the executive table. The change in focus supported the need to consider risk elements in strategy-setting and performance management processes. Historically, ERM programs were intended to minimize the erosion caused by risks to an acceptable level. However, owing to the speed of risks in our fast-paced, ever-evolving global business environment, the updated model changed direction while also encouraging ERM programs that help identify opportunities to create value-add (see Figure 3.3).

    Today an effective risk management program is an integral part of overall business strategy as investors, shareholders, and consumers become increasingly concerned about risk(s). Risk(s) can be a determining factor of strategic decisions and should be embedded in all business activities, or it may just be a basis for an uncertainty the business has to manage. Comprehensive ERM enables a business to assess and address the probable outcomes of all types of risks on its products and services, operations, and stakeholders. This will result in what is commonly referred to as upside of risk (i.e., benefits realized by implementing ERM).

    Figure 3.1 COSO internal control—integrated framework

    Figure 3.2 COSO upgraded cube framework

    Figure 3.3 COSO helix structure

    The expected benefits of the ERM should be formulated in advance. The desired outcomes from successful ERM include stronger compliance (regulatory, Sarbanes Oxley (SOX), contracts, etc.), enhanced operational efficiency (reduced product costs, cost of capital, more accurate financial reporting, etc.), tactical direction, strategic alignment, and decision-making effectiveness (resulting in competitive advantage, improved customer perception, increased marketplace coverage, etc.).

    ERM, as an integral part of business strategy setting, redefines the value proposition from tactical to strategic. ERM is about managing the risks that matter and viewing them from an opportunistic standpoint. Volumes of literature are available discussing the theoretical elements of risk; in this book, however, we provide insights into leading and enhanced practices drawn from some of the most successful and innovative global ERM concepts, which organizations can use to their full advantage to compete, succeed, and survive in today’s challenging economic, ecological, and geopolitical environment and ever-challenging global markets.

    The new COSO framework structure is made up of five components and introduces 20 key principles collectively among the five components. It encourages the integration of ERM with business practices and strategic direction, which generates more comprehensive, useful information and yields enhanced performance. It also tends to provide a continuum from Strategy to Business Execution to Performance and thus creating more value-add to the exercise or processes (see Figure 3.4).

    The five components shown in the helix include:

    • Governance and Culture—creates a base setting to exercise general oversight of an ERM program and philosophy;

    • Strategy and Objective-Setting—creates a framework to link risk management to objective/goal setting;

    • Performance—allows for the identification and addressing of risks pertinent to business execution supporting the strategies;

    • Review and Revision—requires the organization to constantly review effectiveness of mitigating risks during the remediation process, and adjusting as necessary to correct efforts; and

    • Information, Communication, and Reporting—focuses on gaining, analyzing, and assessing information to report performance to executives and/or Boards.

    Figure 3.4 COSO helix structure and 20 key principles

    The 20 key principles within the five components are as shown in Figure 3.5.

    Figure 3.6 emphasizes the integration of ERM into the strategic planning for the company. It still uses the same 20 principles but shows a more fluid approach in thinking about the ERM process incorporated with the changing dynamics of an organization.

    Figure 3.5 COSO ERM—20 key principles

    Figure 3.6 COSO ERM—five components

    CHAPTER 4

    ERM Structure

    The internal risk culture is the combined set of individual and corporate values, attitudes, risk appetite, competencies, and behavior that determine a company’s commitment and style of risk management. To build a desired risk management culture within the organization and to inform management about specific risk management tools and processes, Risk Awareness Programs must be implemented consisting of training, workshops, and informational sessions.

    Although the ERM program is embedded within a company’s organization, it is generally administered and facilitated by an individual or a group who are independent of line management responsibilities and frequently report functionally to the Audit Committee of the Board of Directors. Ownership of the ERM function is normally housed in one of several departments, such as Internal Audit, Legal, Finance, or a separate ERM group. To maintain effectiveness, it is important that the group reports to an administrative function rather than to departments such as operations or sales, since those groups are also responsible for managing the activities that run the business on a day-to-day basis.

    Risk Categories and Definitions

    Risks are categorized based on the corporate objectives to which they relate. The following are the categories of company goals and objectives pursuant to the COSO ERM.¹ While this is from the older version of COSO framework, it still applies at the top level and aligns with the core functions and activities of nearly all companies.

    Strategic

    Risks are categorized under strategic when they relate to high-level goals, aligned with and supporting the Company’s mission and business objectives.
