Tuesday, August 26, 2008

Enterprise risk management to the rescue*

A Canadian CA gives his perspective on COSO’s new integrated ERM framework


By Frank Martens


*This is an expanded version of a summary that originally appeared in the March 2005 issue of CAmagazine.


Effective enterprise risk management is more than just getting better at identifying and assessing risk. The true value of ERM is that it can help organizations operate more effectively in environments filled with risks. ERM is not about constraints; it’s about helping organizations get where they want to go.


Businesses in Canada and around the world are experiencing unprecedented change. Once-stable companies have dissolved and been replaced by seeming upstarts. Businesses that are flexible, readily adaptable and more anticipatory are being rewarded. This challenge – ensuring strong performance in an environment of accelerating change – is compounded by the mandate for companies to be accountable to stakeholders’ growing expectations. The resulting increase in uncertainty affects virtually every business, and has given rise to a need for aligning corporate governance, enterprise risk management and organization-wide compliance.


Most large companies have risk management processes in place. They know taking risks is part of doing business, and managing risk is critical to success. But enterprise risk management practices vary greatly and the term itself has meant different things to different people. As a result, boards and senior executives who are responsible for overseeing the identification, analysis and management of risk have not had comprehensive guidance from a single source by which to evaluate their approach to ERM.


In September 2004, the US Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the Enterprise Risk Management – Integrated Framework. With the release of this framework, organizations have a principles-based framework to provide direction and criteria for improving their ability to manage risks to the enterprise. This emerging open standard should eliminate past confusion resulting from competing views of what ERM is and is not.


“This framework could not be completed at a more appropriate time,” says COSO chairman John J. Flaherty. “Organizations worldwide now recognize the linkage between corporate governance, enterprise risk management and entity performance. Many seek to improve processes for identifying, analysing and managing risks. Yet until now, there hasn’t been a comprehensive framework that truly meets the far-reaching demands of the new regulatory and competitive environment.”


The advantages of the COSO framework have not gone unnoticed. Says Tamara Ebl, manager, enterprise risk management and OSC compliance for Terasen Inc.: “Enterprise risk management provides management throughout the Terasen group of companies with a more holistic view of the enterprise from a corporate governance perspective. Management is cognizant of the importance of mitigating risk and periodically reassessing the risk profile of the enterprise in response to changes in the business environment, both internal and external. Management believes that Terasen’s shares command a premium as a result of investor confidence in the management of the enterprise’s risk profile and earnings consistency year over year.”


A strategic approach to risk management

COSO’s framework adopts the premise that every entity exists to provide value for its stakeholders. All entities face uncertainty and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM enables management to effectively deal with uncertainty, enhancing its ability to build value.


This applies to for-profit as well as nonprofit organizations. Kay Best, executive vice president, risk management and CFO for the Calgary Health Region, puts it this way: “We are constantly challenged to find new ways to provide services with limited resources. Risks are being presented on multiple fronts, demanding well-coordinated and integrated responses to minimize uncertainty and maximize opportunities. To meet these challenges, healthcare organizations need to move beyond the traditional insurance and claims management focus and take a more strategic approach to risk. Our main focus is preserving and creating value for the people we serve by ensuring that our strategic efforts are not diminished through avoidable loss, or hampered by change and uncertainty.”


While COSO’s framework offers benefits to organizations that move to adopt it, there are other risk management frameworks in use today. Several organizations have adopted Standards Australia’s Risk Management framework and many government organizations have adopted the Treasury Board of Canada Secretariat’s Integrated Risk Management Framework. In addition, publications such as the CICA’s Criteria of Control (CoCo) guidance provide insight and assistance to organizations reviewing and assessing control, risk and governance.


One of the inevitable questions will be how the CICA intends to respond to the COSO framework and whether it also plans an update of its Criteria of Control publications to adopt emerging views on ERM. Says Gigi Dawe, principal, risk management and governance department at the CICA: “The CICA has no current plans to re-issue its Criteria of Control publications. However, this is not to say that the CICA has reduced its support for these publications; it continues to develop publications on risk and governance that, among other things, will be aimed at helping organizations respond to regulators’ expectations for internal control over financials and disclosure controls and procedures.”


While there remains support for these documents, it appears that a shift toward the adoption of the COSO framework has already begun. The recent CICA Exposure Draft on Service Organizations (Section 5900) has adopted COSO-based terminology. Many Canadian businesses seeking to comply with their respective regulatory requirements are applying one of the COSO frameworks. A review of several major accounting firms’ publications on OSC material suggests few are promoting the use of the CICA’s internal control framework, deferring instead to COSO’s Internal Control – Integrated Framework for organizations both south and north of the border. Only time will tell whether organizations will look for a single source that integrates internal controls and risk management rather than relying on multiple sources.


The Canadian profession continues to seek to position CAs as the provider of choice by boards and management for guidance on governance and risk management, with recent publications providing questions for consideration at senior levels. Many of these publications focus primarily on internal roles and responsibilities for ERM – the CEO, risk manager and internal auditors. CAs filling these roles will most certainly bring their financial skills to the risk management processes.


Tamara Ebl notes, “The broad-based business knowledge I attained through the CA program has definitely been a fundamental asset. Developed skill sets including researching, facilitation, critical analysis and application of professional scepticism, the ability to effectively communicate results in both written and oral form, professionalism, flexibility and ability to multitask, etc. can be attributed in large part to the CA training program and articling experience. The soft skills developed, such as management of client relationships, have been equally relevant in dealing internally with various levels of management and staff throughout the Terasen group of companies.”


As growing governance duties require board members to provide oversight to these risk management processes, members are looking for support from their trusted advisers. It is becoming more common for CAs in an external audit role to provide insight to boards and management seeking to understand this topic. Expect to see more and more CAs including material on enterprise risk management in regular communications to boards and audit committees, especially once the initial focus on regulatory compliance has passed.


Boards and senior management are also asking questions about the “value” derived from current certification efforts. Organizations continue to invest considerably in the regulatory compliance programs, an investment that continues to increase. Gartner Inc. estimates that by 2006 public companies that do not adopt compliance management processes will spend 50% more annually to achieve US regulatory compliance. Accordingly, building effective, sustainable processes that integrate governance, risk management and compliance efforts is becoming increasingly important, with organizations looking for some form of payback.


The COSO Enterprise Risk Management – Integrated Framework is built on the foundation of the Internal Control – Integrated Framework. The fact that COSO’s ERM framework incorporates the key elements established in the previous internal control framework may ease the transition from a focus on internal control to integrated risk management. However, COSO’s new framework does not replace the internal control framework, and organizations are not required to use it for regulatory reporting.

Getting started

Many companies are now shifting their focus to better leverage people, process and technology to help launch ERM initiatives that align with the goals of the organization and provide a value greater than periodic sign-offs. As with any endeavour, however, knowing where to start can be a challenge. A practical first step is to establish a core team that can bring energy and dedication to this effort. Include people from strategic planning, finance, operations, compliance, internal audit, marketing and human resources – people who play a key role in your organization’s success. This team will also take responsibility for overseeing the design of program tasks and monitoring them in the initial stages. Have each member research a specific topic, reach out to other organizations for insight, or develop a portion of the organization’s presentation on enterprise risk management and solicit feedback from peers. Hold practice Q&A sessions with this group until they are in-house experts on the topic. Develop responses to anticipated questions, such as “Why is this good for us?” and “Which organizations do this well?”


Once your core team is in place with an understanding of basic ERM principles, the organization can begin to identify potential benefits. Since organizations will not all pursue ERM in the same way, the benefits of ERM will differ for each. ERM offers many benefits, but finding those that are relevant for your organization is one of the most important choices you will make. Looking to enterprise risk management to reduce operational surprises and losses is of little value if these losses have not been significant in the past. However, ERM may be of significant value in helping your organization integrate responses that were traditionally managed through multiple and awkward internal channels. Once these benefits are determined, management can then begin to develop a business case. A recommendation to pursue ERM should be supported by an appropriate business case – one that captures the points above, anticipates how key planning tasks will be deployed and establishes authority and accountability.


Together these tasks can help an organization move forward. The tasks themselves need not be overly complex, but should be sufficiently rigorous so that management and the board can pursue the implementation of ERM with confidence.


So, will the COSO Enterprise Risk Management – Integrated Framework really make a difference to Canadian organizations? The answer will depend on how organizations choose to view risk management. Those that adopt the view that managing risk drives better business performance and facilitates achievement of strategic, operations, reporting and compliance objectives are likely to attain greater benefits from their efforts than those that focus their risk management efforts on protecting against bad things that can happen. That choice rests with managements and boards.


Frank Martens, B.Comm, CA, is a senior manager in PricewaterhouseCoopers Advisory practice in Vancouver and one of the principal contributors to the COSO Enterprise Risk Management – Integrated Framework. Contact: frank.j.martens@ca.pwc.com


http://www.camagazine.com
