Monday, August 25, 2008


A sustainable approach to ERM: as best practices begin to emerge, one company uses a phased plan to create a fully functioning, integrated enterprise risk management system


Arnold Schanfield and Michael Miller


On Sept. 29, 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its long-awaited Enterprise Risk Management--Integrated Framework. Best practices have begun to emerge from some of the framework's early adopters.


At Weiser LLP, a professional accounting and consulting services provider, the overall objective is to help clients "institutionalize" the enterprise risk management (ERM) process within their organization so that the process can be self-sustaining. This provides companies with the ability to identify, assess, measure, monitor, and report on their business risks; determine the degree to which these risks are being mitigated in accordance with established risk tolerances; and respond appropriately to the various risks. In developing its methodology, Weiser took a phased approach to COSO's ERM framework by capturing the essence of its eight components--internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring--and rolling it up into five distinct phases.


1. UNDERSTAND THE BUSINESS MODEL


In the first phase, the project team undertaking implementation of ERM (e.g., the risk management group, the heads of business planning/strategy and internal auditing, the treasurer, and outside consultants) obtains a comprehensive understanding of the organization, focusing on overall strategy, vision, mission, objective setting, risk appetite, risk tolerances, and the interrelationships among them. It is critical that the team clearly understand what the company does, how it buys, from whom it buys, how it sells, where it manufactures, etc. Objective setting and company background, in conjunction with an understanding of the internal environment--tone at the top, board of directors, integrity and ethical values, human resource policies and procedures--provide the perspective on the business needed before risk identification can begin. In this phase:


* The internal environment corresponds to the control environment component of the COSO internal control framework, extended with several risk-specific elements. Specifically, key information needs to be gathered related to risk management philosophy, risk culture, board of directors, integrity/ethical values, commitment to competence, management's philosophy/operating style, risk appetite, organizational structure, assignment of authority/responsibility, and human resource policies/procedures.


* Objective setting includes the strategic and business objectives, risk appetite, risk tolerance, and the relationship of each of these to the company's overall vision and mission.


* Company background information usually is obtained through review of off-the-shelf material (e.g., business plans and U.S. Securities and Exchange Commission filings), but may also include interviews with key constituents.


2. IDENTIFY, ASSESS, PRIORITIZE, LINK, AND REPORT RISKS


In the second phase, the project team must determine how and from whom the risk information is to be gathered. There are many different options available, including one-on-one interviewing, facilitated sessions with key personnel, and dissemination of a risk universe questionnaire. Whatever the means, it is critical to gather the risk information and link the risks to the strategic objectives and the key business processes. Finally, the team must assess the risks for impact and likelihood so that they can be prioritized and communicated, enabling appropriate action to be taken. Key points in this phase include:


* Identifying risk participants in the risk assessment process, including a risk champion, key business process owners, senior and executive management, and key governance personnel.


* Evaluating options for gathering information, including questionnaires, surveys, one-on-one interviewing, or facilitated control self-assessment.


* Creating the risk universe--logical groupings of high-level risks (usually about 40 to 50). Start with a blank piece of paper. Use existing risk models, research the Internet for insurable risks, research professional and industry associations, brainstorm, and understand industry indicators.


* Defining risk universe terms for each of the logical groupings. For example, brand equity risk is defined as "failure to establish and maintain brand awareness, positioning, and strength. This may impair the company's ability to execute strategic growth objectives."


* Linking the risk universe to strategic objectives. Cross-reference each risk (e.g., brand equity risk) to the strategic objectives it could impact (e.g., unmitigated brand equity risk would impair accomplishment of the strategic objective related to maintaining the company's reputation).


* Understanding the risk characteristics of the risk universe. Is the risk a core risk, a direct driver, an indirect driver, or an external risk? Core risks may be direct strategic barriers: their occurrence will result in inability to achieve key strategic objectives. They are internal to the company and are at the center of strategic success. Direct drivers are those that, if they occur, will likely result in a core risk occurring. Indirect drivers could cause occurrence of a direct driver but are unlikely on their own to trigger the core risk. External risks originate outside the organization, in the environment in which its business strategy is executed, and so cannot be controlled directly, only anticipated and responded to.


* Rolling up drivers, indirect drivers, and external risk into core risks across the businesses and processes. For example, product failure risk could be an indirect driver to brand equity risk, which could be a direct driver to loss of investor confidence, which is a core risk.


* Plotting risk characteristics of the risk universe against strategic objectives--an expansion of the "linking risk universe to strategic objectives" step. Prepare a chart that uses the descriptive characteristics of core (c), direct (d), indirect (i), and external (e) to cross-reference each risk to strategic objectives.


* Assessing significance of risks to accomplishment of objectives. Create scales to assess the impact/magnitude should the risk occur. There are several qualitative and quantitative techniques to assess significance. Ordinal measurement, which qualitatively assigns numbers corresponding to a specific situation, is most commonly used. For example, on a scale of one to nine, with nine being highly significant and one being not significant, nine indicates that the strategic objectives cannot be achieved, resulting in significant financial impact and questions about the company's future viability.


* Assessing likelihood of risk to accomplishment of objectives. Create scales to assess the probability of occurrence, either assuming no controls are in place (inherent risk) or considering controls known to be in place (residual risk). For example, on the same scale with nine being "definitely will occur" and one being "cannot occur," three would represent "unlikely to occur," meaning that the risk is not likely to occur in the specified time period (less than 25 percent probability).


* Assessing risk tolerance of each risk. Determine how much risk management has agreed to assume. This will impact the nature of the risk strategy response.


* Summarizing all risks. Multiply significance and likelihood of each risk to determine a risk score, rank the risks, and report to management with an analysis.


* Articulating risks on a visual display. Develop graphs and heat maps to compare the relative risk scores. These can be color-coded by red, yellow, and green, consistent with the urgency of management attention needed.


* Linking risks to business processes. Align the risks to the relevant business processes so that the risk process owners can be identified and the process for monitoring risks can begin (e.g., brand equity risk is linked to quality assurance, distribution/warranty and repairs, and research).
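The steps above amount to a small data model and a handful of computations over it. The following Python risk register is an added illustration, not code from the article or from Weiser's methodology. It carries out the phase-two steps end to end on constructed sample data: a risk universe tagged with the core/direct/indirect/external characteristics, the rollup of driver chains into the core risk they can trigger, the risk-by-objective cross-reference chart, the 1-to-9 ordinal significance and likelihood scales applied to both inherent and residual risk, a tolerance check, ranking by score, heat-map banding, and the link from risks to the business processes that own them. The risk names, ratings, tolerances and the red/yellow/green cut-offs are assumptions chosen for the example; the article gives the scales and the product failure to brand equity to investor confidence chain, not the numbers.

```python
"""Constructed risk register exercising the article's Phase 2 steps.
All risks, ratings, tolerances and heat-map cut-offs are sample data."""
from __future__ import annotations
from dataclasses import dataclass, field

CORE, DIRECT, INDIRECT, EXTERNAL = "c", "d", "i", "e"

@dataclass
class Risk:
    name: str
    kind: str                  # one of CORE / DIRECT / INDIRECT / EXTERNAL
    definition: str            # the risk universe term, as in the brand equity example
    objectives: list[str]      # strategic objectives the risk could impair
    processes: list[str]       # business processes whose owners will monitor it
    significance: int          # 1 (not significant) .. 9 (threatens viability)
    inherent_likelihood: int   # 1 (cannot occur) .. 9 (definitely will), no controls
    residual_likelihood: int   # same scale, considering controls known to be in place
    tolerance: int             # highest residual score management has agreed to carry
    drives: list[str] = field(default_factory=list)  # risks this one is a driver of

def validate(register: list[Risk]) -> None:
    """Reject ratings outside the 1-9 scale and driver links to risks not in the universe."""
    names = {r.name for r in register}
    for r in register:
        for v in (r.significance, r.inherent_likelihood, r.residual_likelihood):
            if not 1 <= v <= 9:
                raise ValueError(f"{r.name}: rating {v} outside the 1-9 scale")
        for d in r.drives:
            if d not in names:
                raise ValueError(f"{r.name} drives unknown risk {d!r}")

def score(r: Risk, residual: bool = True) -> int:
    """Risk score = significance x likelihood (1..81), residual or inherent."""
    return r.significance * (r.residual_likelihood if residual else r.inherent_likelihood)

def heat_band(s: int) -> str:
    """Heat-map colour for a score; the cut-offs (45, 20) are assumed, not the article's."""
    return "red" if s >= 45 else "yellow" if s >= 20 else "green"

def core_risks_driven_by(register: list[Risk], name: str) -> set[str]:
    """Roll a driver up through its chain to the core risk(s) it can ultimately trigger.
    A core risk rolls up to itself; the visited set guards against cyclic driver links."""
    by_name = {r.name: r for r in register}
    seen, cores, stack = set(), set(), [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if by_name[cur].kind == CORE:
            cores.add(cur)
        stack.extend(by_name[cur].drives)
    return cores

def characteristic_chart(register: list[Risk]) -> dict[tuple[str, str], str]:
    """(risk, objective) -> c/d/i/e code: the plotted cross-reference chart."""
    return {(r.name, o): r.kind for r in register for o in r.objectives}

def rank_risks(register: list[Risk], residual: bool = True) -> list[dict]:
    """Score, band and tolerance-check every risk; highest score first."""
    rows = [{"risk": r.name, "score": score(r, residual),
             "band": heat_band(score(r, residual)),
             "within_tolerance": score(r, True) <= r.tolerance} for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

def risks_by_process(register: list[Risk]) -> dict[str, list[str]]:
    """Business process -> risks linked to it, so process owners can be assigned."""
    out: dict[str, list[str]] = {}
    for r in register:
        for p in r.processes:
            out.setdefault(p, []).append(r.name)
    return out

# Sample universe (constructed): the article's product failure -> brand equity ->
# investor confidence chain, plus one external driver feeding into it.
REGISTER = [
    Risk("Loss of investor confidence", CORE,
         "Investors lose faith in management's ability to deliver the strategy.",
         ["Maintain access to capital"], ["Investor relations", "Financial reporting"],
         significance=9, inherent_likelihood=5, residual_likelihood=3, tolerance=30),
    Risk("Brand equity risk", DIRECT,
         "Failure to establish and maintain brand awareness, positioning, and strength.",
         ["Maintain the company's reputation"],
         ["Quality assurance", "Distribution/warranty and repairs", "Research"],
         significance=7, inherent_likelihood=6, residual_likelihood=4, tolerance=21,
         drives=["Loss of investor confidence"]),
    Risk("Product failure risk", INDIRECT,
         "Products fail in the field or must be recalled.",
         ["Maintain the company's reputation"], ["Quality assurance"],
         significance=6, inherent_likelihood=7, residual_likelihood=3, tolerance=20,
         drives=["Brand equity risk"]),
    Risk("Supplier quality risk", EXTERNAL,
         "A key supplier ships sub-standard components.",
         ["Maintain the company's reputation"], ["Procurement"],
         significance=4, inherent_likelihood=4, residual_likelihood=4, tolerance=20,
         drives=["Product failure risk"]),
]
RISKS = {r.name: r for r in REGISTER}
validate(REGISTER)

if __name__ == "__main__":
    for row in rank_risks(REGISTER):
        print(f"{row['risk']:<30} residual={row['score']:>2} {row['band']:<6} "
              f"{'OK' if row['within_tolerance'] else 'EXCEEDS TOLERANCE'}")
    print("Supplier quality rolls up to:", core_risks_driven_by(REGISTER, "Supplier quality risk"))
```

Two things the run shows that the list above only states: brand equity risk ranks first on residual score (28) and is the only risk whose residual exceeds the tolerance management set for it, even though loss of investor confidence has the larger inherent score (45, red) before controls; and the supplier quality risk, an external item with a modest score of its own, rolls up through product failure and brand equity to the core risk of investor confidence, which is the reason drivers are traced rather than scored in isolation.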


3. DETERMINE THE APPROPRIATE RISK RESPONSES


There are choices to be made as to how risks will be addressed, and those choices have consequences (cost versus benefits). Management needs to determine how each risk should be mitigated, weighing both qualitative and quantitative considerations. For example, under the following conditions, it is best to avoid the risk by eliminating the activity:


* A risk is significant to the overall company risk tolerances.


* The activity is not viewed as being core to the company's mission.


* Management believes that the risk will be difficult to manage.


Certain risk responses are obvious. For example, if data security is being compromised because passwords have not been changed, the immediate response is to change the passwords, and, if no control exists to ensure they are changed on schedule, to put one in place so the condition does not recur. However, other risk responses are not so straightforward. For example, if a business ships contaminated waste, with minimal mitigation in place, what action is appropriate? Should it insure the freight at perhaps a significant cost? Should it stop the activity? Should it outsource the activity? Should it train its personnel in handling procedures? The most important goal is to achieve the necessary mitigation so that the resulting residual risk is aligned with the company's overall objectives and risk tolerances.


Avoid, share, reduce, accept, and exploit are the various options available for management to consider in implementing risk responses (also known as risk mitigation strategies). There are qualitative and quantitative (cost versus benefit) considerations. It also may be necessary to use experts to expedite the process and ensure all issues are reviewed (e.g., actuaries or environmental experts).


4. DETERMINE CAPABILITIES TO MANAGE RISK AND IMPLEMENT RISK RESPONSES


The project team must evaluate the organization's capabilities and infrastructure to address the risks, implement risk responses, and remediate gaps. If an adequate infrastructure--strategies, processes, people, technology, and information--is not in place, the team needs to work with senior management to build the organization's capabilities. Each of these five areas must be evaluated as to how well they are being managed versus how well they need to be managed. Key points of this phase include:


* Determining current state of risk capabilities for strategies, processes, people, technology, and information--rate each of these areas from "poor" to "excellent."


* Determining management expectations of risk capabilities.


* Identifying gaps.


* Building additional capabilities/infrastructure, if necessary.


* Remediating gaps.


* Implementing corrective action/risk responses to the identified risks.


5. IMPLEMENT RISK MONITORING AND INTERNAL AUDIT PROGRAMS


Implementing an effective risk monitoring process involves several components, including internal audit projects, external auditing, and ongoing internal monitoring of key performance indicators. It is important to remember that internal audit projects are driven by the identified risks and the level of assurance that the board and management require. Ongoing risk monitoring needs to be instilled in the organization: key performance metrics must be built into the organization's routine monitoring, with thresholds that trigger management follow-up at the appropriate time. Key activities in this phase include:


* Developing the necessary internal audit programs.


* Executing the programs.


* Identifying key performance indicators and implementing self-monitoring mechanisms.


* Implementing monitoring mechanisms (e.g., dashboard mechanisms).


FULLY FUNCTIONING ERM


Implementing a fully functioning, integrated ERM system can provide significant value to a company. The primary benefit is ensuring that business objectives can be accomplished and shareholder value can be maximized. Many lessons have been learned over the past few years by companies that have implemented such systems. Some best practices include using a risk champion to lead the project, using a common business language throughout the process, and "biting off" small manageable chunks to demonstrate specific measurable accomplishments at each step of the process. Enterprise risk management is an ongoing journey.


To comment on this article, e-mail the authors at aschanfield@theiia.org.


ARNOLD SCHANFIELD, CIA, CPA, CA, CFE, and MICHAEL MILLER, CISA, CRP, are directors of Internal Audit and Risk Management Services at Weiser LLP in Edison, N.J.


EDITED BY JAMES ROTH AND DONALD ESPERSEN


To share emerging risk issues and best practices from your own audit experiences, or to request coverage of a particular risk, e-mail jamesroth@audittrends.com.


COPYRIGHT 2005 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning
