Date posted: 06-May-2015
Uploaded by: anu-damodaran
TO STUDY ENTERPRISE RISK MANAGEMENT
A COMPETITIVE EDGE FOR THE COMPANY
AND
HOW IT ADDS VALUE TO ITS SHAREHOLDERS
This term paper is submitted in partial completion of MBA
Page 1 of 48
SUBMITTED TO:
Faculty Guide: Mr. C.T. Sunil
Assistant Prof - Finance & Accounts
Amity University, Dubai, U.A.E.
SUBMITTED BY:
Student: Ms. Anu Damodaran
Registration No: AUD0260
Program: MBA - General (Semester 2)
Year: 2012 to 2014
CERTIFICATE FROM FACULTY GUIDE
This is to certify that Ms. Anu Damodaran, Reg. No. AUD0260, a 1st Year MBA –
General, 2nd semester student of Amity University, Dubai, UAE, has carried out her term
paper - “To study ERM - A competitive edge for the company and how it adds value to
its shareholders” from 01-Apr-2013 to 12-May-2013.
She has completed the term paper successfully. She has done this term paper work
independently and submitted the same on 19-May-2013.
Mr. C.T. Sunil, Faculty Guide,
Assistant Professor of Finance & Accounts,
Amity University, Dubai, UAE
ACKNOWLEDGEMENT
I, Ms. Anu Damodaran, sincerely thank and acknowledge the valuable inputs and guidance
extended to me by Mr. C.T. Sunil, Assistant Professor of Finance and Accounts at Amity
University, Dubai, U.A.E. toward successful completion of this term paper “To study ERM
- A competitive edge for the company and how it adds value to its shareholders”.
I extend my sincere thanks to Mr. Chandrashekar Salla & Mr. Jitendar Kumar for the
guidance toward completion of this term paper.
Thanking you,
Yours sincerely,
Ms. Anu Damodaran
Reg. No. AUD0260,
1st Year MBA – General, 2nd Semester
Amity University, Dubai, U.A.E.
TABLE OF CONTENTS
No.  TOPIC  PAGE NO.
EXECUTIVE SUMMARY 7
OBJECTIVE 8
1 CHAPTER 1 – INTRODUCTION 9
1.1 – BACKGROUND 10
1.2 – RELATED INFORMATION 11
1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT 13
1.4 – RELEVANCE OF ERM 13
1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE 14
1.6 – WHAT IF THERE IS NO ERM 14
2 CHAPTER 2 – REVIEW OF LITERATURE 15
2.1 - DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT 16
2.2 – INDUSTRY SPECIFIC EXAMPLES 26
2.3 – HEALTH CARE ORGANIZATION 30
2.4 – AEROSPACE SUPPLIER 31
2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III) 32
3 CHAPTER 3 – EXPLORATION COMMENT ON ERM 33
3.1 - RISK MAPPING 33
3.2 - THE CAPABILITY MATURITY MODEL 37
3.3 - RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM 40
3.4 – ADVANTAGES 42
3.5 – SUITABILITY 44
3.6 – LIMITATIONS 45
CONCLUSION 47
REFERENCES 48
TABLE OF TABLES
No.  TABLE NAME  PAGE NO.
Table 1 DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT 23
Table 2 TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES 23
Table 3 EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT 26
Table 4 STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION 27
Table 5 OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION 28
Table 6 LIST OF RISKS SEPARATED BY CATEGORY 29
Table 7 A RISK MODEL 34
Table 8 SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT RISK 37
Table 9 PRIORITIZATIONS OF FUNCTIONALITY 41
TABLE OF FIGURES
No.  FIGURE NAME  PAGE NO.
Fig.1 THE COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK 13
Fig.2 CONSOLIDATED RISK PROFILE 33
Fig.3 A RISK DRIVERS MAP 35
Fig.4 A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION 36
Fig.5 KEY QUESTIONS A BUSINESS CASE MUST ADDRESS 44
EXECUTIVE SUMMARY
ENTERPRISE RISK MANAGEMENT (ERM) is a strategy organizations can use to manage
the variety of strategic, market, credit, operational and financial risks they confront.
ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete
management by different risk overseers.
ERM has given rise to a question: who should head the risk management process, internal
audit or a chief risk officer? Some believe internal audit should take a back seat to preserve
the checks and balances the audit function provides. Others say risk leadership should
depend on what a company is comfortable with.
Using ERM enables an entity to assess risk across the enterprise instead of looking at it on a
per-project basis.
ERM also gives the company a means to assess the controls in place to handle each risk and
identify any gaps. This consistent approach also offers businesses an opportunity to
determine authority and responsibility and allocate resources appropriately.
To extract risk data, many organizations use business intelligence software. Many
packages feature "traffic-light" systems that show a red light if risk exceeds acceptable
levels. The chief risk officer can then "drill down" to see the reasons and make more
informed decisions.
Overall responsibility for enterprise risk is changing because of new standards from the
Institute of Internal Auditors. They require the internal audit function in a company to
monitor and evaluate the effectiveness of the organization's risk management and control
systems.
ERM can help CPAs (Certified Public Accountants) determine the right amount of capital
companies should direct toward risk by gathering or otherwise polling risk overseers to
identify the threats to the organization, their financial impact and the effectiveness of risk
mitigation options.
By mapping major risks on a matrix, companies can align their business processes to ensure
they are routinely collecting and storing related information in a database the chief risk
officer or executive risk committee can monitor. This will make it easier to identify
exception risks extending beyond the company's tolerance or threshold levels.
OBJECTIVE
To understand what Enterprise Risk Management is, why it is important for any business
and how it can be measured.
To know whether a company can strengthen its ability to carry out its strategic plan by
measuring and managing its risks consistently and systematically.
To understand the methods/ tools used by firms to manage Enterprise Risk.
To study the processes and challenges in implementing Enterprise Risk Management and to
identify how much risk can be retained and how much should be laid off.
CHAPTER 1 – INTRODUCTION
Enterprise Risk Management (ERM) is a data intensive process that measures all of a
company's risks. Enterprise Risk Management (ERM) is an integrated approach to
enterprise-wide risk management intended to protect and increase value for all parties with
an interest in the organization. Businesses have always faced a variety of risks, but these are
times when the pace of change and the resulting consequences to a business seem to be
greater than ever.
Examples:
1. Globalization has increased exposure to international events
2. The need for increased and escalated efficiency, innovation and differentiation
3. Cost of strategic error is rising in the global marketplace
4. Understanding and responding to customer wants in this demanding era of
increasingly focused niche markets
5. Outsourcing raises questions about clarifying the retention and transfer of risk
6. The unthinkable can happen
7. Due to highly publicized public fiascos and high demands on certifying officers,
financial reporting is now a significant risk area as companies focus on sustainability
of their disclosure process and internal control structure
At most institutions today, the responsibility for enterprise risk management ultimately falls
to the chief executive officer since many of the senior people in the company who manage
risk on a day-to-day basis already report to him or her, including the CFO and chief lending
or credit officer. But institutions need to consider appointing a chief risk officer and forming
a management-level risk committee.
The risk management function should be as independent as possible. However, true
independence would require the use of parallel structures where one team of individuals
would be responsible for a business unit like small business banking or an activity like
regulatory compliance, while a separate team of individuals would be focused solely on
managing risk. "To be successful, the business units must view the risk management
function as a partner and a facilitator, rather than being in charge of saying no. There is a
danger, if ERM looks interchangeable with internal audit, that the business units will view it
as either an impediment or redundant, but one size does not fit all."
1.1 – BACKGROUND
Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the
ultimate approach to risk management. Risk management has been practiced for thousands
of years. One can imagine an early risk manager keeping a fire burning at night to keep wild animals away.
Lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one
individual and by restricting loans to those considered most likely to repay them. Individuals
and firms learned to manage the risk of fire through the choice of building materials and
safety practices, or after the introduction of fire insurance, by shifting it to an insurer.
Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management.
They enumerated the following steps for the risk management process:
Identifying loss exposures
Measuring loss exposures
Evaluating the different methods for handling risk:
  - Risk assumption
  - Risk transfer
  - Risk reduction
Selecting a method
Monitoring results
Initially, the risk management process focused on what has been termed “pure risks”. Pure
risks are those in which there is either a loss or no loss. A typical example of a pure risk is
that your house may burn down or be hit by an earthquake. If none of these occur then you
are in the no loss position.
Beginning in the 1970s, financial risk became an important source of uncertainty for firms
and, shortly thereafter, tools for handling financial risk were developed. These new tools
allowed financial risks to be managed in a similar fashion to the ways that pure risks had
been managed for decades.
Although financial risk had become a major concern for institutions by the early 1980s,
organizations did not at first apply the standard risk management tools and techniques to
this area. The reason for this failure was that risk managers had built a wall around their
specialty, called pure risk, within which they operated. Thus, the refusal to expand into other
areas of risk simply delayed the broadening of risk management by a number of decades.
1.2 – RELATED INFORMATION
The US Committee of Sponsoring Organizations of the Treadway Commission (COSO)
defines Enterprise Risk Management as "a process, effected by an entity's board of
directors, management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage risks
to be within its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives."
COSO divides the ERM process into eight components:
(1) Internal environment,
(2) Objective setting,
(3) Event identification,
(4) Risk assessment,
(5) Risk response,
(6) Control activities,
(7) Information and communication,
(8) Monitoring.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a
joint initiative of five private sector organizations, including the Institute of Management
Accountants (IMA), the American Accounting Association (AAA), the American Institute
of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and
Financial Executives International (FEI) established in the United States, dedicated to
providing thought leadership to executive management and governance entities on critical
aspects of organizational governance, business ethics, internal control, enterprise risk
management, fraud, and financial reporting.
1.2.1 - ENTERPRISE RISK MANAGEMENT — INTEGRATED FRAMEWORK
In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a
framework that would be readily usable by managements to evaluate and improve their
organizations' enterprise risk management. High-profile business scandals and failures (e.g.
Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for
enhanced corporate governance and risk management. As a result the Sarbanes-Oxley act
was enacted. This law extends the long-standing requirement for public companies to
maintain systems of internal control, requiring management to certify and the independent
auditor to attest to the effectiveness of those systems. In 2004 COSO published Enterprise
Risk Management - Integrated Framework. COSO believes this framework expands on
internal control, providing a more robust and extensive focus on the broader subject of
enterprise risk management.
Four categories of business objectives:
Strategic: high-level goals, aligned with and supporting its mission
Operations: effective and efficient use of its resources
Reporting: reliability of reporting
Compliance: compliance with applicable laws and regulations
Fig.1 – The COSO Enterprise Risk Management Framework (figure not reproduced in this extract)
1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT
The scope of ERM is much broader than protecting physical and financial assets. With an
ERM approach, the scope of risk management is enterprise wide and the application of risk
management is targeted to enhancing as well as protecting the unique combination of
tangible and intangible assets comprising the organization’s business model.
1.4 – RELEVANCE OF ERM
1. Reduce unacceptable performance variability
2. Align and integrate varying views of risk management
3. Build confidence of investment community and stakeholders
4. Enhance corporate governance
5. Successfully respond to a changing business environment
6. Align strategy and corporate culture
1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM -
PROTECT AND ENHANCE ENTERPRISE VALUE
1. Optimize Risk Management Cost
2. Improve Business Performance
3. Establish Competitive Advantage
1.6 – WHAT IF THERE IS NO ERM
ERM doesn’t guarantee the success of a business. It provides better information to managers
and a more robust process for them to deploy, but does not necessarily transform a poor
manager into a good manager. All organizations face business risk, regardless of size.
Organizations ignore risk at their own peril. No organization can afford to stand pat with its
existing risk management capabilities; therefore, every organization should evaluate how it
can improve its risk management.
CHAPTER 2 – REVIEW OF LITERATURE
Although many companies have used ERM over the last decade, the economic downturn of
2008 showed that some companies had not done well when it came to managing their risks
(Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that
corporate executives were not taking newly developed models of risk analysis as seriously
as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the
ERM concept is changing as more and more companies attempt to recover from the
downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy
base for using ERM to help manage companies through all phases of business cycles (Van
der Stede, 2009).
After Enron, WorldCom, Tyco, and other large businesses failed, the United States Congress
passed the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley addressed risks related to financial
reporting issues. Sections 302 and 404 of the act have spurred considerable interest in ERM.
Section 302 mandates disclosure controls and procedures so that companies could disclose
developments and risks of the business and section 404 requires an assessment of the
effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009).
The United States Securities and Exchange Commission (SEC) has also implemented
requirements for publicly traded companies to disclose risk factors in Section 1A of their 10-
Ks. The SEC and Public Company Accounting Oversight Board (PCAOB) also developed
Section 404 guidance that supports top-down risk assessment that holds boards of directors
more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir &
Walker, 2009).
The types of risks that companies face:
1. External risk is the risk of events that may strike organizations or individuals
unexpectedly (from the outside) but that happen regularly enough and often enough
to be generally predictable.
2. Manufactured risk is a result of the use of technologies or even business practices
that an organization chooses to adopt.
3. A technological risk is caused or created by technologies that can include trains
wrecking, bridges falling, and planes crashing (Giddens, 1999).
4. Business practice risk is caused or created by actions which the company takes
which could include investing, purchasing, sales, or financing customer purchases.
2.1 - DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND
RISK APPETITE AND EVENT
Risk is defined as “the possibility that an event will occur and adversely affect the
achievement of objectives.”
Risk assessment is a systematic process for identifying and evaluating events (i.e. possible
risks and opportunities) that could affect the achievement of objectives, positively or
negatively. Such events can be identified in the external environment (e.g., economic trends,
regulatory landscape, and competition) and within an organization’s internal environment
(e.g., people, process, and infrastructure).
Risk assessments can be mandated by regulatory demands for example, anti-money
laundering, Basel III, and Sarbanes-Oxley compliance all require formalized risk
assessment, and focus on such processes as monitoring of client accounts, operational risk
management, and internal control over financial reporting. Risk assessments can also be
driven by an organization’s own goals, such as business development, talent retention, and
operational efficiency.
Risk tolerance is the acceptable level of variation relative to the achievement of a specific
objective, and should be weighed using the same unit of measure applied to the related
objective.
Risk appetite is the amount of risk, on a broad level, that an organization is willing to accept in
pursuit of value.
An event and a risk are related concepts. Events can have either a negative or a positive
impact. An event with a negative impact represents a risk whereas an event with a positive
impact represents an opportunity.
2.1.1 - THE PROCESS
The ERM process begins with risk identification. This creative wide-open process may
have a tendency to produce a large and unwieldy list. To keep things organized, a
computerized risk register is often recommended. Once a list has been created and
organized, the cause and effect of each item should be considered and the appropriate
experts consulted. Each risk should be assessed to separate minor risks from more serious
risks and should be assigned a score.
For example, a number from one to ten can be determined for each of the two dimensions,
probability and severity. A zero score may mean a risk almost never happens or is of
trivial consequence. On the other hand, a score of ten may mean that a particular risk almost
always happens or carries potentially catastrophic consequences. These scores can then be
multiplied together to generate a final risk score that can be used to communicate the
magnitude of impact posed by a risk and the urgency required. The scores along with a
detailed description and evaluation can be placed in a risk register. That risk register creates
a record on which to base future action and strategy.
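To make the scoring concrete, here is an added example of a small computerized risk register, written for this page and not taken from the paper or from any ERM product. It applies the two 1-to-10 dimensions described above, probability and severity, multiplies them into the final score, ranks the register by that score, and flags exceptions beyond a tolerance expressed in the same unit. The traffic-light bands, the tolerance of 40, the owner names and the sample entries are constructed assumptions, not figures from the paper.

```python
"""Computerized risk register with probability x severity scoring.

Added example, not code from the paper. Each risk gets a 1..10 probability and a
1..10 severity, the two are multiplied into a final score, and the register ranks
risks and flags those beyond a stated risk tolerance. The traffic-light bands and
the tolerance value are assumptions chosen for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10

# Assumed "traffic-light" bands over the 1..100 product score: (upper bound, label).
BANDS = ((20, "green"), (50, "amber"), (100, "red"))


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: int        # 1 = almost never happens, 10 = almost always happens
    severity: int           # 1 = trivial consequence, 10 = potentially catastrophic
    cause: str = ""
    effect: str = ""
    owner: str = "unassigned"

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a mis-keyed entry cannot silently mis-rank a risk.
        for name in ("probability", "severity"):
            value = getattr(self, name)
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}")

    @property
    def score(self) -> int:
        return self.probability * self.severity

    @property
    def band(self) -> str:
        for upper, label in BANDS:
            if self.score <= upper:
                return label
        return BANDS[-1][1]


class RiskRegister:
    def __init__(self, tolerance: int) -> None:
        # Tolerance is expressed in the same unit as the score (1..100).
        if not SCALE_MIN <= tolerance <= SCALE_MAX * SCALE_MAX:
            raise ValueError("tolerance must lie on the score scale")
        self.tolerance = tolerance
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise KeyError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def get(self, risk_id: str) -> Risk:
        return self._risks[risk_id]

    def ranked(self) -> list[Risk]:
        # Highest score first; ties broken by severity, then id, so the order is stable.
        return sorted(self._risks.values(), key=lambda r: (-r.score, -r.severity, r.risk_id))

    def exceptions(self) -> list[Risk]:
        # Risks beyond tolerance: the ones the risk committee should see first.
        return [r for r in self.ranked() if r.score > self.tolerance]

    def unowned(self) -> list[Risk]:
        # Risks nobody has been made responsible for.
        return [r for r in self.ranked() if r.owner == "unassigned"]

    def report(self) -> str:
        header = f"{'ID':<6}{'P':>3}{'S':>3}{'Score':>7}  {'Band':<6} {'Owner':<12} Description"
        rows = [f"{r.risk_id:<6}{r.probability:>3}{r.severity:>3}{r.score:>7}  "
                f"{r.band:<6} {r.owner:<12} {r.description}" for r in self.ranked()]
        return "\n".join([header, *rows])


def build_sample_register() -> RiskRegister:
    """Constructed sample entries (not from the paper) with an assumed tolerance of 40."""
    reg = RiskRegister(tolerance=40)
    reg.add(Risk("R-01", "Key supplier fails to deliver", 6, 7, owner="COO"))
    reg.add(Risk("R-02", "Data centre outage", 3, 9, owner="CIO"))
    reg.add(Risk("R-03", "Material misstatement in quarterly report", 2, 10, owner="CFO"))
    reg.add(Risk("R-04", "Adverse currency movement on receivables", 8, 4, owner="Treasurer"))
    reg.add(Risk("R-05", "Unauthorised access to customer data", 5, 9))
    reg.add(Risk("R-06", "Loss of operating licence", 7, 9, owner="CEO"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print(register.report())
    print("Beyond tolerance:", [r.risk_id for r in register.exceptions()])
    print("No owner:", [r.risk_id for r in register.unowned()])
```

Run it directly to print the ranked register. The validation in `Risk.__post_init__` is what keeps a mis-keyed score from silently reordering the register, `exceptions()` is the list that would drive a traffic-light view for the chief risk officer, and `unowned()` surfaces risks that have no defined owner.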
Participation of stakeholders is critical to the success of an ERM program and good
communication is important to maintaining interest in the program. Unless an initiative has
the support of the top management and the CEO, it would be very difficult to get a program off
the ground. It may be difficult for separate units to effectively communicate with one
another. Accordingly, a company that wishes to implement ERM may consider defining a
common risk language or glossary that defines and implements a risk ranking system to
prioritize risk both within and across departments. To address implementation issues related
to responsibility, a company may establish a risk committee or chief risk officer to
coordinate the activities across function areas and assign ownership for particular risks and
responses.
2.1.2 - RISK ASSESSMENT CAN BE CONDUCTED AT VARIOUS LEVELS OF
THE ORGANIZATION
Frequently performed risk assessments include:
Strategic risk assessment - Evaluation of risks relating to the organization's mission and
strategic objectives, typically performed by senior management teams in strategic planning
meetings, with varying degrees of formality
Operational risk assessment - Evaluation of the risk of loss (including risks to financial
performance and condition) resulting from inadequate or failed internal processes, people,
and systems, or from external events.
Compliance risk assessment - Evaluation of risk factors relative to the organization’s
compliance obligations, considering laws and regulations, policies and procedures, ethics
and business conduct standards, and contracts, as well as strategic voluntary standards and
best practices to which the organization has committed
Internal audit risk assessment - Evaluation of risks related to the value drivers of the
organization, covering strategic, financial, operational, and compliance objectives. The
assessment considers the impact of risks to shareholder value as a basis to define the audit
plan and monitor key risks.
Financial statement risk assessment - Evaluation of risks related to a material misstatement
of the organization’s financial statements through input from various parties such as the
controller, internal audit, and operations.
Fraud risk assessment - Evaluation of potential instances of fraud. This is typically
performed as part of Sarbanes-Oxley compliance or during a broader organization-wide risk
assessment, and involves subject matter experts from key business functions where fraud
could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.
Market risk assessment - Evaluation of market movements that could affect the
organization’s performance or risk exposure, considering interest rate risk, currency risk,
option risk, and commodity risk. This is typically performed by market risk specialists.
Credit risk assessment - Evaluation of the potential that a borrower or counterparty will fail
to meet its obligations in accordance with agreed terms
Customer risk assessment - Evaluation of the risk profile of customers that could potentially
impact the organization’s reputation and financial position. This assessment weighs the
customer’s intent, creditworthiness, affiliations, and other relevant factors.
Supply chain risk assessment - Evaluation of the risks associated with identifying the inputs
and logistics needed to support the creation of products and services, including selection and
management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing
quality assurance reviews to assess any changes that could impact the achievement of the
organization’s business objectives).
Product risk assessment - Evaluation of the risk factors associated with an organization’s
product, from design and development through manufacturing, distribution, use, and
disposal. This assessment aims to understand not only the revenue or cost impact, but also
the impact on the brand, interrelationships with other products, dependency on third parties,
and other relevant factors.
Security risk assessment - Evaluation of potential breaches in an organization’s physical
assets and information protection and security. This considers infrastructure, applications,
operations, and people, and is typically performed by an organization’s information security
function.
Information technology risk assessment - Evaluation of potential for technology system
failures and the organization’s return on information technology investments. This
assessment would consider such factors as processing capacity, access control, data
protection, and cybercrime.
Project risk assessment - Evaluation of the risk factors associated with the delivery or
implementation of a project, considering stakeholders, dependencies, timelines, cost, and
other key considerations.
Every organization should consider what types of risk assessments are relevant to its
objectives. The scope of risk assessment that management chooses to perform depends upon
priorities and objectives.
For risk assessments to yield meaningful results, certain key principles must be considered.
They are:
1. Begin and end with specific business objectives that are anchored in key value
drivers.
2. Governance over the risk assessment process must be clearly established
3. Risk rating scales are defined in relation to organizations’ objectives in scope
4. Capturing leading indicators enhances the ability to anticipate possible risks and
opportunities before they materialize.
5. Management forms a portfolio view of risks to support decision making.
6. Interpret the results of their risk assessment process to set a foundation for
establishing an effective enterprise risk management (ERM) program
7. Determine risk tolerance.
8. Risk appetite must be clearly defined and reflected in risk tolerances and risk limits
to help ensure that organizational objectives can be achieved.
2.1.3 - COMMON CHALLENGES TO EFFECTIVE RISK ASSESSMENT
Risk assessment is viewed as an episodic initiative providing limited value.
  - The owner of a risk assessment must clearly communicate its purpose, process, and
    expected benefits.
  - The right parties must be engaged to ensure relevant input, informed assessment, and
    meaningful and actionable results.
  - The assessment must be a repeatable process that integrates into regular business
    practices, adapts to change, and delivers more than one-time value.
The amount of information and data gathered is difficult to interpret and use.
  - Failure to effectively organize and manage the volume and quality of assessment
    data makes interpreting that data a challenge.
  - Tools, templates, and guidance are necessary to ensure consistency in data capture,
    assessment, and reporting.
Results of the risk assessment are not acted upon.
  - Lack of an effective risk assessment process and defined risk tolerance could result
    in an organization over-controlling a risk, which could place an excessive cost
    burden on the organization and/or stifle its ability to seize opportunities.
Risk assessments become stale, providing the same results every time.
  - Without refreshing their data capture, process, and reporting from time to time, risk
    assessments may lose relevance.
  - Breakdowns may occur without triggering key risk indicators to management.
  - Risk assessment is added onto day-to-day responsibilities without being integrated
    into business processes.
  - Too many different risk assessments are performed across the organization.
Risk assessment will not prevent the next big failure.
  - Risk assessments need to invoke the right subject matter experts and consider not
    only past experience but also forward-looking analysis.
2.1.4 – FORMS OF RISK ASSESSMENTS
Qualitative assessments are the most basic form of risk assessment, categorizing potential
risks based on either nominal or ordinal scales. External validation should be obtained to
guard against potential management biases.
Rigorous quantitative techniques ranging from benchmarking to probabilistic and non-
probabilistic modeling can be used for assessing risk as more data becomes available
through tracking of internal events (e.g., transaction errors, customer complaints, litigation)
and external events (e.g., loss events recorded by peer organizations and made available
through subscription to services such as the ORX or Fitch First databases).
Such data enables greater analysis of potential risk exposures, development of relevant
indicators that can be tracked regularly, and more rapid and efficient responses to risk
situations. Risk categories, loss-event data, and key risk indicators are often refined through
iterative efforts to support issue and trend analysis.
Analysis is often enriched by various modeling techniques using assumptions regarding
distributions. Probabilistic models (e.g., “at-risk” models, assessment of loss events, back
testing) measure both the likelihood and impact of events, whereas non-probabilistic models
(e.g., sensitivity analysis, scenario analysis, stress testing) measure only the impact and
require separate measurement of likelihood using other techniques. Non-probabilistic
models are relied upon when available data is limited. Both types of models are based on
assumptions regarding how potential risks will play out.
The more mature risk assessment processes yield quantitative results that can be used to
allocate capital based on risk, as required by regulation in certain industries (e.g., Basel II or
III for the financial services industry). For organizations in industries not subject to such
requirements, the best approach should be determined based on a cost/benefit analysis of the
process for enabling timely and relevant discussion of risks, monitoring predictive
indicators, escalating information on increased risk exposures, and making risk-informed
decisions in an integrated manner.
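As an added illustration of the distinction drawn above between probabilistic and non-probabilistic models (example code written for this page, not taken from the paper or from any vendor tool): a Monte Carlo "at-risk" model that simulates both the occurrence and the impact of a loss event and reports an expected loss and value-at-risk figures, beside a scenario analysis that yields impacts only and needs likelihoods supplied separately before an expected loss can be formed. The event probability, the lognormal impact parameters, the scenario shocks and the likelihoods are all constructed values.

```python
"""Probabilistic versus non-probabilistic risk models (added example, not from the paper).

Probabilistic side: a Monte Carlo "at-risk" model. Each simulated year the loss
event occurs with probability p_event and, if it does, its impact is drawn from a
lognormal distribution, so likelihood and impact are both measured.
Non-probabilistic side: scenario analysis, which produces impacts only; a
separately assessed likelihood per scenario is needed to obtain an expected loss.
All parameter values are constructed for the example.
"""
from __future__ import annotations

import math
import random
import statistics


def simulate_annual_losses(p_event: float, median_impact: float, sigma: float,
                           n_years: int, seed: int = 1) -> list[float]:
    """One loss figure per simulated year; a year with no event contributes 0."""
    if not 0.0 <= p_event <= 1.0 or median_impact <= 0 or sigma <= 0 or n_years <= 0:
        raise ValueError("need p_event in [0,1], median_impact > 0, sigma > 0, n_years > 0")
    rng = random.Random(seed)           # fixed seed so a run is reproducible
    mu = math.log(median_impact)        # the lognormal median is exp(mu)
    losses = []
    for _ in range(n_years):
        if rng.random() < p_event:      # does the event occur this year?
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def expected_loss_analytic(p_event: float, median_impact: float, sigma: float) -> float:
    """Closed form used to check the simulation: p times the lognormal mean."""
    return p_event * median_impact * math.exp(sigma ** 2 / 2)


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Loss not exceeded in `confidence` of simulated years (empirical quantile)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[index]


def summarize(losses: list[float]) -> dict[str, float]:
    return {
        "mean": statistics.fmean(losses),
        "event_years": sum(1 for x in losses if x > 0) / len(losses),
        "var95": value_at_risk(losses, 0.95),
        "var99": value_at_risk(losses, 0.99),
    }


def scenario_analysis(base_impact: float, shocks: dict[str, float]) -> dict[str, float]:
    """Non-probabilistic: impact under each named shock (a multiplier on the base case).
    No likelihood is produced here, which is the limitation the text describes."""
    if base_impact <= 0:
        raise ValueError("base_impact must be positive")
    return {name: base_impact * factor for name, factor in shocks.items()}


def scenario_expected_loss(impacts: dict[str, float], likelihoods: dict[str, float]) -> float:
    """Combine scenario impacts with separately assessed likelihoods (which must sum to 1)."""
    if set(impacts) != set(likelihoods):
        raise ValueError("every scenario needs exactly one likelihood")
    if abs(sum(likelihoods.values()) - 1.0) > 1e-9:
        raise ValueError("likelihoods must sum to 1")
    return sum(impacts[s] * likelihoods[s] for s in impacts)


if __name__ == "__main__":
    P, MEDIAN, SIGMA = 0.3, 100_000.0, 0.8      # constructed parameters
    sim = summarize(simulate_annual_losses(P, MEDIAN, SIGMA, n_years=20_000))
    print(f"Monte Carlo: mean {sim['mean']:,.0f}  VaR95 {sim['var95']:,.0f}  "
          f"VaR99 {sim['var99']:,.0f}  event years {sim['event_years']:.2%}")
    print(f"Analytic expected loss: {expected_loss_analytic(P, MEDIAN, SIGMA):,.0f}")
    impacts = scenario_analysis(MEDIAN, {"best": 0.5, "likely": 1.0, "worst": 4.0})
    print("Scenario impacts (no likelihood attached):", impacts)
    print("Scenario expected loss with assumed likelihoods:",
          round(scenario_expected_loss(impacts, {"best": 0.25, "likely": 0.6, "worst": 0.15})))
```

The simulated mean converges on the closed-form expected loss, which is a cheap sanity check on any at-risk model before its tail figures are trusted; the 95% and 99% values are the quantities a value-at-risk report would carry. The scenario functions deliberately keep impact and likelihood apart so the missing step, supplying likelihoods by some other technique, is explicit in the code.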
2.1.5 – DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK
MANAGEMENT AND ENTERPRISE RISK MANAGEMENT
Focus
  RM:  Finance, hazard, internal controls
  BRM: Business, internal controls
  ERM: Business, internal controls, taking an entity-level portfolio view of risk
Objective
  RM:  Protect enterprise value
  BRM: Protect enterprise value
  ERM: Protect and enhance enterprise value
Scope
  RM:  Treasury, insurance and operations
  BRM: Business managers
  ERM: Across the enterprise, at every level and unit
Emphasis
  RM:  Finance and operations
  BRM: Management
  ERM: Strategy-setting
Application
  RM:  Selected risk areas, units and process
  BRM: Selected risk areas, units and process
  ERM: Enterprise wide to all sources of value
Vision: "Current State" capabilities -> "Future State"
Table 1
2.1.5. A - TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES
Traditional RM                      | ERM
------------------------------------|--------------------------------------------
Risk as individual hazards          | Risk in the context of business strategy
Risk identification and assessment  | Risk portfolio development
Focus on discrete risks             | Focus on critical risks
Risk mitigation                     | Risk optimization
Risk limits                         | Risk strategy
Risks with no owners                | Defined risk responsibilities
Haphazard risk quantification       | Monitoring and measuring of risks
"Risk is not my responsibility"     | "Risk is everyone's responsibility"
Table 2
2.1.6 - APPLICATION OF ERM ACROSS INDUSTRIES
The nature of the industry will drive the value of the risks and the risk management practices
the organization adopts to manage those risks. For example, a bank will focus on managing
market and credit risk to a greater extent than other institutions because the assumption of
those risks is the essence of its business model. A pharmaceutical company will focus on
managing its research and development pipeline because that is the lifeline to its future
revenue streams. Regardless of the industry the components of the framework as defined by
COSO still apply.
2.1.7 – RISK MANAGEMENT REPORT
These reports serve the purpose of providing information for decision making to executive
management.
1. A summary of the enterprise’s risks, broken down by operating unit, geographic
location, product group.
2. A summary of existing gaps in the capabilities for managing the priority risks.
3. A summary of the top and worst performing investments and the reasons why.
4. From an “environment scan” process or early warning system, a report of emerging
issues or risks that warrant immediate attention.
5. Value at risk reports to assess the sensitivity of existing portfolio positions to market
rate changes beyond specified limits and consider the exposure of earnings or cash
flow to severe losses.
6. Summary of scenario analyses evaluating the impact of changes in other key
variables beyond management’s control (e.g. inflation, weather, competitor acts and
supplier performance levels) on earnings, cash flow, capital and the business plans.
7. Operational risk reports summarizing exceptions that have occurred versus policies
or established limits (i.e. limit breaches), including any significant breakdowns,
errors, accidents, incidents, losses (as well as lost opportunities) or “close calls” and
“near misses”.
8. Specific studies or targeted analyses to evaluate questions about specific events or
anticipated concerns that could “stop the show”.
9. Summary of significant findings of business process audits performed by internal
audit or reviews conducted by other independent parties such as the organization’s
regulators.
10. Summary of the status of the improvement initiatives.
Good governance facilitates implementation of ERM because ERM is built on transparency.
Conversely, an effectively functioning ERM infrastructure would provide greater confidence
to the board and to executive management that risks and opportunities are being
systematically identified, rigorously analyzed and effectively managed on an enterprise wide
basis.
2.1.8 - INTERNAL AUDIT
The Institute of Internal Auditors (IIA) regards internal auditing as an independent, objective
assurance and consulting function while objective reporting is the primary value of an
auditor from outside the company. Accordingly, the IIA identifies suitable activities for the
internal auditor in the ERM process. This is accomplished by advising upon the accuracy of
the company's risk evaluation, evaluating the ERM processes and the method employed for
reporting those risks, and reviewing the management of risk. The IIA considers activities
such as facilitating, coaching, coordinating, educating, integrating, evaluating and
developing an ERM framework as appropriate activities for internal auditors. However, the
IIA considers setting risk appetite, imposing the ERM process, decision-making or
implementation of risk response as roles an internal auditor should not undertake.
2.1.9 – EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT
Method: Description
Interviews: Individual stakeholder interviews to identify potential events and prioritize associated risk
Online surveys: Consisting of either a checklist of events or risks or an open-ended request
Paper surveys: Hard copy survey consisting of either a checklist of events or risks or an open-ended request
Document review: Review of existing public documents, regulatory reviews, audit reports, special purpose studies and other materials
Facilitated workshops: An in-person or online workshop attended by key stakeholders
Targeted reviews: Special studies to evaluate questions about specific events or anticipated concerns, or targeted analyses
Table 3
Any combination of these options is appropriate.
2.2 – INDUSTRY SPECIFIC EXAMPLES
2.2.1 – COMPONENTS OF A HIGHER EDUCATION SPECIFIC ERM FRAMEWORK
Internal environment – organization’s code of conduct, management’s leadership,
communication and decision making style. Training should begin at the level of academic
deans, department heads, business managers and administrators
Objective setting – suppose the institution wants to build a new science and technology
block. The proposal should consider the return on investment risk in qualitative and
quantitative terms
Event identification – requires the institution to identify activities that may impact its
ability to achieve objectives
Risk assessment and risk response – Low probability/ high impact events or high
probability/ high impact situations
Control and monitoring activities – adherence to policies and procedures that reduce risk,
follow up activity which ensures that the policies and procedures have been carried out as
intended
Information and communication – Administrators and other members of the campus need
to have access to accurate information that is communicated widely.
2.2.2 - WHY IS ERM RELEVANT IN THE HIGHER EDUCATION
ENVIRONMENT?
The higher education system operates in an inherently risky environment. By strategically
managing risk, institutions can reduce the chance of loss, create greater financial stability and
protect their resources so that they can support the university's mission of supporting
teaching, research and public service.
2.2.3 – STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION
Risk driver | Stakeholders
Emerging educational delivery systems | Students, faculty, executive management, staff, accrediting agencies
Inability of governance processes to support strategic objectives | Trustees, executive management, faculty
Increasing opportunities to leverage intellectual capital | Executive management, faculty
Excess physical capacity | Trustees, executive management, donors
Quality of academic program | Students, faculty, executive management
Increasing customer expectations (e.g. financial aid, student life, access, capacity) | Students, parents
Table 4
2.2.4 – OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER
EDUCATION
Risk driver | Stakeholders
New technologies | Trustees, executive management, staff (for selected issues)
Reimbursement and financial issues | Dean, faculty, regulators, trustees
Increased regulatory scrutiny and accountability | Trustees, executive management, internal audit, public
Research and intellectual property | Executive management, research
Human resource management | HRM, unions, staff
Decentralized responsibility | Staff, faculty, auditors
Security, internet access, electronic records | Students, executive management, faculty, staff
New construction | Real estate office, executive management, donors
New business creation (international operations) | Staff, faculty
Increased competition | Trustees, executive management, faculty
Student behavior and community | Alumni, parents, students, faculty, president
Contracting and related processes | Attorneys and executive management
Endowment management | Trustees, staff, alumni, other donors
Table 5
2.2.5 - LIST OF RISKS SEPARATED BY CATEGORY
Risk category: Sample risks
Hazard risks: Domestic terrorism; Catastrophic natural events; Pandemic; Laboratory safety; Facilities and ground safety
Financial risks: Conflicts of interest in financial transactions and agreements; Budget impairment; Ineffective service center, auxiliary management; Non-compliant cost transfers; Insufficient oversight over third party vendors; Improper governmental activities including fraud, embezzlement or misuse of university resources
Information technology risks: Unauthorized modification of data; Decentralization of systems leading to data inconsistencies and fragmentation; Disclosure of confidential information; Obsolescence of systems/technology; Lack of common data definitions; Inability to recover from system loss; Lack of comfort with third party vendor system security
Human resource risks: Personal issues or workplace violence; Professional liability claims; Workers compensation claims; Employee recruitment and retention
Research risks: Falsification of data or results; Intellectual property infringement; Unethical or unapproved research; Inadequate lab practices and processes for the promotion of environmental health and safety; Threat to safety of researchers
Contract and grant risks: Regulatory fines or penalties; Non-compliance with sponsoring agency terms and conditions and agreement; Funds used but agreement terms and conditions not followed; Failure to maintain equipment inventories in accordance with grant requirements; Sub-recipients not managed properly
Student life risks: Sports or public event disturbances; Student mental health; Safety and security of students on and off campus
Facilities and maintenance risks: Deferred maintenance; Increase in energy costs; Equipment/facility malfunction
Table 6
2.2.6 – ERMIS
As a key support, a University can develop the ERM information system (ERMIS) to
provide management with current information in minutes in the form of key performance
indicators (KPIs). ERMIS reduces the cost of risk by improving the efficiency of
retrospective reviews and monitoring the effectiveness of controls to prevent reoccurrences.
The ERMIS includes:
1. Dashboard reporting on major risks
2. Risk assessment tools
3. Control and accountability tracking platform
4. Risk mitigation and monitoring tools
5. Survey capabilities
2.3 – HEALTH CARE ORGANIZATION
Specific objectives:
1. Quality of customer care
2. Attracting and retaining high quality physicians
3. Building sustainable levels of profit to provide access to needed capital and fund
existing activities
Statement of risk appetite:
The organization’s lowest risk appetite relates to safety and compliance objectives,
including employee health and safety, with a marginally higher risk appetite towards its
strategic, reporting and operations objectives.
2.4 – AEROSPACE SUPPLIER
A high level objective is to work with customers to improve products and market share.
There is a low risk appetite for allowing the capital structure to be leveraged to the extent that
it hinders the company’s future flexibility or ability to make strategic acquisitions.
Operations tolerances:
1. Near zero risk tolerance for product defects
2. Low risk tolerance for sourcing products that fail to meet the company’s quality
standards
3. Low risk tolerance for failing to meet customer orders on time
4. High risk tolerance for potential failure in pursuing research that will enable the
company’s product to better control and increase the efficiency of energy use
Reporting tolerances:
1. Low risk tolerance concerning the quality, timing and accessibility of data needed to
run the business
2. Very low risk tolerance concerning the possibility of material deficiencies in internal
control
3. Low risk tolerance related to financial reporting quality (timeliness, transparency,
generally accepted accounting principles)
Compliance tolerances:
1. Near zero risk tolerance for violations of regulatory requirements or the company’s
code of ethics.
2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS
(BASEL III)
The Basel Accords are a set of rules on banking regulation with regard to capital. Basel III is a series of additions to the existing accords designed to limit the likelihood and impact of a future financial crisis. It requires banks to hold more, higher-quality capital against more conservatively calculated risk weighted assets (RWAs). It also looks to ensure sufficient liquidity during times of stress and to reduce excess leverage.
Capital: A minimum of 7 per cent of a bank’s RWAs must be core tier one capital, to act as a buffer against losses. This compares with the 2 per cent required under Basel II. The definition of which liabilities can be classified as core tier one will narrow. There is a counter-cyclical buffer of 0 to 2.5 per cent, which is to be built up when the economy is strong so that it can be called upon in tougher times. Additional requirements will also be introduced for large banks deemed vital to the global financial system, the Global Systemically Important Financial Institutions (G-SIFIs), which are to hold an extra 1 to 2.5 per cent of core tier one capital.
Risk weighted assets: In addition to increasing the quality and quantity of capital, Basel III also updates the RWA calculation for counterparty credit risk. This will see the introduction of the Credit Valuation Adjustment (CVA) capital charge, which increases the capital held against the risk that the mark-to-market value of derivatives will deteriorate due to a change in counterparty credit worthiness. The Financial Institution Asset Value Correlation (FI AVC) will be amended to increase the RWAs for banks’ exposures to large and/or unregulated financial institutions.
Liquidity: The Liquidity Coverage Ratio (LCR) defines the amount of unencumbered, low risk assets (such as cash or gilts) that banks must hold to offset forecast cash outflows during a 30-day crisis. Outflows are estimated based on the nature of the customer relationship and the type of product.
Leverage: A new leverage ratio of 3 per cent is due to become mandatory in 2018. This seeks to ensure banks apply adequate capital to all their exposures, including those off balance sheet, and without applying any risk weightings.
Timing: Basel III requirements are being introduced from 2013, but some areas are still subject to change and total compliance is not expected until 2019. The long lead-in is designed to prevent sudden lending freezes as banks improve their balance sheets. These measures aim to:
1. Improve the banking sector's ability to absorb shocks arising from financial and economic stress, whatever the source
2. Improve risk management and governance
3. Strengthen banks' transparency and disclosures
CHAPTER 3 – EXPLORATION COMMENT ON ERM
3.1 - RISK MAPPING
Risk mapping is probably the most common tool used by companies to identify and
prioritize the risks associated with their business activities. It is a directional tool.
Consolidated risk profile: a 3 x 3 map with Impact on the vertical axis (rated Manageable, Major or Critical) and Likelihood on the horizontal axis (rated Remote, Possible or Likely). Risks plotted toward the upper right corner (Critical impact and Likely) are the critical risks.
Fig.2
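A worked illustration of the risk map above, added here as an example and not part of the term paper: a small risk register is scored on the two axes of Fig. 2 and sorted into a consolidated risk profile. The risk names are taken from the information technology row of Table 6 (2.2.5); the ratings, owners, zone thresholds and tie-breaking rule are constructed assumptions.

```python
"""Risk map (likelihood x impact) over a small risk register.

Added example, not from the term paper. The two scales reuse the axes
of Fig. 2 (Likelihood: Remote / Possible / Likely; Impact: Manageable /
Major / Critical). Zone thresholds, owners and the ratings given to each
risk are constructed assumptions; the risk names come from the
information technology row of Table 6.
"""
from collections import defaultdict
from dataclasses import dataclass

LIKELIHOOD = {"Remote": 1, "Possible": 2, "Likely": 3}
IMPACT = {"Manageable": 1, "Major": 2, "Critical": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # a key of LIKELIHOOD
    impact: str      # a key of IMPACT
    owner: str       # ERM gives every risk a defined owner (Table 2)


def score(risk):
    """Ordinal priority score: likelihood rank times impact rank (1 to 9)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def zone(risk):
    """Band of the map the risk falls in (thresholds are an assumption):
    critical = Likely/Major, Possible/Critical, Likely/Critical (score 6 or 9);
    watch    = the diagonal and the two far off-diagonal cells (score 3 or 4);
    accept   = the low-likelihood, low-impact corner (score 1 or 2)."""
    s = score(risk)
    if s >= 6:
        return "critical"
    if s >= 3:
        return "watch"
    return "accept"


def build_map(register):
    """Group risk names by map cell, keyed by (likelihood label, impact label)."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.name)
    return dict(cells)


def prioritize(register):
    """Order for the consolidated risk profile: highest score first; ties go to
    the higher impact (rare but severe events get attention before frequent
    nuisances, see 3.6.1), then alphabetical so the order is stable."""
    return sorted(register, key=lambda r: (-score(r), -IMPACT[r.impact], r.name))


def render(register):
    """Plain-text 3 x 3 map with Impact down the side and Likelihood across."""
    cells = build_map(register)
    lines = []
    for imp in reversed(list(IMPACT)):
        counts = [len(cells.get((lik, imp), [])) for lik in LIKELIHOOD]
        lines.append(f"{imp:<10} | " + " | ".join(f"{c:>2} risk(s)" for c in counts))
    lines.append(" " * 10 + " | " + " | ".join(f"{lik:>9}" for lik in LIKELIHOOD))
    return "\n".join(lines)


# Constructed register: names from Table 6, ratings and owners invented for the example.
REGISTER = [
    Risk("Unauthorized modification of data", "Possible", "Critical", "CIO"),
    Risk("Disclosure of confidential information", "Likely", "Critical", "CIO"),
    Risk("Obsolescence of systems/technology", "Likely", "Major", "CIO"),
    Risk("Lack of common data definitions", "Likely", "Manageable", "Registrar"),
    Risk("Inability to recover from system loss", "Remote", "Critical", "CIO"),
    Risk("Decentralization of systems leading to data inconsistencies", "Possible", "Major", "CIO"),
    Risk("Lack of comfort with third party vendor system security", "Possible", "Manageable", "Procurement"),
]

if __name__ == "__main__":
    print(render(REGISTER))
    print()
    for r in prioritize(REGISTER):
        print(f"{score(r)}  {zone(r):<8} {r.name}  (owner: {r.owner})")
```

The ordinal product is only a directional ranking, as the text says of the map itself: it cannot add two risks together or be compared across units, which is why the later sections move to value-at-risk style measures once the organisation's capabilities mature.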
A RISK MODEL
Environment risk:
Competitor; Customer wants; Technological innovation; Sensitivity; Shareholder expectations; Capital availability; Sovereign/Political; Legal; Regulatory; Industry; Financial matters; Catastrophic loss
Process risk:
Financial – Price: Interest rate, Currency, Equity, Commodity, Financial instrument; Liquidity: Cash flow, Opportunity cost, Concentration; Credit: Default, Concentration, Settlement, Collateral
Empowerment – Leadership, Authority/Limit, Outsourcing, Performance incentives, Change readiness, Communications
Governance – Organizational culture, Ethical behavior, Board effectiveness, Succession planning
Information technology – Integrity, Access, Availability, Infrastructure
Reputation – Image and branding, Stakeholder relations
Integrity – Management fraud, Employee fraud, Third party fraud, Illegal acts, Unauthorized use
Operations – Customer satisfaction, Human resources, Knowledge capital, Product development, Efficiency, Capacity, Scalability, Performance gap, Cycle time, Sourcing, Channel effectiveness, Partnering, Compliance, Business interruption, Product/service failure, Environmental, Health and safety, Trademark/brand erosion
Information for decision making risk:
Strategic – Environment scan, Business model, Business portfolio, Investment valuation/evaluation, Organization structure, Measurement (strategy), Resource allocation, Planning, Life cycle
Public reporting – Financial reporting evaluation, Internal control evaluation, Executive certification, Taxation, Pension fund, Regulatory reporting
Operational – Budget and planning, Product/service pricing, Contract commitment, Measurement (operations), Alignment, Accounting information
Table 7
A RISK DRIVERS MAP
Fig.3 – Risk drivers map for human resources risk, grouping internal factors and external factors. The drivers shown on the map:
Company expectations are unrealistic
Industry demand declines due to environmental protection age issues
Performance measurement and reward system is not aligned with performance expectations
Executive management is not perceived as committed
Career or succession plan is poorly defined
Teamwork contradicts acceptance of individual accountability
Compensation levels are not competitive
Loss of reputation due to poor financial results
Hiring practices lack background checks
Hiring process: people are hired with dubious or questionable histories
Increased costs due to inflexible union rules
Market demand for company products significantly declines
Fewer entrants into higher education programs
High turnover occurs at remote locations
Loss of morale
Higher costs of expatriates due to transfers
Job security declines, resulting in good people leaving
Cost of retaining top and experienced performers increases
Company decides to restructure
Top and experienced performers conclude the company is not as attractive
Competition for talent increases
A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION
Fig.4 – Organization chart; the boxes shown, from the top down:
Board of Directors
CEO
Executive committee; Risk management executive committee
Chief risk officer – business risk
COO – business units: Unit A, Unit B, Unit C
CFO
CIO/CLO – program management; risk units: Unit A, Unit B
Support units – shared services, functional support
Assurance units – internal audit, risk management compliance, legal and regulatory compliance
3.2 - THE CAPABILITY MATURITY MODEL
The Capability maturity model is a tool for assisting management in thinking more clearly
about questions such as:
1. How capable do we want our risk management to be?
2. Do we vary the rigor and robustness of our risk responses and related control
activities?
3. Do we rely on a few well – qualified individuals in an ad hoc manner and regularly
put out fires?
4. Do we improve our capabilities?
3.2.1 - SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT
RISK
Columns: Business policies | Business processes | People and organizations | Management reports | Methodologies | Systems and data
Initial:
Business policies: Procurement not addressed as a strategic opportunity, no direction or policies
Business processes: Purchases not leveraged, no strategic partnerships
People and organizations: No leadership and lack of qualified staff
Management reports: Critical information not available and no internal auditing
Methodologies: No models, reliance on people
Systems and data: Disparate, inefficient purchasing and accounts payable systems
Repeatable:
Business policies: Occasional strategic focus on sourcing and informal policies
Business processes: Occasional supply leverage, few strategic partnerships
People and organizations: Some procurement professionals as staff, limited training
Management reports: Key internal procurement information available with audits occurring
Methodologies: Simple models are used inconsistently
Systems and data: Suite of fairly effective systems, procedure manual
Defined:
Business policies: Annual procurement plans, strategic sourcing for key commodities
Business processes: Defined processes, strategic partnerships in place
People and organizations: Accounts payable centralized, training offered and special purpose teams
Management reports: Key suppliers tracked, standard benchmarks and internal audits
Methodologies: Well-developed models available for decision making
Systems and data: Organization operates with contracts
Managed:
Business policies: Increased execution of strategic sourcing
Business processes: Effective use of formal risk management techniques
People and organizations: Consolidated leveraged supply base in place, trained commodity teams
Management reports: High quality procurement information, self-assessment commonplace
Methodologies: Sophisticated robust models and tools
Systems and data: Procurement data warehouse in place and utilized, P-cards and automation
Optimizing:
Business policies: Aligned strategic plans, defined and integrated policies and responsibilities
Business processes: Integrated and effective procurement processes and continuous benchmarking
People and organizations: Ability to adapt to changing environments and customer demands, outsourcing of non-core competencies
Management reports: Fully developed automated, consistent function and planning
Methodologies: Aligned strategic methodologies that emphasize continuous improvement
Systems and data: Complete suite of systems across the supply chain for analysis
Table 8
3.2.2 - RISK MEASUREMENT TECHNIQUES AT EACH STATE OF CAPABILITY MATURITY MODEL
Initial state: Simple and straightforward methodologies
1. Self - assessment techniques
2. Facilitated assessments
3. Risk indicator analysis
4. Position reports
5. Gap analyses
Repeatable state: Basic
1. Risk rating or scoring
2. Claims exposure and cost analysis
3. Sensitivity analysis
4. Deterministic stress testing
5. Parametric value at risk
6. Uncertainty measures
Defined state: Refined methodologies
1. Surrogate performance measures
2. Historical simulation value at risk
3. Scenario analysis
Managed state: Managed quantitatively and aggregated at the corporate level
1. Monte Carlo value at risk
2. Earnings at risk
3. Integrated measurement methodologies
4. Risk – adjusted performance measurement
Optimizing state: Organization is focused on continuous improvement. Risks are aggregated
and managed as a portfolio; the quantitative means to transfer and scrutinize risk are
developed.
3.2.3 - WAYS TO AGGREGATE MULTIPLE RISK MEASURES USING A COMBINATION OF A RIGOROUS METHODOLOGY AND THE APPLICATION OF JUDGMENT
1. Risk pooling - positively and negatively correlated
2. Risk appetite and risk tolerances
3. Hurdle rates - Discounted cash flow
4. At risk frameworks - Value at risk, earnings at risk, gross margin at risk and cash
flow at risk
5. Risk adjusted performance measurement - Risk adjusted return on capital
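The "at risk" measures listed for the Repeatable, Defined and Managed states in 3.2.2 (parametric, historical-simulation and Monte Carlo value at risk) and the correlation-aware risk pooling of 3.2.3, worked through in Python. This is an added example, not code from the term paper or from any of its sources; the daily return series, the position value, the 95 per cent confidence level and the correlations are constructed assumptions.

```python
"""Value at risk three ways, plus correlation-aware risk pooling.

Added example (not from the term paper). Parametric VaR is the
"Repeatable" state measure, historical simulation the "Defined" one and
Monte Carlo the "Managed" one from 3.2.2; pooled_var is the 3.2.3 risk
pooling step. The return series is constructed with a seeded generator
and does not describe any real portfolio.
"""
import math
import random
import statistics

Z_95 = 1.6449  # one-sided 95% quantile of the standard normal (assumed confidence level)


def make_returns(n=500, mu=0.0002, sigma=0.012, seed=7):
    """Constructed daily returns: normal noise plus a -3.5 sigma shock every 50th day,
    so the sample has fatter tails than the normal fit assumes."""
    rng = random.Random(seed)
    rets = [rng.gauss(mu, sigma) for _ in range(n)]
    for i in range(0, n, 50):
        rets[i] -= 3.5 * sigma
    return rets


def parametric_var(returns, value, z=Z_95):
    """Delta-normal VaR: fit mean and standard deviation and assume normality.
    The loss quantile is z * sigma - mu, scaled by the position value."""
    mu = statistics.fmean(returns)
    sigma = statistics.pstdev(returns)
    return value * (z * sigma - mu)


def historical_var(returns, value, confidence=0.95):
    """Historical-simulation VaR: the empirical loss quantile of the sample.
    No distribution is assumed, so whatever tail the data has is kept."""
    losses = sorted(-r * value for r in returns)
    idx = math.ceil(confidence * len(losses)) - 1
    return losses[idx]


def monte_carlo_var(returns, value, confidence=0.95, trials=20000, seed=11):
    """Monte Carlo VaR: simulate losses from a model fitted to the sample.
    Here the model is a plain normal, so the answer tracks the parametric
    figure; the method earns its cost when the model carries more structure."""
    mu = statistics.fmean(returns)
    sigma = statistics.pstdev(returns)
    rng = random.Random(seed)
    losses = sorted(-rng.gauss(mu, sigma) * value for _ in range(trials))
    return losses[math.ceil(confidence * trials) - 1]


def pooled_var(var_a, var_b, rho):
    """Aggregate two VaR figures given their correlation rho (normal assumption).
    rho = 1 simply adds them, rho = -1 nets them, and anything in between
    gives the diversification benefit that risk pooling is meant to capture."""
    return math.sqrt(var_a ** 2 + var_b ** 2 + 2 * rho * var_a * var_b)


def var_report(value=1_000_000):
    """All three measures on one constructed position, as a dict."""
    rets = make_returns()
    return {
        "parametric": parametric_var(rets, value),
        "historical": historical_var(rets, value),
        "monte_carlo": monte_carlo_var(rets, value),
    }


if __name__ == "__main__":
    for name, v in var_report().items():
        print(f"{name:<12} 95% one-day VaR: {v:>12,.0f}")
    # Two business units with equal stand-alone VaR, pooled at several correlations
    for rho in (1.0, 0.3, 0.0, -0.5):
        print(f"rho={rho:+.1f}  pooled VaR: {pooled_var(50_000, 50_000, rho):>10,.0f}")
```

Reading the three figures side by side is the point: the parametric number depends entirely on the normal fit, the historical number depends entirely on the window of data chosen, and the Monte Carlo number depends on the model used to generate scenarios. Reporting only one of them hides that dependence, which is why the "Managed" state pairs the measurement with aggregation and judgment rather than treating any single number as the risk.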
3.2.4 - RISK MEASUREMENT CAPABILITIES ACHIEVE
1. More robust risk reporting
2. Greater investment confidence
3. Greater integration and alignment
4. Higher valuation
The most important contribution of ERM to improving business performance is to help
managers make better choices in protecting and enhancing enterprise value.
Shareholder value is a generally accepted measure of value and is therefore an example of a
useful context for defining enterprise value. Economic value added (EVA) is such a
measure.
The basic formula for calculating EVA is:
EVA = NOPAT less WACoC
NOPAT = Net operating profit after tax
WACoC = Weighted average cost of capital
3.2.5 - APPLYING AN ERM PERSPECTIVE
Identify several opportunities for enhancing risk management processes to improve business
performance using the application of EVA:
1. Create new opportunities
2. Improve performance
3. Harvest existing value
4. Adjust and align cost of capital
3.3 - RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST
COMPANIES WITH IMPLEMENTING ERM
1. ERA – Enterprise risk assessment tools (decision support, survey and risk registers)
2. ORM – Operational risk management tools (qualitative and quantitative)
3. IA - Integrated compliance and risk management platform solutions
3.3.1 - PRIORITIZATIONS OF FUNCTIONALITY
Feature | COSO ERM component | Solution
Entity definition and objectives | Internal environment, objective setting | ERA, ERM, ORM
Risk identification | Event identification, risk assessment | ERA, ERM, ORM
Framework support | Various | ERA, ERM, ORM
Risk control and monitoring | Risk assessment, risk response, control activities | ERM, ORM
Risk workflow scheduling and notification | Risk assessment, risk response, control activities, monitoring | ERM, ORM
Risk and audit issue tracking | Risk response, control activities, information and communication, monitoring | ERM, ORM
Data collection, event tracking | Information and communication, monitoring | ORM
Risk and control self-assessment | Risk assessment, risk response | ERA, ERM, ORM
KPI definition and tracking | Risk response, control activities, information and communication, monitoring | ERM, ORM
Frequency and severity estimation and other statistical analyses | Risk assessment | ORM
Exposure calculation | Risk assessment, risk response, information and communication, monitoring | ORM
Scenario analyses | Risk assessment, risk response, information and communication, monitoring | ORM
Capital calculation | Risk response, information and communication, monitoring | ORM
RAROC analysis | Risk response, information and communication, monitoring | ORM
VaR model | Risk assessment, risk response, information and communication, monitoring | ERM
Internal reporting | Internal environment, information and communication, monitoring | ERA, ERM, ORM
Regulatory reporting | Internal environment, information and communication, monitoring | ORM
Risk response | Risk response | ERM
Compliance templates | Various | ERM
Audit planning | Risk assessment, monitoring | IA
Project management | Monitoring | IA
Table 9
3.3.2 - CHARACTERISTICS OF SUCCESSFUL ERM SOFTWARE VENDORS:
1. In – depth RM knowledge
2. Ability to educate prospects and customers
3. Ability to execute and support
4. Professional services
5. Global presence
6. Firm’s overall size
7. Ability to leverage existing relationships to build technology
8. Operational and financial risk expertise
3.3.3 - ERM VS. QUALITY INITIATIVES
ERM is an enterprise level process that is integral to strategy setting. Quality initiatives
provide the methodology and tools to help organizations understand, measure and
continuously improve the efficiency and quality of their processes at a detailed level.
3.4 – ADVANTAGES
3.4.1 - MANAGEMENT ALTERS AN ENTITY'S RISK CHARACTERISTICS BY
REDUCING:
1. The enterprise's net exposure
2. The variability of the enterprise's expected returns caused by specific sources of
uncertainty (e.g. fluctuating currency rates)
3. The likelihood of financial distress in the event of realized changes in key variables
(changes in interest rates for highly leveraged company)
4. Other uncertainties in the attainment of expected returns
3.4.2 - ERM TO ESTABLISH A SUSTAINABLE COMPETITIVE ADVANTAGE
1. Integrate risk management with business planning and strategy setting
2. Implement more rigorous risk assessment process
3. Improve management of common risks across the enterprise
4. Improve capital deployment and resource allocation
5. Configure the enterprise's risk taking with its core competencies
6. Seize opportunities through rational assumption of risk
3.5 - SUITABILITY
Key questions a business case must address
Fig.5
3.6 - LIMITATIONS
3.6.1 - VALUE IN USING QUALITATIVE INFORMATION WHEN ASSESSING
RISK
Some risks do not lend themselves to quantitative measurement because the related events
occur so infrequently and, if and when they do occur, they are subject to such a wide range
of possible outcomes in terms of severity that it is difficult, if not impossible, to quantify
them.
3.6.2 - COMMON MISTAKES AND PITFALLS DURING RISK ASSESSMENT
PROCESS
1. Lack of clarification and common understanding of the meaning or definition of risk
2. Not including all stakeholders
3. Not considering or giving appropriate weight to knowledgeable positions
4. Setting unclear or unrealistic objectives
3.6.3 - THE PROBLEMS ERM PRACTITIONERS MAY FACE
These arise when identifying, collecting, cleansing and analyzing data. Often adding to this
frustration is a lack of guidance on how to create an information infrastructure to accomplish
their goals. ERM practitioners also face the challenge of dealing with cultural,
organizational and political obstacles to data transformation efforts that seem to be almost
universal in organizations of all types (Fraser, Schoening-Thiessen & Simkins, 2008).
ERM information systems are facing the same hurdles as other systems that have required
changes in procedures, processes, or culture; there are many lessons to be learned from the
past implementation of other large systems. Above all, patience and persistence are keys to
the process of implementation.
3.6.4 - DEMONSTRATION OF ERM'S USEFULNESS KEY TO WINNING OVER
MANAGEMENT
Risk managers should expect resistance from their managers.
Risk managers who are preparing to implement an enterprise risk management
process should be ready to mitigate opposition from middle and lower management.
To counter resistance, risk managers must address it before implementing the
process.
Risk managers should demonstrate that ERM is a tool managers can use to improve
unit performance and promote their individual worth.
Risk managers also need a senior manager to co-champion ERM in addition to top
management support.
Unit managers perceive ERM as a spotlight that illuminates losses and potential
risks, which "doesn't paint them in a positive light."
Risk managers must adopt seven principles which will obtain and retain middle- and
lower-management support:
1. Simplify the ERM process, because "people don't do what they don't understand."
2. Communicate its purpose.
3. Provide training.
4. Personalize it to help managers achieve their objectives.
5. Demonstrate how it adds value to the managers' business operation.
6. Monitor performance.
7. Tie performance to compensation.
Of course, finding an individual whose expertise spans the full spectrum of enterprise wide
risks in a financial institution from loan quality and interest-rate mismatches to fraud and
natural disasters will be a significant challenge.
CONCLUSION
I have done an exploratory self-study about Enterprise Risk Management and would like to
conclude that it is a relatively new and vast topic and needs much time and expertise to
comprehend. In this study I did not obtain actual numbers and figures of any organization in
particular, and I have also not used any advanced statistical techniques. There are different
approaches and models to obtain optimal risk management which need much detailed
research and practical knowledge. Hence, I have not given any specific recommendations
regarding the implementation, application and use of ERM. Nevertheless, it can be
understood that ERM is not just the simple sum of all risks facing an organization.
ERM basically becomes a means of shifting focus from crisis response management and
compliance to evaluating risks in business strategies proactively, to enhance investment
decision making and maximize stakeholder value. Enterprises (regardless of size) need to
protect themselves from the adverse effects of risk and also need to exploit risk. ERM solutions
need to be tailored for each organization according to the factors affecting that enterprise.
Risk exists all around us; you can choose to use it or let it destroy you. The concept of ERM
is debatable in terms of time, cost and effectiveness for an enterprise.
REFERENCES
https://web.ebscohost.com/ehost/detail
http://pwc.com/us/grc
http://www.pwc.com/us/en/issues/enterprise-risk-management/publications/guide-to-risk-assessment-risk-management-from-pwc.jhtml
http://www.ucop.edu/enterprise-risk-management/
http://www.zurich.com/internet/main/sitecollectiondocuments/insight/risk-management-in-a-time-of-global-uncertainty.pdf
http://www.zurich.com/insight/global-issues/hbr-study/
http://www.forbes.com/sites/tatianaserafin/2012/07/02/risky-business-managing-risk-in-a-volatile-world/
http://www.forbes.com/forbesinsights/risk_management_2012/index.html
http://business.illinois.edu/~s-darcy/Fin321/2007/Readings/erm%20(conference%20board).pdf
mib.rbs.com/Basel-III