Copyright 2017. Kogan Page.
All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
08 Enterprise risk management
Enterprise-wide approach
In the past few years, there have been important developments in the practice of
risk management. Firstly, there has been the development of specialist branches of
risk management, including project, energy, finance, operational risk and clinical risk
management. Secondly, organizations have embraced the desire to take a broader
approach to the practice of risk management.
Various terms have been used to describe this broader approach, including holistic,
integrated, strategic and enterprise-wide risk management. It is the term enterprise
or enterprise-wide risk management (ERM) that is now the most widely used and
generally accepted terminology for this broader approach. The fundamental idea
behind the ERM approach is to move away from the practice of risk management as
the separate management of individual risks.
ERM takes a unifying, broader and more integrated approach. The ERM approach
means that an organization looks at all the risks that it faces across all of the operations
that it undertakes. ERM is concerned with the management of the risks that can
impact the objectives, key dependencies or core processes of the organization. Also,
ERM is concerned with the management of opportunities, as well as the management
of control and hazard risks.
There has also been consideration of the fact that many risks are interrelated and
that traditional risk management fails to address the relationship between risks.
With the ERM approach, the relationship between risks is identified by the fact that
two or more risks can have an impact on the same activity or objective. The ERM
approach is based on looking at the objective, key dependency or core process and
evaluating all of the risks that could impact the item being evaluated.
Organizations practise risk management in a number of different ways. However,
there are many common features to most of these approaches. Table 8.1 gives an
overview of the features of enterprise risk management as a comparison to the
silo-based approach whereby risk management tools and techniques are applied to
different types of risks independently. Enterprise risk management has become the
established means of undertaking risk management activities within most organizations. This allows the organization to gain an overview of all the risks that it faces so that it can take co-ordinated actions to manage these risks. Nevertheless, the specialist risk management functions, such as health and safety and business continuity, continue to make a valuable contribution.
EBSCO Publishing : eBook Academic Collection (EBSCOhost) - printed on 3/7/2020 4:02 PM via UNIVERSITY OF THE CUMBERLANDS
AN: 1446715 ; Hopkin, Paul.; Fundamentals of Risk Management : Understanding, Evaluating and Implementing Effective Risk Management
Account: s8501869.main.eds_new
Table 8.1 Features of an enterprise-wide approach
1 Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc).
2 Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual ‘silos’ of risk.
3 Evaluates the risk portfolio in the context of all significant internal and external contexts, systems, circumstances and stakeholders.
4 Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks.
5 Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature.
6 Seeks to embed risk management as a component in all critical decisions throughout the organization.
7 Provides a means for the organization to identify the risks that it is willing to take in order to achieve strategic objectives.
8 Constructs a means of communicating on risk issues, so that there is a common understanding of the risks faced by the organization, and their importance.
9 Supports the activities of internal audit by providing a structure for the provision of assurance to the board and audit committee.
10 Views the effective management of risk as a competitive advantage that contributes to the achievement of business and strategic objectives.
An example of the ERM approach is to consider a sports club where the core
process is to maximize attendance at games. This process is made up of several
activities, including marketing, advertising, allocation and sale of tickets as well
as logistical arrangements to ensure that the experience at the game is as good
as possible. Part of maximizing attendance at games will be to ensure there are
adequate parking and transport arrangements, together with suitable catering and
other welfare arrangements in the ground.
By identifying the key activities that deliver the selected core process, the club is
able to identify the risks that could impact both these activities and the core process.
Targets can then be set for increased attendance at future games, and responsibility
for the success of this core process has been allocated to the commercial director of
the club. A consideration of the opportunities for increasing attendance at games can
also be included in this broader approach.
Definitions of ERM
Table 8.2 presents a number of suggested definitions of enterprise risk management.
There are three components that are required in a comprehensive definition of the
ERM process. These are: 1) the description of the process that underpins enterprise
risk management; 2) identification of the outputs of that process; and 3) the impact
(or benefit) that arises from those outputs.
Many of the definitions concentrate on the process by describing the activities
that make up the ERM approach. This is a good starting point, but the outputs from
that process are more important than the process itself. Some of the definitions
do include reference to the outputs from the process, such as being able to manage risks within the risk appetite of the organization and provide reasonable assurance regarding the achievement of objectives.
Table 8.2 Definitions of enterprise risk management
RIMS: Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
COSO: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite and to provide reasonable assurance regarding the achievement of entity objectives.
IIA (Institute of Internal Auditors): A rigorous and co-ordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives.
HM Treasury: All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them and monitoring and reviewing progress.
To be comprehensive, however, the definition must also consider the intended
impact of those outputs. In summary, the intended outputs from ERM are that better
decisions will be taken, improved core processes will be identified and introduced,
possibly by way of tactics that include projects or programmes of work, and operations
will be effective, efficient and free from unplanned disruption. This list of outputs
from enterprise risk management can be described as mandatory obligations fulfilled,
assurance obtained, decision making enhanced and effective and efficient core processes
introduced (MADE2).
The following is offered by the author as a comprehensive definition of ERM:
● ERM involves the identification and evaluation of significant risks, assignment of ownership, implementation and monitoring of actions to manage these risks within the risk appetite of the organization.
● The output is the provision of information to management to improve business decisions, reduce uncertainty and provide reasonable assurance regarding the achievement of the objectives of the organization.
● The impact of ERM is to improve efficiency and the delivery of services, improve allocation of resources (capital) to business improvement, create shareholder value and enhance risk reporting to stakeholders.
ERM in practice
The developing role of the risk manager is discussed in Chapter 22. It was mentioned
that the seniority of the risk manager should be proportionate to the risks that the
organization faces. For many organizations, including those in finance and energy, a
board-level risk director is often appropriate.
Where it is appropriate and proportionate, the risk manager at board level is
often referred to as a chief risk officer (CRO). To date, these appointments have been
almost exclusively in the energy and finance sectors, although this may change as
ERM becomes more clearly established in a wider range of organizations.
The seniority of the CRO is just one example of how ERM should be achieved in
practice. The principles of risk management set out as PACED are fully applicable to
the practice of enterprise risk management. The principles of risk management are
that it should be proportionate, aligned, comprehensive, embedded and dynamic
(PACED).
By taking a comprehensive approach to enterprise risk management, a wide range
of benefits can be delivered and these are set out in Table 8.3. It is for each organization to decide how the enterprise risk management initiative will be structured
and how these benefits will be achieved.
The key feature of ERM is that the full range of significant risks facing the
organization is evaluated. The interrelationship between risks should be identified,
so that the total risk exposure of the organization may be compiled. Having
measured the total risk exposure of the organization, that level of risk exposure can then be compared with the risk appetite of the board and the risk capacity of the organization itself.
Table 8.3 Benefits of enterprise risk management (FIRM risk scorecard heading: benefits)
Financial: Reduced cost of funding and capital; Better control of CapEx approvals; Increased profitability for organization; Accurate financial risk reporting; Enhanced corporate governance
Infrastructure: Efficiency and competitive advantage; Achievement of the state of no disruption; Improved supplier and staff morale; Targeted risk and cost reduction; Reduced operating costs
Reputational: Regulators satisfied; Improved utilization of company brand; Enhanced shareholder value; Good reputation and publicity; Improved perception of organization
Marketplace: Commercial opportunities maximized; Better marketplace presence; Increased customer spend (and satisfaction); Higher ratio of business successes; Lower ratio of business disasters
ERM and business continuity
There is an important relationship between enterprise risk management (ERM)
and business continuity management (BCM). The risk assessment that is required as
part of the risk management process and the business impact analysis that is the
basis of business continuity planning (BCP) are closely related. This can be seen in
Table 8.1, which describes the features of an enterprise-wide approach.
The normal approach to risk management is to evaluate objectives and identify
the individual risks that could impact these objectives. The output from a business
impact analysis is the identification of the critical activities that must be maintained
for the organization to continue to function.
Based on the definition of ERM set out above and the fact that it should be
applied to the evaluation of core processes, it can be seen that the ERM approach
and the business impact analysis approach are very similar, because both approaches
are based on the identification of the key dependencies and functions that must be in
place for the continuity and success of the business.
The next activity differs between ERM and BCP, because the former is concerned
with the management of the risks that could impact core processes, whereas business
continuity is concerned with actions that should be taken to maintain the continuity
of individual activities. The business continuity approach, therefore, has the very
specific function of identifying actions that should be taken after the risk has materialized in order to minimize its impact. BCP relates to the damage-limitation and
cost-containment components of loss control, as described in Chapter 13.
ERM in energy and finance
Risk management in the energy and finance sectors has become a well-developed
specialist branch of the discipline. In the finance sector, the objective of an ERM
initiative is to enhance shareholder value by:
● improving capital and efficiency by providing an objective basis for allocating resources and exploiting natural hedges and portfolio effects;
● supporting financial decision making by considering areas of high potential adverse impact and by exploiting areas of risk-based advantage;
● building investor confidence by stabilizing results and protecting them from disturbances and thus demonstrating proactive risk stewardship.
ERM in the energy sector is often dependent on the treasury function and the
specialist expertise of hedging against the price of a barrel of oil. This area of financial
risk management has become well established, with very large departments being set
up in many energy companies. However, the practice of ERM in energy companies
still remains very closely related to the management of treasury risks.
One of the drivers for risk management in the finance sector is the regulatory
environment. Banks have been subjected to Basel II for some time, and are preparing
for implementation of the Basel III requirements by 2019. The insurance sector in
Europe is about to be subjected to similar requirements, set out in the Solvency II
Directive. This gives rise to the obligation on financial institutions to measure their
exposure to operational risk.
The output of operational risk management (ORM) activities in financial institutions is the ability to calculate the capital that should be held in reserve to cover
the consequences of the identified risks materializing. The impact of these ORM
activities is that risks will be better identified and managed, so that the capital
required to meet the consequences of the risks materializing is lowered. ORM within
financial institutions can be seen as a particular application of the ERM approach.
The failure of the world banking system called into question the effectiveness of
risk management activities in banks and, in particular, the effectiveness of operational risk management. One of the consequences of the world financial crisis is that
the news reports now routinely state that: 1) risk is bad; and 2) risk management has
failed. In fact, taking risk is essential for the success of organizations.
The statement that risk management has failed in banks is more difficult to
contradict. However, the reality is that it was not the failure of risk management
principles that caused the banking crisis. It was the failure to correctly apply those
principles. Many banks made two simultaneous mistakes:
● An accurate risk and reward analysis was not undertaken, so that banks made decisions on the basis of the rewards available, rather than taking a more balanced view of the risks involved in seeking those higher rewards.
● Quantification of the level of risk involved was not accurate, because the banks were taking such a risk-aggressive approach that certain events were considered to be so unlikely that they could be ignored.
Detailed analysis of the banking crisis in 2008 is outside the scope of this text.
However, it appears that the crisis was caused by the failure of two different sets of
risk analysis models. Firstly, the banks had assumed that re-packaged debts, including
sub-prime mortgages, would continue to be tradable commodities in the market, but
this proved not to be the case.
Secondly, the banks assumed that short-term borrowing on the wholesale money
markets would continue to be available. This short-term money is used by banks so
that they can continue to lend money on a long-term basis, at a more profitable rate.
The collapse of the wholesale money markets was not anticipated by the credit models
used by most banks.
Future development of ERM
The COSO ERM cube represents a framework for undertaking enterprise risk
management, although there is insufficient description in the COSO model of the
risk management process itself. However, the COSO approach is becoming more
widespread because the recently updated COSO Internal Control framework (2013)
is the preferred approach for compliance with the requirements of the Sarbanes–
Oxley Act. US companies that have subsidiaries around the world frequently require
that their subsidiaries adopt the COSO approach.
Other important developments in risk management are the publication in 2008 of
British Standard BS 31100 and the publication in 2009 of the ISO risk management
standard, ISO 31000. ISO 31000 was adopted by Standards Australia to replace
the previously available and well-established Australian Standard AS 4360 (2004),
which was first published in 1995. BS 31100 was revised and updated in 2011 to
provide greater compatibility with ISO 31000.
Future developments in the practice of ERM are likely to be focused on two key
areas: firstly, ensuring risk management activities are fully embedded in the core
business processes of the organization; and secondly, demonstrating measurable
financial benefits associated with the implementation of an enterprise risk management
initiative. The embedding of ERM in the organization is achieved by leadership,
involvement, learning, accountability and communication (LILAC). Developments
in the practice of operational risk management are probably leading the way in the
measurement of the total risk exposure of an organization.
Whilst considering the continued development of enterprise risk management, it
is also worth commenting on the strong emergence of resilience as an organizational
requirement for the 2010s. The ISO 22300 series of standards will cover business
continuity, crisis management and broader requirements concerned with the resilience
of society, in general, and organizations, in particular. ISO 22301 on business continuity is discussed in Chapter 18 and the importance of the other standards in the
ISO 22300 series is considered in Chapter 9.
In summary, the discipline of enterprise risk management has become established
and is here to stay, but it has to be able to demonstrate significant and measurable
financial benefits. These financial benefits need to be demonstrated in the form
of increased profit in private-sector organizations and in the form of the enhanced
efficiency and/or value-for-money delivery of services in the public sector. The box
below suggests the keys to success in ERM.
Successful implementation of ERM
Risk managers have the responsibility of selling the value added by risk management to the
organization and its stakeholders, but this is not an easy task. How do risk managers sell
the value they are generating when that value may only be realized when unforeseen events
occur, or if the new control systems are successful, when the risk never occurs?
Risk managers need to remember that the actual implementation of an ERM programme
generates value in itself. Often risk managers are so focused on successfully managing the
programme that they do not have the time to clearly communicate this value to the organization.
The greatest value coming from the development of a corporate risk management programme
into an ERM system is the development of physical, financial and cultural resilience in the overall
business, while still focusing on achieving overall business objectives.
Risk managers can be their own worst enemies as one of the key elements of a successful
practitioner is a passion to successfully tailor, implement and maintain an ERM programme.
Correspondingly, this passion is a weakness as the practitioner needs to remember that others do
not always share that passion.
One of the major challenges ERM programmes face is the development of an ‘ivory tower’
mentality. In this scenario, all risk knowledge and activities are based in one department.
Risk managers need to devise a system that encourages the migration of risk management
methodologies and tools out into the organization. There is also a balancing act required.
Practitioners must not force the use of risk management processes on operational areas where
there is little value. It is critical to the success of an ERM programme that it has a system that is
flexible enough to work with the organization to capture and manage the critical risks
successfully without adding unnecessary work on managing lower level risks.
REPORTING KEY RISK INFORMATION TO THE BOARD OF DIRECTORS
What is Enterprise Risk Management?
2016
Mark S. Beasley
Deloitte Professor of ERM and Director of the ERM Initiative
North Carolina State University
2801 Founders Drive
Raleigh, NC 27695
919.513.0901 | www.erm.ncsu.edu
WHAT IS ENTERPRISE RISK MANAGEMENT?
Mark S. Beasley
Deloitte Professor of ERM and Director of the ERM Initiative
All organizations have to manage risks in order to stay in business. In fact, most would say that
managing risks is just a normal part of running a business. So, if risk management is already occurring
in these organizations, what’s the point of “enterprise risk management” (also known as “ERM”)?
Let’s Start by Looking at Traditional Risk Management
Business leaders manage risks and they have done so for decades. Thus, calls for enterprise risk
management aren’t suggesting that organizations haven’t been managing risks. Instead, proponents
of ERM are suggesting that there may be benefits from thinking differently about how the enterprise
manages risks affecting the business.
Traditionally, organizations manage risks by placing responsibilities on business unit leaders to
manage risks within their areas of responsibility. For example, the Chief Technology Officer (CTO) is
responsible for managing risks related to the organization’s information technology (IT) operations,
the Treasurer is responsible for managing risks related to financing and cash flow, the Chief Operating
Officer is responsible for managing production and distribution, and the Chief Marketing Officer is
responsible for sales and customer relationships, and so on. Each of these functional leaders is
charged with managing risks related to their key areas of responsibility. This traditional approach to
risk management is often referred to as silo or stove-pipe risk management whereby each silo leader
is responsible for managing or elevating risks within their silo as shown in Figure 1 below.
Figure 1
Limitations with Traditional Approaches to Risk Management
While assigning functional experts responsibility for managing risks related to their business unit
makes good sense, this traditional approach to risk management has limitations, which may mean
there are significant risks on the horizon that may go undetected by management and that might
affect the organization. Let’s explore a few of those limitations.
Limitation #1: There may be risks that “fall between the siloes” that none of the silo leaders can see.
Risks don’t follow management’s organizational chart and, as a result, they can emerge anywhere in
the business. As a result, a risk may be on the horizon that does not capture the attention of any of
the silo leaders causing that risk to go unnoticed until it triggers a catastrophic risk event. For example,
none of the silo leaders may be paying attention to demographic shifts occurring in the marketplace,
whereby the population shift towards large urban areas is happening at a faster pace than anticipated.
Unfortunately, this oversight may drastically impact the strategy of a retail organization that continues
to look for real estate locations in outlying suburbs or more rural areas surrounding smaller cities.
Limitation #2: Some risks affect multiple siloes in different ways. So, while a silo leader might
recognize a potential risk, he or she might not realize the significance of that risk to other aspects of
the business. A risk that seems relatively innocuous for one business unit might actually have a
significant cumulative effect on the organization if it were to occur and impact several business
functions simultaneously. For example, the head of compliance may be aware of new proposed
regulations that will apply to businesses operating in Brazil. Unfortunately, the head of compliance
discounts these potential regulatory changes given the fact that the company currently only does
business in North America and Europe. What the head of compliance doesn’t understand is that a key
element of the strategic plan involves entering into joint venture partnerships with entities doing
business in Brazil and Argentina, and the head of strategic planning is not aware of these proposed
regulations.
Limitation #3: In a traditional approach to risk management, individual silo owners may not
understand how an individual response to a particular risk might impact other aspects of a business.
In that situation, a silo owner might rationally make a decision to respond in a particular manner to a
certain risk affecting his or her silo, but in doing so that response may trigger a significant risk in
another part of the business. For example, in response to growing concerns about cyber risks, the IT
function may tighten IT security protocols but in doing so, employees and customers find the new
protocols confusing and frustrating, which may lead to costly “work-arounds” or even the loss of
business.
Limitation #4: The focus of traditional risk management is so often an internal lens on identifying
and responding to risks. That is, management focuses on risks related to internal operations inside
the walls of the organization with minimal focus on risks that might emerge externally from outside
the business. For example, an entity may not be monitoring a competitor’s move to develop a new
technology that has the potential to significantly disrupt how products are used by consumers.
Limitation #5: Despite the fact that most business leaders understand the fundamental connection of
“risk and return”, most businesses are struggling to connect their efforts in risk management to
strategic planning. For example, the development and execution of the entity’s strategic plan may not
give adequate consideration to risks because the leaders of traditional risk management functions
within the organization have not been involved in the process.
The result? There can be a wide array of risks on the horizon that management’s traditional approach
to risk management fails to see, as illustrated by Figure 2. Unfortunately, some organizations fail to
recognize these limitations in their approach to risk management before it is too late.
Figure 2
Embracing Enterprise Risk Management (ERM)
Over the last decade or so, a number of business leaders have recognized these potential risk
management shortcomings and have begun to embrace the concept of enterprise risk management as
a way to strengthen their organization’s risk oversight. They have realized that waiting until the risk
event occurs is too late for effectively addressing significant risks and they have proactively embraced
ERM as a business process to enhance how they manage risks to the enterprise.
The objective of enterprise risk management is to develop a holistic, portfolio view of the most
significant risks to the achievement of the entity’s most important objectives. The “e” in ERM signals
that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the
business. In other words, ERM attempts to create a basket of all types of risks that might have an
impact – both positively and negatively – on the viability of the business.
Leadership of ERM
Given the goal of ERM is to create this top-down, enterprise view of risks to the entity, responsibility
for setting the tone and leadership for ERM resides with executive management and the board of
directors. They are the ones who have the enterprise view of the organization and they are viewed as
being ultimately responsible for understanding, managing, and monitoring the most significant risks
affecting the enterprise.
Top management is responsible for designing and implementing the enterprise risk management
process for the organization. They are the ones to determine what process should be in place and
how it should function, and they are the ones tasked with keeping the process active and alive. The
board of directors’ role is to provide risk oversight by (1) understanding and approving management’s
ERM process and (2) overseeing the risks identified by the ERM process to ensure management’s risk-taking actions are within the stakeholders’ appetite for risk taking. (Check out our thought paper,
Strengthening Enterprise Risk Management for Strategic Advantage, issued in partnership with
COSO, that focuses on areas where the board of directors and management can work together to
improve the board’s risk oversight responsibilities and ultimately enhance the entity’s strategic value.1)
Elements of an ERM Process
Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing
process. Unfortunately, some view ERM as a project that has a beginning and an end. While the initial
launch of an ERM process might require aspects of project management, the benefits of ERM are only
realized when management thinks of ERM as a process that must be active and alive, with ongoing
updates and improvements.
The diagram in Figure 3 illustrates the core elements of an ERM process. Before looking at the details,
it is important to focus on the oval shape to the figure and the arrows that connect the individual
components that comprise ERM. The circular, clockwise flow of the diagram reinforces the ongoing
nature of ERM. Once management begins ERM, they are on a constant journey to regularly identify,
assess, respond to, and monitor risks related to the organization’s core business model.
Figure 3 (diagram of the core elements of an ERM process; not reproduced here)
Positioning ERM for Strategic Value
Because ERM seeks to provide information about risks affecting the organization’s achievement of its core objectives, the starting point of an ERM process is gaining an understanding of what currently drives value for the business and what’s in the strategic plan that represents new value drivers for the business. To ensure that the ERM process is helping management keep an eye on internal or external events that might trigger risk opportunities or threats to the business, a strategically integrated ERM process begins with a rich understanding of what’s most important for the business’ short-term and long-term success.
[1] Visit our website – http://www.erm.ncsu.edu – to download this and the other thought papers highlighted in this document.
Let’s consider a publicly traded company. A primary objective for most publicly traded companies is to grow shareholder value. In that context, ERM should begin by considering what currently drives shareholder value for the business (e.g., what are the entity’s key products, what gives the entity a competitive advantage, what are the unique operations that allow the entity to deliver products and services, etc.). These might be thought of as the entity’s current “crown jewels”. In addition to thinking about the entity’s crown jewels, ERM also begins with an understanding of the organization’s plans for growing value through new strategic initiatives outlined in the strategic plan (e.g., entry into new geographic markets, launch of a new product, or the acquisition of a competitor, etc.). You might find our thought paper, Integration of ERM with Strategy, helpful, since it contains three case study illustrations of how organizations have successfully integrated their ERM efforts with their value-creating initiatives.
With this rich understanding of the current and future drivers of value for the enterprise, management is now in a position to move to the next step of the ERM process: identifying risks that might impact the continued success of each of the key value drivers. How might risks emerge that impact a “crown jewel”, or how might risks emerge that impede the successful launch of a new strategic initiative? Using this strategic lens as the foundation for identifying risks helps keep management’s ERM focus on the risks that are most important to the short-term and long-term viability of the enterprise.
With knowledge of the most significant risks on the horizon for the entity, management then seeks to evaluate whether the current manner in which the entity is managing those risks is sufficient and effective. In some cases, management may determine that they and the board are willing to accept a risk, while for other risks they seek to respond in ways that reduce or avoid the potential risk exposure.
The Focus is on All Types of Risks
Sometimes this emphasis on identifying risks to the strategies causes some to erroneously conclude
that ERM is only focused on “strategic risks” and not concerned with operational, compliance, or
reporting risks. That’s not the case. Rather, when deploying a strategic lens as the point of focus to
identify risks, the goal is to think about any kind of risk – strategic, operational, compliance, reporting,
or whatever kind of risk – that might impact the strategic success of the enterprise. As a result, when
ERM is focused on identifying, assessing, managing, and monitoring risks to the viability of the
enterprise, the ERM process is positioned to be an important strategic tool where risk management
and strategy leadership are integrated. It also helps remove management’s “silo-blinders” from the
risk management process by encouraging management to individually and collectively think of any and
all types of risks that might impact the entity’s strategic success.
Output of an ERM Process
The goal of an ERM process is to generate an understanding of the top risks that management collectively believes are the current most critical risks to the strategic success of the enterprise. Most organizations prioritize what management believes to be the top 10 (or so) risks to the enterprise (see our thought paper, Survey of Risk Assessment Practices, which highlights a number of different approaches organizations take to prioritize their most important risks on the horizon). Generally, the presentation of the top 10 risks to the board focuses on key risk themes, with more granular details monitored by management. For example, a key risk theme for a business might be the attraction and retention of key employees. That risk issue may be discussed by the board of directors at a high level, while management focuses on the unique challenges of attracting and retaining talent in specific areas of the organization (e.g., IT, sales, operations, etc.).
Monitoring Top Risks with Key Risk Indicators (KRIs)
While the core output of an ERM process is the prioritization of an entity’s most important risks and
how the entity is managing those risks, an ERM process also emphasizes the importance of keeping a
close eye on those risks through the use of key risk indicators (KRIs). Organizations are increasingly
enhancing their management dashboard systems through the inclusion of key risk indicators (KRIs)
linked to each of the entity’s top risks identified through an ERM process. These KRI metrics help
management and the board keep an eye on risk trends over time. Check out our thought paper,
Developing Key Risk Indicators to Strengthen Enterprise Risk Management, issued in partnership
with COSO for techniques to develop effective KRIs.
Conclusion
Given the speed of change in the global business environment, the volume and complexity of risks affecting an enterprise are increasing at a rapid pace. At the same time, expectations for more effective risk oversight by boards of directors and senior executives are growing. Together these suggest that organizations may need to take a serious look at whether the risk management approach being used is capable of managing the risks affecting their overall strategic success proactively rather than reactively. Enterprise risk management (ERM) is becoming a widely embraced business paradigm for accomplishing more effective risk oversight.
Interested in Learning More About ERM?
As business leaders realize the objectives of ERM and seek to enhance their risk management processes to achieve these objectives, they often seek additional information about tactical approaches for doing so effectively and in a cost-effective manner. The ERM Initiative in the Poole College of Management at North Carolina State University may be a helpful resource through the articles, thought papers, and other resources archived on its website or through its ERM Roundtable and Executive Education offerings. Each year, we survey organizations about the current state of their ERM-related practices. Check out our most recent report, The State of Risk Oversight Report: An Overview of Enterprise Risk Management Practices.
Visit www.erm.ncsu.edu to learn more.
____________________________________________________________________________________
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and Director of the ERM
Initiative at NC State University. He specializes in the study of enterprise risk management, corporate governance,
financial statement fraud, and the financial reporting process. He completed over seven years of service as a
board member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and has
served on other national-level task forces related to risk management issues. He advises boards and senior
executive teams on risk governance issues, is a frequent speaker at national and international levels, and has
published over 90 articles, research monographs, books, and other thought-related publications. He earned his
Ph.D. at Michigan State University.