week 5.2 post - HR

wbarmabah

Business Finance

Description

Hello, please see the below:

  1. Read “Taking It to the Next Level—Enhancing Capabilities” (questions and answers 125-133) in the Guide to Enterprise Risk Management located at the website: http://www.ucop.edu/enterprise-risk-management/_files/protiviti_faqguide.pdf
  2. Read “The Building a Compelling Business Case” (questions and answers 134-136) in the Guide to Enterprise Risk Management.
  3. Read “Making It Happen” (questions and answers 137-144) in the Guide to Enterprise Risk Management.
  4. Navigate to the ERM: Taking it to the Next Level and Making it Happen discussion thread below and answer the following questions based on your current organization or an organization with which you are familiar:
    1. Portfolio View of Risks. Would taking a portfolio view of risks make sense for your organization? Explain why or why not? (Be sure to identify the organization.)
    2. Improving Business Performance. An important contribution of ERM is improvement of business performance, in part because key elements of the business are monitored more closely. Accordingly, identify at least one value driver (or key underlying variable) and an associated KPI (key performance indicator; metric) that should likely be monitored as part of ERM in the organization.
    3. Making the Case for ERM. Based on what you have learned about ERM thus far, create an “elevator speech”—a speech that can be shared in about 1 ½-2 minutes—for making a compelling business case for ERM.
  5. Provide a detailed post that demonstrates clear, insightful critical thinking. Your initial posting should be 200-300 words long.
  6. Your initial posting is to include, at a minimum, two sources properly cited and referenced: (a) the Enterprise Risk Management Guidebook, and (b) one academic journal article that is at least 3-5 pages in length and published within the last 3-5 years.

Thanks

Unformatted Attachment Preview

Guide to Enterprise Risk Management: Frequently Asked Questions

Table of Contents

Introduction

The Fundamentals
1. What is Enterprise Risk Management (ERM)?
2. Why implement ERM?
3. How does the scope of ERM compare to existing risk management approaches?
4. What is the value proposition for implementing ERM?
5. Which companies are implementing ERM?
6. If companies are not implementing ERM, then what are they doing?
7. Who is responsible for ERM?
8. What are the steps companies can take immediately to implement ERM?
9. Is ERM applicable to smaller and less complex organizations?
10. Why have companies that have tried to implement ERM failed in their efforts?
11. Does implementation of ERM ensure the success of a business?
12. What is the difference between ERM and management?
13. What does it mean to “implement ERM”?
14. Generally, how long does it take to implement ERM?
15. Is there any way to benchmark the level of investment required to implement ERM?
16. Don’t successfully run companies already apply ERM?
17. How long has ERM been around and why is there a renewed focus on it?
18. What percentage of public companies currently have an ERM process or system?
19. Is there an example of effective ERM as it is applied in practice?
20. How does the application of ERM vary by industry?
21. Are there any organizations that need not implement ERM?
22. What are the regulatory mandates for implementing ERM?
23. Are standards for implementing ERM different for private and public companies?
24. Must companies have sophisticated processes in all areas of risk management to realize the benefits of ERM?

The COSO Enterprise Risk Management – Integrated Framework
25. What is COSO?
26. Why was the COSO Enterprise Risk Management – Integrated Framework created?
27. What is the COSO Enterprise Risk Management – Integrated Framework?
28. How can we obtain the COSO ERM framework?
29. How was the COSO ERM framework developed?
30. How do we use the COSO ERM framework?
31. Are companies required to use the COSO ERM framework?
32. Does the COSO Enterprise Risk Management – Integrated Framework replace or supersede the COSO Internal Control – Integrated Framework?
33. How does the COSO Enterprise Risk Management – Integrated Framework compare to the COSO Internal Control – Integrated Framework?
34. Does the new COSO framework broaden the focus of ERM beyond the traditional risk management model’s focus on insurable risk? If so, how?
35. Are there other standards and frameworks in existence and, if so, what do they promulgate and how does the COSO Enterprise Risk Management – Integrated Framework relate to them?
36. What is the point of view of the Securities and Exchange Commission (SEC) with respect to ERM?
37. What are the deliverables when the COSO ERM framework is implemented?
38. Can a company “partially” adopt the COSO Enterprise Risk Management – Integrated Framework with success?

The Role of Executive Management
39. Who should participate in the ERM process, and how?
40. Must the CEO be fully engaged in the ERM process or system for it to be successful, or can he or she delegate it to someone else?
41. How will senior management benefit from supporting ERM implementation?
42. How should executive management evaluate ERM?
43. What is the role of the CIO in an ERM environment?
44. What is the role of the treasury and insurance in an ERM environment?
45. Does ERM require reporting to executive management? If so, what types of reports are most suitable for executive management?

The Role of the Director
46. How are ERM and governance related?
47. Why should directors be concerned about whether their companies implement ERM?
48. How should the audit committee view ERM?
49. How should the board exercise oversight of ERM implementation?

The Role of the Chief Risk Officer
50. Should our organization have a chief risk officer (CRO) and, if so, what is his or her role?
51. What are the skill sets of the CRO?
52. To whom does the CRO report?

The Risk Management Oversight Structure
53. What is the primary purpose of the risk management oversight structure?
54. How are compensation issues considered when organizing the risk management oversight structure?
55. Is there a recommended organizational oversight structure?
56. How does the risk management oversight structure relate to the entity’s existing organizational structure?
57. Does implementation of ERM require the identification of individual risk owners?

The Role of Internal Audit
58. What roles does internal audit play in ERM implementation?
59. Should internal audit lead the ERM effort?
60. Should internal audit integrate the COSO ERM framework into its work?
61. Hasn’t internal audit evaluated the application of ERM within the organization?
62. Does the Institute of Internal Auditors (IIA) support the COSO Enterprise Risk Management – Integrated Framework?
63. Do The IIA standards require the use of the COSO Enterprise Risk Management – Integrated Framework? For example, what is the relationship of ERM to IIA Standard 2010.A1 (which requires internal audit to undertake an annual risk assessment) and 2110.A2 (which requires a broad risk assessment aligned with the COSO framework)?

Risk Management Vision and Objectives
64. How does management develop a shared vision for the role of risk management in the organization? What is the practical use of a shared vision?
65. How does management define the entity’s risk management goals and objectives?
66. What is “risk appetite” and how is it different from “risk thresholds,” “tolerances” or “limits?”
67. Is there a defined methodology for calibrating performance with risk tolerances?
68. How are the risk management vision and objectives translated into the appropriate ERM infrastructure?

Conducting Risk Assessments
69. What is the relationship between risk assessment and risk management?
70. What is the relationship between risk assessment and performance assessment?
71. What are the components of an effective objective statement and why are objectives important to an effective risk assessment?
72. What is the difference between an event and a risk?
73. Why doesn’t COSO’s definition of risk incorporate the notion that risk includes upside as well as downside?
74. How do we articulate the concept of inherent risk so that it can be effectively used as risk assessment criteria?
75. Is there an officially endorsed risk language we can use for our organization?
76. To what extent does the organization strictly define risk for the enterprise as a whole, when the organization has a variety of different businesses?
77. What are risk maps and how are they used appropriately during the risk assessment process?
78. What’s an effective way for an organization to conduct a risk assessment?
79. What are the common mistakes and pitfalls during the risk assessment process?
80. How do we identify, understand and apply interrelationships among risks?
81. What is the appropriate level of depth when assessing risk?
82. Who should participate during the risk assessment process?
83. How is risk assessment related to risk quantification and should risk quantification be used during risk assessment?
84. Is there value in using qualitative information when assessing risk?

Getting Started – Set the Foundation
85. What are the best steps to take when getting started?
86. Is ERM another “project”?
87. Are there specific things an organization should accomplish the first year?
88. Who is responsible for “leading the charge” to implement ERM?
89. Who should sponsor ERM implementation?
90. How is buy-in obtained from key senior executives?
91. How do we obtain buy-in among our operating managers?
92. Can we leverage existing infrastructure so that we don’t create more overhead?
93. What types of skills are needed to implement ERM?
94. Do we need to put a name on an ERM initiative, i.e., isn’t ERM just good business practice with another name?
95. Do companies typically add full-time personnel to successfully develop and roll out an ERM process and system, or do they ordinarily use existing personnel who devote their efforts to this initiative on a part- or full-time basis?
96. What steps does management take to set the foundation?
97. How does management decide on the appropriate foundation capabilities?
98. Why have a common language and are there examples?
99. Are there examples of a process classification scheme?
100. How is dialogue about risk and its root causes, drivers and sources improved?
101. How is knowledge sharing about risk management improved?
102. What does it mean to increase an organization’s awareness of or sensitivity to risk?

Taking a Process View – Building Capabilities
103. What steps does management take to build risk management capabilities?
104. How does management decide on the appropriate risk management capabilities?
105. How does management improve the organization’s risk assessments?
106. How are objective-setting, event identification and risk assessment related?
107. How important is risk assessment to the ERM effort?
108. What alternative responses are available to manage risk?
109. What factors must management consider when evaluating alternative risk responses?
110. What are the elements of risk management infrastructure, why are they important and how are they considered?
111. Is there a model to help us set our priorities when implementing ERM and monitor our progress as we improve our risk management capabilities?
112. What are alternative techniques for measuring risk and when are they deployed?
113. How does ERM influence management reporting?
114. What risk management software products are currently available to assist companies with implementing ERM?
115. Has the ERM software market reached maturity such that there are established solutions and clear leaders?
116. What criteria should we use to evaluate the software alternatives? Are there different prioritizations of functionality?
117. Is specialized ERM software preferable to broader platforms for compliance, governance and risk management?
118. How does software functionality support the goals of ERM?
119. What are the primary categories and characteristics of successful ERM software vendors?
120. Is it better to design an ERM process first and then select the appropriate ERM software, or vice versa?
121. What is dashboard or scorecard reporting and how is it used in an ERM environment?
122. For financial services companies, is economic capital measurement a prerequisite for adoption of ERM?
123. How is continuous improvement applied to risk management?
124. What are the synergies and differences between ERM and “quality initiatives” (e.g., Six Sigma, Lean, TQM, etc.)?

Taking it to the Next Level – Enhancing Capabilities
125. What steps does management take to enhance risk management capabilities?
126. How does management decide on the appropriate enhancement capabilities?
127. What is a “portfolio view” of risks and how is it practically applied?
128. How does management quantify risks enterprisewide?
129. How does management use ERM to improve business performance?
130. How should we integrate our ERM approach with our strategic planning process?
131. Should we complete our strategic planning process prior to conducting our first enterprisewide risk assessment, or vice versa?
132. Is it possible to successfully merge together the risk assessments that companies perform as a result of ERM, Sarbanes-Oxley compliance, business continuity planning, internal audit and various compliance activities related to workplace, environmental and other regulations?
133. How does management use ERM to establish a sustainable competitive advantage?

Building a Compelling Business Case
134. How do we build a compelling business case for ERM?
135. How do we select the appropriate capabilities for our ERM solution?
136. What are the key success factors or measures of success when evaluating the effectiveness and impact of ERM implementation, i.e., how can we know whether an ERM approach has been successful?

Making it Happen
137. What is journey management and why is it relevant to ERM implementation?
138. What is program management and why is it relevant to ERM implementation?
139. How can we quantitatively and qualitatively evaluate the benefits of implementing ERM in terms of improving performance?
140. How is the ERM implementation managed?
141. How do we know when we are done?
142. Given that we have so many other things going on, how can we take on something like ERM implementation?
143. What standards should companies use to evaluate their ERM approach?
144. Are there any pitfalls to avoid when implementing an ERM approach?

Relevance to Sarbanes-Oxley Compliance
145. Does the Sarbanes-Oxley Act of 2002 (SOA) require companies to adopt ERM? Are there any other laws and regulations mandating ERM?
146. Can ERM assist certifying officers with the discharge of their SOA Section 302 certification and Section 404 assessment responsibilities?
147. How is ERM related to SOA compliance?
148. Should a decision to implement ERM consider the effort to comply with SOA?
149. Should management broaden the focus on compliance to managing business risk?
150. As a public company, why would we want to take on ERM on the heels of Section 404 compliance?
151. How does self-assessment build on Section 404 compliance? Why does self-assessment contribute to the evolution to ERM?
152. What does it mean to integrate compliance with Sections 404 and 302? How does such integration build on an established self-assessment process and on Section 404 compliance? Why does such integration contribute to a company’s evolution to ERM?
153. How does compliance with other applicable laws and regulations build on compliance with Sections 404 and 302? Why does such compliance contribute to the evolution to ERM?
154. How does operational effectiveness and efficiency build on compliance initiatives? Why does operational effectiveness and efficiency contribute to the evolution to ERM?

Other Questions
155. Will implementation of the COSO Enterprise Risk Management – Integrated Framework prevent fraud?
156. Have any of the companies that have publicly disclosed their ERM processes received any positive feedback from analysts?
157. Have analysts and others within the investment community or rating agencies expressed their views on how an effectively functioning ERM approach would impact their views of a company?
158. Can all of the information about risk and risk management be classified as attorney-client privileged information, and therefore not be discoverable?
159. Since all of this information is presumed to be discoverable, does ERM create more litigation risk for companies?
160. Are there any court cases in which a company’s management or its board was viewed as deficient because they did not have an adequate risk management system in place?
161. Are there risks associated with not having an ERM process in place and, if so, what are they?
162. Is it possible to link an ERM system to an employee’s performance and compensation? Are any companies doing this?
163. Does a third-party certification, rating or other assessment mechanism exist for ERM?
164. How does ERM relate to the Basel Capital Accord requiring financial institutions to report on operational risk?
165. What is the difference between ERM and an international standard such as ISO?
166. How does the COSO Enterprise Risk Management – Integrated Framework integrate with such frameworks as COBIT, ISO 17799, BITS, NIST Special Publication 800-53 and ITIL?
167. What is happening in other countries with respect to risk management? Are these developments positively impacting company performance and corporate governance?
168. Is there a format for communicating our risk management process to our customers in order to align and comply with their requirements?

About Protiviti Inc.

Introduction

In today’s challenging global economy, business opportunities and risks are constantly changing. There is a need for identifying, assessing, managing and monitoring the organization’s business opportunities and risks. The question is: How does an organization take practical steps to link opportunities and risks when managing the business? And further: What does this have to do with risk management?

In August 2004, the Treadway Commission’s Committee of Sponsoring Organizations (COSO) issued its Enterprise Risk Management – Integrated Framework after completing a developmental project spanning a three-year period. The framework, which includes an executive summary and application techniques, expands on the previously issued Internal Control – Integrated Framework to provide a more robust and extensive focus on enterprise risk management (ERM).
As explained in the foreword to the framework: “While [the framework] is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.”

At Protiviti, we believe that ERM implementation should be integrated with strategy-setting. ERM redefines the value proposition of risk management by elevating its focus from the tactical to the strategic. ERM is about designing and implementing capabilities for managing the risks that matter. The greater the gaps in the current state and the desired future state of the organization’s risk management capabilities, the greater the need for ERM infrastructure to facilitate the advancement of risk management capabilities over time.

COSO’s new framework provides criteria against which companies can benchmark their risk management practices and processes. The framework provides a common language that fosters communication among executives, directors, auditors and advisors, and we encourage everyone with an interest in implementing ERM to read and understand it.

Many are asking questions about the value proposition of ERM and practical steps on how to implement it. While we do not have all the answers, we attempt to address in this publication some of the most commonly asked questions with respect to ERM. This publication is designed to answer your questions without making you wade through material with which you are already familiar. It often refers to the COSO framework, which readers can obtain at www.coso.org. It offers ideas, suggestions and insights to executives responsible for ERM implementation. It is intended for use as a reference tool rather than as a book to be read from cover to cover. It is supplemented by Issue 6 of Volume 2 of The Bulletin, “Enterprise Risk Management: Practical Implementation Advice,” which provides an overview for C-level executives and directors and is available at www.protiviti.com.

As companies gain more experience with implementing ERM, we expect to update this publication from time to time. If we do so, we will post information at www.protiviti.com. Protiviti periodically publishes ERM performer profiles on KnowledgeLeaderSM to provide ERM case examples and plans to publish a book including such profiles from time to time.

This publication is neither intended to be a legal analysis nor a detailed “cookbook” of steps to take in every situation. Accordingly, companies should seek out appropriate advisors for counsel on specific questions as they evaluate their unique circumstances.

Protiviti Inc.
January 2006

THE FUNDAMENTALS

1. What is Enterprise Risk Management (ERM)?

COSO defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

This definition is broad for a reason. It reflects certain fundamental concepts, each of which is discussed on pages 5 through 9 of the COSO ERM framework. As summarized on page 5 of the framework, “enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy-setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events affecting the entity and manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board
• Geared to the achievement of objectives in one or more separate but overlapping categories – it is “a means to an end, not an end in itself.”

ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. It advances the maturity of the enterprise’s capabilities around managing its priority risks. Before a company can assert it is applying ERM, it must address ALL of the above concepts embodied in COSO’s definition.

2. Why implement ERM?

Using the ERM definition articulated in Question 1, the overriding objective for implementing ERM is to provide reasonable assurance to an entity’s management and board that the entity’s business objectives are achieved. On pages 1 through 4 of the framework, COSO states that ERM assists management with aligning risk appetite and strategy, enhancing risk response decisions, reducing operational surprises and losses, identifying and managing cross-enterprise risks, providing integrated responses to multiple risks, seizing opportunities and improving deployment of capital. We agree with COSO’s point of view and will further discuss it in this publication.

We believe there are six fundamental reasons for implementing ERM. Each serves to help elevate risk management to a strategic level. The six reasons are:

(1) Reduce unacceptable performance variability: ERM assists management with (a) evaluating the likelihood and impact of major events and (b) developing responses to either prevent those events from occurring or manage their impact on the entity if they do occur. Most companies focus on traditional risks that have been known for some time. Few companies have a systematic process for anticipating new and emerging risks. Therefore, many companies often learn of critical risks too late or by accident, spawning the “fire fighting” and crisis management which drains resources and creates new vulnerabilities. The strategic lens of ERM broadens the traditional risk management focus on low-probability and catastrophic risks to a more expansive view on reducing the risk of erosion of critical sources of enterprise value. ERM assists management with improving the consistency of operating performance by increasing the emphasis on reducing earnings volatility, avoiding earnings-related surprises, and managing key performance indicator (KPI) shortfalls. ERM improves the management of increasing risk mitigation costs and the success rate of achieving business objectives.

(2) Align and integrate varying views of risk management: There are many silos within organizations with a point of view on managing risk, e.g., treasury, insurable risk, EH&S, IT, and within business units. Silo mentality inhibits efficient allocation of resources and management of common risks, enterprisewide. When there are multiple functions managing multiple risks, there is a need for a common framework. For example, some organizations are:
- Assessing the need for a chief risk officer (CRO), including that individual’s role, authority and reporting lines
- Integrating risk management into critical management activities, e.g., strategy-setting, business planning, capital expenditure and M&A due diligence and integration processes
- Linking risk management to more efficient capital allocation and risk transfer decisions
- Increasing transparency by developing quantitative and qualitative measures of risks and risk management performance
- Aggregating common risk exposures across multiple business units with the objective of understanding the greatest threats to enterprise value and formulating an integrated risk response

(3) Build confidence of investment community and stakeholders: As institutional investors, rating agencies and regulators talk more about the importance of risk management in their assessments of companies, management may be requested to disclose and comment on the organization’s capabilities for understanding and managing risk to enable stakeholders to make informal assessments as to whether returns are adequate in relation to the risks undertaken. As companies increase the transparency of their risks and risk management capabilities, and improve the maturity of their capabilities around managing critical risks, management will be able to articulate more effectively how well they are handling existing and emerging industry issues.

(4) Enhance corporate governance: ERM and corporate governance are inextricably linked. Each augments the other. ERM strengthens board oversight, forces an assessment of existing senior management-level oversight structures, clarifies risk management roles and responsibilities, sets risk management authorities and boundaries, and effectively communicates risk responses in support of key business objectives. All of these activities are germane to good governance. By the same token, effective governance sets the tone for (a) understanding risks and risk management capabilities and (b) aligning risk appetite with the entity’s opportunity-seeking behavior. Directors often ask, “What are the risks, how are they managed and how do you know?”

(5) Successfully respond to a changing business environment: As the business environment continues to change and the pace of change accelerates, organizations must become better at identifying, prioritizing and planning for risk. ERM assists management with evaluating the assumptions underlying the existing business model, the effectiveness of the strategies around executing that model, and the information available for decision-making. ERM drives management to identify alternative future scenarios, evaluate the likelihood and severity of those scenarios, identify priority risks and improve the organization’s capabilities around managing those risks. As the environment changes, new risks emerge and are escalated in a timely manner for action and possible disclosure. These activities impact resource allocation for the organization as a whole.

(6) Align strategy and corporate culture: ERM helps management create risk awareness and an open, positive culture with respect to risk and risk management. In such an environment, individuals can raise issues without fear of retribution. With respect to matters of enterprisewide importance, ERM often centralizes policy-setting and creates focus, discipline and control. It clarifies the distinction between risk-taking and risk-avoidance behaviors, improves tools for quantifying risk exposures, increases accountability for managing risks across the enterprise and facilitates timely identification of changes in an entity’s risk profile. ERM encourages balance in both the entrepreneurial activities and control activities of the organization, so that neither one is too disproportionately strong relative to the other.

3. How does the scope of ERM compare to existing risk management approaches?

Traditional risk management approaches are focused on protecting the tangible assets reported on a company’s balance sheet and the related contractual rights and obligations. The emphasis of ERM, however, is on enhancing business strategy. The scope and application of ERM is much broader than protecting physical and financial assets. With an ERM approach, the scope of risk management is enterprisewide and the application of risk management is targeted to enhancing as well as protecting the unique combination of tangible and intangible assets comprising the organization’s business model. This point of view is consistent with COSO’s assertion that ERM is applied both across the enterprise and in strategy-setting.

With market capitalizations often significantly exceeding historical balance sheet values, the application of risk management to intangible assets is critically important. Just as potential future events can affect the value of tangible physical and financial assets, so, too, can they affect the value of key intangible assets, e.g., customer assets, employee/supplier assets and organizational assets such as the entity’s distinctive brands, differentiating strategies, innovative processes and proprietary systems. This is the essence of what ERM contributes to the organization – the elevation of risk management to a strategic level by broadening its application to ALL sources of value, not just physical and financial ones.
The five broad categories of assets representing sources of value, and examples within each category, are illustrated below1: n n n n n n n n n Land Buildings Equipment Inventory Physical Assets Customer Assets n n n Customers Channels Affiliates Organizational Assets Cash Receivables Investments Equity Prepaids and other Financial Assets n n n n Leadership Strategy Knowledge Values Employee/ Supplier Assets n n n n n n n Employees Suppliers Partners Reputation Innovation Systems Process These five asset categories include sources of value underlying an organization’s business strategy. By placing the emphasis on strategy-setting, ERM transitions risk management from a discipline of avoiding and hedging bets to a differentiating skill for enhancing and protecting enterprise value as management seeks to make the best bets in the pursuit of new opportunities for growth and returns. ERM invigorates opportunityseeking behavior by helping managers become confident in their understanding of the risks and in the capabilities at hand within the organization to manage those risks. Cracking the Value Code: See What Matters, Invest in What Matters and Manage What Matters in the New Economy, Richard E. S. Boulton, Barry D. Libert and Steve M. Samek, HarperCollins, 2000. 1. 5 • The risk assessment process can lead to more comprehensive risk responses when management identifies potential future events that could affect each category of assets critical to the execution of the enterprise’s business model. 
The schematic below illustrates categories of potential future events that might be considered during a risk assessment, grouped by the asset category they affect:

• Physical Assets: Unauthorized use; Inefficient use; Catastrophic loss; Unacceptable costs; Poor economic performance
• Financial Assets: Lack of economic sources of debt or equity capital; Unacceptable losses; Unexpected losses; Insufficient liquidity; Inefficient use
• Customer Assets: Pervasive quality failures; Significant losses of key customers or channels; Inefficient channels; Loss of markets or market opportunities; Ineffective alliances
• Employee/Supplier Assets: Talent shortages; Work stoppages; Loss of morale; Poor supplier performance; Excessive costs & lead times; Poor quality; Ineffective partnerships
• Organizational Assets: Lack of leadership; Unclear or obsolete strategies; Lack of resiliency; Lack of institutional learning; Ineffective/inefficient processes; Irresponsible business behavior; Illegal acts; Poor knowledge sharing; Obsolete systems; Inadequate information for decision-making; Financial restatements; False executive certifications; Business interruption; Erosion of intellectual property; Brand erosion; Reputation loss; Late to market; Security breach

An enterprise’s sources of value, whether tangible or intangible, are inherent in its business model. They are affected by sources of uncertainty which must be understood and managed as an organization works to achieve its performance objectives. They may be external or internal. For example, environment risks are uncertainties arising in the external environment affecting the viability of the enterprise’s business model. Process risks are uncertainties affecting the execution of the business model, and therefore often arise internally within the organization’s business processes.
Because inadequate knowledge and information breeds more uncertainty, information for decision-making risks are uncertainties affecting the relevance and reliability of information supporting management’s decisions to protect and enhance enterprise value. These three broad categories – environment, process and information for decision-making – provide the basis for understanding the sources of uncertainty in any business. As Question 75 illustrates, these risk categories include many subcategories of potential future events which could become the focal point for assessing risk and formulating appropriate risk responses. In summary, uncertainty about the future creates risk and ERM broadens the focus of risk management to all significant sources of enterprise value. By understanding the key external and internal variables contributing to uncertainty in a business and monitoring trends in those variables over time, management can more effectively run the business and realize the potential of the enterprise’s business model. The following table provides examples of observable events to illustrate this point. 
ASSET CATEGORY | EXAMPLES OF EXPOSURES | SOME ILLUSTRATIVE VARIABLES FOR EVALUATING UNCERTAINTY
Physical | Physical facilities | Catastrophic occurrence probability of: maximum possible loss; maximum foreseeable loss; normal loss
Physical | Production throughput | Defects occurrence probability; Changes in backlog
Financial | Net monetary assets | Change in interest, exchange and inflation rates
Financial | Business plan cash flow | Change in interest, exchange and inflation rates
Financial | Total accounts receivable | Customer default probability
Financial | Commodity holdings | Changes in oil, metals, power and other prices
Financial | Equity holdings | Changes in stock prices
Customer | Customer base | Change in service quality index
Customer | Revenue streams | Change in competitor pricing; Returns occurrence probability
Employee/Supplier | Employee group | Change in change readiness index; Health and safety incidents occurrence probability
Employee/Supplier | Strategic suppliers | Change in just-in-time performance ratings; Change in quality ratings; Change in raw materials prices
Organization | Brand image | Change in ability to deliver on brand promise
Organization | Differentiating strategy | Change in quality, time and cost performance relative to competitors; Change in customer expectations and wants
Organization | Innovative processes | New technological innovations that obsolete existing process capabilities

For any of the key variables noted above that are relevant to a business, there are potential future events that provide the context for assessing and managing risk. An underlying principle in strategy-setting further illustrates this context: The greater the dispersion of possible future events or outcomes, the higher the organization’s level of exposure to uncertain returns. An organization’s sensitivity to risk is a function of (1) the significance of its exposures to change and future events, (2) the likelihood of those changes and future events occurring and (3) its ability to manage the business implications should any combination of those possible future changes and events occur.
The organization’s ERM infrastructure facilitates the advancement of risk management capabilities to provide better knowledge and information about the enterprise’s key variables (or risks) and its capabilities around managing the effects of changes in those variables (or risks).

4. What is the value proposition for implementing ERM?

Directors and CEOs face many challenges. They must focus their organizations to capitalize on emerging opportunities. They must continually invest scarce resources in the pursuit of promising – though uncertain – business activities. They must manage the business in the face of constantly changing circumstances. And as they do all of these things, they must simultaneously be in a position to provide assurance to investors, directors and other stakeholders that their organizations know how to protect and enhance enterprise value. Amid constantly changing risk profiles, directors and CEOs need a higher level of performance from every discipline within the organization, including risk management.

ERM will help directors and CEOs meet these challenges by establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. ERM redefines the value proposition of risk management by providing an organization with the processes and tools it needs to become more anticipatory and effective at evaluating, embracing and managing the uncertainties it faces as it creates sustainable value for stakeholders. By continuously improving the risk management capabilities that really matter to the successful execution of the business model, ERM elevates risk management to a strategic level. As ERM is deployed to advance the maturity of the organization’s capabilities for managing the priority risks, it helps management to successfully enhance as well as protect enterprise value in three ways. First, ERM focuses on establishing sustainable competitive advantage.
Second, it optimizes the cost of managing risk. And third, it helps management improve business performance. These contributions redefine the value proposition of risk management to a business. The following schematic illustrates the value proposition of ERM. It places “Protect and Enhance Enterprise Value” at the center, surrounded by the three headings Establish Competitive Advantage, Optimize Risk Management Cost and Improve Business Performance, and groups the following contributions under them:

• Implement More Robust Risk Assessment Process
• Improve Capital Deployment and Resource Allocation
• Configure Risk Taking with Core Competencies
• Properly Price Risks Inherent in Transactions
• Protect Reputation and Brand Image
• Improve Change Readiness
• Reduce Operational Losses and Surprises
• Improve Regulatory Compliance and Risk Responses
• Aggregate Risk Transfer and Acceptance Decisions
• Improve Management of Common Risks Across Enterprise
• Align Risk Appetite and Strategy
• Integrate Risk Management with Business Planning and Strategy Setting
• Eliminate Redundant and Unnecessary Activities
• Instill Confidence from Systematic Risk Evaluation Process
• Enhance Understanding of Risks Affecting Earnings and Capital
• Anticipate and Communicate Uncertainties Inherent in Performance Goals

The above illustrative points are discussed throughout this book.

These value-added contributions from ERM lead to possibly the greatest single benefit risk management provides for the success of a business: Instill greater confidence in the board, CEO and executive management. These stakeholders need to know that risks and opportunities are systematically identified, rigorously analyzed and cost-effectively managed on an enterprisewide basis, in a manner consistent with the enterprise’s risk appetite and business model for creating value. Under ERM, executives are more knowledgeable of the risks inherent in their operations.
They understand the process by which risks are identified, assign risk ownership in a timely fashion and ensure that risk responses are formulated in a timely manner and monitored effectively. They also bring to bear systematic risk assessment techniques to new risk-taking ventures. They insist that business plans incorporate a focus on risk, so that they will be more substantive and robust. In summary, in an ERM environment the assumptions underlying the business model are periodically challenged and, if necessary, refined in a dynamic cycle of continuous improvement and change.

It is vital to understand that the above articulation is generic. Because a generic value proposition is not sufficient to drive senior management decisions to invest in ERM infrastructure, it must be supplemented with a more granular articulation made possible by an enterprise risk assessment and a gap analysis around the entity’s existing capabilities for managing its priority risks. As explained in our response to Question 85, the greater the gap between the current state and the desired future state of the organization’s risk management capabilities, the greater the need for ERM infrastructure to facilitate the advancement of those capabilities over time. This understanding improves the specificity of the ERM value proposition, making it more compelling.

In summary, an effectively functioning ERM infrastructure can become one of the root differentiators between mere survivors and industry pacesetters. Beyond delivering the above benefits, redefining the value proposition of risk management will add to the CEO’s storyline with stakeholders in today’s demanding environment. An ERM infrastructure stimulates and reinforces desired behaviors within the organization consistent with its business objectives, strategies and performance goals.
An ERM approach differentiates the firm’s business model and helps to build its image and reputation with customers, suppliers, employees and the capital markets, all of which are keys to sustaining a successful business.

5. Which companies are implementing ERM?

Few, if any, companies can claim they have fully implemented ERM, as defined by COSO. For most companies, the chasm between the traditional risk management model and ERM, as discussed in Question 6, is simply too overwhelming to address. For example, the COSO definition (see Question 1) states that ERM is “applied … across the enterprise.” A comprehensive, enterprisewide focus on managing risk is a high implementation standard for most companies because of the behavioral changes required to overcome the conventional management of risk in silos, which companies have had in place for a long time. For that reason, in recent years ERM has been pursued more by visionary organizations than by the mainstream of companies. ERM is a “best-of-breed” approach consisting of different techniques that different companies have implemented in different ways. Institutions in financial services are probably furthest along based on the capabilities they have put in place to manage market and credit risks across the enterprise. However, even those institutions have a ways to go to address operational risk enterprisewide.

6. If companies are not implementing ERM, then what are they doing?
Most companies are applying the traditional risk management model in their business, which makes ERM a “future goal state,” as the following schematic illustrates:

 | Risk Management | Business Risk Management | Enterprise Risk Management
Focus | Financial and hazard risks and internal controls | Business risk and internal controls, taking a risk-by-risk approach | Business risk and internal controls, taking an entity-level portfolio view of risk
Objective | Protect enterprise value | Protect enterprise value | Protect and enhance enterprise value
Scope | Treasury, insurance and operations primarily responsible | Business managers accountable | Applied across the enterprise, at every level and unit
Emphasis | Finance and operations | Management | Strategy-setting
Application | Selected risk areas, units and processes | Selected risk areas, units and processes | Enterprisewide to all sources of value
Asset categories addressed | Physical Assets; Financial Assets (“current state” capabilities) | Physical Assets; Customer Assets; Financial Assets; Employee/Supplier Assets (“current state” capabilities) | Physical Assets; Customer Assets; Organizational Assets; Financial Assets; Employee/Supplier Assets (“future state” vision)

The evolution from the traditional risk management model to ERM noted above is not easy. Under traditional risk management approaches, the process is fragmented, risk is viewed as a negative (something to be avoided), reactive and ad hoc behavior is accepted, and the risk management activity is transaction-oriented (or cost-based), narrowly focused and functionally driven. Under ERM, as defined by COSO, the process is integrated, risk is also viewed as a positive (recognizing that successful companies must take on risks when seizing opportunities), proactive behavior is expected, and the risk management activity is strategic (or value-based), broadly focused and process-driven. The traditional risk management model is focused on managing uncertainties around physical and financial assets.
ERM is focused on the enterprise’s entire asset portfolio, including its intangible assets such as its customer assets, its employee and supplier assets, and such organizational assets as its differentiating strategies, distinctive brands, innovative processes and proprietary systems. Very few companies have implemented a truly enterprisewide approach in all aspects of the business. Companies at the early stages of developing their ERM infrastructure often lay a foundation with a common language, a risk management oversight structure and an enterprisewide risk assessment process. A few companies have evolved toward more advanced stages, such as institutions in the financial services industry managing market and credit risks. Some companies apply ERM in specific units, such as in a trading unit’s management of commodity price risk on an enterprisewide basis.

7. Who is responsible for ERM?

Because the emphasis is on strategy-setting, ownership begins at the top of the organization with executive management and cascades downward into the organization to unit and functional managers. Questions 39 through 45 discuss the role of executive management. The board of directors provides oversight (the role of directors is discussed in Questions 46 through 49). In addition, there is the chief risk officer (or equivalent executive), whose role is discussed in Questions 50 through 52. There may also be one or more risk management committees, depending on the nature and complexity of the risks and the need for cross-functional and cross-unit coordination. Questions 53 through 57 explain the respective roles of these executives in the context of the risk management oversight structure.

8. What are the steps companies can take immediately to implement ERM?

There are steps that any organization can take beginning tomorrow morning. We will illustrate them in this book. For example, organizations can:

• Adopt a common risk language. See Question 75.
• Conduct an enterprise risk assessment to identify and prioritize the organization’s critical risks. Refer to Questions 69 through 84.
• Perform a gap analysis of the current and desired capabilities around managing the critical risks. Refer to Questions 110 and 111.
• Articulate the risk management vision, goals and objectives (see Questions 64 and 65), along with a compelling value proposition (refer to Questions 4 and 134 through 136) to provide the economic justification for going forward.
• Advance the risk management capability of the organization for one or two critical risks, i.e., start with a risk area where senior management knows improvements are needed to successfully execute the business strategy.

While there are other possible steps, the above are an excellent beginning and provide a simplified view for getting started with ERM implementation. It is also important to inventory what has already been done and to achieve visible early successes. The key is to keep the effort simple and focused by integrating the ERM-related activities into the business strategy and plan.

9. Is ERM applicable to smaller and less complex organizations?

All organizations face business risk, regardless of size. Organizations ignore risk at their own peril. No organization can afford to stand pat with its existing risk management capabilities; therefore, every organization should evaluate how it can improve its risk management. The COSO framework is useful for this purpose because it gives each organization a framework with criteria against which to compare its existing risk management capabilities. COSO points out on page 13 of its published framework:

While some small and mid-size entities may implement component[s of ERM] differently than large ones, they still can have effective enterprise risk management. The methodology … is likely to be less formal and less structured in smaller entities than in larger ones, but the basic concepts should be present in every entity.
10. Why have companies that have tried to implement ERM failed in their efforts?

Few companies have implemented ERM, as defined by COSO. For example, the COSO definition makes clear that application of ERM must be “across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk.” Unless the ERM implementation is applied uniformly across the company and is a holistic and comprehensive focus on all key business risks, it is not truly enterprisewide. Furthermore, unless the ERM implementation is tightly linked to the assessment and formulation of business strategy, it is not meeting the COSO requirements. While some companies have begun their journey to implement ERM, few of them have completed it.

11. Does implementation of ERM ensure the success of a business?

ERM does not guarantee the success of a business. It provides better information to managers and a more robust process for them to deploy, but does not necessarily transform a poor manager into a good manager. COSO points out that “limitations result from the realities that human judgment in decision-making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented through collusion by two or more people, and management has the ability to override enterprise risk management decisions.” The COSO definition also refers to “reasonable assurance.” According to COSO, “reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no one can predict with precision.” In addition, COSO states on page 8 of the framework:

Reasonable assurance does not imply that enterprise risk management frequently will fail.
… The cumulative effect of risk responses that satisfy multiple objectives and the multipurpose nature of internal controls reduce the risk that an entity may not achieve its objectives. … However, an uncontrollable event, a mistake, or an improper reporting incident can occur. In other words, even effective enterprise risk management can experience a failure. Reasonable assurance is not absolute assurance.

12. What is the difference between ERM and management?

ERM is an integral part of managing an organization, but does not drive everything management does. COSO states that “[m]any judgments applied in management’s decision-making and related management actions, while part of the management process, are not part of enterprise risk management.” COSO provides several examples on page 14 of the framework. For example, management’s choices as to the relevant business objectives, the specific risk responses and the allocation of entity resources are management decisions and are not part of ERM. That said, risk management is neither an afterthought nor an appendage to the existing management activities of the core business. In an ERM environment, risk management is effectively integrated with strategy-setting, business planning, performance measurement and other business disciplines.

13. What does it mean to “implement ERM”?

We believe the ERM implementation should emphasize strategy-setting. As explained in our response to Question 85, the application depends on each organization’s priority risks (defined in the context of its business strategy) and the gaps around managing those risks. ERM is not a “one-size-fits-all” solution on a shelf. Management must decide the nature of the ERM solution based on the organization’s size, objectives, strategy, structure, culture, management style, risk profile, industry, competitive environment and financial wherewithal. According to COSO, these and other factors affect how the ERM framework is applied.
Implementing ERM requires that management take the following steps:

(a) Identify and understand the organization’s priority risks to provide a context.
(b) Use the COSO framework to define the current state of the organization’s risk management capabilities.
(c) Use the COSO framework to define the desired future state of the organization’s risk management capabilities.
(d) Analyze and articulate the size of the gap between (b) and (c) and the nature of the improvements needed to close the gap, which is a function of (i) the organization’s existing capabilities and experience and (ii) management’s desire to improve and outperform.
(e) Based on the analysis in (d), develop a business case for addressing the gap to provide the economic justification for the overall effort to implement the ERM infrastructure improvements.
(f) Organize a plan that advances the desired ERM infrastructure capabilities and address change issues associated with executing the plan.
(g) Provide the oversight and facilitation necessary to ensure effective integration and coordination of the overall effort.

See our response to Question 85 for further advice on getting started. COSO states that ERM is “a means to an end, not an end in itself.” The trend towards ERM recognizes that risks are complex and interrelated, and the business environment isn’t getting any simpler. Therefore, there are significant benefits that can be achieved from evaluating and managing risk on a comprehensive enterprisewide basis. The process of implementing ERM is fundamentally a process of education, building awareness, developing buy-in and ultimately assigning accountability and accepting ownership. Because risks will continue to change and evolve as the global marketplace changes and evolves, implementing ERM should be viewed as a commitment to continuous improvement as opposed to an event.

14. Generally, how long does it take to implement ERM?
It is fashionable to view business initiatives as discrete activities with clear objectives and well-defined timetables. While ERM is certainly no exception from the standpoint of applying project management discipline, it is much more than a project. ERM is a journey, meaning it is a growth process in which the organization integrates risk management with strategy-setting to improve the effectiveness of its risk management capabilities over time. The length of time required to implement ERM varies, depending on the current state of the organization’s risk management, its desired future state and the extent to which it is willing to dedicate resources to improve risk management capabilities. In addition, because ERM requires an open environment conducive to effective communications about risks and risk management up, down and across the enterprise, cultural issues may exist for many organizations to overcome. For example, ERM requires an elimination of barriers – functional or departmental – so that a truly holistic, integrated, proactive, forward-looking and process-oriented approach is taken to manage all key business risks and opportunities – not just financial ones. If there are significant change management issues to address, the period of time to implement ERM will be extended. While there are concrete things any organization can do that will make an impact within 12 months, we estimate that most organizations will require from three to five years to accomplish their objectives in fully implementing their ERM solution.

15. Is there any way to benchmark the level of investment required to implement ERM?

As noted in the responses to Questions 13 and 14, it is difficult to generalize on the required investment. One reason for this is that the current and desired states vary for different companies. ERM is also the responsibility of every key individual within the organization.
COSO states that ERM “is affected by an entity’s board of directors, management and other personnel.” It is integral to what they do. Managing an organization and managing risk should be inextricably linked. Therefore, management must decide the nature of the ERM solution based on the organization’s facts and circumstances. With the point of origin and the point of destination varying by company, each organization’s approach will have its own distinctive elements. One effective way to determine the level of investment is to compare the organization’s existing risk management to a framework (such as the COSO framework) and, using that comparison as a context, empower a group of senior executives to define the role of risk management in the organization. Based on this assessment, the level of investment can be priced based on the people, tools and other resources required to implement the desired ERM infrastructure. Our response to Question 85 provides additional context for gauging the level of investment by pointing to the need to begin with an enterprise risk assessment and a gap analysis around managing the organization’s critical risks.

16. Don’t successfully run companies already apply ERM?

We would expect that successfully run companies are applying many aspects of ERM infrastructure. It is indeed difficult to succeed without identifying, formally assessing, responding to, controlling and monitoring risk. However, we suggest that few companies on the planet can say with certainty that their risk management practices need no further improvement. The message is not about what companies are currently doing, but about what companies should do to enhance or improve their risk management capabilities as the operating environment changes. The COSO framework provides criteria by which companies can evaluate their risk management practices.
Businesses have always faced a variety of risks, but these are times when the pace of change and the resulting consequences to a business seem to be greater than ever. Some examples:

• Globalization has increased exposure to international events. Rarely do country borders insulate companies from such events. The price of energy is a case in point.
• The need for increased efficiency, innovation and differentiation, while always relevant, has escalated in importance as companies seek new ways to differentiate themselves.
• While competitor risk continues to be a priority, the cost of strategic error is rising in the global marketplace. Financial markets are more volatile than ever. Obsolete business models create a losing hand in the game. And, even if the business model is the right one to establish sustainable advantage, it is a winner only if the organization is able to execute it effectively.
• Understanding and responding to customer wants remains the key in this demanding era of increasingly focused niche markets. Failure to keep pace can result in rapid erosion of market share.
• Outsourcing has become so commonplace that questions arise about clarifying the retention and transfer of risk.
• Unfortunately, we now know the unthinkable can happen. The events of September 11, 2001 have changed how we think about business interruption risk.
• Due to the highly publicized public reporting fiascos and high demands on certifying officers, financial reporting is now a significant risk area as companies focus on the sustainability of their disclosure process and internal control structure.

Today, these and other risks are driving a continually changing risk profile that not only has financial implications, but also strategic and operational impacts. As executives examine the risks their companies face today, they will see a different profile than what they saw even a few years ago.
And, more importantly, they can expect to see even different risks just a few years from now. That is why an enterprise risk assessment process is so critical. It all comes down to this: It isn’t the strongest or the smartest that will survive and prosper in the global economy – it’s the organizations that can best adapt to change. As markets and customers change, business models change. As the competitive landscape changes, business strategies change. Furthermore, unless the ERM implementation is tightly linked to the assessment and formulation of business strategy, it is not realizing its full potential. That is why even companies that have achieved excellence in risk management should periodically evaluate the effectiveness of their risk management capabilities.

17. How long has ERM been around and why is there a renewed focus on it?

The concepts and theories underlying ERM, namely a portfolio view of risk, have been around a long time. The application of these concepts and theories has emerged in financial institutions and world-class corporate treasuries as they apply at-risk frameworks, capital attribution techniques and other measurement methodologies to the management of market risk and credit risk. However, market developments in recent years have made it clear that volatility isn’t just a currency, interest rate or equity security risk anymore. Customer preferences, competitor product offerings, labor markets and technology are all changing with increasing frequency, with their behavior resembling that of the financial markets. Even the life cycles of organizational business models are compressing. Change is no longer linear, but exponential. Successful companies must innovate and deliver total solutions that create new sources of value for their customers or markets or they will lose ground to nimbler, more creative rivals. Never-ending innovation also gives rise to new risks that should be evaluated frequently.
This way of thinking makes business strategy a fluid, dynamic process, with risk management augmenting that process. This increasing pace of change and recognition that change is a proactive way of life, coupled with increasingly effective risk identification, measurement, reporting and planning techniques, have caused companies to take a closer look at the state of their risk management. In the past, the gap between the traditional risk management model and ERM, as explained in Question 6, was just too wide for most companies to address. However, compliance with Sarbanes-Oxley has laid a foundation for implementing ERM capabilities that did not previously exist. Companies that have implemented improved disclosure processes and internal control over financial reporting (ICFR) should take a closer look at how they can expand these capabilities to encompass other critical business activities, because the chasm is not as great as it once was due to the ongoing compliance effort required by Sarbanes-Oxley. The COSO Enterprise Risk Management – Integrated Framework provides the criteria to assist management in evaluating what needs to be done. That framework encompasses the COSO Internal Control – Integrated Framework used by many companies to assess the effectiveness of their ICFR.

18. What percentage of public companies currently have an ERM process or system?

The short answer is that the COSO framework provides the criteria needed to address this question. Until the framework gets more traction in the marketplace and companies can benchmark their risk management against the framework to assess where they stand, we won’t know the complete answer to this question. However, there are some insights from which we can infer where companies currently stand:

• A Global CEO Survey published by PricewaterhouseCoopers (PwC) in 2004 indicated that 39 percent of 1,400 CEOs strongly agreed that ERM was a priority.
While this group of CEOs (described by PwC as “strongly committed” CEOs) reported benefits from ERM, PwC’s survey reports that 53 percent of them agree they have the enterprise information they need, 42 percent integrate ERM with strategic planning, 29 percent report the use of quantification to the greatest extent possible, 27 percent integrate ERM across all functions and units, and only 20 percent report that everyone understands his or her accountability relating to risk management. By contrast, the remaining CEOs (those not as strongly committed to ERM, according to the survey) report significantly lower percentages on these and other related questions.

• In our research over the last 10 years, we have deployed several surveys (with the latest study in the fall of 2005) to inquire about the level of confidence senior executives have in their organization’s risk management. In every case, around 60 percent of the senior executives reporting indicated that they lacked high confidence that their organization’s risk management capabilities were effective in identifying and managing all potentially significant business risks. Our experience indicates that this lack of confidence is caused by the absence of a systematic process for engaging appropriate executives in identifying and prioritizing risk enterprisewide. Deciding what to do and how to do it only comes after the vital risks are on management’s screen through an effective enterprise risk assessment process.

• The lack of transparency also extends to the board of directors. In a McKinsey study involving 200 directors representing over 500 boards, released just before the Sarbanes-Oxley Act was enacted into law, 36 percent of the directors indicated that their boards did not understand the company’s major risks. Approximately 40 percent of directors indicated that they lacked knowledge as to how to effectively identify, safeguard and plan for risk.
The study also found that nonfinancial risk received only “anecdotal treatment” in the boardroom. No wonder management is getting more questions from directors about their company’s risks and risk management.

19. Is there an example of effective ERM as it is applied in practice?

The COSO Application Techniques provide examples of the methods utilized by different companies at various levels of the organization in applying ERM principles. Readers familiar with the framework will find the material useful as examples.

20. How does the application of ERM vary by industry?

On page 3 of the Application Techniques, COSO states that “because of the array of available approaches and choices, even similar organizations implement enterprise risk management differently – whether applying the framework’s concepts and principles for the first time or considering whether their existing enterprise risk management process, which may have been developed ad hoc over time, is truly effective.” The industry within which a company operates is noted by COSO as one of the attributes that will “affect how the framework’s concepts and principles are most effectively and efficiently applied.” The nature of the industry will drive the nature of the risks and the risk management practices the organization adopts to manage those risks. For example, a bank will focus on managing market and credit risk to a greater extent than other institutions because the assumption of those risks is the essence of its business model. A pharmaceutical company will focus on managing its research and development pipeline because that is the lifeline to its future revenue streams. A utility will manage conformance risks in a nuclear power facility because that is the key to its reputation and future viability. Regardless of the industry, however, the components of the framework – as defined by COSO – still apply.

21. Are there any organizations that need not implement ERM?
Every successful organization faces risk. As articulated by COSO, ERM is a process for dealing with risks and opportunities. Executive management in most organizations, regardless of industry sector, is focused on investment and return, on opportunity and reward and on competitive advantage and growth. That’s why ERM is vital to success – it assists managers in gaining confidence that they understand the organization’s risks and have the capabilities in place to manage those risks.

Every successful organization takes risks. Every choice management makes to act or not to act affects the organization’s risk profile. ERM can assist management in developing a differentiating skill in selecting the best bets for a company to make, given the competitive, regulatory and other forces in the external environment. This enhanced skill invigorates opportunity-seeking behavior.

Every successful organization responds to risk. Executive management must run the business amid changing market realities. They must carefully evaluate risk and reward as they channel resources to the best opportunities, consistent with the organization’s risk appetite. They must confidently assure investors and other stakeholders that their organization is effectively managing risk while thriving in the global marketplace. As if that isn’t enough, in the face of Sarbanes-Oxley, the CEO and CFO as certifying officers must be champions of transparent public reporting. Responding to these and other risks inherent in the business model is what successful organizations do. An ERM infrastructure will help executives and directors meet these challenges. As discussed in Question 23, this assertion applies to both public and private companies.

22. What are the regulatory mandates for implementing ERM?
While there are no explicit regulatory requirements mandating use of the COSO Enterprise Risk Management – Integrated Framework at the present time, regulatory developments have created an environment in which companies would benefit from ERM. COSO pointed out that, like other factors defining the external environment, regulation itself creates uncertainty. In the United States, Sarbanes-Oxley has commanded the headlines from its passage in July 2002 up to the time this publication was released to print. While the focus of Sarbanes-Oxley is limited to the reliability of financial reporting, we believe that companies would benefit from an ERM process focused on identifying the enterprise’s critical risks for timely action and disclosure.

There are also other developments in the United States, such as the USA PATRIOT Act requiring “know your customer” anti-money laundering regulations and the Gramm-Leach-Bliley Act requiring financial institutions to safeguard and preserve privacy of “non-public” customer information. According to the New York Stock Exchange (NYSE) listing requirements, the audit committee charter must require the committee to discuss policies with respect to risk assessment and risk management. The NYSE also mandates an internal audit function with the purpose of providing management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control. While not required, ERM would facilitate compliance with these requirements through an infrastructure and process which strengthens the enterprise’s focus on simultaneously protecting and enhancing enterprise value.

Outside the United States, the KonTraG legislation in Germany requires large companies to establish risk management supervisory systems and report controls information to shareholders.
Firms listed on the London Stock Exchange and incorporated in the United Kingdom are required to report to shareholders on a set of defined principles relating to corporate governance (known as the Combined Code, and supported with guidance provided by the Turnbull Report). The new Basel Capital Accord, issued by the Basel Committee on Banking Supervision, requires financial institutions to report on operational risk. Again, an ERM process would facilitate compliance with these requirements. In addition, Sarbanes-Oxley type legislation continues to arise in countries outside the United States.

23. Are standards for implementing ERM different for private and public companies?

The COSO framework applies to all organizations, large and small, public and private. The methods used to apply the components of the framework may vary depending on the organization’s size, objectives, strategy, structure, culture, management style, risk profile, industry, competitive environment and financial wherewithal.

24. Must companies have sophisticated processes in all areas of risk management to realize the benefits of ERM?

The COSO framework does not require sophistication in risk management. It is unnecessary to deploy the most advanced techniques for all risks. Few organizations have the resources to do that, and there isn’t a compelling business case for doing so. Sophistication is a function of (a) the nature of the risks faced by an organization, i.e., their complexity, volatility, pervasiveness and susceptibility to measurement, and (b) the availability of practical solutions that the entity can put into practice. When evaluating the desired risk management capabilities in a specific risk area or areas, the issue is not about deploying the most sophisticated processes, competencies, technology and knowledge – it is about selecting the most appropriate processes, competencies, technology and knowledge. This is a management decision.
And that decision should be made in the context of the strategy-setting process. For each individual risk or group of related risks, management must evaluate the current state of the organization’s risk management capabilities. At that point, management must decide how much added capability is needed to achieve the entity’s risk management objectives. Further, management must address the expected costs and benefits of improving the organization’s capabilities. The goal is to identify the entity’s most pressing exposures and uncertainties and to focus improvement activities on the elements of ERM infrastructure needed to manage those exposures and uncertainties more effectively.

THE COSO ENTERPRISE RISK MANAGEMENT – INTEGRATED FRAMEWORK

25. What is COSO?

COSO stands for “Committee of Sponsoring Organizations” and is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative often referred to as the Treadway Commission. The Commission studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the Securities and Exchange Commission (“SEC” or “Commission”) and other regulators, and for educational institutions. The sponsoring organizations are the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), Financial Executives International (FEI), Institute of Management Accountants (IMA) and American Accounting Association (AAA).
COSO so far has produced two documents, one in 1992 on the Internal Control – Integrated Framework (which is the framework of choice in the United States for purposes of complying with Section 404 of Sarbanes-Oxley), and the other in the mid-1990s on derivatives.

26. Why was the COSO Enterprise Risk Management – Integrated Framework created?

The project to develop this framework began in 2001, before the scandals fueling the Sarbanes-Oxley legislation arose. In the foreword to the framework, COSO indicated that “recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk.” COSO’s purpose was to develop a framework that “would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.” COSO goes on to point out that after the high-profile business failures occurred during the period of the framework’s development, there were “calls for enhanced corporate governance and risk management, with new law, regulatory and listing standards.” All these developments made more compelling the need for a framework to provide a common language and give clear direction and guidance.

27. What is the COSO Enterprise Risk Management – Integrated Framework?

COSO broadly defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The framework encompasses, but does not replace, the Internal Control – Integrated Framework published by COSO in 1992. Like its internal control counterpart, the ERM framework is presented in the form of a three-dimensional matrix.
The matrix includes four categories of objectives across the top – strategic, operations, reporting and compliance. There are eight components of enterprise risk management, which are further explained below. Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix for applying the framework. As outlined by COSO, the framework provides eight components for use when evaluating ERM:

1. Internal environment: This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.

2. Objective-setting: Management sets strategic objectives, which provide a context for operational, reporting and compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.

3. Event identification: Management identifies potential events that may positively or negatively affect an entity’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses. Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.

4. Risk assessment: Management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.

5. Risk response: Management considers alternative risk response options and their effect on risk likelihood and impact as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development.

6. Control activities: Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.

7. Information and communication: The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management and this component delivers it.

8. Monitoring: Ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time.

The thought process underlying the above framework works in the following manner: For any given objective, such as operations, management must evaluate the eight components of ERM at the appropriate level, such as the entity or business unit level.

28. How can we obtain the COSO ERM framework?

Interested parties can obtain the executive summary of the framework at www.coso.org. At this site, they can also place an order for either a hard copy or electronic copy of the integrated framework, which includes three segments – the Executive Summary, the Framework and the accompanying Application Techniques.

29. How was the COSO ERM framework developed?

Appendix A to the COSO ERM framework describes the process. COSO engaged PricewaterhouseCoopers (PwC) to conduct the project.
PwC obtained input from a broad range of executives – chief executive officers, chief financial officers, chief risk officers, controllers and internal auditors representing public and private companies of varying sizes and from different industries and government agencies. Input was also obtained from legislators, regulators, external auditors, lawyers and academics. PwC received advice and counsel from an advisory board to the COSO board. Periodically, PwC, the advisory board and the COSO board would meet to discuss the project plan, progress, framework drafts and specific topics and issues germane to completing the framework. As discussed in Appendix A of the framework, the project consisted of five phases – Assessment, Envisioning, Assessing and Designing, Preparation for Public Exposure and Finalization. The document was exposed for a 90-day period and the framework was field tested with selected companies. Input was considered from both the comment period and the field tests. Published sources considered by the project team were listed in Appendix D to the framework, including two books authored by a Protiviti managing director. Appendix E includes a summary of the project team’s consideration of specific issues arising during the comment period.

30. How do we use the COSO ERM framework?

On pages 6 and 7, COSO suggests alternative uses of the framework according to the user.
For example:

USER: POSSIBLE USES

Directors:
• Discuss with management the state of ERM
• Provide oversight to risk management activities
• Ensure they are apprised of risks and management’s actions to address them
• Consider input from internal auditors, external auditors and others

Senior management:
• Assess the organization’s ERM capabilities

Managers and other entity personnel:
• Consider how they are conducting their responsibilities in light of the framework components
• Discuss with superiors ideas for improving ERM

Internal auditors:
• Consider the breadth of their focus on ERM in the audit plan

COSO also provided suggestions for regulators, professional organizations and educators. In summary, the COSO framework should be used as a benchmarking tool to evaluate the effectiveness of the ERM process in place as well as specific risk management activities at all levels of the organization. The framework can provide the context for defining improvements in risk management capabilities.

31. Are companies required to use the COSO ERM framework?

No. Use of this framework is optional. To put this statement in perspective, however, readers should understand that when it was issued in 1992, the Internal Control – Integrated Framework was also optional. Now almost every public company in the United States is using it.

32. Does the COSO Enterprise Risk Management – Integrated Framework replace or supersede the COSO Internal Control – Integrated Framework?

No. Both frameworks stand alone. Appendix C to the ERM framework addresses this question. COSO states that internal control is encompassed within and is an integral part of ERM. Therefore, the new ERM framework does not replace or supersede the internal control framework. This point is important because many U.S. companies are using the COSO Internal Control – Integrated Framework for purposes of complying with Section 404 of Sarbanes-Oxley.

33. How does the COSO Enterprise Risk Management – Integrated Framework compare to the COSO Internal Control – Integrated Framework?

Appendix C to the ERM framework addresses this question, laying out the differences between the two frameworks. For example, in comparison to the internal control framework:

• The ERM framework has a broader focus on risk management and encompasses the internal control framework.
• The ERM framework added a new category, strategic objectives, and expanded the reporting objective to include internal reporting.
• The ERM framework introduced the concepts of risk appetite and risk tolerance.
• The ERM framework expands the risk assessment component into four components – objective-setting, event identification, risk assessment and risk response.

There are also specific differences in the components themselves, which are discussed in Appendix C to the framework. For example, roles and responsibilities are expanded to focus on risk management versus internal control. The internal environment component of the ERM framework encompasses the seven attributes of the control environment component of the internal control framework, with the emphasis on risk management, and adds three additional attributes – risk management philosophy, risk culture and risk appetite.

34. Does the new COSO framework broaden the focus of ERM beyond the traditional risk management model’s focus on insurable risk? If so, how?

Yes. The COSO ERM framework focuses comprehensively on all risks, not just financial or insurable ones. The framework achieves this broader focus in at least two ways:

• It emphasizes strategic, operational, reporting and compliance objectives and, therefore, addresses risks to the achievement of those objectives.
• The eight components of ERM, as outlined by COSO, are sufficiently comprehensive and extend beyond the procurement of insurance.
Thus when COSO uses the term “Enterprise Risk Management,” it is referring to a broader risk management concept than the insurable risk management model.

35. Are there other standards and frameworks in existence and, if so, what do they promulgate and how does the COSO Enterprise Risk Management – Integrated Framework relate to them?

There are indeed other standards, which COSO lists in Appendix D. These standards include:

• Internal Control Guidance for Directors on the Combined Code (United Kingdom)
• King Report on Corporate Governance for South Africa
• International Organization for Standardization – ISO/IEC Guide
• Australian/New Zealand Standard 4360: Risk Management
• A Risk Management Standard (Institute of Risk Management, Association of Insurance and Risk Management)

COSO did not publish a reconciliation of these various standards to its ERM framework. However, the project team considered these frameworks in the Assessment phase of the project. In addition, Question 164 relates ERM to the Basel Capital Accord requiring financial institutions to report on operational risk. Questions 165 and 166 briefly comment on the relationship between the COSO ERM framework and other frameworks, such as COBIT, ISO 17799, BITS, NIST Special Publication 800-53 and ITIL.

36. What is the point of view of the Securities and Exchange Commission (SEC) with respect to ERM?

The Commission had not issued an official statement as of the date this publication went to print. However, an SEC Commissioner periodically has addressed the importance of ERM in a number of speeches.

37. What are the deliverables when the COSO ERM framework is implemented?

The “deliverables” vary according to the techniques and tools deployed to implement the eight ERM components, the breadth of the objectives addressed, the nature of the industry, the nature of the risks and the extent of coverage of the organization’s units.
The ERM infrastructure, which is intended to provide the discipline, focus and control to advance the enterprise’s capabilities around managing its priority risks, may include such elements as the following:

POSSIBLE ERM INFRASTRUCTURE ELEMENT: DISCUSSED IN QUESTIONS
Presence on CEO agenda: 3, 4, 21, 30, 40, 41, 56, 88-90, 129, 136, 141, 142, 144
Overall risk management policy: 65, 110
Common risk language: 74-76, 98
Enterprisewide risk assessment process: 65, 69-85, 103, 106, 129, 131
Common process view: 99, 103, 104
Clarity of roles and responsibilities related to risk management: 30, 56, 57, 90, 91, 110, 144
Focused risk committee(s): 48, 49, 56, 85
CRO (or equivalent executive): 50-52, 56
Integration of risk responses within business plans: 50, 54, 108, 109, 127, 129, 133
Integration of risk management with strategy-setting: 3, 4, 41, 49, 56, 66, 67, 85, 108, 109, 111, 129, 131, 133, 135
Alignment of organizational behavior with risk appetite: 45, 49, 53, 54, 56, 65-67, 95, 102, 106, 127, 129, 131, 133
Risk reporting: 45, 50, 109, 111-113, 121
Knowledge sharing process for identifying best practices: 51, 91, 101, 103, 111, 121, 123
Common training: 111, 123
Proprietary tools to portray a portfolio view of risk: 3, 56, 108, 109, 111, 112, 127, 129
Supporting technology: 110, 111, 113-121

Additional “deliverables” include the improved capabilities around managing the enterprise’s priority risks. The value proposition, as summarized in Question 4, illustrates the benefits achievable through an effective ERM infrastructure. Note that a relationship exists between (a) the need for ERM infrastructure on the one hand and (b) the nature and extent of gaps in risk management capabilities on the other. The greater the gaps in the current state and the desired future state of the organization’s risk management capabilities, the greater the need for ERM infrastructure to drive the advancement of capabilities over time to close these gaps.
The good news is that the existing management infrastructure of most companies already includes elements of ERM infrastructure.

38. Can a company “partially” adopt the COSO Enterprise Risk Management – Integrated Framework with success?

In defining ERM, COSO has indicated that the framework is applied across the enterprise. This can be accomplished, however, within a specific unit, subsidiary or division, representing a form of “partial adoption” while still retaining an enterprisewide focus. The application of ERM to strategic operating units works because such units often have distinctively different objectives and strategies, manage distinctive product groups, serve heterogeneous markets and act as standalone profit centers. Therefore, they have distinctly different risk profiles. Executive management at the parent level may even foster, explicitly or implicitly, a competitive environment among different strategic units. If so, the risk profiles for separate business units may differ to such an extent that it may be appropriate to evaluate and manage them separately. In such circumstances, a decentralized approach may make more sense with ERM applied at one or more selected operating units.

Ultimately, taking an enterprisewide view means achieving the highest level of risk-adjusted return possible from the resources available to managers within the defined enterprise boundaries, whether for a specific operating unit or for the enterprise as a whole. From a risk management standpoint, this view has to be consistent with executive management’s view of the organization. If management takes a centralized view of the business, an enterprise view must of necessity extend to the entire organization. On the other hand, if management has a decentralized view of the organization with different units operating autonomously, an enterprise view would apply at the unit level.

THE ROLE OF EXECUTIVE MANAGEMENT

39. Who should participate in the ERM process, and how?
While ultimate responsibility for ERM starts at the top, everyone who matters within an organization should participate to some extent in the ERM process. While several executives have significant responsibilities for ERM, including the chief risk officer, chief financial officer, chief legal officer and chief audit executive, the ERM process works best when all key managers of the organization contribute. The COSO framework states that managers of the organization “support the entity’s risk management philosophy, promote compliance with its risk appetite and manage risks within their spheres of responsibility consistent with risk tolerances.” Therefore, identifying leaders throughout the organization and gaining their support is critical to successful implementation. A goal of ERM is to incorporate risk management into the organization’s agenda and decision-making processes. This means that ultimately, every manager is responsible, which can only happen when performance goals are clearly articulated, and the appropriate individuals are held accountable for results.

40. Must the CEO be fully engaged in the ERM process or system for it to be successful, or can he or she delegate it to someone else?

The COSO framework states that the CEO “is ultimately responsible and should assume ownership” over the implementation of ERM. Because ERM, as COSO defined it, is integral to running and managing a business, the CEO’s involvement is vital to the success of ERM. For example, an effective ERM solution affects the organization’s culture, because it establishes an environment where people can raise their hands and express issues without fear of retribution. This kind of open and positive environment is not possible without the CEO’s active and visible support. The CEO sets the tone by asking the tough questions about risk and risk management and by demonstrating a commitment to raising the focus of risk management to a strategic level.
A point that is often omitted in this discussion is that it is important to the CEO that he or she be involved in the process. The CEO’s participation keeps the focus at a strategic level. The CEO wants to know the answers to at least two questions about risk. First, are there any unknown exposures to events that can abruptly shift the organization’s agenda to “damage control” in a heartbeat should they occur? Second, if such exposures exist, what can be done cost-effectively to prevent the potential future events from happening and how will the organization respond should the events occur? ERM can help supply CEOs with answers to these two questions, but only if the CEO is sufficiently involved to ensure the process is appropriately focused on strategic and reputation risks.

Support from the top is vital to an effectively functioning ERM infrastructure. To create and sustain momentum, senior management must demonstrate a strong commitment to ERM through consistent communications and actions. This level of commitment arises from a compelling business case. The business case articulates the organization’s priority risks, the gaps around managing those risks, the ERM infrastructure needed to close significant gaps and the resulting costs and benefits. The business case clarifies why ERM infrastructure is needed, focuses on the big picture with a shared vision of the future state of risk management within the organization, sets realistic goals and develops a clear plan of action. A well-articulated business case helps get the CEO engaged.

41. How will senior management benefit from supporting ERM implementation?

As they focus on investment and return, on opportunity and reward and on competitive advantage and growth, CEOs and their management teams must pursue promising – though uncertain – opportunities in the face of changing market conditions.
They must be in a position to confidently assure investors and other stakeholders that the organization is managing risk effectively. They must also comply with Sarbanes-Oxley and other applicable laws and regulations. Research we have conducted several times since 1995 (with the most recent study completed during fall of 2005) almost consistently indicates that approximately 6 in 10 senior executives lack high confidence that their organization’s capabilities are identifying and managing all potentially significant business risks. Senior executives can gain increased confidence from an effective process that engages everyone who has key responsibilities within the organization for assessing and managing risk.

Our research has also indicated that roughly 50 percent of senior executives have made significant changes within the previous two years and that about 50 percent report they plan to make significant changes during the next three years. These results are not surprising. Opportunity-seeking behavior is invigorated if managers possess the confidence that they understand the related risks and have the capabilities to manage those risks.

In a rapidly changing world, traditional risk management approaches will not be effective because they are fragmented, treating risks as disparate events and easily compartmentalized in silos. While the tight focus of traditional risk management activities on loss prevention is not a bad thing, neither is it a good enough thing because the activities are not adequately integrated with the identification, evaluation and pursuit of growth opportunities. Moreover, current risk management approaches are too firmly rooted in the command and control era, which means they may not effectively balance the desire for control with the need for agility, responsiveness and cross-functional cooperation. The inevitable conclusion is that the c...

Explanation & Answer

Please feel free to reach out in case you need any edits or clarifications where necessary.

Surname 1

Contents
Week 5.2 – HR
Speech
Works Cited


Student’s Name
Lecturer’s Name
Course Title and Code
Date of Submission
Week 5.2 – HR
Getting an entity-level por...


Anonymous
Really great stuff, couldn't ask for more.
