How to implement an effective enterprise risk management program

James P. Martin, Managing Director, Cendrowski Corporate Advisors LLC

The requirement for appropriate enterprise risk management (ERM) techniques continues to grow. The recently passed Dodd-Frank Wall Street Reform and Consumer Protection Act calls for a risk committee to be established by all public, nonbank financial companies, as well as larger public bank holding companies.

Supervised by the board of governors of the Federal Reserve, the risk committee will be held responsible for enterprisewide risk management oversight and practices. Additionally, ERM is a central focus for many organizations outside of the financial sector looking to mitigate risks in today’s volatile economic climate.

“All organizations face uncertainty; the challenge for management is to determine how much uncertainty to accept,” says James P. Martin, CMA, CIA, CFE, managing director of Cendrowski Corporate Advisors LLC. “Uncertainty brings both risk and opportunity, with the potential to enhance or erode value. A robust ERM process helps the organization ready itself to make the most of the opportunity while appropriately managing the downside of relevant risky events.”

Smart Business spoke with Martin about how companies can establish effective ERM processes and the benefits of such processes to organizations.

How can an effective ERM process benefit an organization?

In short, effective ERM processes help the organization respond to the constantly changing business environment. More specifically, ERM helps organizations quickly perceive changes in their environments, analyze these changes, develop a plan for response and execute this plan. Through identification and planning, organizations will improve their resilience to changes in their environment by viewing the realization of risky events as opportunities for shareholder value creation rather than degradation. If an organization is able to successfully mitigate risky events and capitalize on opportunities presented by change, it will tend to be more successful than those that are not prepared.

On what areas of risk should organizations focus?

Risk is really a continuum across the business environment, but for simplicity, there are generally four main areas that must be considered: strategic, operational, process and compliance risks. The latter element is a key thrust of the recently passed Dodd-Frank law.

In brief, strategic risks are those associated with the organization’s plan to create shareholder value, including its chosen risk/reward appetite; operational risks are those that relate to the design of processes intended to carry out the organization’s strategy; process risks are those presented by the day-to-day operations of the organization; and compliance risks are those associated with an organization’s failure to comply with federal, state and local laws and regulations.

Can you describe the differences among these four types of risks?

Strategic risks can prevent the accomplishment of the strategic objectives of the organization. These include visionary plans to maximize shareholder value over a long-term horizon. These objectives drive operational objectives, such as the deployment of people and other resources, which present another layer of risk to the organization. These objectives, in turn, define and drive operational processes. These layers must all work in harmony to ensure that overall objectives are achieved. The risk assessment process should encourage ongoing, active identification of risk and ensure that ideas about risk facing the organization at any level are elevated to the appropriate level. Compliance risks pervade virtually all levels of an organization and thus are a foundational element of an organization’s strategy, operations and processes. However, due to their marked importance, the Dodd-Frank law has explicitly stated that organizations should place an intense focus on compliance risk and that compliance risks should be integrated with other areas of risk in the assessment process.

How should risks be identified and evaluated?

Risks should be identified and evaluated through the use of ERM workshops. These workshops bring together numerous subject matter experts, allowing them to collectively brainstorm risks faced by the organization in an open environment.

Once identified, the impact and likelihood of risks should be estimated by subject matter experts. Those risks with both high impact and high likelihood should be prioritized for oversight and monitoring by the organization, as they can have the greatest potential effect on the organization’s objectives.

What types of individuals should participate in ERM workshops?

An ideal workshop participant is an open and honest communicator who embraces change rather than impedes it. Even though numerous individuals within an organization may have excellent ideas regarding organizational risk and how risk readiness can be improved, many may fail to share them due to their personality or because the organization has created obstacles to communication.

However, beyond these traits, the characteristics of an ideal workshop participant will differ by the type of workshop being conducted. For instance, in conducting an operations-focused ERM workshop, an ideal participant would be a creative thinker and a process visionary. By possessing these character traits, operational processes can be devised that maximize the organization’s rewards associated with its strategy while concurrently minimizing risk.

In contrast, an ideal participant in a process-focused ERM workshop need not possess these traits, but he or she should have a profound understanding of the workflow within an organization. This type of knowledge will help ensure processes are implemented according to their operational design.

James P. Martin, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or [email protected]

Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC