An earthquake in San Francisco. A hurricane striking New Orleans. A terrorist attack in New York City.
These are all events that insurance actuaries would define as a one-in-100-year-event. But if that year turns out to be this year, will your business be prepared?
“In the 1950s, organizations had straight-line reporting authority, manual processes, single suppliers and a local or regional service area, and awarded pay increases in a steady and systematic way based on time in that grade,” says Mike Corbin, Director of Internal Audit and Risk Management at Nichols, Cauley & Associates LLC. “Today matrixed organizations have a heavy reliance on technology and a greater need for speed of information flow. They work with multiple vendors in a global environment and award raises based on performance. With that organizational evolution, companies face far greater risks than at any time in the past.”
Smart Business spoke with Corbin about how to approach the enterprise risk management process to assess and address risks.
What is enterprise risk management?
Enterprise risk management (ERM) is a systematic and disciplined set of policies, processes and practices used to identify, assess and prioritize the major risks associated with a company’s key business objectives; develop, implement and monitor risk mitigation strategies; and provide for independent and objective evaluations by management, board and external audiences of risk mitigation strategies.
Today’s businesses face a rapidly changing regulatory environment, increased economic pressure, political uncertainty and a changing global marketplace, making it more important than ever to take steps to assess and address the risks faced by your organization
Where do you begin the process?
ERM begins with an enterprise risk assessment. Formulate a series of survey questions that are designed to measure corporate culture, the organization’s appetite for risk, knowledge of risks within the organization and existing control design and effectiveness.
The survey should be conducted by cross-functional disciplines and should provide a detailed evaluation of the organization’s vulnerability and exposure to environmental conditions. We are in a new era of increasing governmental regulations and the increased need for internal audit and related skill sets. This will also necessitate a change in the internal auditor’s role to better understand risk exposure and mitigation.
Sample survey questions may include:
- Is there an appropriate tone at the top regarding the importance of a strong internal control environment?
- Are there internal controls regarding segregation of duties?
- Are documented policies and procedures adequate with regard to identification, measurement, monitoring and control of known risks?
- Have inherent and residual risks in your area of responsibility been identified and documented?
- Do you have adequate reports and information to address significant identified risks?
How should an organization approach risk?
Assess the inherent risk for each department and function from two perspectives: its likelihood and its impact should it occur. Also assess the four areas of management’s control to mitigate inherent risk: adequate internal control structure, adequate policies and procedures, active management and board oversight and adequate risk monitoring.
When performing a risk management assessment, evaluate both internal and external risk factors, identify possible scenarios, prioritize identified risk and evaluate whether mitigating controls exist and are effective.
Once you’ve identified risks, how do you develop a risk management program?
At a minimum, the process should include the chief compliance officer, general counsel, chief audit executive, the CFO, the controller, the chief risk officer, the COO, CIO and the CEO.
It should include enhanced audit programs, which will ensure that control identification, gap analysis and the effectiveness of anti-fraud controls are addressed.
The plan should also leverage Sarbanes-Oxley work. This is often performed with SAS 99 considerations in mind and can also serve as a trigger for additional silos that have not been considered. Evaluate the code of ethics, which should be mapped against the best practices in the industry. Finally, provide annual training programs, which is a great opportunity to provide leadership within the organization.
Implementation typically takes two months, depending on the availability of resources and the commitment of management. This program is a continuous improvement process that requires annual measurements of where your organization is in terms of identifying and mitigating risks. The process shouldn’t be difficult if you follow the right framework.
What is the right framework?
First, evaluate the current status and effectiveness of your approach to implementing and maintaining risk management programs within the organization. Then assess, define and document risks and control effectiveness and establish a risk profile.
Next, develop an action plan to address areas of risk identified for control improvement or new control implementation during the risk assessment. Mitigate those risks identified during the risk assessment by enhancing, implementing and maintaining preventive and detective control activities.
Then enable continuous monitoring activities through technology and ongoing analysis activities to alert management of potential new risks and incorporate findings into an annual risk assessment process.
Mike Corbin is the Director of Internal Audit and Risk Management at Nichols, Cauley & Associates LLC. Reach him at (404) 214-1301, ext. 1420, or [email protected].
