For many executives, their eyes glaze over and their minds wander to other, more pressing, issues when the topic of enterprise risk management (ERM) is broached.
But yet the topic is getting considerable attention these days from regulatory bodies and many of the world’s most successful companies. So where’s the disconnect?
“Risk management practices have been around as long as businesses have been around,” says Ted Flom, member in charge, Risk Advisory Services, Brown Smith Wallace, St. Louis, Mo. “But as businesses have grown and the world has become more interconnected, risk management approaches need to evolve. While many companies are already ‘doing risk management,’ there are typically opportunities to enhance longstanding approaches and elevate the discussion in order to keep up with today’s business environment. Companies with a solid understanding of and approach to risk, and how it affects the whole organization, are more successful, more profitable and ultimately better able to manage through difficult times like a recession.”
ERM focuses on developing thoughtful strategies that address risks in a variety of areas, including strategy, finance, operations and technology. While it is not a new concept, it is an evolved way of approaching risk management, where a company proactively looks at risk from the strategic, enterprise level, versus taking a siloed approach. ERM acknowledges that risk is not good or bad, but rather that it needs to be recognized and understood so a company can most effectively prepare and react.
Smart Business spoke with Flom about ERM and how companies can implement some simple risk management principles in their organizations.
What is enterprise risk management, and how is it different from what companies have done in the past?
ERM is a continuous process that seeks to identify, analyze, mitigate and monitor potential events that create uncertainty to the achievement of a company’s objectives. An effective, integrated ERM program can help an organization identify and take action on risks that may be affecting the achievement of its core strategic objectives.
ERM should align with a company’s goals and objectives. It’s more than just a program or process: It’s a cultural shift. ERM should approach risk from a wide-angle view of a company, rather than homing in on specific activities or areas. ERM is becoming more than just a way of managing risk but also a way of doing business.
Why should companies consider adopting ERM?
In 2010, the Corporate Executive Board Co. conducted an analysis of the root causes underlying market capitalization declines of 50 percent or more in a single year. This analysis found that more than 80 percent of these significant declines were tied to strategic and operational risks. The potential consequences of these risks are considerable and highlight the need for comprehensive ERM programs.
No one likes surprises, especially ones that overturn your market share or competitive advantage. ERM takes into account silo risks, such as IT systems security or finance department checks and balances, and integrates them into the big picture of the business and its long-term goals and objectives. A company that has this comprehensive understanding of risk is likely to be less volatile and more successful in the long run.
What benefits can a company realize through ERM?
Companies that understand their risks have a greater ability to prevent or react to events that can impact goals and objectives. Ultimately, this can translate into less volatility and a competitive edge. A good grasp of risk can also open up a company’s perspective on opportunities it may want to pursue.
ERM enables management and the board to have a more consistent view of and approach to risk. Management and the board often have different perspectives on a company’s most important risks, such as implications of a disaster or a business disruption.
Often, a company’s ability to respond is not truly understood until an event such as a tornado or earthquake occurs. Considering that 50 percent of companies experiencing a major disruption or disaster are out of business within five years, a company’s preparedness can make all the difference.
How can a company begin implementing ERM?
Several recognized frameworks can be leveraged when considering ERM. COSO’s ‘Enterprise Risk Management — Integrated Framework’ and ISO 31000 ‘Risk management — Principles and guidelines’ are widely recognized information sources and good places to start.
Start small to get a feel for what ERM is, its benefits, and what it can and should be. Most companies start by doing a risk assessment and then deciding what to do with the results — e.g., which risks should be focused on, where and how should discussion occur on those risks, and who is responsible for monitoring this information and keeping it relevant.
A successful ERM program should be customized to integrate into a company’s existing organizational framework and culture, as opposed to being set up and managed as a standalone program.
What kind of culture shift can occur when ERM practices are adopted?
Ultimately, a company should seek to be more aware of risk at all levels, and to make decisions and set goals utilizing that understanding. ERM helps make risk part of the everyday agenda; it’s a way to bake it into the culture. That is when you begin to see the real benefits.
Risk management then becomes less bureaucratic, less resource intensive and more focused on implementing strategies that help a company reach its long-term goals.
Ted Flom is member in charge of Risk Advisory Services at Brown Smith Wallace, St. Louis, Mo. Reach him at (314) 983-1294 or TFlom@bswllc.com.
An earthquake in San Francisco. A hurricane striking New Orleans. A terrorist attack in New York City.
These are all events that insurance actuaries would define as a one-in-100-year-event. But if that year turns out to be this year, will your business be prepared?
“In the 1950s, organizations had straight-line reporting authority, manual processes, single suppliers and a local or regional service area, and awarded pay increases in a steady and systematic way based on time in that grade,” says Mike Corbin, Director of Internal Audit and Risk Management at Nichols, Cauley & Associates LLC. “Today matrixed organizations have a heavy reliance on technology and a greater need for speed of information flow. They work with multiple vendors in a global environment and award raises based on performance. With that organizational evolution, companies face far greater risks than at any time in the past.”
Smart Business spoke with Corbin about how to approach the enterprise risk management process to assess and address risks.
What is enterprise risk management?
Enterprise risk management (ERM) is a systematic and disciplined set of policies, processes and practices used to identify, assess and prioritize the major risks associated with a company’s key business objectives; develop, implement and monitor risk mitigation strategies; and provide for independent and objective evaluations by management, board and external audiences of risk mitigation strategies.
Today’s businesses face a rapidly changing regulatory environment, increased economic pressure, political uncertainty and a changing global marketplace, making it more important than ever to take steps to assess and address the risks faced by your organization
Where do you begin the process?
ERM begins with an enterprise risk assessment. Formulate a series of survey questions that are designed to measure corporate culture, the organization’s appetite for risk, knowledge of risks within the organization and existing control design and effectiveness.
The survey should be conducted by cross-functional disciplines and should provide a detailed evaluation of the organization’s vulnerability and exposure to environmental conditions. We are in a new era of increasing governmental regulations and the increased need for internal audit and related skill sets. This will also necessitate a change in the internal auditor’s role to better understand risk exposure and mitigation.
Sample survey questions may include:
- Is there an appropriate tone at the top regarding the importance of a strong internal control environment?
- Are there internal controls regarding segregation of duties?
- Are documented policies and procedures adequate with regard to identification, measurement, monitoring and control of known risks?
- Have inherent and residual risks in your area of responsibility been identified and documented?
- Do you have adequate reports and information to address significant identified risks?
How should an organization approach risk?
Assess the inherent risk for each department and function from two perspectives: its likelihood and its impact should it occur. Also assess the four areas of management’s control to mitigate inherent risk: adequate internal control structure, adequate policies and procedures, active management and board oversight and adequate risk monitoring.
When performing a risk management assessment, evaluate both internal and external risk factors, identify possible scenarios, prioritize identified risk and evaluate whether mitigating controls exist and are effective.
Once you’ve identified risks, how do you develop a risk management program?
At a minimum, the process should include the chief compliance officer, general counsel, chief audit executive, the CFO, the controller, the chief risk officer, the COO, CIO and the CEO.
It should include enhanced audit programs, which will ensure that control identification, gap analysis and the effectiveness of anti-fraud controls are addressed.
The plan should also leverage Sarbanes-Oxley work. This is often performed with SAS 99 considerations in mind and can also serve as a trigger for additional silos that have not been considered. Evaluate the code of ethics, which should be mapped against the best practices in the industry. Finally, provide annual training programs, which is a great opportunity to provide leadership within the organization.
Implementation typically takes two months, depending on the availability of resources and the commitment of management. This program is a continuous improvement process that requires annual measurements of where your organization is in terms of identifying and mitigating risks. The process shouldn’t be difficult if you follow the right framework.
What is the right framework?
First, evaluate the current status and effectiveness of your approach to implementing and maintaining risk management programs within the organization. Then assess, define and document risks and control effectiveness and establish a risk profile.
Next, develop an action plan to address areas of risk identified for control improvement or new control implementation during the risk assessment. Mitigate those risks identified during the risk assessment by enhancing, implementing and maintaining preventive and detective control activities.
Then enable continuous monitoring activities through technology and ongoing analysis activities to alert management of potential new risks and incorporate findings into an annual risk assessment process.
Mike Corbin is the Director of Internal Audit and Risk Management at Nichols, Cauley & Associates LLC. Reach him at (404) 214-1301, ext. 1420, or firstname.lastname@example.org.
Similar to for-profit corporations, nonprofits and charitable organizations (hereafter “nonprofits”) are highly susceptible to myriad risks. Faced with pressures created by today’s economic environment, nonprofits participate in a fiercely competitive environment. Barriers to entry for new organizations are low, and donors can easily shift their giving to alternate organizations. Additionally, nonprofits are generally staffed with employees and volunteers who are first committed to helping the organization achieve its mission. The achievement of this mission requires considerable resources, often leaving less than adequate time for these individuals to establish and/or maintain enterprise risk management (ERM) processes.
When properly implemented, “ERM processes can not only help nonprofits safeguard assets and their reputation, they can also allow the organization to capitalize on opportunities afforded by risk taking,” says Harry Cendrowski, managing director, Cendrowski Corporate Advisors. “In this manner, ERM implementation is similar to corporate strategy initiatives.”
Smart Business spoke with Cendrowski about the risks faced by nonprofits and the manner in which a nonprofit can develop and implement an effective ERM process.
How should a nonprofit develop an ERM process?
Risk management for nonprofits begins at the highest levels of the organization, with the board and C-suite executives. Before risk management processes can be devised and implemented, these individuals must work together to identify an overarching, balanced philosophy of risk. This philosophy should detail the risks the organization is willing to bear, as well as the expected reward for taking such risks. It should also be accepted uniformly among high-level individuals, for if it is not, downstream employees and volunteers will see a fractured view of not only the organization’s risk philosophy but also the vision by which the organization will achieve its mission. This may, in turn, lead these individuals to make decisions that are not necessarily in the nonprofit’s best interest and most certainly not aligned with its balanced risk philosophy.
Once a balanced risk philosophy has been established, the risks faced by a nonprofit should be enumerated and evaluated according to their potential impact to the organization and likelihood of occurrence. A priority should be placed on mitigating high-impact/high-likelihood events, as these risks pose the greatest threat to the organization. Mitigation might include the implementation of processes designed to detect and correct risks once they have occurred, or processes designed to prevent risks from occurring.
What mistakes do organizations make in establishing ERM processes?
Many nonprofits and for-profit corporations do not allow enough time for an ERM process to take hold within the organization. They sometimes rush implementation, which, in turn, causes a lack of process ownership at the employee or volunteer level. The implementation of an ERM process requires significant cultural change; this is not something that can be altered overnight. Cultural change is an indirect effect of other organizational changes and leadership behavior; it cannot be directly effected by leadership. However, once cultural change has been embraced, and a risk-focused culture has been adopted, employees and volunteers will be conscious about the risks associated with their jobs and the impact such risks may have on the organization.
How much time should leaders and the board allot for the implementation of an ERM process?
The amount of time required for an ERM process’s implementation varies for every organization. In addition to being a function of the organization’s size, it is also a function of the current state of the organization’s environment and the approach of its employees and volunteers. If these individuals have rarely had to think about risk, an ERM process will take a considerable amount of time to implement. ERM is very similar to corporate strategy in that changes can certainly take place, but they may require considerable time to implement. Short- and long-range ERM plans should be developed, complete with key milestones and roles and responsibilities for process managers. These plans should subsequently be monitored to ensure that the organization is progressing and that the ERM process is evolving as the organization intended. This will ensure that realized benefits of the ERM process are maximized.
What benefits can nonprofits realize from ERM processes?
ERM helps nonprofits maintain their relevance and capitalize on opportunities presented by risk. For example, when its goal of defeating polio was achieved, the March of Dimes made a conscious change to focus its efforts on preventing birth defects. Without this change — or the support of the change from its donor base — the organization would probably have become irrelevant to its donors. ERM also helps nonprofits mitigate perhaps the largest risk they face: reputational risk. Stripped of a once-sterling reputation, a nonprofit will find it extremely difficult to rebuild its image. This could have far-reaching consequences beyond the direct realization of a risky event.
For example, in a university setting, misappropriation or misuse of university endowment funds could have a significant impact on the organization’s overall reputation. Both Princeton and Yale University recently settled lawsuits in which the plaintiffs alleged the universities misused millions of dollars of endowment funds. The lawsuits harmed the reputation of the university not only in the eyes of existing donors, but also potential donors looking to make contributions, faculty, staff and even potential students.
It is important to note that what begins as the realization of a seemingly isolated risk may soon impact the organization as a whole — on many levels — if a functioning ERM process is not in place.
HARRY CENDROWSKI is managing director for Cendrowski Corporate Advisors LLC. Reach him at email@example.com or (866) 717-1607, or visit the company’s website at www.cca-advisors.com.