John Thackeray, CFE
Founder and CEO of Risk Smart Inc.
Enterprise risk management (ERM) is the process of planning, organizing, leading and controlling the activities of an organization to minimize the effects of risk on the organization's capital and earnings, reputation and shareholder value. The benefit of ERM is that it aligns the organization, its people, processes and infrastructure; provides a benchmark for risk/reward; gives visibility into the risk carried by operational activities; and, for more mature programs, creates a competitive advantage. It is an important process for organizations of all sizes and within all industries. Here's a look at how to develop an ERM strategy.
Business objectives and strategy
Risk management must function in the context of business strategy, and the first step in this integration is for an organization to determine its goals and objectives. Typical organizational strategic objectives include market share, earnings stability/growth, investor returns, regulatory standing and capital conservation.
From there, the organization assesses the risk implied in implementing that strategy and determines the level of risk it is willing to assume in executing it, given its internal risk capacity, existing risk profile, vision, mission and capability. Since strategies are usually predicated on assumptions (beware those that are unspoken and unverified) and on calculations that may or may not be accurate, the role of ERM is to challenge both these assumptions and the execution of the strategy. ERM and strategic management are not two separate things; rather, they are the two wheels of a bicycle, which must be built to match if the whole is to stay stable.
Determining risk appetite
Risk direction is defined by the risk appetite, which in turn is defined as the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns). A risk appetite statement is the critical link that combines strategy setting, business plans, capital and risk. It reflects the entity's risk management philosophy and influences its culture and operating style. When determining your risk appetite, think about your:
1. Existing risk profile
2. Attitudes toward risk
3. Risk capacity
4. Risk tolerances
The risk appetite statement is developed by management with board review. The overall risk appetite should open with broad risk statements and then dive into each major class of organizational objective and each category of risk. An effective risk appetite statement needs to be stated precisely enough that it can be communicated, operationalized and used to aid decision-making. More importantly, it needs to be broken down into specific operating metrics so that it can be monitored.
Next, the risk appetite should be converted into operating/tactical metrics known as risk tolerances, which reflect the application of the risk appetite to specific objectives. The risk tolerances are then further distilled into risk thresholds. The key here is moving from a coarse, largely qualitative statement (the risk appetite) to a granular, quantified figure (a threshold). The risk appetite is also converted into high-level enterprise key performance indicators (KPIs), which should be defined, accepted and operationalized, with appetite and tolerances established for capital, earnings, creditworthiness, reputation and shareholder returns. Once the risk appetite is set, it needs to be embedded, continuously monitored and revised. As strategies and objectives change, the risk appetite should be revisited and discussed again.
The importance of culture, governance and taxonomy
The statement of risk appetite is conveyed through culture, governance and taxonomy. These three factors help an organization manage its risk-taking activities. A strong risk culture set from the top, augmented by comprehensively laid-out roles and responsibilities, collective and centralized decision-making and clear escalation protocols, is a must for successful implementation. Strong, well-thought-out risk management principles, clear ownership and culture training help to promote and reinforce this risk culture. Evidence of the culture should be visible in open communication, both top-down and bottom-up, in decision-making and conflict resolution.
"Enterprise" means that no area of the organization is excluded; ERM includes all operating and support areas in terms of engagement, training and support. Tone and execution from the top mean that these areas become partners, and even owners, with the ability to manage outcomes. This ensures transparency and accountability. Good ERM is about understanding change and managing that change within the overall mandate, not in isolation. Intertwined with this change is the need for a risk taxonomy, a common classification of risks that helps the organization assess the impact of the risk it undertakes.
Risk data and delivery
It's all about the data, but more importantly the correct data. The risk data and its delivery must be robust and able to scale so that the information collected, integrated and analyzed can be translated into cohesive, credible reports.
Internal control environment
The internal control environment is one of the most important tools available to senior management for reducing inherent risk to an acceptable level. The risk that remains after internal controls are applied is known as residual risk. Building an effective internal control environment allows management to control what can be controlled. Moreover, an effective control environment must provide a consistent structure that is both balanced and realistic.
Measurement and evaluation
Measurement and evaluation determine which risks are significant, both individually and collectively, and where to invest time, energy and effort in response. Various risk management techniques can be used to measure and quantify the risks at both an aggregate and a portfolio level.
All risks, responses and control effectiveness must be reported and communicated in a format that makes sense to the different stakeholders and oversight/governance bodies. The oversight/governance bodies are tasked with ensuring that the risk profile is aligned with business and capital plans, and that the amount of capital held is commensurate with the risk being taken.
Scenario planning and stress testing
Given that management must address both known and unknown risks, tools like scenario planning and stress testing are used to shed light on missing risks and, more importantly, on the interconnections between risks. Armed with this information, your organization can develop contingency plans to counter the effects of these risks on its future operational viability and on the trends and models it relies on.
ERM is not a passing fad; it is now instrumental to the survival of an organization. Its importance lies both in the maturity of the thinking and in the structured planning it demands. Together, these allow an organization to navigate the risks posed to its business objectives and strategy.