The Fraud Examiner

A Road Map for Establishing an Enterprise Risk Management Program

John Thackeray, CFE
Founder and CEO of Risk Smart Inc.

Enterprise risk management (ERM) is the process of planning, organizing, leading and controlling the activities of an organization to minimize the effects of risk on its capital and earnings, reputation and shareholder value. The benefit of ERM is that it aligns organization, people, processes and infrastructure; provides a benchmark for risk/reward; gives risk visibility into operational activities; and, for more mature programs, creates a competitive advantage. It is an important process for organizations of all sizes and within all industries. Here’s a look at how to develop an ERM strategy.


Business objectives and strategy

Risk management must function in the context of business strategy, and the first step in this integration is for an organization to determine its goals and objectives. Typical organizational strategic objectives include market share, earnings stability/growth, investor returns, regulatory standing and capital conservation.


From there, the institution assesses the risk implied in that strategy implementation and determines the level of risk it is willing to assume in executing that strategy — given its internal risk capacity, existing risk profile, vision, mission and capability. Since strategies are usually predicated on assumptions (beware those that are unspoken and unverified) and calculations that may or may not be accurate, the role of ERM is to challenge these assumptions and the execution of such strategy. ERM and strategic management are not two separate things; rather, they are two wheels of a bicycle that must be built uniformly in order to contribute to the stability of the whole.


Determining risk appetite

Risk direction is defined by the risk appetite — which, in turn, is defined as the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns). A risk appetite statement is the critical link that combines strategy setting, business plans, capital and risk. It reflects the entity’s risk management philosophy and influences the culture and operating style. When determining your risk appetite, think about your:


1. Existing risk profile
2. Attitudes toward risk
3. Risk capacity
4. Risk tolerances


The risk appetite statement is developed by management with board review. The overall risk appetite should use broad risk statements and then dive into each major class of organizational objective and the different categories of risk. An effective risk appetite statement needs to be stated precisely enough so it can be communicated, operationalized and aid in decision-making. More importantly, it needs to be broken down into specific operating metrics so that it can be monitored.


Next, the risk appetite should be converted into operating/tactical metrics known as risk tolerances, which reflect the application of risk appetite to specific objectives. Then the risk tolerances are further distilled into risk thresholds. The key here is moving from a low level of quantification (i.e., risk appetite) to a high level of granularity (i.e., a threshold). The risk appetite is then converted into high-level enterprise key performance indicators (KPIs), which should be defined, acceptable and operationalized — with risk appetite and tolerances established for capital, earnings, credit worthiness, reputation and shareholder returns. Once the risk appetite is set, it needs to be embedded and continuously monitored and revised. As strategies and objectives change, they should prompt further discussion of risk appetite.

The importance of culture, governance and taxonomy

The statement of risk appetite is conveyed through culture, governance and taxonomy. These three factors help an organization manage its risk-taking activities. A strong risk culture set from the top, augmented by comprehensively laid-out roles and responsibilities with collective centralized decision-making and clear escalation protocols, is a must for successful implementation. Strong, well-thought-out risk management principles, ownership and culture training help to promote and reinforce this strong risk culture. Evidence of this culture should be seen in open communication — both top down and bottom up — in decision-making and conflict resolution.

"Enterprise" means that no area of the organization is excluded; it includes all operating and support areas in terms of engagement, training and support. The tone and execution from the top mean that these areas become partners, and even owners, with the ability to manage outcomes. This ensures transparency and accountability. Good ERM is about understanding change and managing that change within the overall mandate and not in isolation. Intertwined with this change is a need for a risk taxonomy that can help assess the impact of the risk undertaken.

Risk data and delivery

It’s all about the data, but more importantly the correct data. The risk data and delivery must be robust and to scale so that the information collected, integrated and analyzed can be translated into cohesive, credible reports.

Internal control environment

The internal control environment is one of the most important tools to help senior management reduce the level of inherent risk to an acceptable level — known as residual risk. Residual risk is defined as the level of inherent risks reduced by internal controls. Building an effective internal control environment allows management to control what can be controlled. Moreover, an effective control environment must allow for a consistent structure which is both balanced and realistic.

Measurement and evaluation

Measurement and evaluation determine which risks are significant, both individually and collectively, and where to invest time, energy and effort in response. Various risk management techniques can be used to measure and quantify the risks on both an aggregate and portfolio level.

All risks, responses and control effectiveness must be reported and communicated in a format that makes sense to the different stakeholders and oversight/governance bodies. The oversight/governance bodies will be tasked with ensuring that the risk profile is aligned with business and capital plans, and that the amount of capital is commensurate with the risk taking.

Scenario planning and stress testing

Given that management must address known and unknown risks, tools like scenario planning and stress testing are used to shed light on missing risks and, more importantly, the interconnection of these risks. Armed with this information, your organization can develop contingency plans to counter the effects on the future operational viability and trend/model of these risks.

ERM is not a passing fad, as it is now instrumental to the survival of an organization. Its importance is both in the maturity of the thinking and the structured planning. This allows an organization to navigate the risks posed to business objectives and strategy.