ERM Roadmap

ERM Roadmap

Assignment 1: ERM Roadmap

CIS 558: IT & Audit Control

Enterprise Risk Management (ERM) Roadmap

“Change, before you have to.”–Jack Welch, (Fein, 2012). Today’s business technology is moving and evolving fast than ever and for those that do not adopt and adapt often get left behind or even knock out of market viability. On the other hand, those businesses looking for the next significant technological change to get ahead of the competition must consider that change for change sake can make them vulnerable to a growing range of risks. Enterprise Risk Management (ERM) provides business leaders with the ability to mitigate risk, make well-informed decisions and to respond quickly to changes.

ERM is was born from the concept of a holistic approach to risk management initiated by the “risk management circle” proposed by Gustav Hamilton, the risk manager for Sweden’s State Company Limited, (Artebrant, Jönsson & Nordhemmer, 2004). Over the years, risk management evolved to have more of an enterprise scope, primarily in the financial sectors. Various watershed moments, such as the Sarbanes-Oxley Act, post 9/11/2001 business continuity & disaster preparedness and security issues in the wake of advancing business technology, reinforced the need for a better control ERM model. In 2004, the Committee of Sponsoring Organization (COSO) took on the task.

COSO Risk Management Framework and COSO’s ERM process.

In 2004, COSO published Enterprise Risk Management — Integrated Framework. COSO defines ERM as;

a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events

that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives, (COSO, 2004).

COSO’s ERM evaluates and quantifies an organization’s level of achievement in relation to four prime objectives;

Strategic – These are high-level goals that support/align with the organization’s mission

Operations – Day-to-day organizational activities and management processes

Financial Reporting – Accurate reporting of financial records and asset protection

Compliance – The organization’s regulatory compliance and legal adherence

Embedded within each objective is COSO’s Risk Management Framework, which is comprised of eight interconnected elements, discussed below.

Internal Environment – This comprises the nature of how an organization addresses risk, sets the foundation for how staff examines risk, the organization’s philosophy regarding risk management philosophy, the organization’s risk appetite, and the operating environment.

Objective Setting – The Board of Directors and Senior management must set objectives that align with and support the organization’s mission and are within its risk appetite.

Event Identification – Events, internal and external that affect the achievement of objectives must be identified and differentiated as either risk, opportunities, or both.

Risk Assessment – Risks are assessed, considering the likelihood and potential impact, then analyzed to develop a strategy for managing them.

Risk Response – Reduce, Accept, Transfer and Avoid are the primary organizational responses to risk. Which response an organization applies to risk depends on the organization’s risk appetite and risk tolerance.

Control Activities – Policies and Procedures are created and implemented to ensure that the response to risk is sufficient.

Information and Communication – Important data must be identified, obtained and disseminated in a useful format and within an appropriate timeframe so that users can meet their obligations and responsibilities.

Monitoring – ERM process is continual and requires monitoring, review, and when needed, modified to provide more effective risk management. (ERM Initiative, 2004), (Weller, 2018).

To achieve useful ERM implementation process, it should accomplish the following actions;

Determine and classify possible risks

Analyze and evaluate the risks identified

Conduct risk prioritization and response planning

Conduct continuous monitoring of all risks

Implementing ERM and Organizational Impact

Transitioning from a traditional model of risk management to an ERM model is not an easy accomplishment. Traditional risk models view risk as completely negative, processes are often compartmentalized, can be reactionary or provisional, and risk management actions are cost-based & functionally driven. On the other hand, the ERM, as characterized by the

Committee of Sponsoring Organizations of the Treadway Commission (COSO), is an integrated, proactive process in which risks are also considered to have positive traits, and that risk management actions are value-based and driven by the process. Analogous to sports, the transition is one of changing the gameplay from a rigid defensive posture to a controlled but flexible offensive strategy.

For many organizations, implementing ERM is a not only a difficult because of the actual change to the traditional risk management approach, but it can run contrary the conventional risk management beliefs and culture that are engrained in the organization. For organizations that decide adopt an ERM strategy, the following recommendations are beneficial;

Develop an ERM program charter, articulating the ERM vision, the goals, and desired objectives. Organizations must first “speak” the same risk management language. If an organization’s stakeholders do not have a clear understanding of the vision and goals, their commitment and efforts will be in contrast to the ERM process, and thus results will be unsuccessful. Provide stakeholder training, introducing ERM process methods and to teach ERM “as a second language.” Furthermore, the ERM vision must be supported and promoted by management to help facilitate changes to the risk management beliefs/culture that will need to take place.

Conduct Enterprise Risk Assessment to determine and prioritize the risks and their impact on the organization. Without a current, an accurate risk assessment strategic planning for value-based, objective-oriented goals will fall short of addressing risks. Furthermore, Gap analysis needs to be performed to identify the gap between current capabilities and those the organization wants to achieve. Organizations not only need

ERM Roadmap6

to the goals/objectives they want to meet but they need to know how far “off the mark” they currently are so that strategic plans have the proper scope and expectations. Performing both of these will help the organization qualify/quantify current risks, identify needed resources and well as under-utilized capabilities that can provide immediate improvement.

Although ERM efforts will expand to the whole organization, the initial implementation should have a small scope, focusing first efforts on high priority risks, such as risk with

and those with high governance exposure and those with low-risk tolerance. If the organization tries to implement a full range ERM process, especially with stakeholders that are new to ERM, it becomes unwieldy, impeding business operations. By focusing on small and “easy” areas, implementing ERM can seem less daunting and more manageable. For example, implementing ERM process in risk areas that senior

management is already aware of needed improvements. Quick “wins” that bring immediate benefits will build stakeholder confidence, motivation and lead higher level of ERM commitment.

ERM should align with the overarching organizational mission, in that it is an ongoing process of improving the organization. Without consistent, continuous monitoring for changing or emerging threats and developing mitigation strategies, organizations will soon return to a state that is highly vulnerable to risk(s). Organizations should create policies and procedures that direct ongoing ERM efforts to identify and address changes in the severity of risks, as well as the mitigation strategy effectiveness. (Guide to Enterprise Risk Management, 2006)

Establishing Key Risk Indicators (KRIs).

A Key Risk Indicator is a measure to determine the risk of an action. These indicators (KRIs) are used to augment the monitoring of risks, provide early notification of growing risk exposures and aid in reporting. Establishing KRIs can be challenging if the characteristics of quality KRIs are not understood. KRIs should be;

Able to measure the correct factors providing qualitative information that supports and facilitates effective decision making

Quantifiable in that they can offer calculable fiscal data about the financial impact of risk(s)

Capable of providing accurate and precise results

Sources that can help guide an organization in developing KRIs include;

Government regulations and industry compliance policies

Corporate objective and strategies

Prior incidents and losses associated with current risk vulnerabilities

Requirements and expectations of organizational stakeholders

Risk Assessment results (Lam, 2008)

Developing relevant and useful KRIs starts with a solid understanding of the organization’s objectives, and risk-related activities/incidents that can affect attainment of the objectives. Initially, organizations can list current metrics, categorizing them based on a) historical performance measures, b) predictive indicators based on past outcomes, and c) determine if there gaps. From there, the list can be parsed by selecting the meaningful,

measurable and predictive KRIs, and analyzing the root cause, an indicator associated with risk occurrence(s). Once KRIs are determined they should be prioritized, to help recognize highly relevant KRIs, and linked to strategic initiatives. (Pleshakova, 2017)

Linking KRIs to the Organization’s Strategic Initiatives.

KRIs are integral to the ERM process, providing opportunities to be strategic with risk management of emerging risks. KRIs should be linked to strategic initiatives, but depending on the organization’s risk management culture and maturity this could be a challenging endeavor. The Kaplan-Norton Strategy Execution Model explains six-stage framework to help develop strategic initiatives to which KRI can be linked.

Strategy development encompasses the previously stated considerations, such as an organization’s mission, values, and vision; risk assessment analysis to determine specific strategic risks

Strategy translation to outline strategy maps, objectives, targets and initiatives

Organizational alignment to ensure all organizational units and stakeholders are aligned with strategic initiatives

Operational planning to support strategic initiatives

Continual monitoring of strategic execution of initiatives

Testing and adapting, as a part of constant monitoring and ongoing strategic risk assessments to ensure KRIs and strategic initiatives are effective at identifying current known risks and predictive of emerging risks (Tonello, 2012)

Conclusion

ERM can help organizations better manage risk(s) and implement active mitigation

efforts against them. Implementing ERM will provide a framework by which organizations can

evaluate uncertainties, strategically manage risk, increase operational efficiency, and thereby

build greater organizational value.

References

n.a. (2006). Guide to Enterprise Risk Management: Frequently Asked Questions. Protiviti, Inc., Independent Risk Consulting. Retrieved from https://www.ucop.edu/enterprise-risk-management/_files/protiviti_faqguide.pdf

Artebrant, A; Jönsson, E. and Nordhemmer, M. (2004). Risks and Risk Management in the Supply Chain flow. Unpublished MSc in Master of Science in Industrial Management and Engineering, Lund Institute of Technology. Retrieved from http://www.husdal.com/ 2010/11/16/hamiltons-circle-of-risk/

COSO. (2004, September). Enterprise Risk Management — Integrated Framework. COSO ERM Executive Summary. Retrieved from https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf

ERM Initiative Staff. (2004, September 01). COSO’s Enterprise Risk Management – Integrated Framework. North Carolina State University, Poole College of Management, Enterprise Risk Management Initiative. Retrieved from ERM Library at https://erm.ncsu.edu/library /article/coso-erm-framework

Lam, J. (2008, January). Emerging Best Practices in Developing Key Risk Indicators and ERM Reporting. Executive White Paper, James Lam & Associates, and Cognos, an IBM Company. Retrieved from ftp://service.boulder.ibm.com/software/data/sw-library/ cognos/pdfs/whitepapers/wp_best_pract_in_dev_key_risk_indicators_erm_rep.pdf

Fein, I. A. (2012, April). “Change, before you have to.”–Jack Welch, Former CEO, General Electric. Critical Care Medicine: July 2012 – Volume 40 – Issue 7 – p 2227–2228. Retrieved from https://journals.lww.com/ccmjournal/Citation/2012/07000/_Change,_ before_you_have_to___Jack_Welch,_Former.29.aspx

Pleshakova, A. (2017, October 17). Key Risk Indicators, Explained: Part Two. Nehemiah

Security.com. Retrieved from https://nehemiahsecurity.com/blog/key-risk-indicators-explained-part-two/

Tonello, M. (2012). Strategic Risk Management: A Primer for Directors. Retrieved from http://blogs.law.harvard.edu/corpgov/2012/08/23/strategic-risk-management-a-primer-for-directors/

Weller, N. (2018, February 01). COSO Enterprise Risk Management Framework. Association of Chartered Certified Accountants, Technical Articles. Retrieved from http://www. accaglobal.com/us/en/student/exam-support-resources/professional-exams-study-resources/p1/technical-articles/coso-enterprise-risk-management-framework-part-1.html#