Enterprise risk management (ERM) is an evolving discipline that companies use to ensure that risk management becomes pervasive throughout the organization. It essentially “enshrines the notion of risk” within the management function, so that ongoing decisions and planning are made with an awareness and appreciation of the risks involved. With a systematic and structured risk management approach in place, a company can be confident that its business activities fall within its risk “appetite” or profile, and that risk mitigation plans have been carefully considered and put into action. Without risk management, a company will almost certainly be exposed to undue risks and unforeseen events.
As with any significant program or project, an ERM program must begin with the buy-in, support and participation of senior management if it is to succeed. The proper “tone at the top” is needed to give the project the requisite energy, planning and importance. Furthermore, senior management typically controls, or participates in, key programs such as strategic planning and investment decisions that link directly into risk management.
The Key services section of this website identifies the key components of an ERM program. These components are taken from the 2004 COSO Enterprise Risk Management – Integrated Framework (COSO is the Committee of Sponsoring Organizations of the Treadway Commission), which has become the benchmark for ERM. Although the COSO framework may not fit perfectly in every situation, it provides the tools needed for success, and reviews of successful ERM programs at various companies almost always refer back to this model. As a result, Edelkoort Smethurst Schein CPA’s LLP uses the COSO ERM framework as a general guideline when supporting companies with their ERM projects.
Enterprise Risk Management
The COSO framework is geared to achieving an entity’s objectives, which it groups into four categories:
- Strategic – high-level goals, aligned with and supporting its mission
- Operations – effective and efficient use of its resources
- Reporting – reliability of reporting
- Compliance – compliance with applicable laws and regulations
This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories (a particular objective can fall into more than one category) address different entity needs and may be the direct responsibility of different executives. The categorization also allows distinctions between what can be expected from each category of objectives. Some entities use an additional category, safeguarding of resources.

Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity’s control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic and operations objectives, however, is subject to external events not always within the entity’s control; for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware in a timely manner of the extent to which the entity is moving toward achieving them.
Enterprise risk management consists of eight interrelated components:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring
Internal Environment
The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people, including the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. This is the proverbial “tone at the top”. The best way to review it is to meet with senior management and discuss the objectives set by the board of directors or the owners. Ideally the risk management philosophy and risk appetite will have been explicitly stated; if not, a review of the overall business objectives and governance policies provides the basis for this assessment.
Objective Setting
Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has a process in place to set objectives, and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite. In other words, objectives must be compared on an ongoing basis against the risk associated with new projects, changing market conditions and so on. The question then is how to estimate that risk. Financial theory offers numerous models, such as the Capital Asset Pricing Model (CAPM), that estimate risk. These complex models may be applicable in some instances, but a more straightforward approach is to determine the degree of earnings stability or volatility that is acceptable (based on objectives and previous earnings history) and to ensure that new projects fall within that range.
Event Identification
Internal and external events affecting the achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes. The best way to approach this is to review each facet of the business against a prescribed template listing the risks to be considered. A template of this kind helps ensure that the review is comprehensive and that known categories of risk are not overlooked; it cannot guarantee that every possible eventuality has been identified, so the template itself should be revisited as the business and its environment change.
Risk Assessment
Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on both an inherent and a residual basis. Inherent risk is the risk that flows directly from an event before any risk response is taken into account, whereas residual risk is the risk that remains after the chosen responses have been applied. For example, disruption of critical supplies of raw material may disrupt operations, with a direct, measurable impact (the inherent risk), but the risk can be reduced by maintaining two suppliers. The residual risk is the much smaller chance that both suppliers fail to deliver at the same time; that chance is only small if the two suppliers do not depend on the same upstream source, since otherwise their failures are correlated. Likelihoods are usually estimated from historical trends, which means they are least reliable for events that have not yet occurred.
Risk Response
Management selects risk responses (avoiding, accepting, reducing or sharing the risk) and develops a set of actions to align risks with the entity’s risk tolerances and risk appetite. This ensures that the business has an appropriate management plan in place for each identified risk.
Control Activities
Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out. In other words, there must be a procedure, and continual follow-up, for each response. That follow-up can, for example, be a standing item on a weekly or monthly management meeting agenda.
Information and Communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity. This aspect is very important: the risk function must not operate in isolation, and risk awareness must be communicated and ingrained throughout the organization as appropriate.
Monitoring
The entirety of enterprise risk management is monitored and modified as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Many companies have a senior risk management function that reports directly to the President, giving the position the proper level of authority. By adhering to a structured monitoring and review program, the company has constant visibility into the risks associated with the various aspects of the business and into how they are being managed.
There is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted as a three-dimensional matrix in the form of a cube: the four objective categories form one dimension, the eight components a second, and the entity’s units (entity level, division, business unit and subsidiary) the third.
Determining whether an entity’s enterprise risk management is “effective” is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. Thus, the components are also criteria for effective enterprise risk management. For the components to be present and functioning properly there can be no material weaknesses, and risk needs to have been brought within the entity’s risk appetite. When enterprise risk management is determined to be effective in each of the four categories of objectives, respectively, the board of directors and management have reasonable assurance that they understand the extent to which the entity’s strategic and operations objectives are being achieved, and that the entity’s reporting is reliable and applicable laws and regulations are being complied with.
The eight components will not function identically in every entity. Application in small and mid-size entities, for example, may be less formal and less structured. Nonetheless, small entities still can have effective enterprise risk management, as long as each of the components is present and functioning properly.
Feel free to call for a consultation about Risk Advisory services.