Establishing an Enterprise Risk Management (ERM) Framework
Enterprise risk management (ERM) is an ongoing process designed to manage all risks within a firm. The Commission of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
It is important to establish an ERM Framework because it enables a firm to gain a clear view of its overall risk level. Discussed below are the steps that need to be taken to establish an ERM Framework, the potential benefits that can be expected, and the challenges that may be faced.
Process for establishing an ERM Framework
1. Common language around risk
The risk management function (or equivalent) must establish common terminology regarding risk and educate the organization on it. A common definition of risk is: the potential for loss, or the diminished opportunity for gain, which can obstruct the achievement of the firm’s business objectives. Common terminology will facilitate communication across business units.
2. Risk management steering committee
It is important to establish a senior-management-level committee to provide oversight of the implementation of the ERM Framework. In addition, the committee will help delineate the roles and responsibilities within the Framework.
3. Roles and responsibilities
Roles and responsibilities must be clearly defined and understood throughout the organization.
- Board of directors & CEO – have ultimate accountability for all risks. Risk management practices must be discussed periodically and risk management related policies must be reviewed and approved.
- Senior management – design, implement, and maintain an effective Framework. Develop policies and procedures, establish and monitor the risk appetite, and report regularly to the board of directors. Promote a risk-aware culture.
- Business units – identify, assess, measure, monitor, control, and report risks to senior management. Manage relevant risks within the framework established by senior management. Ensure compliance with policies and procedures.
- Support functions (e.g. Legal, HR, IT) – provide support to business units in developing and enforcing policies and procedures.
- Internal Audit & Compliance – monitor and provide independent assurance of the effectiveness of the Framework.
- Risk management – coordinate the establishment of the Framework and provide risk management expertise.
4. ERM methodology
Develop a methodology for the ERM Framework. This should include definitions of key risk terms, descriptions of roles and responsibilities, and clear procedures for risk identification, assessment, measurement, mitigation, monitoring, and reporting.
5. Risk appetite statements
The risk appetite statement is a formally written document that covers all of the key business areas. The document should take into account the firm’s strategic direction and objectives. It should clearly outline the firm’s capacity to take risk and its tolerance for potential loss. In addition, the risk appetite must be regularly reviewed and approved by senior management and the board of directors. (For more information on establishing a risk appetite, refer to the Risk Appetite article.)
6. Risk identification
This can be completed via a risk control self-assessment (RCSA) approach, coordinated by risk management and conducted with subject-matter experts. This method uses a risk taxonomy to identify applicable risks, inherent risk levels, quality of internal controls, and residual risk levels. The process consists of the following steps:
- Identify applicable risks and describe the business activity that exposes the business unit to the risk. This includes credit, market, liquidity, operational, event, and strategic risk.
- Establish the inherent risk level (H, M, L) and typical annual damage. Inherent risk is anything that prevents the achievement of business objectives without consideration of internal controls. Typical annual damage, if applicable, can be estimated based on the subjective judgment of the business unit, with consideration of both past (actual losses) and potential future occurrences.
- Assess and rank the quality of internal controls (H, M, L) and reason for the assessment. Internal controls mitigate the inherent risk and involve the implementation of policies, procedures and standards.
- Calculate the residual risk level (H, M, L), which is the risk that remains after taking into account relevant internal controls. For example, a Medium inherent risk and Low quality of internal controls will result in a High residual risk level.
Note: High, Medium, Low are popular scales in the financial services industry; however, other ranking scales may be used.
Another method of identifying risks is to evaluate all processes within the firm and create a list of potential risk sources (known as Business Process Mapping). This step should be completed by the risk management department in conjunction with knowledgeable and well-seasoned employees of various departments within the firm. This method allows for open communication and discussion and can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. Other techniques include actuarial models, scenario analysis, external data collection, and comparative analysis.
7. Risk prioritization
Using the results of the RCSA for each business unit, prioritize key risks based on the residual risk levels. Discuss all High residual risks with the risk management steering committee and set risk mitigation plans.
8. Risk mitigation plans (RMPs)
RMPs must be established by taking a risk-based approach to address the areas with the greatest control weaknesses and largest potential for loss. Firms will generally run out of resources before they run out of risk; therefore, the High risk items must be given priority. Target completion dates and responsible owners must be selected to facilitate the risk mitigation process.
9. Risk monitoring & reporting
Key risks that were identified must be monitored and periodically reported to senior management and the board of directors.
Establishment of an ERM Framework is not a one-time exercise that only involves a few participants. It is an intensive, dynamic and continuous process that requires firm-wide participation. When implemented successfully, ERM will produce many benefits to the organization. An effective ERM Framework will:
- Allow an organization to gain a clear picture of its overall exposure to risk
- Improve firm-wide understanding of risks and controls
- Reduce operational losses
- Improve the deployment of capital
- Align risk appetite and strategy (business objectives)
- Facilitate board and senior management oversight
- Break down silos between various departments and across all risks (promote transparency)
- Result in a more efficient use of resources
- Improve regulator, rating agency, and shareholder perception
- Enhance internal control
- Promote a culture of risk awareness
After considering the benefits of implementing an ERM Framework, it is surprising to see that only 36% of institutions participating in Deloitte’s Sixth Global Risk Management Survey had an ERM program in place, although 72% reported that the benefits of ERM outweigh the costs.
Enterprise risk management implementation is not considered an easy task. It requires organizational agreement/cooperation and a strong senior management team. Although there are clear benefits to ERM, challenges also exist. By examining some of these challenges, organizations will be better prepared to establish their own enterprise risk management programs. Challenges that an organization might run into include:
- Defining a common risk language
- Demonstrating the benefits/value of ERM (e.g. cultural issues)
- Establishing ownership for particular risks and responses
- Identifying risks and quantifying potential damage
- Prioritizing risks across the organization
- Developing RMPs to ensure the risks are appropriately managed
- Risk reporting: deciding what information should be shared and how
- Ensuring RMPs are carried out
- Formulating the risk appetite statements
- Lack of reliable data & insufficiency of technology (MIS)
COSO: Enterprise Risk Management - Integrated Framework (September 2004)
Deloitte: ERM - Not Just for Big Companies (2009)
Deloitte: Nine principles for building the Risk Intelligent Enterprise (2009)
Deloitte: Global Risk Management Survey (Sixth Edition) - Risk management in the spotlight (2009)
Deloitte: Creating a Risk Intelligent Infrastructure - Getting risk intelligence done (2010)
Institute of Operational Risk: Operational Risk Governance (2010)
PWC: Becoming a risk resilient organization – the 5 continuous stages podcast - Joe Atkinson (2011)
Risk and Insurance Management Society (RIMS): 10 Common ERM Challenges - Jim Negus (2011) http://www.rmmag.com/MGTemplate.cfm?Section=RMMagazine&NavMenuID=128&template=/Magazine/DisplayMagazines.cfm&IssueID=343&AID=4056&Volume=57&ShowArticle=1