Enterprise risk management relevance, core elements and implementation


Essay, 2016

6 Pages, Grade: B+


Excerpt


Contents

Introduction

ERM Framework

ERM Implementation

Risk management failures during the financial crisis

Conclusion

References

Introduction

Risk awareness and a strategic view of risk management have proved to be key drivers of long-term results in all types of organizations. In the financial services industry, risk is part of the business, and the importance of reassessing it became evident after the recent financial crisis exposed a weak risk management culture among financial institutions worldwide, including those that called themselves ‘low risk’. Such exposure to risk has mainly been brought about by failures in recognizing and evaluating risks. A risk is anything that can affect a business, institution or individual differently from what was expected, whether that deviation is negative or positive.

Solid risk management links a risk-aware culture to the organization’s strategic objectives, extending responsibilities across the structure and building resilience and continuous improvement. Enterprise risk management (ERM) is a complex system encompassing different actors and levels of an organization, aligning strategic objectives with tactical management and operational processes. ISO 31000, published by the International Organization for Standardization, is a risk management standard providing requirements and directives for ERM application.

This paper outlines the core elements of ERM and the key factors for its successful implementation under the ISO 31000 guide, highlighting the importance of risk culture and analyzing the financial crisis from a risk management viewpoint.

ERM Framework

The ERM framework is the integration of risk management across the strategic, executive and operational levels. To achieve this risk-aware culture, a structure based on risk architecture, risk strategy and risk protocols is designed to support the risk management context. According to AIRMIC, Alarm, IRM (2010), risk architecture specifies roles, responsibilities and communication; risk strategy is defined by the risk appetite, attitude and philosophy, all set out in the risk management policy; and risk protocols are the guidelines for the organization, where its rules, procedures, methodologies and tools are stated. Together these represent the internal arrangements for communication on risk issues.

Risk assessment and risk treatment are the key stages of the risk management process. Risk assessment is the identification and establishment of the organization’s risk exposure, and it requires deep knowledge of the organization’s market and of its legal, social, political and cultural environment. A methodology should be defined in the risk management policy and then applied to the core activities in order to evaluate all the risks intrinsic to those activities and to map the risk exposure of each business area. This exposure should be evaluated in a risk rating matrix, considering first the impact of the risk and then its likelihood; it is important to highlight that the impact of a risk can be financial, operational, regulatory and legal, customer-related or reputational, or a combination of these. This risk analysis facilitates the prioritization of risk controls and improves the effectiveness of their implementation. If a risk is rated higher than the business risk appetite, action has to be taken.

AIRMIC, Alarm, IRM (2010) lists the range of available risk treatments: tolerate, treat, transfer and terminate. ISO 31000 presents risk treatment as the implementation of control measures to modify the risk. Once a high risk is identified for a specific activity, the risk policy defines the action required: if the risk is not transferred through insurance or terminated by ending the process, a control is applied to mitigate it until a tolerable level of risk is reached. In the response decision for each risk, effectiveness is always the key factor, and a comparison of costs and benefits should be made for each of the responses or a combination of them: insurance (transfer), implementation of internal controls (treat), ending of the process (terminate), and risk toleration (tolerate).

A feedback mechanism is also included in ISO 31000 as part of the risk management process. This supports the basic premise that risks are dynamic. A proper monitoring and review system ensures that the organization learns from experience, and communication and consultation reinforce risk management by guaranteeing that the reviewed controls remain effective and applicable in the regulatory and market context.

ERM Implementation

The success of an ERM involves not just consistent strategic alignment but also management’s ability to direct the organization’s limited resources to the most important issues (PwC, 2015). From the start of the implementation, the planning and design step should include details of the risk architecture, strategy and protocols. AIRMIC, Alarm, IRM (2010, Table 2 p.10) state that a risk management policy should include: risk management and internal control objectives (governance); a statement of the attitude of the organization to risk (risk strategy); a description of the risk-aware culture or control environment; the level and nature of risk that is acceptable (risk appetite); risk management organization and arrangements (risk architecture); details of procedures for risk recognition and ranking (risk protocols); risk mitigation requirements and control mechanisms (risk response); allocation of risk management roles and responsibilities; risk management training topics and priorities; criteria for monitoring and benchmarking of risks; allocation of appropriate resources to risk management; and risk activities and risk priorities for the coming year.

A risk management policy can become misaligned and outdated if there is not the appropriate mandate and commitment from the Board; it should be updated frequently to reflect the current strategic objectives and the future business environment. Risk management responsibilities need to be allocated widely, including: individual employees, who should understand, co-operate with and report on the implementation, loss events, near misses and risk management processes; and unit managers, who should build a risk-aware culture, agree on performance targets and keep procedures and controls up to date (AIRMIC, Alarm, IRM, 2010).

Risk assessment is required to provide the base information for the decision-making process, including risk drivers, consequences and interrelationships. It will also identify the most appropriate risk classification system under a risk rating matrix. AIRMIC, Alarm, IRM (2010) mention the following risk assessment techniques: questionnaires and checklists; workshops and brainstorming; inspections and audits; flowcharts and dependency analysis; Hazard and Operability studies (HAZOP) and Failure Modes and Effects Analysis (FMEA); and Strengths, Weaknesses, Opportunities, Threats (SWOT) and Political, Economic, Social, Technological, Legal, Environmental (PESTLE) analyses. The risk appetite and tolerance should be set specifically according to the business activities and context, recognizing the complexity of risk and the core elements of each business unit, and driving resource allocation adequately.

It is important to set up an accessible tool in which all the data is compiled in order to provide measures and monitoring reports, including details of the controls, planned reviews, events and the risk owner in each unit. This helps develop the understanding of how individual and aggregate risks affect the business, allows effective monitoring of the existing controls and supports the implementation of additional ones, as well as the evaluation of the risk-aware culture, in which eventual changes in the organization and the external business environment must be identified, driving the modification of existing procedures. Learning and reporting are part of the risk management process and, according to AIRMIC, Alarm, IRM (2010), in order to learn from experience, evaluations of risk performance and measures of its contribution are required, allowing the organization to improve the risk management process and framework.

The risk culture is associated with the idea of a ‘control environment’ and is a mix of formal and informal processes aimed at the perception of risk taking and its mitigation, including even small behaviours and habits. A successful ERM implementation involves the whole organization, increasing the footprint of risk management and providing the appropriate flow of information. Ashby et al. (2012) outlined that all the organizations are concerned with breaking down silos and promoting risk information sharing, transforming it into internal knowledge shared via a data repository. This collaborative network works as the organization’s first line of defence, spreading awareness for the recognition and analysis of risk and engagement in risk management.

Risk management failures during the financial crisis

It is undeniable that lapses in risk management played a key role in the recent financial crisis, and their costs were very high. Problems related to corporate governance and internal managerial conflicts, as well as credit policies and a capital structure with a short-term focus, are outlined as the main breakdowns from a risk management perspective.

The control systems proved unable to tell whether a financial manager was generating true excess returns for the risk taken, or whether the current returns were compensation for risk that had not been measured (Kashyap, 2010). These high-return products, despite their risk, were incentivized among traders by generous performance-based bonuses, exploiting deficiencies in the internal risk measurement system.

The President’s Working Group on Financial Markets (2008) cited “risk management weaknesses at some U.S. and European financial institutions” as one of “the principal underlying causes of the turmoil in financial markets”. It also argued that “firms that suffered significant losses tended to exhibit the following risk management weaknesses: (a) weak controls over potential balance sheet growth, including ineffective limits on the growth of business lines and poor monitoring of off-balance sheet exposures; (b) inadequate communications among senior management, business lines, and risk management functions.”

Conclusion

For a successful ERM implementation, a strict analysis of the organization chart has to be done, describing very specifically the roles and their respective risk exposures through the qualification of the impact and likelihood of each risk, the specification of its risk owner, and the definition of the reporting structure. Strategically, the risk management policy should be integrated with the organization’s objectives, considering its complexity and stating the risk appetite and philosophy. On the other hand, it is in operations that the main breakdowns occur: a solid base built on procedures, controls, assessment and review spreads risk ownership across the whole company, promoting a risk-aware environment and making it possible for the feedback and review flow to be continuous and integrated into operations, in association with the development of a risk culture that carries the relevant perception of risk taking and a focus on its mitigation.


References

AIRMIC, Alarm, IRM (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000.

Ashby, Simon, Palermo, Tommaso, and Power, Michael (2012). Risk culture in financial organisations: an interim report. Centre for Analysis of Risk and Regulation and the University of Plymouth, London, UK. Available at: http://eprints.lse.ac.uk/47488/1/Risk%20culture%20in%20financial%20organisations%28published%29.pdf

ISO 31000 (2009). Risk management – Principles and guidelines. International Organization for Standardization. Provides principles, a framework and a process for managing risk.

Kashyap, Anil K. (2010). Lessons from the Financial Crisis for Risk Management. University of Chicago, Booth School of Business and NBER.

President’s Working Group on Financial Markets (2008). Policy Statement on Financial Market Developments. US Treasury. Available at: http://treas.gov/press/releases/reports/pwgpolicystatemktturmoil_03122008.pdf

PwC (2015). How ERM programs evolve. How to achieve excellent Enterprise Risk Management series, Article 3: June 2015.

PwC (2015). The alignment challenge – How strategic is your ERM program. How to achieve excellent Enterprise Risk Management series, Article 2: April 2015.


Details

Title: Enterprise risk management relevance, core elements and implementation
College: University College Dublin (Institute of Banking)
Course: MSc Financial Services
Grade: B+
Author: Vinicius Mendes
Year: 2016
Pages: 6
Catalog Number: V353843
ISBN (eBook): 9783668401372
ISBN (Book): 9783668401389
File size: 953 KB
Language: English
Keywords: ERM Framework, Risk Management, ISO 31000
Quote paper: Vinicius Mendes (Author), 2016, Enterprise risk management relevance, core elements and implementation, Munich, GRIN Verlag, https://www.grin.com/document/353843
