In order to sufficiently manage key industry and business-specific risks, organizations must utilize a formal, repeatable risk assessment process when making major business decisions. If not, significant risks may not be identified during decision making, planning and implementation phases of critical business initiatives. Alternatively, for the risks that are identified, ad hoc approaches to mitigating the risks may be utilized, resulting in gaps in risk coverage and, at other times, duplication of effort.
Research indicates a number of mature organizations use risk steering committees at the corporate level to address risk management program gaps. With accountability to the board of directors, a risk steering committee commissions an in-depth enterprise risk assessment across the entire company to assess current key business risks and control status, as well as establish recommendations for remediation.
This article focuses on providing insight and direction to executive management teams, to help evaluate and improve upon their organization’s risk management framework. Many companies have initiated efforts to improve their company-wide approach to managing risk, commonly referred to as enterprise risk management (ERM).
According to COSO, “ERM is a process that is affected by an entity’s board of directors, management and other personnel, and applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, to manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.”
ERM Strategy & Implementation
Many organizations that have recognized the need for an ERM program have proceeded to implement various ERM elements without a clear ERM strategy and implementation plan. An ERM strategy and implementation plan should be guided by the expected benefits and business case for the program. A clear articulation of expected benefits will enable an organization to develop appropriate timelines, budgets and metrics. Companies that skip the strategy development process tend to use a haphazard approach to ERM implementation, leading to a program that may not be sustainable or won’t achieve the desired benefits.
An effective ERM program should be based upon one or more of the following elements:
Avoidance Of Critical Risks: ERM can enable an organization’s senior executives and the board to focus on important prospective issues rather than reacting to unexpected risks. Industry-specific risks can actively be identified and resources allocated to manage the most critical risks. Furthermore, modeling and discussing the correlation between risk factors and business objectives can assist senior management and the board in understanding the nature of risk in their business, enhancing their ability to make strategic choices and to maintain the organization’s risk profile within acceptable limits. This is a particularly powerful driver for an organization with critical risks that are not being managed effectively.
Meeting Regulatory Requirements: An effective ERM program can lead to formal or informal favorable treatment by applicable regulators through decreased oversight or greater flexibility with capital requirements, product offerings or access to emerging markets.
Managing The Cost Of Risk Management Activities: A common framework and organization structure — including standardized processes, methods, tools to address regulatory requirements and coordination of overlapping risk management activities — can provide substantial savings over the cost of multiple stand-alone responses and solutions.
Increasing Speed To Market For New Products & Services: An effective ERM program can actually shorten time to market with new products and services by accelerating an organization’s ability to identify and address risk issues for new products and services.
Improved Pricing For Risk: Enhanced risk identification and assessment capabilities can provide front-line managers with the information necessary to effectively assess risk and therefore accurately price the risks associated with current or future products or services.
Lower Requirement For Overall Economic Capital: A better understanding of risk across a firm enables a more thorough understanding of the capital required to support a given risk tolerance — for example, target credit rating or solvency risk — thereby allowing more effective allocation of capital across initiatives and business units, as well as potentially reducing overall capital requirements. This will become increasingly more critical to an organization’s success as it expands its business model.
Organizations should identify the desired business benefits of their ERM program before developing a strategy and detailed implementation plan. Articulating the business objectives and desired benefits will guide the allocation of resources (including people, management time and budget) to the effort. Finally, the program should be measured over time to determine that progress is being made both on specific key risks and on overall risk management program maturity.
The ERM Committee
Business units and specific functions have long been responsible for managing risks in their respective areas. However, many risks cut across different businesses, geographies, customer segments and functions. Organizations should create an ERM committee (ERMC) to re-evaluate the role, functions and meaning of ERM in the organization. Additionally, the committee supports the Chief Risk Officer function as it executes its roles and responsibilities.
Through standardized practices of risk identification, assessment, reporting and management, the committee shall support the efforts of the organization’s leadership to execute its business plans successfully. When necessary, the committee will escalate to executive staff the overall level of risk taking and risk mitigation, and bring forward emerging risks that may have a current or future high-materiality impact on the organization. The committee will also identify and help influence opportunities for collaboration on similar key risks across the company and its business units.
It is neither the purpose nor duty of the committee to manage risks for individual business units, nor to make decisions about which projects should be accepted or rejected. The ultimate purpose of the committee should be to guide the company in becoming an effective, risk-intelligent organization.
Roles & Responsibilities
The role of the committee shall be to establish and manage enterprise risk standards, review identified risks and risk management capabilities, provide consultative advice to risk councils and owners, review and support company-wide investments and communications regarding risk training, and escalate risk findings to executive management. The committee shall:
A. Champion and support an ERM framework to enable business units and corporate functions to:
- Identify key and emerging risks.
- Set risk tolerance levels.
- Mitigate key risks.
- Communicate key risks and plans to mitigate those risks to the committee.
- Enhance the strategic planning process.
B. Invite cross-functional councils and risk owners to participate and present at meetings, and review programs and plans.
C. Evaluate and support investments in company-wide risk management trainings and/or communications.
D. Communicate risk matters to executive management as necessary, to enable execution of the company’s strategic objectives and business plans.
The committee shall have adequate access to the organization’s executives in order to fulfill its role and undertake its duties, the authority to establish a common risk framework across the organization, and the right to receive from business units and corporate risk functions reports on material exposures that use this framework and its associated metrics. The committee will require business units to escalate large exposures for review and potential management, and has the authority to assign ownership for newly identified corporate risks, identify subject matter specialists to support the assessment and management of key risks, and establish appropriate reporting requirements.
Membership of the committee shall consist of a core team, who shall be present at all meetings, and extended members — the extended team — with expertise appropriate to the subject matter being discussed at a particular meeting.
The core team may include the Chief Financial Officer (CFO), who may also serve as committee chair; senior-level representation from general counsel, human resources and treasury; the head of corporate ERM, who may also serve as committee secretary; the business unit head of ERM; and the VP of internal audit in an advisory, non-voting capacity.
The extended team shall include each business unit’s CFO, VP of legal affairs/regulatory, VP of technology, VP of human resources, business unit head of internal audit (in an advisory capacity) and a designated member of the business unit’s executive management team or delegate.
The committee shall meet as deemed necessary by any core member. Four of seven core ERMC members shall form the quorum for all meetings.
The secretary shall maintain minutes for all meetings and circulate the minutes to all sitting committee members at the subsequent meeting. Meetings will cover one or more of the following:
- Business unit and/or corporate heat map.
- Review and discussion of a business unit and/or corporate key or emerging risk.
- Evaluation of risk in context of aggregate company risk exposure.
- Risk mitigation plans and tolerance levels.
- Discussion on whether risk tolerance levels require escalation to executive staff.
- Changes/enhancements to enterprise risk management framework.
- Investments in company-wide risk training and communications.
The committee shall report its activities to executive management through the committee chair and audit committee at least annually.
Roles Of Company Risk Stakeholders
In addition to the core members of the committee, the following groups play a critical role in ERM.
Business unit leadership shall:
- Ensure completion of an enterprise risk assessment in accordance with the ERM framework as set forth by the ERMC.
- Identify and allocate resources to individual risk owners based on business unit and risk owners’ assessment of investment to achieve desired target state and aggregate business unit risk tolerance.
- Continuously track existing and emerging risks that may impact their strategic objectives.
- Approve risk tolerance or mitigation plans for individual risk owners within its business unit.
- Carry out appropriate mitigation plans in accordance with commitments.
- Ensure key risks are clearly understood and quantified.
Business unit risk owners shall:
- Determine requirements for risk mitigation and risk tolerance, and seek appropriate resources.
- Share mitigation plans, acceptable tolerance level and target state for plans (with assistance from the ERMC team as necessary) with business unit executive/management team.
ERM teams shall:
- Assist the business unit risk owner in identifying and quantifying risk in the context of the aggregate business unit risk.
- Assist the business unit risk owner in preparing to report to its business unit executive management team and to the ERMC.
- Advise the ERMC of concerns related to individual and aggregate risk exposure.
- Formulate the ERM program framework, vision and mission.
- Coordinate and facilitate annual enterprise risk assessments.
- Collate the aggregate corporate risk exposure overview and share it with the ERMC.
- Perform such duties as directed by the committee.
Executive staff shall:
- Review risks escalated to them by the chair of the committee, determine acceptability of tolerance/exposure presented and act as deemed appropriate.
Risk is unavoidable and is present in all parts of an organization. ERM allows for a comprehensive approach to risks so they are no longer managed in department silos. The use of an ERMC team and the guidelines presented in this article will help to coordinate all of the necessary players and ensure that an effective ERM capability is implemented.