Risk Treatment
Risk Treatment refers to the systematic approach organizations use to identify, assess, and manage risks to achieve their objectives while maximizing value for stakeholders. In the context of Enterprise Risk Management (ERM), which integrates risk management into corporate governance, organizations actively engage various departments to collectively address risks and seize opportunities. By assessing risks based on their probability and potential impact, companies can prioritize their responses, ensuring that high-risk scenarios receive immediate attention.
The ERM process involves several key functions, including risk identification, analysis, response, and monitoring. It encourages participation from multiple organizational areas such as strategic planning, compliance, operations, and finance, creating a unified framework for managing risk. Effective Risk Treatment not only protects companies from financial and operational setbacks but also enhances their ability to adapt to uncertainties in a dynamic business environment. As businesses face increasing scrutiny from regulatory bodies and stakeholders, the adoption of robust ERM practices has become essential for sustainable growth and resilience.
Enterprise Risk Management (ERM) is an integrated approach to enterprise-wide risk management intended to protect and increase value for all parties with an interest in the organization. The ERM approach engages all levels and departments of a business to identify, evaluate, and monitor risks and to seize opportunities. Given this scope, ERM may constitute an approach to corporate governance as opposed to an isolated and discrete function of an organization. The approach has support from influential parties and is gaining acceptance in the business community.
Keywords Benchmarking; Internal Auditor; Risk Ranking; Sarbanes-Oxley Act; Stakeholders; Value at Risk
Overview
The purpose of an organization can be understood as creating value for all interested parties or stakeholders. These stakeholders are executives, members of the board of directors, shareholders (who may number in the millions), and employees who may number in the thousands; there is much at stake in a business. Risk and reward are fundamental concepts in capital enterprises. Capitalism requires that businesses take risks in their effort to develop and offer valuable products to the markets. As the saying goes, no risk, no reward. However, the existence of risk should not translate into irresponsibility in business affairs or creative paralysis. As the size of a business grows, the frequency and magnitude of the impact of the risks it faces increase. This fact highlights the need for some approach to risk management. Insurance is a critically important component in minimizing the impact of specific events and legal liability. However, enterprise risk management is an active system incorporated into corporate governance across an entire organization in order to manage and even capitalize on risk. The consequences of poor governance and lax risk management became headlines with the WorldCom and Enron scandals at the beginning of the twentieth century. These scandals prompted increased government regulation and underscored the value of effectively managing the risk that stakeholders face.
Every organization, regardless of size, faces risk to some extent or another. The severity of risk is often cast in terms of probability and impact. That is, the degree of risk is a function of the probability that a given event will occur and the severity of the consequences should the event occur. The product of those two factors may be thought of as a risk score. Ideally, a risk with a high probability and high potential damage would be addressed first and with all appropriate care. In practice, this simple idea may become difficult to implement effectively and consistently. To increase overall facility with handling risks, organizations can turn to Enterprise Risk Management (ERM). ERM is a structured and disciplined approach to managing risk that incorporates methods and processes to deal with the risks inherent in the pursuit of an organization's business goals. With an extensive implementation, ERM can serve both as a risk management tool and as a method to capitalize on potential opportunities. ERM may also be described as a management technique that employs the concepts of strategic planning, operations management, and internal company controls. The basic functions, or tasks, of ERM are to identify, analyze, evaluate, respond to, and monitor risks and opportunities.
The Goal
The goal of ERM is to form an integrated and unified approach, or perhaps a holistic approach, that considers all risk. Large organizations typically have several departments that individually identify and manage risks within their particular field of responsibility. In terms of ERM, individual risk areas may sometimes be called "risk functions." The core goal of the ERM is to maximize and coordinate the capabilities of each area in an effort to generate an integrated and unified presentation of risk for stakeholders and to enable the business to more effectively manage risk.
Areas of Participation
There are a number of areas within a large organization that participate in ERM programs. Strategic planning efforts identify external threats and weak points and the methods to appropriately address them. Marketing departments seek to ensure that the products and services offered are in line with customer needs and desires. The compliance and ethics departments join the ERM to ensure conformity with relevant codes of conduct and to direct fraud investigations. The accounting department identifies financial reporting risks that may arise under the Sarbanes-Oxley Act. The legal department manages ongoing litigation and studies trends in the law that may affect the organization. Insurance is integrated to provide the proper coverage for the business's operations and interests. The treasury must be sure that risk related to commodity pricing and foreign exchange fluctuations is covered while being certain the organization has the cash on hand to meet ongoing operations. Quality assurance must monitor output to ensure that it is within tolerance limits. The operations department conducts the daily business and identifies obstacles that may threaten those day-to-day operations. The credit department makes certain that any credit extended to a customer is in accord with the customer's ability to pay. Customer service ensures that complaints are adequately addressed and that the cause for complaint is reported to the operations department. The internal audit department evaluates the effectiveness of each department and recommends improvements. All of these functions are incorporated into the ERM structure.
The Process
The ERM process begins with risk identification. Risk identification should be both creative and well-structured, and it should extend to all risks, whether or not they are within a company's control. This creative, wide-open process may have a tendency to produce a large and unwieldy list. To keep things organized, a computerized risk register is often recommended. Once a list has been created and organized, the cause and effect of each item should be considered and the appropriate experts consulted. Each risk should be assessed to separate minor risks from more serious risks and should be assigned a score. For example, a number from one to ten can be determined for each of the two dimensions: probability and severity. A zero score may mean a risk almost never happens or is of trivial consequence. On the other hand, a score of ten may mean that a particular risk almost always happens or carries potentially catastrophic consequences. These scores can then be multiplied together to generate a final risk score that can be used to communicate the magnitude of impact posed by a risk and the urgency required. The scores, along with a detailed description and evaluation, can be placed in a risk register. That risk register creates a record on which to base future action and strategy. Risk registers should contain a variety of information, including: a reference number, the risk category, the nature and mode of potential occurrence, the risk rank, the priority assigned, the time frame for action, the person responsible for taking action, and the estimated budget for treatment. Communication and consultation with stakeholders is important to the ERM model, and most organizations have a number of stakeholders that could benefit from such information. Indeed, participation of stakeholders is critical to the success of an ERM program, and good communication is important to maintaining interest in the program.
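The scoring and register procedure above, as an added example that is not part of the original article: each risk is scored on the two one-to-ten dimensions, the product is the risk score, and the register is ranked by that score and carries the columns the text lists. The priority bands, time frames, and the five sample risks are constructed assumptions for illustration, not values from the page.

```python
from dataclasses import dataclass, asdict

SCALE_MIN, SCALE_MAX = 1, 10  # the one-to-ten scale the text uses for each dimension


@dataclass(frozen=True)
class Risk:
    """One identified risk with the register fields named in the text."""
    ref: str          # reference number
    category: str     # risk category (the risk function that owns it)
    nature: str       # nature and mode of potential occurrence
    probability: int  # 1 = almost never happens ... 10 = almost always happens
    severity: int     # 1 = trivial consequence ... 10 = catastrophic consequence
    owner: str        # person responsible for taking action
    budget: float     # estimated budget for treatment

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so departments cannot game the ranking.
        for name in ("probability", "severity"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.ref}: {name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")

    def score(self) -> int:
        # The risk score is the product of the two dimensions, as the text describes.
        return self.probability * self.severity


# Assumed priority bands (not from the page): (minimum score, priority, time frame for action).
PRIORITY_BANDS = [(50, "high", "immediate"), (20, "medium", "within 90 days"), (0, "low", "annual review")]


def assign_priority(score: int) -> tuple[str, str]:
    """Map a risk score to the assumed priority label and action time frame."""
    for floor, priority, time_frame in PRIORITY_BANDS:
        if score >= floor:
            return priority, time_frame
    raise AssertionError("unreachable: the band with floor 0 matches every score")


def build_register(risks: list[Risk]) -> list[dict]:
    """Rank risks by descending score and fill in the remaining register columns."""
    ordered = sorted(risks, key=lambda r: (-r.score(), r.ref))  # ties broken by reference number
    register = []
    for rank, risk in enumerate(ordered, start=1):
        priority, time_frame = assign_priority(risk.score())
        row = asdict(risk)
        row.update(score=risk.score(), rank=rank, priority=priority, time_frame=time_frame)
        register.append(row)
    return register


# Constructed sample input: five risks drawn from the risk functions the text names.
SAMPLE_RISKS = [
    Risk("R-001", "accounting", "financial reporting error reportable under Sarbanes-Oxley", 3, 8, "controller", 120_000.0),
    Risk("R-002", "trading", "gap between data warehouse and risk engine hides a rogue trader's positions", 2, 10, "head of TRM", 400_000.0),
    Risk("R-003", "operations", "core system failure with no tested disaster recovery plan", 6, 9, "COO", 250_000.0),
    Risk("R-004", "credit", "credit extended beyond a customer's ability to pay", 7, 4, "credit manager", 30_000.0),
    Risk("R-005", "customer service", "complaint cause never reported back to operations", 8, 2, "service lead", 5_000.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['rank']:>2} {row['ref']} score={row['score']:>3} {row['priority']:<6} "
              f"{row['time_frame']:<14} {row['category']}")
```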
The unification of the various risk functions into a coherent and effective ERM program can raise several challenges and present a daunting and overwhelming task. The most basic place to start when implementing an ERM program is to identify its supporters. Unless an initiative has the support of top management and the CEO, it would be very difficult to get a program off the ground. It may also be difficult for separate units to communicate effectively with one another. Accordingly, a company that wishes to implement an ERM program may consider defining a common risk language or glossary and implementing a risk ranking system to prioritize risk both within and across departments. To address implementation issues related to responsibility, a company may establish a risk committee or a chief risk officer to coordinate activities across functional areas and assign ownership of particular risks and responses.
Applications
A recognized framework for implementing an ERM program is the Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework was first issued over a decade ago as an integrated framework intended to address the need for improved corporate governance. During its development, that need was highlighted by extensive stakeholder loss in such spectacular scandals as Enron and WorldCom, which underscored the need for a robust, integrated framework providing clear guidance and a common language. According to the Committee, the framework has since been incorporated into policy, rules, and regulations that have enabled enterprises to better control their affairs and reach their institutional objectives.
The basic premise underlying ERM is that entities exist to create value for their stakeholders. The COSO framework seeks to maximize value by setting a strategy and objectives that strike the optimal balance between the uncertainty inherent in operations and the entity's risk tolerance, thereby enhancing goal attainment. The COSO risk management approach encompasses: aligning risk tolerance with institutional strategy; enhancing risk response by providing management with the tools to identify and select among alternative risk responses, be it avoidance, reduction, sharing, or acceptance; reducing costs associated with surprises by better predicting events; managing multiple and cross-enterprise risks with orchestrated responses to multiple or interrelated risks; seizing opportunities by considering a range of possibilities; and improving capital allocation with detailed risk information.
The COSO approach underscores fundamental concepts regarding ERM. Those basics are that ERM is a strategic process designed to identify events that will affect the organization at every level and that it involves all personnel in the organization. The process seeks results in separate but overlapping areas, and those results should provide the board of directors and management with reasonable assurance. According to COSO, the ERM process is geared to achieve organizational goals in four categories: strategic, high-level goals; operations, which address the use of resources; reporting; and compliance with laws and regulations. These goals are reached through the application of eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. COSO identifies a direct relationship between objectives and components, represented by a three-dimensional cube that highlights the interrelated nature of each component and objective.
Internal Audit
In conjunction with the COSO release of the ERM Integrated Framework, the Institute of Internal Auditors (IIA) released a position paper discussing the role of the internal auditor in the ERM process. The IIA identified the central role of the internal auditor with respect to ERM as providing objective assurance to the board of directors regarding the effectiveness of the organization in handling key business risks. The IIA regards internal auditing as an independent, objective assurance and consulting function, while objective reporting is the primary value of an auditor from outside the company. Accordingly, the IIA identifies suitable activities for the internal auditor in the ERM process. This is accomplished by advising on the accuracy of the company's risk evaluation, evaluating the ERM processes and the method employed for reporting those risks, and reviewing the management of risk. The IIA considers activities such as facilitating, coaching, coordinating, and developing an ERM framework as appropriate activities for internal auditors. However, the IIA considers setting risk appetite, imposing the ERM process, decision-making, and implementation of risk responses as roles an internal auditor should not undertake.
Credit Reporting
ERM programs have real effects on a business's internal operations and success, as scandals have made clear. The effectiveness of an ERM program also affects a business's ability to raise capital, as reflected in its credit rating. Standard & Poor's (S&P), the financial reporting giant, assesses and scores companies in part based on how they handle risk management. With respect to financial firms, S&P uses a PIM approach to measure a company's risk management efforts. The PIM approach focuses on the quality of company policies, infrastructure, and methodologies related to a firm's trading operation, or trading risk management (TRM). The policy dimension of the evaluation is concerned with the firm's philosophy toward risk as indicated by the organization's appetite for risk and the way it relates to the business strategy. This relationship should reveal a degree of consistency; a mismatch between strategy and risk appetite would indicate a lack of awareness by senior management. Also relevant is whether, and the extent to which, the risk management strategy was championed or monitored by senior management. An evaluation of the organizational and reporting structure and the authority of the risk management function provides clues for addressing, measuring, and reporting the risk information. The policy dimension also evaluates the firm's risk tolerance and senior management's awareness and control of risks as indicated by trading floor limits and the procedure for handling breaches of policy. The third component of the policy dimension has to do with communication and disclosure of information within the firm. The quality of communication is indicated by the focus of internal inquiry discussions with senior management and the board, and by the sophistication of the dissemination of material throughout the firm as evidenced by the depth, clarity, and frequency of risk reports used in the normal course of business.
The S&P TRM evaluation for the infrastructure dimension is concerned with three key aspects of that dimension. The first aspect is the risk architecture and data quality. Factors relevant to this assessment are the integration of data warehouses and risk engines to detect gaps that may be exploited by a rogue trader. Also important is the firm's awareness of events that could cause system failure and a well-articulated disaster recovery plan in the event of massive system failure or terrorist attack. The second aspect of infrastructure is concerned with mid- to back-office operations. S&P looks to operational control in a firm's trading room and the ability to capture complex transactions accurately and provide timely confirmations. The third aspect is concerned with a firm's risk education and training as reflected by the background, experience, and education of the firm's risk management team.
The methodology dimension has to do with the systems in place to address risk within a firm. S&P first looks to whether the risk management tools employed by the firm allow it to identify and integrate the effects of risks. Among other measures, the S&P analysis looks to the widely used industry measure called Value at Risk. Also important is the manner in which the firm calculates credit risk.
Insights
Enterprise risk management, as discussed, is a rigorous approach designed to minimize risk and identify opportunities. While such programs are not yet a part of everyday corporate practice, the approach is gaining in popularity according to recent studies. Of 271 manufacturing, financial services, healthcare, energy, and business and professional services companies surveyed with over $1 billion in revenue, 55 percent report a corporate-board-initiated ERM program. Progress has been made in the early ERM stages involving the creation of risk inventories and assessment methods. Seventy percent of those companies were in North America, and the study revealed that foreign-based companies have developed processes faster. Another study indicated that only one in ten companies has a fully integrated ERM program. Companies report challenges in the communication function and in including employees from all levels of the organization, as opposed to the common practice of involving only top-level personnel (Casale & Norris, 2007).
The increased awareness and adoption of ERM practices in North America has been fueled by the large credit reporting agencies, of which S&P, discussed above, is one of the most important. S&P has found that companies' ERM objectives align well with the factors relevant to a credit evaluation. The risk management component is fundamental to the rating process and influences credit ratings.
S&P has also announced plans to introduce a formal program to evaluate nonfinancial company ERM programs for inclusion into their credit scoring process. Some companies have voiced concerns about how S&P may actually measure and evaluate such non-discrete information. However, S&P will look to company culture, corporate governance practices, risk preparation through on-site observation, discussions with company officials and comparison to peers. S&P will assign categories of weak, adequate, strong or excellent, with the excellent rating indicating a company that optimizes the risk-return relationship and has less volatility in earnings and cash flow.
Conclusion
The push for the development of ERM programs is a recognition of the fact that companies must manage risk and that a comprehensive approach is the best way to do so. The ERM approach is intended to protect and increase value for all parties with an interest in the organization. Accordingly, the ERM approach engages all levels and departments of a business to identify and manage risks and seize opportunities. Given this scope, ERM may constitute an approach to corporate governance as opposed to an isolated and discrete function of an organization. The approach has support from influential parties and is gaining acceptance in the business community. The ERM approach appears poised to be an important area in business management for years to come.
Terms & Concepts
Benchmarking: The use of a standard for comparison.
Internal Auditor: One who provides assurance and consulting services for an organization as an employee. An internal auditor performs financial, compliance, and performance audits; conducts special investigations; or offers consultant support.
Risk Ranking: The severity of a risk determined by the likelihood of occurrence and the severity of the potential consequences.
Sarbanes-Oxley Act: A statute passed by Congress in 2002 in response to the Enron and WorldCom financial scandals. It is designed to protect shareholders from fraudulent practices and accounting errors.
Stakeholders: Refers to any party with an interest in a company and can include employees, executives, shareholders and clients. Compare: Shareholder refers to the holder of an equity interest in a company.
Value at Risk: A widely used financial industry measure of risk in a trading book.
Bibliography
Committee of Sponsoring Organizations of the Treadway Commission (2004, September). Enterprise Risk Management — executive summary. Retrieved January 28, 2008, from http://www.coso.org/Publications/ERM/COSO%5fERM%5fExecutiveSummary.pdf
Enterprise risk management (ERM). (n.d.). Dictionary of Accounting Terms. Retrieved January 29, 2008, from Answers.com Website. http://www.answers.com/topic/enterprise-risk-management
Fernandes, J.B., de Araujo, P.D., & Fernandes, E.B. (2013). Enterprise Risk Management (ERM): A study of ERM implementation levels in Brazilian companies. Review of Business Research, 13(1), 71-76. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=87118284&site=ehost-live
Institute of Internal Auditors. (2004, September). The role of internal auditing in enterprise-wide risk management. Alamonte Springs: FL. Retrieved January 28, 2008, from http://www.theiia.org/download.cfm?file=283
Karlin, B. (2007, Dec/Jan). Sweating out the ERMs. Treasury & Risk, 15. Retrieved January 28, 2008, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=28144191&site=ehost-live
McLeod, J. (2006). Securing your business. Canadian Underwriter, 73(8), 26-28. Retrieved January 28, 2008, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=22096696&site=ehost-live
Panning, W. (2008). Getting a company started on ERM. Best's Review, 108(9), 65-65. Retrieved January 28, 2008, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=28334514&site=ehost-live
Scarlat, E., Chirita, N., & Bradea, I. (2012). Indicators and metrics used in the enterprise risk management (ERM). Economic Computation & Economic Cybernetics Studies & Research, 46(4), 5-18. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=85469423&site=ehost-live
Standard & Poor's, a Division of the McGraw-Hill Companies. (2005, November). Enterprise Risk Management for financial institutions: Rating criteria and best practices. New York: NY. Retrieved January 28, 2008, from http://www.mgt.ncsu.edu/pdfs/erm/sp%5ferm%5fbusdevbk.pdf
Varela-Vaca, A., & Gasca, R.M. (2013). Towards the automatic and optimal selection of risk treatments for business processes using a constraint programming approach. Information & Software Technology, 55(11), 1948-1973. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=90093302&site=ehost-live
Suggested Reading
Casale, J., & Norris, B. (2007). ERM push gaining ground but not yet business as usual: Studies. Business Insurance, 41(47), 32-32. Retrieved January 29, 2008, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=27726631&site=ehost-live
Hershman, R. (2007). On solid ground. Best's Review, 108(7), 102-104. Retrieved January 29, 2008, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=27478431&site=ehost-live
Ingram, D. (2008). Rating risk holistically. Business Finance, 14(1), 37. Retrieved January 29, 2008, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=28399853&site=ehost-live