Q&A on Enterprise Risk Management Concept

What is ERM?

ERM, or Enterprise Risk Management, is a systematic approach to identifying and addressing potential events that could pose a risk to an organization's strategic objectives or opportunities for competitive advantage. It is a multidimensional and ongoing process that is primarily managed by the company's board of directors at a senior level and is used to create a culture of risk awareness among employees. Effective risk management is an essential element of strategic management and should be integrated into ongoing business activities. Two widely recognized frameworks for ERM are the Committee of Sponsoring Organizations of the Treadway Commission (COSO) "ERM - Integrated Framework" and the guidance developed by The Association of Insurance and Risk Managers in Industry and Commerce (AIRMIC) and The Institute of Risk Management (IRM) - "A structured approach to ERM and the requirements of ISO 31000". In ERM, top-level management makes decisions regarding risk management, rather than individual units. A Chief Risk Officer (CRO) is typically appointed to identify and analyse risk factors and ensure compliance with ERM frameworks and guidelines, such as ISO 31000. The CRO works with the board of directors to consider, analyse and provide solutions to risks, while other departments like finance are not directly involved in the decision-making process.

What is an enterprise risk management framework?

An enterprise risk management framework refers to a structured set of guidelines that organizations use to manage risk reporting procedures. Examples of such frameworks include ISO 31000, the Sarbanes-Oxley Act, corporate governance codes, and the COSO frameworks I and II, which were developed by the Committee of Sponsoring Organizations.

How to implement enterprise risk management?

The steps to implement Enterprise Risk Management (ERM) in an organization include establishing ERM objectives, identifying stakeholders, evaluating and assessing risks, developing a risk register, and monitoring and controlling any deviations.

How frequently is the enterprise risk management framework reviewed?

The frequency at which an enterprise risk management (ERM) framework is reviewed can vary depending on several factors, such as the size and complexity of the organization, the nature of its business activities, and the regulatory requirements applicable to it.

In general, it is good practice for organizations to periodically review their ERM frameworks to ensure that they remain effective and relevant. The frequency of these reviews may range from annually to every few years, and may be driven by internal factors (such as changes in the organization's strategy or risk profile) or external factors (such as changes in regulatory requirements or market conditions).

Some organizations may also choose to conduct interim reviews of their ERM frameworks in response to significant events or changes, such as mergers and acquisitions, major capital investments, or the introduction of new products or services.

Ultimately, the frequency of ERM framework reviews should be determined based on the specific needs and circumstances of the organization, with a view to ensuring that its risk management practices remain robust and effective in addressing the risks that it faces.

What is Risk Owner?

A risk owner refers to a person who bears the responsibility of overseeing recognized hazards in a project or operation and creating plans to control them. Risk owners need to have a comprehensive understanding of the hazards, encompassing their origins, triggers, and impacts. Moreover, they should possess the ability to avert or minimize risks with efficiency. In certain situations, a risk owner may have limited responsibility and only manage a single risk or a particular set of risks.

What are the duties of risk owners?

Risk owners typically have the following primary duties:

• Evaluate and keep an eye on identified risks.
• Express the origins and consequences of risks in risk statements.
• Specify measures for risk tolerance.
• Create plans for reducing risks.
• Support risk managers in carrying out risk reduction plans.
• Conduct regular assessments of the company's environment to detect new risks.

What is the difference between a Risk Owner and a Risk Manager?

In enterprise risk management (ERM), the roles of risk manager and risk owner are different and complementary. Here are some of the key differences between the two roles:

• Definition of risk: The risk owner is responsible for identifying and defining a specific risk, whereas the risk manager is responsible for managing the overall risk management program across the organization.
• Scope of work: The risk owner's scope of work is limited to the specific risk or risks that they are accountable for, while the risk manager's scope of work encompasses the entire risk profile of the organization.
• Strategy development: The risk owner is responsible for developing risk mitigation strategies for their specific risk, while the risk manager develops and implements risk management policies, procedures, and processes for the entire organization.
• Accountability: The risk owner is accountable for the implementation of risk mitigation strategies for their specific risk, while the risk manager is accountable for the effectiveness of the overall risk management program.
• Reporting: The risk owner reports updates on their specific risk to the risk manager, while the risk manager consolidates and communicates risk information to senior management and the board of directors.

In summary, the risk owner is responsible for a specific risk, while the risk manager oversees the overall risk management program for the organization. While their roles are different, they are complementary and work together to ensure that risks are effectively identified and managed across the organization.

What constitutes the fundamental components of an Enterprise Risk Management Process?

Objective/Strategy Setting: During the stage of defining strategy and objectives, the ERM process will analyse the components that add value to a company. For instance, in the case of Tesla, which is a publicly traded firm with two main segments - automotive and energy generation, these components might involve the company's competitive advantages, innovative strategic endeavours, important product offerings, or possible mergers and acquisitions.

• Risk Identification: After identifying the key drivers, the ERM process proceeds to identify risks that could potentially impede the success of each driver.
• Risk Assessment: The risks are then assessed from a cross-departmental perspective in the risk assessment phase.
• Risk Response: After upper management has discussed and acknowledged the potential risks, executives will determine an optimal risk response strategy.
• Communication and Monitoring: Finally, upper management will use key risk indicators, as deemed appropriate by the organization, to measure, monitor, and communicate the effectiveness of the risk response strategies.

What are the risk response strategies used in Enterprise Risk Management?

To address risks that have been identified, management typically chooses one of the following five risk response strategies:

• Risk avoidance: This involves eliminating risks or activities that could have a negative impact on the organization's assets. For instance, management may cancel or suspend a proposed production or product line.
• Risk reduction: This strategy involves reducing the severity of potential losses. For example, management can accomplish this by regularly visiting major suppliers to identify potential issues early.
• Alternative actions: This strategy involves considering other ways to reduce risks.
• Risk transfer: This strategy involves transferring risks to third parties such as insurance agencies. For instance, a business might purchase an insurance policy to cover unexpected losses.
• Risk acceptance: This strategy involves acknowledging identified risks and being willing to accept the consequences. Any loss resulting from a risk that was not avoided or covered falls under the category of risk acceptance.

What are the different categories of risks?

• Financial Risks: Financial risks pertain to the potential dangers associated with capital or money. A company's objectives cannot be effectively achieved without a steady flow of capital. Therefore, finance plays a crucial role in enhancing the potential growth of a firm. Financial risks encompass various factors such as interest rates, cash flow, inflation, and asset values.
• Hazard Risks: Hazard risks are directly linked to the health and safety of both employees and customers. Therefore, it is crucial to diligently monitor and manage these risks to safeguard the interest of individuals involved. Examples of hazard risks include fire and property damage, adverse weather conditions, theft, and criminal activities.
• Compliance Risks: Compliance risks are associated with legal matters. Any violation or criminal activity related to government regulations can lead to compliance risks. These risks may involve negative environmental impacts, insider trading, and legal offenses.
• Strategic Risks: Strategic risks emerge from factors such as changing consumer demands and increased competition. Ignoring these risks can result in significant losses for a firm. Examples of strategic risks include damage to reputation, entrance of new competitors, shifts in social trends, technological advancements, and other similar factors.
• Operational Risks: Operational risks primarily arise from internal factors and decisions within a firm. They are related to potential disruptions in day-to-day operations. Examples of operational risks include issues with product development, changes in the business cycle, and shifts in operational leadership.

What is the difference between Risk Tolerance and Risk Appetite?

Risk Tolerance refers to the level of risk that an organization is willing to accept on an individual risk basis. It involves the acceptance of potential outcomes should a risk materialize, as well as having appropriate resources and controls in place to manage or "tolerate" that specific risk. Risk tolerance is typically expressed through qualitative and/or quantitative criteria.

On the other hand, Risk Appetite refers to the overall amount of risk that an organization is willing to assume within a given risk profile. It is a broader measure of the organization's capacity to handle risk and is often expressed in aggregate terms. Risk appetite is closely related to the long-term strategic goals of the organization and the available resources needed to achieve those objectives. It is typically expressed through quantitative criteria.

In summary, risk appetite represents the general level of risk that an organization is willing to accept, while risk tolerance is more granular, influencing the acceptance of individual risks.

Here are a few definitions from ISO Guide 73, Risk Management - Vocabulary

• Risk attitude: Organization’s approach to assess and eventually pursue, retain, take, or turn away from risk.
• Level of risk: Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
• Risk criteria: Terms of reference against which the significance of a risk is evaluated.
• Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
• Risk appetite: Amount and type of risk that an organization is willing to pursue or retain.
• Risk tolerance: Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.

What are Pros and Cons of implementing ERM practices?

Pros

• Enhanced Preparedness: Implementing ERM practices can improve a company's readiness to handle risks and uncertainties, allowing for proactive measures to be taken.
• Employee Satisfaction: ERM practices can instil a sense of security among employees about the future state of the company, leading to increased satisfaction and morale.
• Improved Customer Service: By being well-prepared for potential situations, companies can deliver better customer service, enhancing their reputation and customer loyalty.
• Enhanced Decision-Making: Effective ERM practices enable efficient reporting to upper management, providing valuable insights for informed decision-making.
• Streamlined Operations: ERM can contribute to more efficient company-wide operations by identifying potential bottlenecks and streamlining processes.

Cons

• Risk Identification Limitations: ERM practices may not always accurately identify all the risks that a company is likely to experience, leaving room for unforeseen risks to emerge.
• Assessment Accuracy: ERM may struggle to accurately assess the financial impact or likelihood of certain outcomes, potentially leading to misjudgements in risk evaluation.
• Resource Investment: Implementing ERM often requires significant investments of time and capital from a company in order to be successful, which may pose challenges for smaller organizations or those with limited resources.

Note: It is important to acknowledge that the pros and cons mentioned above are general observations and can vary depending on the specific context and implementation of ERM practices.

The author, Tarandeep Singh is a Chartered Accountant with over 13 years of experience in internal audit.