Enterprise Risk Management
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies.

ERM frameworks defined

There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities within the internal and external environment facing the enterprise. Management selects a risk response strategy for each specific risk identified and analyzed, which may include:
  1. Avoidance: exiting the activities giving rise to the risk
  2. Reduction: taking action to reduce the likelihood or impact of the risk
  3. Alternative actions: deciding on and considering other feasible steps to minimize the risk
  4. Share or insure: transferring or sharing a portion of the risk in order to finance it
  5. Accept: no action is taken, due to a cost/benefit decision


Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

Casualty Actuarial Society framework

In 2003, the Casualty Actuarial Society (CAS) defined ERM as "the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders." The CAS conceptualized ERM as proceeding across the two dimensions of risk type and risk management process. The risk types and examples include:
Hazard risk: Liability torts, Property damage, Natural catastrophe
Financial risk: Pricing risk, Asset risk, Currency risk, Liquidity risk
Operational risk: Customer satisfaction, Product failure, Integrity, Reputational risk
Strategic risk: Competition, Social trend, Capital availability

The risk management process involves:
  1. Establishing Context: This includes an understanding of the current conditions in which the organization operates, in terms of its internal, external and risk management context.
  2. Identifying Risks: This includes the documentation of the material threats to the organization's achievement of its objectives and the representation of areas the organization may exploit for competitive advantage.
  3. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
  4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization's key performance metrics.
  5. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
  6. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
  7. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.
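The quantification, integration and prioritization steps above (3 to 5) are easier to see with numbers. The following is an added example written for this page, not code from the CAS paper or from any ERM product; the risk names, the lognormal loss parameters and the correlation matrix are constructed for illustration and are not calibrated figures. It simulates correlated annual losses for three risks (one of each of the hazard, financial and operational types listed above), aggregates them, measures the enterprise-wide tail with expected shortfall, and allocates that tail back to each risk so the risks can be ranked by their contribution to the aggregate rather than by their standalone size.

```python
"""Added example (not from the CAS paper or any vendor tool): a small Monte
Carlo that walks through CAS steps 3-5 - quantify each material risk as a
loss distribution, aggregate the distributions while reflecting correlation,
and allocate the aggregate tail back to the individual risks so they can be
prioritised. Only the Python standard library is used.

All risk names, distribution parameters and correlations below are
constructed for illustration; they are not calibrated figures."""

import math
import random

# Step 3: each material risk calibrated as a lognormal annual loss (USD).
# (mu, sigma) are the parameters of log(loss); illustrative values only.
RISKS = {
    "hazard: property damage":       (math.log(2.0e6), 0.6),
    "financial: currency":           (math.log(1.5e6), 0.5),
    "operational: integrity breach": (math.log(0.8e6), 1.1),
}

# Constructed correlation matrix, in the same order as RISKS.
CORRELATION = [
    [1.0, 0.2, 0.1],
    [0.2, 1.0, 0.3],
    [0.1, 0.3, 1.0],
]


def cholesky(matrix):
    """Lower-triangular L with L * L^T == matrix (matrix must be SPD)."""
    n = len(matrix)
    lower = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            acc = matrix[i][j] - sum(lower[i][k] * lower[j][k] for k in range(j))
            if i == j:
                if acc <= 0.0:
                    raise ValueError("matrix is not positive definite")
                lower[i][j] = math.sqrt(acc)
            else:
                lower[i][j] = acc / lower[j][j]
    return lower


def simulate_losses(risks, correlation, trials=20000, seed=1):
    """Return one list of loss samples per risk, correlated via Cholesky."""
    rng = random.Random(seed)
    lower = cholesky(correlation)
    params = list(risks.values())
    n = len(params)
    samples = [[] for _ in range(n)]
    for _ in range(trials):
        indep = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for i, (mu, sigma) in enumerate(params):
            z = sum(lower[i][k] * indep[k] for k in range(i + 1))
            samples[i].append(math.exp(mu + sigma * z))
    return samples


def tail_indices(values, alpha):
    """Indices of the worst ceil((1 - alpha) * n) outcomes."""
    k = max(1, math.ceil((1.0 - alpha) * len(values)))
    order = sorted(range(len(values)), key=values.__getitem__, reverse=True)
    return order[:k]


def expected_shortfall(values, alpha):
    """Mean loss over the worst (1 - alpha) fraction of outcomes."""
    tail = tail_indices(values, alpha)
    return sum(values[i] for i in tail) / len(tail)


def aggregate_and_allocate(risks, correlation, alpha=0.99, **kw):
    """Steps 4-5: aggregate, then allocate the aggregate tail to each risk.

    Returns (aggregate ES, standalone ES per risk, contribution per risk).
    A contribution is E[X_i | aggregate loss in its tail]; contributions sum
    to the aggregate ES, so ranking by contribution prioritises risks on
    their marginal effect on the enterprise-wide tail, not in isolation."""
    names = list(risks)
    samples = simulate_losses(risks, correlation, **kw)
    total = [sum(col) for col in zip(*samples)]
    tail = tail_indices(total, alpha)
    agg_es = sum(total[t] for t in tail) / len(tail)
    standalone = {nm: expected_shortfall(s, alpha) for nm, s in zip(names, samples)}
    contribution = {nm: sum(s[t] for t in tail) / len(tail)
                    for nm, s in zip(names, samples)}
    return agg_es, standalone, contribution


if __name__ == "__main__":
    agg, solo, contrib = aggregate_and_allocate(RISKS, CORRELATION)
    print(f"aggregate 99% ES: {agg:,.0f}")
    print(f"sum of standalone ES: {sum(solo.values()):,.0f} "
          f"(diversification benefit {sum(solo.values()) - agg:,.0f})")
    for nm, c in sorted(contrib.items(), key=lambda kv: -kv[1]):
        print(f"  {nm:32s} contribution {c:,.0f}  standalone {solo[nm]:,.0f}")
```

Ranking by contribution rather than by standalone tail is the substance of step 5: a risk that is large on its own but weakly correlated with the rest of the portfolio adds less to the enterprise-wide tail than its standalone figure suggests. Expected shortfall is used rather than value-at-risk because the sample ES of the sum is never larger than the sum of the sample ESs (the same worst-k outcomes are averaged for every series), so the diversification benefit the script prints cannot go negative, and because the tail-conditional allocation sums exactly to the aggregate ES.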

COSO ERM framework

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as a "…process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The COSO ERM Framework has eight components and four objective categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components (those added relative to the internal control framework are marked) are:
  • Internal Environment
  • Objective Setting (added)
  • Event Identification (added)
  • Risk Assessment
  • Risk Response (added)
  • Control Activities
  • Information and Communication
  • Monitoring

The four objective categories (the category added relative to the internal control framework is marked) are:
  • Strategy (added) - high-level goals, aligned with and supporting the organization's mission
  • Operations - effective and efficient use of resources
  • Financial Reporting - reliability of operational and financial reporting
  • Compliance - compliance with applicable laws and regulations

Goals of an ERM program

Organizations by nature manage risks and have a variety of existing departments or functions ("risk functions") that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively.

Typical risk functions

The primary risk functions in large corporations that may participate in an ERM program typically include:
  • Strategic planning - identifies external threats and competitive opportunities, along with strategic initiatives to address them
  • Marketing - understands the target customer to ensure product/service alignment with customer requirements
  • Compliance & Ethics - monitors compliance with code of conduct and directs fraud investigations
  • Accounting / Financial compliance - directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks
  • Law Department - manages litigation and analyzes emerging legal trends that may impact the organization
  • Insurance - ensures the proper insurance coverage for the organization
  • Treasury - ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
  • Operational Quality Assurance - verifies operational output is within tolerances
  • Operations management - ensures the business runs day-to-day and that related barriers are surfaced for resolution
  • Credit - ensures any credit provided to customers is appropriate to their ability to pay
  • Customer service - ensures customer complaints are handled promptly and root causes are reported to operations for resolution
  • Internal audit - evaluates the effectiveness of each of the above risk functions and recommends improvements

Common challenges in ERM implementation

Various consulting firms offer suggestions for how to implement an ERM program. Common topics and challenges include:
  • Identifying executive sponsors for ERM.
  • Establishing a common risk language or glossary.
  • Describing the entity's risk appetite (i.e., the risks it will and will not take).
  • Identifying and describing the risks in a "risk inventory".
  • Implementing a risk-ranking methodology to prioritize risks within and across functions.
  • Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.
  • Establishing ownership for particular risks and responses.
  • Demonstrating the cost-benefit of the risk management effort.
  • Developing action plans to ensure the risks are appropriately managed.
  • Developing consolidated reporting for various stakeholders.
  • Monitoring the results of actions taken to mitigate risk.
  • Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.
  • Developing a technical ERM framework that enables secure participation by third parties and remote employees.

Internal audit role

In addition to information technology audit, internal auditors play an important role in evaluating the risk management processes of an organization and advocating their continued improvement. However, to preserve its organizational independence and objective judgment, internal audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or for managing the risk management function.

Internal auditors typically perform an annual risk assessment of the enterprise to develop a plan of audit engagements for the upcoming year. In practice this plan is updated at various frequencies. The assessment typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, and the SOX top-down risk assessment), consideration of prior audits, and interviews with a variety of senior management. It is designed to identify audit projects, not to identify, prioritize, and manage risks directly for the enterprise.

Current issues in ERM

The risk management processes of U.S. corporations are under increasing regulatory and private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth and opportunity. Executives struggle with business pressures that may be partly or completely beyond their immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive technology change; geopolitical instabilities; and the rising price of energy.

Sarbanes-Oxley Act requirements

Section 404 of the Sarbanes-Oxley Act of 2002 required U.S. publicly traded corporations to use a control framework in their internal control assessments. Many opted for the COSO Internal Control Framework, which includes a risk assessment element. In addition, new guidance issued by the Securities and Exchange Commission (SEC) and the PCAOB in 2007 placed increasing scrutiny on top-down risk assessment and included a specific requirement to perform a fraud risk assessment. Fraud risk assessments typically involve identifying scenarios of potential (or experienced) fraud, the related exposure to the organization, the related controls, and any action taken as a result.

NYSE corporate governance rules

The New York Stock Exchange requires the Audit Committees of its listed companies to "discuss policies with respect to risk assessment and risk management." The related commentary continues: "While it is the job of the CEO and senior management to assess and manage the company's exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee."

ERM and corporate debt ratings

Standard & Poor's (S&P), the debt rating agency, planned to include a series of questions about risk management in its company evaluation process, rolling out to financial companies in 2007. The results of this inquiry are one of the many factors considered in a debt rating, which has a corresponding impact on the interest rates lenders charge companies for loans or bonds. On May 7, 2008 S&P also announced that it would begin including an ERM assessment in its ratings for non-financial companies starting in 2009, with initial comments in its reports during Q4 2008.

ISO 31000: the new International Risk Management Standard

ISO 31000 is an International Standard for Risk Management which was published on 13 November 2009. An accompanying standard, ISO 31010 - Risk Assessment Techniques, followed soon after (1 December 2009), together with the updated risk management vocabulary, ISO Guide 73.

Casualty Actuarial Society

In 2003, the Enterprise Risk Management Committee of the Casualty Actuarial Society (CAS) issued its overview of ERM. This paper laid out the evolution, rationale, definitions, and frameworks for ERM from the casualty actuarial perspective, and also included a vocabulary, conceptual and technical foundations, actual practice and applications, and case studies.

The CAS has specific stated ERM goals, including being "a leading supplier internationally of educational materials relating to Enterprise Risk Management (ERM) in the property casualty insurance arena," and has sponsored research, development, and training of casualty actuaries in that regard. The CAS has refrained from issuing its own credential; instead, in 2007, the CAS Board decided that the CAS should participate in the initiative to develop a global ERM designation, and make a final decision at some later date.

Society of Actuaries

In 2007, the Society of Actuaries (SOA) developed the Chartered Enterprise Risk Analyst (CERA) credential in response to the growing field of enterprise risk management. This was the first new professional credential to be introduced by the SOA since 1949. A CERA's studies focus on how various risks, including operational, investment, strategic, and reputational, combine to affect organizations. CERAs work in environments beyond insurance, reinsurance and the consulting markets, including broader financial services, energy, transportation, media, technology, manufacturing and healthcare.

It takes approximately three to four years to complete the CERA curriculum, which combines basic actuarial science, ERM principles and a course on professionalism. To earn the CERA credential, candidates must pass five exams, fulfill an educational experience requirement, complete one online course, and attend one in-person course on professionalism. CERAs are members of the Society of Actuaries.

Institute and Faculty of Actuaries

The Institute and Faculty of Actuaries (the merged body formed in 2010 from the Institute of Actuaries and the Faculty of Actuaries) is the professional body representing actuaries in the United Kingdom. In March 2008, Enterprise Risk Management was adopted as one of the six actuarial practice areas, reflecting the increased involvement of actuaries in the ERM field.

A regular newsletter communicates the ongoing work that the profession performs in respect of ERM.

Some of the key areas that the profession works on are summarised below (together with some of the recent outcomes in each area):
  • Education, CPD, Career Support and Development

From April 2010 actuaries were able to study ERM as one of the Specialist Technical Stage exams (ST9), which (with other exam passes) gives candidates the Chartered Enterprise Risk Actuary (CERA) qualification. In July 2010 the first nine actuaries to obtain the CERA qualification were announced. The CERA qualification is offered by 13 participating actuarial associations, with further information available at a global or UK level.

Various events (e.g. networking evenings and webinars) are available to actuaries and other interested parties. The main event is the Risk and Investment Conference, which is often held during the summer months (e.g. the 2011 Risk & Investment Conference). There is also some regularly reviewed material available from the profession which may be of use in developing knowledge of ERM.
  • Research & Thought Leadership

A committee has been established to consider research and thought leadership in the ERM field (including what the "elevator speech" on ERM issues might be, definition of the scope of ERM and demonstration of the value of ERM).

Some areas in which work has been completed include:
  - ERM - A guide to Implementation
  - A survey on actuaries in risk management
  - A suggested common risk classification system for the actuarial profession

Research topics will be categorised and subject to a number of tests before proceeding with the research:
  - enterprise-wide test (not just topic-specific / silo-based)
  - risk management test (management = taking actions, not just modelling)
  - director test (important enough for the Board, not just line managers)
  • Communications & Marketing

Actuaries continue to look to demonstrate and promote the value of actuaries and the CERA qualification in the field of ERM, including through publication of articles in The Actuary.

The Actuarial Profession also liaises with other professions where appropriate, e.g. the Institution of Civil Engineers, on considering ERM in the context of Risk Analysis and Management for Projects (RAMP).

Companies Increasingly Focusing on ERM

It is clear that companies recognize ERM as a critical management issue. This is demonstrated through the prominence assigned to ERM within organizations and the resources devoted to building ERM capabilities. In a 2008 survey by Towers Perrin, at most life insurance companies responsibility for ERM resides within the C-suite. Most often, the chief risk officer (CRO) or the chief financial officer (CFO) is in charge of ERM, and these individuals typically report directly to the chief executive officer. From their vantage point, the CRO and CFO are able to look across the organization and develop a perspective on the risk profile of the firm and how that profile matches its risk appetite. They act as drivers to improve skills, tools and processes for evaluating risks and to weigh various actions to manage those exposures. Companies are also actively enhancing their ERM tools and capabilities. Three quarters of responding companies said they have tools specifically for monitoring and managing enterprise-wide risk. These tools are used primarily for identifying and measuring risk and for management decision making. Respondents also reported that they have made good progress in building their ERM capabilities in certain areas.

In this study, more than 80% of respondents reported that they currently have adequate or better controls in place for most major risks. In addition, about 60% currently have a coordinated process for risk governance and include risk management in decision making to optimize risk-adjusted returns.

In another survey conducted in May and June 2008, against the backdrop of the developing financial crisis, six major findings came to light regarding risk and capital management among insurers worldwide:
  • Embedding ERM is proving to be a significant challenge
  • Company size matters
  • European insurers are better positioned
  • ERM is influencing important strategic decisions
  • Economic capital standards are gaining ground
  • Operational risk remains a weak spot

See also

  • Basel III
  • Benefit risk
  • Cost risk
  • Credit risk
  • Information Quality Management
  • ISO 31000
  • Market risk
  • Operational risk management
  • Optimism bias
  • Risk adjusted return on capital
  • Risk management tools
  • RiskLab
  • RiskAoA
  • ISA 400 Risk Assessments and Internal Control
  • SOX 404 top-down risk assessment
  • Total Security Management


The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.