Enterprise risk management

Last updated

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (threats and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

Contents

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, data protection and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.

According to Thomas Stanton of Johns Hopkins University, the point of enterprise risk management is not to create more bureaucracy, but to facilitate discussion on what the really big risks are. [1]

ERM frameworks defined

There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:

  1. Avoidance: exiting the activities giving rise to risk
  2. Reduction: taking action to reduce the likelihood or impact related to the risk
  3. Alternative Actions: deciding and considering other feasible steps to minimize risks
  4. Share or Insure: transferring or sharing a portion of the risk, to finance it
  5. Accept: no action is taken, due to a cost/benefit decision

Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

Casualty Actuarial Society framework

In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders." [2] The CAS conceptualized ERM as proceeding across the two dimensions of risk type and risk management processes. [2] The risk types and examples include: [3]

Hazard risk
Liability torts, Property damage, Natural catastrophe
Financial risk
Pricing risk, Asset risk, Currency risk, Liquidity risk
Operational risk
Customer satisfaction, Product failure, Integrity, Reputational risk; Internal Poaching; Knowledge drain
Strategic risks
Competition, Social trend, Capital availability

The risk management process involves: [4]

  1. Establishing Context: This includes an understanding of the current conditions in which the organization operates on an internal, external and risk management context.
  2. Identifying Risks: This includes the documentation of the material threats to the organization's achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage.
  3. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
  4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization's key performance metrics.
  5. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
  6. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
  7. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.

COSO ERM framework

The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 (New edition COSO ERM 2017 is not Mentioned and the 2004 version is outdated) defines ERM as a "…process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." [5]

The COSO ERM Framework has eight components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components are:

The four objectives categories - additional components highlighted - are:

ISO 31000: the new International Risk Management Standard

ISO 31000 is an International Standard for Risk Management which was published on 13 November 2009, and updated in 2018. An accompanying standard, ISO 31010 - Risk Assessment Techniques, soon followed publication (December 1, 2009) together with the updated Risk Management vocabulary ISO Guide 73. The standard set out eight principles based around the central purpose, which is the creation and protection of value. [6]

Implementing an ERM program

Goals of an ERM program

Organizations by nature manage risks and have a variety of existing departments or functions ("risk functions") that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively.

Typical risk functions

The primary risk functions in large corporations that may participate in an ERM program typically include:

Common challenges in ERM implementation

Various consulting firms offer suggestions for how to implement an ERM program. [7] Common topics and challenges include: [8]

Internal audit role

In addition to information technology audit, internal auditors play an important role in evaluating the risk-management processes of an organization and advocating their continued improvement. However, to preserve its organizational independence and objective judgment, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk-management function. [9]

Internal auditors typically perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the upcoming year. This plan is updated at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, and SOX 404 top-down risk assessment), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying audit projects, not to identify, prioritize, and manage risks directly for the enterprise.

Current issues in ERM

The risk management processes of corporations worldwide are under increasing regulatory and private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth and opportunity. Executives struggle with business pressures that may be partly or completely beyond their immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive technology change; geopolitical instabilities; and the rising price of energy.

Sarbanes–Oxley Act requirements

Section 404 of the Sarbanes–Oxley Act of 2002 required U.S. publicly traded corporations to utilize a control framework in their internal control assessments. Many opted for the COSO Internal Control Framework, which includes a risk assessment element. In addition, new guidance issued by the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board in 2007 placed increasing scrutiny on top-down risk assessment and included a specific requirement to perform a fraud risk assessment. [10] Fraud risk assessments typically involve identifying scenarios of potential (or experienced) fraud, related exposure to the organization, related controls, and any action taken as a result.

NYSE corporate governance rules

The New York Stock Exchange requires the Audit Committees of its listed companies to "discuss policies with respect to risk assessment and risk management." The related commentary continues: "While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee." [11]

ERM and corporate debt ratings

Standard & Poor's (S&P), the debt rating agency, plans to include a series of questions about risk management in its company evaluation process. This will rollout to financial companies in 2007. [12] The results of this inquiry is one of the many factors considered in debt rating, which has a corresponding impact on the interest rates lenders charge companies for loans or bonds. [13] On May 7, 2008, S&P also announced that it would begin including an ERM assessment in its ratings for non-financial companies starting in 2009, [14] with initial comments in its reports during Q4 2008. [15]

IFC Performance Standards

International Finance Corporation Performance Standards [16] focus on the management of Health, Safety, Environmental and Social risks and impacts. The third edition was published on January 1, 2012 after a two-year negotiation process with the private sector, governments and civil society organizations. They have been adopted by the Equator Principles Banks, a consortium of over 118 commercial banks in 37 countries.

Data Privacy

Data privacy rules, such as the European Union's General Data Protection Regulation, increasingly foresee significant penalties for failure to maintain adequate protection of individuals' personal data such as names, e-mail addresses and personal financial information, or alert affected individuals when data privacy is breached. The EU regulation requires any organization--including organizations located outside the EU--to appoint a Data Protection Officer reporting to the highest management level [17] if they handle the personal data of anyone living in the EU.

Actuarial response

Casualty Actuarial Society

In 2003, the Enterprise Risk Management Committee of the Casualty Actuarial Society (CAS) issued its overview of ERM. [18] This paper laid out the evolution, rationale, definitions, and frameworks for ERM from the casualty actuarial perspective, and also included a vocabulary, conceptual and technical foundations, actual practice and applications, and case studies. [18]

The CAS has specific stated ERM goals, including being "a leading supplier internationally of educational materials relating to Enterprise Risk Management (ERM) in the property casualty insurance arena," [19] and has sponsored research, development, and training of casualty actuaries in that regard. [20] The CAS has refrained from issuing its own credential; instead, in 2007, the CAS Board decided that the CAS should participate in the initiative to develop a global ERM designation, and make a final decision at some later date. [21]

Society of Actuaries

In 2007, the Society of Actuaries developed the Chartered Enterprise Risk Analyst (CERA) credential in response to the growing field of enterprise risk management. [22] This is the first new professional credential to be introduced by the SOA since 1949. [23] A CERA studies to focus on how various risks, including operational, investment, strategic, and reputational combine to affect organizations. CERAs work in environments beyond insurance, reinsurance and the consulting markets, including broader financial services, energy, transportation, media, technology, manufacturing and healthcare. [23]

It takes approximately three to four years to complete the CERA curriculum which combines basic actuarial science, ERM principles and a course on professionalism. To earn the CERA credential, candidates must take five exams, fulfill an educational experience requirement, complete one online course, and attend one in-person course on professionalism. [23]

CERA Global

Initially all CERAs were members of the Society of Actuaries [24] but in 2009 the CERA designation became a global specialized professional credential, awarded and regulated by multiple actuarial bodies; [25] for example Chartered Enterprise Risk Actuary from the Institute and Faculty of Actuaries.

See also

Related Research Articles

<span class="mw-page-title-main">Risk management</span> Identification, evaluation and control of risks

Risk management is the identification, evaluation, and prioritization of risks, followed by the minimization, monitoring, and control of the impact or probability of those risks occurring.

<span class="mw-page-title-main">Actuary</span> Analyst of business risk and uncertainty

An actuary is a professional with advanced mathematical skills who deals with the measurement and management of risk and uncertainty. These risks can affect both sides of the balance sheet and require asset management, liability management, and valuation skills. Actuaries provide assessments of financial security systems, with a focus on their complexity, their mathematics, and their mechanisms. The name of the corresponding academic discipline is actuarial science.

<span class="mw-page-title-main">Audit</span> Independent examination of an organization

An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.

<span class="mw-page-title-main">International Actuarial Association</span>

The International Actuarial Association (IAA) is a worldwide association of local professional actuarial associations.

<span class="mw-page-title-main">Society of Actuaries</span> Actuary organization

The Society of Actuaries (SOA) is a global professional organization for actuaries. It was founded in 1949 as the merger of two major actuarial organizations in the United States: the Actuarial Society of America and the American Institute of Actuaries. It is a full member organization of the International Actuarial Association.

<span class="mw-page-title-main">Casualty Actuarial Society</span> North American professional society

The Casualty Actuarial Society (CAS) is a leading international professional society of actuaries, based in North America, and specializing in property and casualty insurance.

Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

The chief risk officer (CRO), chief risk management officer (CRMO), or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes–Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

The following outline is provided as an overview of and topical guide to actuarial science:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

<span class="mw-page-title-main">SOX 404 top–down risk assessment</span>

In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.

Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes Oxley mandated that public companies have an independent Audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes Oxley Act was attempting to proactively deter financial misrepresentation (Fraud) in order to ensure more accurate financial reporting to increase investor confidence. This same concept is applied in the discussion of fraud deterrence.

An entity-level control is a control that helps to ensure that management directives pertaining to the entire entity are carried out. These controls are the second level to understanding the risks of an organization. Generally, entity refers to the entire company.

The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high-level independent corporate executive with overall responsibility for internal audit.

The actuarial credentialing and exam process usually requires passing a rigorous series of professional examinations, most often taking several years in total, before one can become recognized as a credentialed actuary. In some countries, such as Denmark, most study takes place in a university setting. In others, such as the U.S., most study takes place during employment through a series of examinations. In the UK, and countries based on its process, there is a hybrid university-exam structure.

Certified Sarbanes-Oxley Professional (CSOXP) is a credential awarded by the governance, risk & compliance group. The CSOXP credential communicates that certified professionals have the knowledge listed below:

Statement on Standards for Attestation Engagements no. 18 is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements, the preparation of a written opinion about a subject, and the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, review, and agreed-upon procedures. It also prescribes two types of reports: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. Published April 2016, SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.

References

  1. Thomas Stanton (Feb 18, 2017). "Enterprise Risk Management". YouTube. TEDxJHUDC. The whole point of enterprise risk management is not to create another layer of bureaucracy, but rather to have your chief risk officer facilitate the conversations and then the discussions about priorities – what are the really big risks we've got to grapple with.
  2. 1 2 Enterprise Risk Management Committee (May 2003). "Overview of Enterprise Risk Management" (PDF). Casualty Actuarial Society: 8. Retrieved 2008-09-15.{{cite journal}}: Cite journal requires |journal= (help)
  3. Enterprise Risk Management Committee (May 2003). "Overview of Enterprise Risk Management" (PDF). Casualty Actuarial Society: 9–10. Retrieved 2008-09-15.{{cite journal}}: Cite journal requires |journal= (help)
  4. Enterprise Risk Management Committee (May 2003). "Overview of Enterprise Risk Management" (PDF). Casualty Actuarial Society: 11–13. Retrieved 2008-09-15.{{cite journal}}: Cite journal requires |journal= (help)
  5. "Enterprise Risk Management — Integrated Framework: Executive Summary" (PDF). Committee of Sponsoring Organizations of the Treadway Commission. September 2004. Archived from the original (PDF) on 2016-11-03. Retrieved 2008-09-16.{{cite journal}}: Cite journal requires |journal= (help)
  6. Hopkin, Paul (2022). Fundamentals of risk management : understanding, evaluating and implementing effective enterprise risk management. Clive Thompson (6th ed.). London. ISBN   978-1-3986-0286-1. OCLC   1300754988.{{cite book}}: CS1 maint: location missing publisher (link)
  7. ERM Implementation Advice
  8. ERM Frequently Asked Questions
  9. Role of Internal Auditing in ERM Archived 2013-09-05 at the Wayback Machine
  10. PCAOB Auditing Standard No 5 Archived 2007-06-27 at the Wayback Machine
  11. "NYSE Listing Standards Part 7d" (PDF). Archived from the original (PDF) on 2014-06-11. Retrieved 2017-08-27.
  12. S&P Ratings - Treasury & Risk Article Archived 2007-09-28 at the Wayback Machine
  13. S&P ERM for Financial Institutions
  14. S&P ERM FAQs
  15. S&P ERM Announcement
  16. "Performance Standard 1".
  17. "FERMA ECIIA Cyber Risk Governance Report | Ferma". www.ferma.eu. Retrieved 2018-10-01.
  18. 1 2 Enterprise Risk Management Committee (May 2003). "Overview of Enterprise Risk Management" (PDF). Casualty Actuarial Society . Retrieved 2008-09-15.{{cite journal}}: Cite journal requires |journal= (help)
  19. "ERM SAM Goals" (PDF). CAS Centennial Goal and SAM Goals. Casualty Actuarial Society. March 2008. Archived from the original (PDF) on 2020-05-14. Retrieved 2008-09-15.
  20. "Enterprise Risk Management Web Site". Casualty Actuarial Society. 2008. Archived from the original on 2020-08-15. Retrieved 2008-09-15.
  21. "Executive Summary: CAS Board of Directors Meeting" (PDF). Casualty Actuarial Society. June 17, 2007. Archived from the original (PDF) on June 27, 2010. Retrieved 2008-09-15.
  22. "Credential Overview". Society of Actuaries. 2008. Retrieved 2008-09-15.
  23. 1 2 3 "CERA Fast Facts". Society of Actuaries. 2008. Retrieved 2008-09-15.
  24. "Benefits". Society of Actuaries. 2008. Retrieved 2008-09-15.
  25. "The CERA Treaty". CERA Global. 2009. Archived from the original on 2015-01-12. Retrieved 2015-01-12.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.