Tuesday, October 22, 2013

GRC: Enterprise Risk Management PII

Although I recently posted one on this title, I think it needed more work, hence this one.




Convergys, a Cincinnati-based Relationship Management services company with $2.8 billion in 2008 revenues, followed a similar path in erecting its ERM structure. In its case, business leaders across the organization were identified and asked, “What risks keep you up at night and how do they impede your ability to meet strategic and operational objectives?”

Risk Management Defined

Risk management is the identification, analysis and acceptance or mitigation of uncertainty in decision-making. The decision can pertain to operations, an investment in stocks, a business expansion, closing down a division or product, or leaving one market for another altogether. Essentially, risk management occurs every time a business owner, or for that matter an individual, analyzes and attempts to quantify the potential losses that could flow from a specific decision and then takes the appropriate set of actions given the business or investment objectives and risk tolerance, better known and understood as risk appetite.

Risk management is, on one hand, determining what risks exist and, on the other, answering the question of how to handle those risks in a way best suited to the business objectives. Risk management occurs everywhere: when low-risk government bonds are preferred and bought over riskier corporate debt, when a fund manager hedges currency exposure with currency derivatives, and, even more so, when a bank performs a credit check on an individual before extending a line of credit.

Inadequate risk management can result in severe consequences for companies as well as the individuals involved. For example, the recession that began in 2008 was largely caused by the relaxed credit risk management of financial institutions.

With the instability from the economic crisis of 2008-2009 (which we are still going through), the spotlight is on risk management more than ever before. Whether or not organizations are already assessing strategic and operational risks, the onus is on all of them to erect a systematic reporting structure for analyzing their risks, to develop more comprehensive risk monitoring tools, and to devise strategies to manage those risks while still taking enough calculated risks. It is these calculated, risk-managed risks that often separate the winners from the losers.

The last couple of years have seen a strong corporate drive towards the development of a methodology to better identify, assess and quantify strategic, financial and operational risks across all functions of the business. It is called Enterprise Risk Management (ERM). Most large public companies have implemented ERM, in some cases because of government regulations: in the US as an extension of SOX, and in Europe following the passage of the European Union’s 8th Company Law Directive on Statutory Audit (Directive 2006/43/EC), which European and non-European companies listed in any country of the European Economic Area have to comply with. Many others have executed the strategy simply because it makes tremendous sense (Australia, France, Germany, Italy, Japan, Turkey and others have developed regulations as derivatives of SOX).


ERM is a framework for managing every possible risk and practically confronting it, so as to enable the enterprise to achieve its business objectives and minimize unexpected operational volatility that could adversely affect earnings. Since companies hold capital to absorb the risk of loss, whether by hedging, absorbing or transferring the risk, there is effectively less capital to invest in profit-producing activities. ERM helps companies determine the right amount of capital they should direct towards risk.



ERM Process

The steps involved in an ERM process are essentially the same everywhere; having said that, since each organization has its unique way of doing business based on its vision, mission, corporate culture and philosophies, it will certainly have its own flavor in the style of implementation. Nevertheless, a solid ERM framework should have four key components:
  1. Governance Structure, Policies and Process Flows
  2. Risk Analytics
  3. Risk Management Strategies
  4. Dashboard Reporting and Monitoring

Organizations that have implemented ERM now pass on their best practices, assisting others to adopt ERM by conveying risk insights and solutions.


The toughest leg in the ERM journey is the first step: a course of action in which risk overseers from across the enterprise come together to share the respective risks within their own spheres of influence. Depending on the operational structure, a company can opt for a top-down process. It begins with an understanding of the company’s strategic priorities coming from the top of the pyramid: the board of directors and the C-level suite.


Alternatively, a company may adopt a bottom-up approach, wherein the primary risk managers in each business unit assemble to examine the strategic objectives, the operational solutions to achieve them and the risks these raise. Once consensus is reached, the risk drivers are aggregated and rolled up for C-level and board review. Senior management then has the ability to determine where best to allocate resources to achieve business objectives, fully aware of where the risks reside, their cost, and the mitigation strategies in place.



Knee Deep

Risk identification is not a simple task to accomplish. The strategic risk identification process alone can require a very large number of people from different functions of the organization. A review of operational risks, both top-down and bottom-up, also requires conducting and subsequently reviewing process and sub-process interviews to identify operational risks. The company’s risk management department may then prioritize these risks in terms of their probability and impact.



Measuring Acceptance

Identifying a risk does not constitute ERM; companies must understand risks. Once a risk contour is determined, ERM calls for companies to quantify risks in several metrics, such as the potential frequency of an event occurring, the potential severity of financial loss if the event occurs, whether the risk may start a chain reaction into other areas of the business, and whether one risk might actually offset another.


One can argue that the subprime mortgage disaster was undoubtedly a failure of prudent risk measurement. While providers of mortgage-backed securities may have had an understanding of their own commitments, they failed to act diligently by not quantifying the ripple effect that the credit crisis, through its impact on other organizations, would have on those commitments.



Confronting The Risks

After a company has identified and measured strategic and operational exposures, an unfailing strategy for managing and monitoring the risks is required. Technology is brought to use here, particularly dashboard-type reporting: a warning system that helps keep track of all operations. But, like all technology, the system is only as good as the data within it and the processes created to report that data.


Many organizations have given the responsibility for monitoring enterprise risk to a Chief Risk Officer (CRO) or another high-level executive such as a CFO or a CGRCO. This is unlike the previous approach to risk management, wherein individual risks were catered to individually: for example, insurance risk managers handled hazard and liability risks, internal audit handled financial and operational reporting risks, business units handled project risks, treasury handled foreign-exchange risks, and so on.



Line Of Attack

Acceptance is the key: accepting the fact that the risks exist makes it easier for the company to plan for them. The better the understanding of the risks, the better the plan and the more effective the strategy. As said earlier, technology is only as good as its data; likewise, a strategy is only as good as its implementation. In addition to strategy, management buy-in is equally important. The strategy could be the best in the world, but if there is no management buy-in, not only is the entire purpose defeated, it can also lead to stricter regulatory interventions.

Saturday, October 19, 2013

GRC: Enterprise Risk Management PI



Governance: The Enterprise Risk Manager’s Line Manager

Every risk imaginable in the business world, strategic, financial, cyber security threats and many more, including an ever changing and equally challenging regulatory environment, not forgetting domestic, regional and global competition, prowls (for lack of a better term) today’s unpredictable and extremely competitive commerce.
In times like these, it is important to take a holistic view of business practices, processes and workplace ethics, amongst everything else, to ensure that adequate control mechanisms are in place to keep the business entity afloat, while focusing not only on the risks that can threaten value but also on the risks that an enterprise can take to create value.

What Is Risk Management?

Risk management ensures that an organization identifies and understands the risks to which it is exposed. Risk management also assures that the organization has done enough in creating and implementing an effective risk management plan to prevent losses or at the least reduce the impact(s) if a loss occurs.
A risk management plan includes strategies and techniques for recognizing and confronting these threats. Good risk management doesn’t have to be expensive or time consuming; it may be as uncomplicated as answering these three questions:
  • What can go wrong?
  • What will we do to prevent it from occurring, and how will we respond to the loss?
  • If something happens, how do we pay for it?

What Is ERM?

Enterprise risk management (ERM) is predominantly a dynamic, proactive approach by which businesses manage risks and seize opportunities related to the achievement of their objectives; this definitely includes constantly monitoring all business functions, their processes and how they are carried out. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress, whether for one individual event, circumstance or activity or from an overall operations perspective. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, and strategic planning.
Enterprise risk management calls for organizations to identify all the risks they face, to decide which risks to manage actively or address on a priority basis, and then to make that plan of action available to all. Priority does not just mean giving preference to a risk for its ability to recur frequently; it also means weighing its impact, even if it is a one-time event.
In putting together ERM initiatives, companies are supposed to focus not only on the downside of risk but on the upside as well. The conventional approach was to focus on the downside: the losses that might be caused by a disruption in the normal course of business, e.g. a break in the supply chain or a cyber attack that impairs a company's records. Working on the upside, by contrast, is when companies consider the viable opportunities and future rewards that might arise out of efficient management of risk. Some of these involve matters of strategy, like where to locate a plant or office abroad based on a risk analysis that looks at the political environment in a country.

Benefits of ERM

Enterprise Risk Management, pretty much like a snake wrapping itself around its prey, wraps itself around the organization's nitty-gritty, but in a positive way, to ensure all medium- to large-scale issues are addressed while the smaller ones are tackled so that there are no losses due to negligence by the people made responsible for them.
In a nutshell, the benefits can be bulleted as follows:
  1. Increased consistency and communication of risks within the organization
  2. Enhanced reporting and analysis of corporate risks (risk data)
  3. Improved focus, attention and perspective on risk data
  4. More efficient and effective activities related to regulatory, compliance and audit matters
  5. More cost-effective management and monitoring of risks
