Tuesday, October 22, 2013

GRC: Enterprise Risk Management PII

Although I recently posted one on this title, I think it needed more work, hence this one.




Convergys, a Cincinnati-based Relationship Management services company with $2.8 billion in 2008 revenues, followed a similar path in erecting its ERM structure. In its case, business leaders across the organization were identified and asked, “What risks keep you up at night and how do they impede your ability to meet strategic and operational objectives?”

Risk Management Defined

Risk management is the identification, analysis and acceptance or mitigation of uncertainty in decision-making. The decision can pertain to operations, an investment in stocks, business expansion, closing down a division or product, or leaving one market for another altogether. Essentially, risk management occurs every time a business owner, or for that matter an individual, analyzes and attempts to quantify the potential losses that could flow from a specific decision and then takes the appropriate set of actions given the business or investment objectives and the risk tolerance, or risk appetite as it is better known and understood.

Risk management is determining what risks exist on one hand and answering the question of how to handle those risks in a way best suited to the business objectives on the other. Risk management occurs everywhere. It occurs when low-risk government bonds are preferred and bought over riskier corporate debt, when a fund manager hedges currency exposure with currency derivatives, and more so when a bank performs a credit check on an individual before extending a line of credit.

Inadequate risk management can result in severe consequences for companies as well as the individuals involved. For example, the recession that began in 2008 was largely caused by the relaxed credit risk management of financial institutions.  

With the instability from the economic crisis (of 2008-2009, and we are still going through it), the spotlight is on risk management more than ever before. Whether or not organizations are assessing strategic and operational risks, the onus is on all of them to erect a systematic reporting structure for analysing their risks, develop more comprehensive risk monitoring tools and devise strategies to manage those risks while still taking enough calculated risks. It is these calculated and risk-managed risks that often separate the winners from the losers.

The last couple of years have seen a strong corporate drive towards the development of a methodology to better identify, assess and quantify strategic, financial and operational risks across all functions of the business. It is called Enterprise Risk Management (ERM). Most large public companies have implemented ERM, in some cases because of government regulations (as an extension to SOX for those operating in the US; in Europe, upon the passage of the European Union’s 8th Company Law Directive on Statutory Audit (Directive 2006/43/EC), European and non-European companies listed in any country of the European Economic Area have to comply with this directive). Many others have executed the strategy simply because it makes tremendous sense (Australia, France, Germany, Italy, Japan, Turkey and others that have developed regulations as a derivative of SOX).


ERM is a framework for managing every possible risk and practically confronting it, so as to enable the enterprise to achieve its business objectives and minimize unexpected operational volatility that may adversely affect earnings. Since companies hold capital to absorb the risk of loss (e.g. hedging, absorbing or transferring the risk), there is effectively less capital to invest in profit-producing activities. ERM helps companies determine the right amount they should direct towards risk.



ERM Process

The steps involved in an ERM process are essentially the same everywhere. However, since each organization has its unique way of doing business based on its vision, mission, corporate culture and philosophies, it will certainly have its own flavor of implementation. Nevertheless, a solid ERM framework should have four key components:
  1. Governance Structure, Policies and Process Flows
  2. Risk Analytics
  3. Risk Management Strategies
  4. Dashboard Reporting and Monitoring

Organizations that adopted ERM first now pass on their best practices, assisting others to do the same by conveying risk insights and solutions.


The toughest leg in the ERM journey is the first step: a course of action in which risk overseers from across the enterprise come together to share the respective risks within their own spheres of influence. Depending on the operational structure, a company can opt for a top-down process. It begins with an understanding of the company’s strategic priorities coming from the top of the pyramid: the board of directors and the C-level suite.


Alternatively, a company may adopt a bottom-up approach, wherein the primary risk managers in each business unit assemble to examine the strategic objectives, the operational solutions to achieve them and the risks these raise. Once this consensus is reached, the risk drivers are aggregated and rolled up for C-level and board review. Senior management now has the ability to determine where best to allocate resources to achieve business objectives, completely aware of where the risks reside, their cost, and the mitigation strategies in place.



Knee Deep

Risk identification is not a simple task to accomplish. The strategic risk identification process alone can require a very large number of people from different functions of the organization. Operational risks are reviewed both top-down and bottom-up, and process and sub-process interviews are conducted and subsequently reviewed to identify them. The company’s risk management department may then prioritize these risks in terms of their probability and impact.



Measuring Acceptance

Identifying a risk does not constitute ERM. Companies must understand risks. Once a risk contour is determined, ERM calls for companies to quantify risks in several metrics, such as the potential frequency of an event occurring, the potential severity of financial loss if the event occurs, whether the risk may start a chain reaction into other areas of the business, and whether one risk might actually offset another.


One can argue that the subprime mortgage disaster was undoubtedly a failure of prudent risk measurement. While providers of mortgage-backed securities may have had an understanding of their own commitments, they failed to act diligently and quantify the ripple effect on these commitments of the credit crisis involving other organizations.



Confronting The Risks

After a company has identified and measured strategic and operational exposures, an unfailing strategy for managing and monitoring the risks is required. Technology can be brought to use here, particularly dashboard-type reporting: a warning system that helps keep track of all operations. But like all technology, the system is only as good as the data within it and the processes created to report this data.


Many organizations have given the responsibility for monitoring enterprise risk to a Chief Risk Officer (CRO) or another high-level executive such as a CFO or a CGRCO. This is unlike the previous approach to risk management, wherein individual risks were handled separately: insurance risk managers handled hazard and liability risks, internal audit handled financial and operational reporting risks, business units handled project risks, treasury handled foreign-exchange risks, and so on.



Line Of Attack

Acceptance is the key: accepting the fact that the risks exist makes it easier for the company to plan for them. The better the understanding of the risks, the better the plan and the more effective the strategy. As said earlier, technology is only as good as its data; likewise, a strategy is only as good as its implementation. In addition to strategy, management buy-in is equally important. The strategy could be the best in the world, but if there is no management buy-in, not only is the entire purpose defeated, it can also lead to stricter regulatory interventions.

Saturday, October 19, 2013

GRC: Enterprise Risk Management PI



Governance: The Enterprise Risk Manager’s Line Manager

Every risk imaginable in the business world, strategic, financial, cyber security threats and many more, including an ever-changing and equally challenging regulatory environment, not forgetting domestic, regional and global competition, prowls (for lack of a better term) today’s unpredictable and extremely competitive commerce.
In times like this, it’s important to take a holistic view of business practices, processes and workplace ethics amongst everything else to ensure that adequate control mechanisms are in place to keep the business entity afloat while focusing not only on the risks that can threaten value, but also the risks that an enterprise can take to create value.

What Is Risk Management?

Risk management ensures that an organization identifies and understands the risks to which it is exposed. Risk management also assures that the organization has done enough in creating and implementing an effective risk management plan to prevent losses or at the least reduce the impact(s) if a loss occurs.
A risk management plan includes strategies and techniques for recognizing and confronting these threats. Good risk management doesn’t have to be expensive or time consuming; it may be as uncomplicated as answering these three questions:
  • What can go wrong?
  • What will we do to prevent it from occurring, and what will we do in response to the loss?
  • If something happens, how do we pay for it?

What Is ERM?

Enterprise risk management (ERM) is predominantly a dynamic, proactive approach by which businesses manage risks and seize opportunities related to the achievement of their objectives. This includes constantly monitoring all business functions, their processes and how they are carried out. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress, whether for one individual event, circumstance or activity or from an overall operations perspective. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, and strategic planning.
Enterprise risk management calls for organizations to identify all the risks they face and to decide which risks to manage actively or address on a priority basis. Priority here does not just mean preference given to a risk for its ability to recur frequently, but also for its impact, even if it occurs only once. The resulting plan of action is then made available to all.
In putting together ERM initiatives, companies are supposed to focus not only on the downside of risk but on the upside as well. The conventional approach was to focus on the downside: the losses that might be caused by a disruption in the normal course of business, e.g. a break in the supply chain or a cyber attack that impairs a company's records. Working on the upside means that companies consider viable opportunities and future rewards that might arise out of efficient management of risk. Some of these involve matters of strategy, like where to locate a plant or office abroad based on a risk analysis that would look at the political environment in a country.

Benefits of ERM

Enterprise Risk Management, much like a snake wrapping itself around its prey, wraps itself around the organization's nitty-gritty, but in a positive way: it ensures that all medium to large scale issues are addressed, while the smaller ones are tackled so that there are no losses due to negligence by the people made responsible for them.
In a nutshell, the benefits can be listed as follows:
  1. Increased consistency and communication of risks within the organization
  2. Enhanced reporting and analysis of corporate risks (risk data)
  3. Improved focus, attention and perspective to risk data
  4. More efficient and effective activities related to regulatory, compliance and audit matters
  5. More cost-effective management and monitoring of risks

Tuesday, February 05, 2013

GRC - Compliance



The issue of compliance has been worrying organizations since the beginning of the millennium. Everyone wants to be compliant because the law says they have to be. And, if not the law, then it is industry standards and subsequent customer expectations that mandate the organization to implement changes in the way they work.


Many people don't understand what compliance is all about but it's really quite simple. It's all about conforming to the controls and procedures imposed on your company by appropriate laws or rulings. For this reason it is frequently termed 'regulatory compliance'.


The more satisfactorily these demands are met, the better compliance has been achieved in the organization. There is no such thing as just 'being in compliance' without stating the particular ruling you’re complying with.



As compliance has increasingly become a concern of corporate management, corporations are turning to specialized software, consultancies, and even a new function and job title, the Chief Compliance Officer. Many organizations may still have Compliance working under a broader Governance, Risk and Compliance platform, otherwise known as GRC.


Compliance in a regulatory context is a prevalent business concern, perhaps because of an ever-increasing number of regulations and a fairly widespread lack of understanding about what is required for a company to be in compliance with new legislation. In the financial sector, SOX was enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. In the healthcare sector, HIPAA Title II includes an administrative simplification section which mandates standardization of healthcare-related information systems.


Compliance is either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so. Software, for example, may be developed in compliance with specifications created.



In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to achieve in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.


Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.


Regulatory compliance and reporting needs to be viewed as a natural extension of the governance duties shouldered by top management and corporate boards. Moreover, only good governance can ensure that compliance is aligned with the company’s business objectives and risk management strategies — and is thereby adding real value (and not just cost) to the organization. Ultimately, the goal is to ensure that the spirit of compliance — as well as the letter of the law — is embraced in every corner of the enterprise.


Regulatory Compliance is the term generally used to describe the policies and processes which organizations have in place to ensure that they follow the very many laws, rules and regulations put in place. It is the set of all data that is relevant to a governance officer for the purposes of validating consistency, completeness, or compliance.

A key component of Regulatory Compliance is the variety of policies and processes firms are required to have in place to meet legislation and regulation designed to prevent fraud.


Regulatory compliance also describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations. This will include retaining data or records which can be used for the purpose of implementing or validating compliance.

Saturday, May 26, 2012

Product Pricing


There are a variety of different types of pricing strategies in business. However, there's no one definite, formula-based approach that suits all types of products, businesses and/or markets. Pricing your product usually involves considering certain key factors, including identifying your target consumer, competition analysis and understanding the relationship between quality and the price.

The Basic Rules
No matter what type of product, the price charged to the consumer will have a direct effect on the success of the business. Though pricing strategies can be complex, the basic rules of pricing are straightforward:

  • All prices must cover costs (and profits).
  • The most effective way to lower prices is to control (if not lower) costs.
  • Review prices frequently to assure that they reflect the dynamics of cost, market demand, competition, and profit objectives.
  • Prices must be established to assure sales.

Know The Costs
Know the costs of running your business. If the price for your product or service doesn't cover costs, the cash flow will be cumulatively negative, which means the financial resources will be exhausted and the business will in due course not succeed. That is no reason to start a business; no one invests to fail, unless that is your way of spending on charity. Good luck!
A good idea is to add a percentage profit in your calculation of costs. Treat profit as a fixed cost, like a loan payment or payroll, since none of us is in business to break even.

The Right Time
When is the right time to review your prices? When:
  • Introducing a new product or product line;
  • Costs change;
  • Deciding to enter a new market;
  • Competition changes prices;
  • The economy experiences either inflation or recession;
  • Change in sales strategy.

Pricing - In One Of Four Ways

Cost-Plus Pricing
Many manufacturers use cost-plus pricing. The key to being successful with this method is making sure that the "plus" figure not only covers all overheads but also generates the percentage of profit you require. If the overhead figure is not accurate, you risk profits that are too low. The following sample calculation should help you grasp the concept of cost-plus pricing:
  
   Cost of materials                  $  50.00
 + Cost of labor                         30.00
 + Overheads                             40.00
   Total Cost                           120.00
 + Desired Profit (20% on sales)         30.00
 = Required Sales Price               $ 150.00

Demand Price
Demand pricing is a method in which consumer response to various price points in a range of prices is analyzed to arrive at the highest acceptable price. It is also called value-oriented pricing.

Demand pricing is determined by the optimum combination of volume and profit. Products that are usually sold through different sources at different prices (e.g. retailers, discount chains, wholesalers, or direct mail marketers) are examples of goods whose price is determined by demand.

A wholesaler might buy greater quantities than a retailer, which results in purchasing at a lower unit price. The wholesaler profits from a greater volume of sales of a product priced lower than that of the retailer.

The retailer typically pays more per unit because he or she is unable to purchase, stock, and sell as great a quantity of product as a wholesaler does. This is why retailers charge higher prices to customers.

Demand pricing is difficult to master because you must correctly calculate beforehand what price will generate the optimum relation of profit to volume.

Competitive Pricing
Competitive pricing is generally used when there's an established market price for a particular product or service. If all competitors are charging $100 for a replacement windshield, for example, that's what you should charge, and profitability is then managed through lower or controlled operating costs.

Competitive pricing is used most often within markets with commodity products, those that are difficult to differentiate from one another. If there's a major market player, commonly referred to as the market leader, that company will often set the price that the smaller companies within that same market will be compelled to follow.

To use competitive pricing effectively, know the prices each competitor has established. Then figure out your optimum price and decide, based on direct comparison, whether you can defend the prices you've set. Should you wish to charge more than your competitors, be able to make a case for a higher price, such as providing a superior customer service or warranty policy. Before making a final commitment to your prices, make sure you know the level of price awareness within the market.

If you use competitive pricing to set the fees for a service business, be aware that unlike a situation in which several companies are selling essentially the same products, services vary widely from one firm to another. As a result, you can charge a higher fee for a superior service and still be considered competitive within your market.

Markup Pricing
Used by manufacturers, wholesalers and retailers, a markup is calculated by adding a set amount to the cost of a product, which results in the price charged to the customer. For example, if the cost of the product is $100 and your selling price is $140, the markup would be $40. To find the percentage of markup on cost, divide the dollar amount of markup by the dollar amount of product cost:

$40 / $100 = 40%

This pricing method often generates confusion, not to mention lost profits, among many first-time small-business owners because markup (expressed as a percentage of cost) is often confused with gross margin (expressed as a percentage of selling price). The next section discusses the difference between markup and margin in greater depth.

Pricing Basics
To price products, you need to get familiar with pricing structures, especially the difference between margin and markup. As mentioned, every product must be priced to cover its production or wholesale cost, freight charges, a proportionate share of overhead (fixed and variable operating expenses), and a reasonable profit.

Factors such as high overhead (particularly when renting in prime mall or shopping locations), changeable insurance rates, shrinkage (shoplifting, employee or other theft, shippers' mistakes), seasonality, shifts in wholesale or raw material, increases in product costs and freight expenses, and sales or discounts will all affect the final pricing.

Overhead Expenses
Overhead refers to all non-labor expenses required to operate your business. These expenses are either fixed or variable:
  • Fixed expenses
No matter what the volume of sales is, these costs must be met every month. Fixed expenses include rent, depreciation on fixed assets (such as cars and office equipment), salaries, insurance, utilities, membership dues and subscriptions (which can sometimes be affected by sales volume), and legal and accounting costs. These expenses do not change, regardless of whether a company's revenue goes up or down.
  • Variable expenses
Most so-called variable expenses are really semi-variable expenses that fluctuate from month to month in relation to sales and other factors, such as promotional efforts, change of season, and variations in the prices of supplies and services. Fitting into this category are expenses for telephone, office supplies (the more business, the greater the use of these items), printing, packaging, mailing, advertising, and promotion. When estimating variable expenses, use an average figure based on an estimate of the annual total.

Cost of Goods Sold
Cost of goods sold, also known as cost of sales, refers to the cost of purchasing products intended for resale, or the cost of manufacturing products. Freight and delivery charges are customarily included in this figure.

Accountants segregate cost of goods on an operating statement because it provides a measure of gross-profit margin when compared with sales, an important yardstick for measuring the business' profitability. Expressed as a percentage of total sales, cost of goods varies from one type of business to another.

Determining Margin
Margin, or gross margin, is the difference between total sales and the cost of those sales. For example: If total sales equal $1,000 and cost of sales equals $300, then the margin equals $700.

Gross-profit margin can be expressed in dollars or as a percentage. As a percentage, the gross-profit margin is always stated as a percentage of net sales. The equation: (Gross-profit / Sales) = Gross-profit margin

Using the preceding example, the margin would be 70 percent.

When all operating expenses (rent, salaries, utilities, insurance, advertising, and so on) and other expenses are deducted from the gross-profit margin, the remainder is net profit before taxes. If the gross-profit margin is not sufficiently large, there will be little or no net profit from sales.

Some businesses require a higher gross-profit margin than others to be profitable because the costs of operating different kinds of businesses vary greatly. If operating expenses for one type of business are comparatively low, then a lower gross-profit margin can still yield the owners an acceptable profit.

The following comparison illustrates this point. Keep in mind that operating expenses and net profit are shown as the two components of gross-profit margin, that is, their combined percentages (of net sales) equal the gross-profit margin:


                         Business A    Business B
Net sales                   100%          100%
Cost of sales                40            65
Gross-profit margin          60            35
Operating expenses           43            19
Net profit                   17            16

Markup and (gross-profit) margin on a single product, or group of products, are often confused. The reason for this is that when expressed as a percentage, margin is always figured as a percentage of the selling price, while markup is traditionally figured as a percentage of the seller's cost. The equation is:

(Total sales - Cost of sales)/Cost of sales = Markup

Using the numbers from the preceding example, if you purchase goods for $300 and price them for sale at $1,000, your markup is $700. As a percentage, this markup comes to 233 percent:

($1,000 - $300) / $300 = 233%

In other words, if your business requires a 70 percent margin to show a profit, your average markup will have to be 233 percent.

You can now see from the example that although markup and margin may be the same in dollars ($700), they represent two different concepts as percentages (233% versus 70%). More than a few new businesses have failed to make their expected profits because the owner assumed that if his or her markup is X percent, the margin will also be X percent. This is not usually the case.

