Moving towards enterprise risk management

The following discussion is mostly taken from a material published by KPMG International entitled “Enterprise Risk Management Complacency Is No Longer an Option,  But a Practical Start Is”

2. Identify and prioritize top risks — and explore how well you manage them. A successful ERM endeavor begins with a focus on two fundamentals: content and process. “Content” refers to key risks, and “process” indicates how the program for managing them is sustained across the business. The risk council’s first goal is to facilitate the identification and prioritization of an organization’s key risk — those that may prevent it from meeting its corporate strategic goals. This list can be based on the likelihood of the risks occurring and the potential consequences to the organization should they occur. Leaders would identify risks that they believe threaten the business model, the organization’s strategy, and the organization’s existence. Members of management within the risk management council would examine carefully and critically these risks, develop an enterprise risk profile, and then identify priority risks (e.g., the top 10 to 20 risks). The risk management council’s second goal is to explore how well the business prevents and/or manages the key risks today and what changes may be necessary to improve that effort.

This process provides details about the effectiveness of the organization’s approach to managing risk and an assessment of vulnerabilities that could threaten the organization’s overall business strategy. This process can also assist leadership in critical decision making.

For example, if an organization is planning to buy another company, the relevant risk information could help illuminate whether the potential acquisition could have a negative impact on the company’s current top risks. So much business information is historical; risk information needs to be current and supported by a sustainable process to help enable a future focus.

3. Assign accountability: Turning the corner from risk assessment to risk management. Identifying key risks will help the organization understand accountability — who owns the risks, how effectively they are currently being managed, and whether the risks are being monitored. Internal audit or compliance departments may be in charge of monitoring certain risks, but often, because organizations are organized by function or geography and not risk, the highest risks may not have designated risk owners or risk monitors. Indeed, some risks may not be formally identified (for example, strategic risk is often not identified, and thus can be the source of some unwelcomed surprises).

Assigning formal accountability for identified risks to the right people helps create a greater level of assurance for the board and the audit committee and a greater level of confidence in the organization’s governance framework.

4. Begin working toward a single view of risk.  Many organizations have already invested in a variety of risk processes and functions, but these mechanisms often lack a unifying vision and clear objectives. Consequently, the potential benefits are unrealized.

The effective implementation of ERM is the much needed “glue” that delivers a performance-based focus on risk management and, thus, a reward for the risk management investment. Implementing a single ERM approach allows leaders to replace the “siloed” approach to risk management with a single view of risk that is articulated across the organization.

5. Consider your current position within an ERM framework. The risk management council can then build consensus on where the organization wants to go next, based on its risk profile. With a single view of risk identified and an ERM framework (i.e., a construct of common language and approach/methodology for risk management) in place, an organization can begin the critical work of articulating its own vision for ERM and ERM’s role in the organization. That vision will help determine the organization’s ERM approach and will likely be a call to more immediate action as leaders gain an appreciation of the gaps in their current efforts and can see a way forward.

Leaders take varying approaches to ERM, depending on the needs of the organization and its risks. ERM approaches can be plotted along a “maturity continuum” (that is, from Basic or “Compliance” through Mature or “Managed” to Advance or “Strategic” level). An organization’s approach, and the choices it reflects, affects the extent to which it makes ERM part of its governance and business operations.

The way forward

ERM has evolved from a largely theoretical construct to a highly practical performance tool.

Now, many leaders are beginning to recognize ERM’s value and practical applicability as a means of responding to business or governance changes and stakeholder demands, improving the management of identified risks, and ultimately creating a sustainable process for gaining competitive advantage. Organizations that embrace ERM and build it into the core of their enterprises can anticipate the benefits that are possible when:

Risks (the “content”) are assessed, evaluated, and correlated across the enterprise;

A common risk management framework (the “process”) is in place, with accountability established for measuring, managing, and monitoring risk;

Risk quantification and aggregation is enabled throughout the organization via common methodologies and tools;

Risk reporting to management and the board is effective (that is, it captures risk trends and emerging risks);

The ERM program supports strategic decision making and brand protection and has predictive value; and Corporate governance processes are strengthened.

Implementing an ERM approach is certainly not easy, and it cannot happen overnight. But as ERM’s practical applications evolve, leaders have learned that an ERM approach can help organizations with two critical challenges:

How to derive tangible value from regulatory compliance efforts and How to link risk and strategy to drive business performance and enhance the organization’s brand.

An ERM program is no longer an option; it is a mandatory program for any organization intending to create and preserve shareholder value, to improve investment decisions and support growth, to attract and retain stakeholders (such as employees, creditors, and investors), and to prevent financial disasters and survive corporate crises.

As the risk management guru James Lam in his book “Enterprise Risk Management: from Incentives to Controls” (2003) would often tell his audience when speaking on the importance of risk management, “over the long term, the only alternative to risk management is crisis management – and crisis management is much more expensive, time consuming, and embarrassing.”

Taking the practical first steps to build internal consensus can help enable leaders to meet rising external demands and, over time, to use ERM as the foundation for building competitive advantage.

(Reginald C. Nery is a Partner in the Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. The concepts, principles and approach practices in this article are derived from KPMG International’s thought leadership paper entitled “Enterprise Risk Management: Complacency is No Longer an Option, but a Practical Start Is”, KPMG’s resource persons and materials on ERM, “COSO Enterprise Risk Management – Integrated Framework” (2004), and risk management guru James Lam from his book, “Enterprise Risk Management: from Incentives to Controls” (2003).  This article is of general information only and is not intended to be, nor is it a substitute for, informed professional advice.  While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances.  For comments or inquiries, please email [email protected] or [email protected])

(KPMG International provides no client services and is a Swiss cooperative with which the independent firms of the KPMG network are affiliated)