Sunday, March 24, 2013

ERM in The Miami Herald

Enterprise Risk Management (ERM) featured in The Miami Herald. You can read the full article either by visiting The Miami Herald or by downloading it in PDF format.

Saturday, March 23, 2013

Enterprise Risk Management Assessments

Organizations have numerous worries and concerns: earnings, customer complaints, liquidity, capital adequacy, credit, adequate reserves, board supervision, strategic planning, fraud, insider abuse, cyber security, compliance issues, macro-economic threats, political instability, technology threats, disaster recovery, etc.
 
One method to address these concerns effectively is Enterprise Risk Management (“ERM”). Why is this type of risk management valuable, and why is it important? A formal, comprehensive risk management system, embedded in the company’s corporate governance structure, is critical in every situation. The strength of the internal controls, the monitoring systems and the independent evaluation of the risk management system drives the success of the ERM program. Simply put, the ERM program prioritizes the time the company dedicates to the most important and impactful items that govern the organization each day, each month, each quarter and each year of its operation.
 
The ERM program’s extent of coverage, its portfolio of risks and its “language” (terminology and definitions) of risk must align with various groups: customer interests, shareholder/stakeholder objectives, board philosophy, management goals, and the legal/regulatory responsibilities of each. A given ERM program does not “fit” all organizations in the same way. Each entity must tailor its ERM solution to its own goals and objectives (i.e. an ERM solution cannot be bought “off the shelf”). A successful ERM implementation within a comprehensive corporate governance program proactively creates value. If not, ERM will simply be “another checklist to fill out and initial.”
 
Major elements of risk include: Market-related, Liquidity-related, Operational (the “catch-all” category), Strategic, Legal, Technological, and Reputational. Other types are viable and could be (sometimes should be) separately identified and tracked; which elements apply depends on the industry, the complexity and the scope of the given organization. It is important to understand that risk is not inherently a negative concept; it should be thought of as a degree of opportunity to invest time, talent and resources in elements of the company that help attain the organization’s goals. Why? Because no organization can make a profit without taking a risk. The “risk-return” philosophy is essential in all types of corporations, and ERM allows the organization to prioritize its attention to the critical and valuable opportunities presented to it so that it can reach its goals and intentions. (“Goals” could represent earnings, organic growth, acquisitions, diversification, as well as other objectives.)
 
“Risk Appetite” dictates the amount of risk an entity will or will not accept. The company’s board and senior management decide the risk appetite of the organization. No consultant, auditor or examiner can provide the risk appetite or the risk “tolerance” (the threshold of risk that the entity can bear).
 
Who is responsible for ERM? The clearest response provided to date: “The Director’s major responsibility is to provide a management structure that adequately identifies, measures, controls, and monitors risk… Failure to establish a risk management structure is considered unsafe and unsound conduct” (Source: “Basics for Bank Directors”, Federal Reserve Bank of Kansas City, U.S., 2010). Similar responsibilities of the board are documented in COSO and GARP publications (the “Committee of Sponsoring Organizations of the Treadway Commission” and the “Global Association of Risk Professionals”, respectively).
 
How is ERM tracked? Usually by “Risk Models” that grade each exposure into a level of risk (e.g. High, Medium or Low), tracked on “Risk Maps” that graphically show the company’s risk assessment at a given point in time. Although most Risk Models grade risk on a quantified scale, an important component and weight in these models is a qualitative (“judgment or gut feel”) aspect of the assessment; this must always exist, to some degree, in any successful ERM program. Often these Risk Maps are color-coded Red (high), Yellow (medium) or Green (low) to show board members or managers at a glance where exposures are found and/or concentrated; these maps are sometimes called “heat maps”. The level of detail in a given Risk Map follows the reporting lines of the organization: board-level reports are more global and summarized, while divisional or departmental Risk Maps are more detailed.
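To make the mechanics concrete, here is an added example (not from the original post, and not any regulator’s or vendor’s model) of a small risk register in Python. It grades each item from a quantified likelihood-by-impact product, lets a qualitative judgment move the grade one band up or down, checks every item against a category-level tolerance of the kind the Risk Appetite paragraph says only the board can set, and rolls the items up into a divisional heat map and a summarized board-level map. The 1–5 scales, the band cut-offs, the sample register and the tolerance table are all constructed assumptions for illustration.

```python
"""Constructed ERM risk-register example: grading, appetite check and heat-map rollup."""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("Green", "Yellow", "Red")   # low, medium, high


@dataclass(frozen=True)
class RiskItem:
    division: str
    category: str          # e.g. "Operational", "Technological", "Liquidity"
    description: str
    likelihood: int        # assumed 1 (rare) .. 5 (almost certain)
    impact: int            # assumed 1 (negligible) .. 5 (severe)
    judgment: int = 0      # qualitative adjustment: -1 (downgrade), 0, +1 (upgrade)


def validate(item):
    """Reject out-of-scale inputs so a typo cannot silently become a Green."""
    if not (1 <= item.likelihood <= 5 and 1 <= item.impact <= 5):
        raise ValueError(f"scale out of range: {item.description}")
    if item.judgment not in (-1, 0, 1):
        raise ValueError(f"judgment must be -1, 0 or +1: {item.description}")


def band_index(item):
    """Quantified part: likelihood x impact on 1..25, cut into three bands (assumed
    cut-offs 8 and 15); the qualitative judgment then shifts the band by one step,
    clamped so it can never move off the scale."""
    validate(item)
    product = item.likelihood * item.impact
    idx = 2 if product >= 15 else 1 if product >= 8 else 0
    return min(2, max(0, idx + item.judgment))


def rate(item):
    return LEVELS[band_index(item)]


def appetite_breaches(items, tolerance):
    """Items graded above the board-set tolerance for their category.
    `tolerance` maps category -> highest acceptable level; categories missing
    from it default to "Yellow" (an assumption of this example)."""
    breaches = []
    for it in items:
        ceiling = LEVELS.index(tolerance.get(it.category, "Yellow"))
        if band_index(it) > ceiling:
            breaches.append(it)
    return breaches


def heat_map(items, key):
    """Divisional map: (key(item), category) -> worst level found in that cell."""
    cells = {}
    for it in items:
        cell = (key(it), it.category)
        cells[cell] = max(cells.get(cell, 0), band_index(it))
    return {cell: LEVELS[idx] for cell, idx in cells.items()}


def board_map(items):
    """Board-level rollup: per category, the worst level across the enterprise and
    how many items sit in that band, so concentration shows without divisional detail."""
    worst = defaultdict(int)
    for it in items:
        worst[it.category] = max(worst[it.category], band_index(it))
    counts = defaultdict(int)
    for it in items:
        if band_index(it) == worst[it.category]:
            counts[it.category] += 1
    return {cat: (LEVELS[worst[cat]], counts[cat]) for cat in worst}


# Constructed sample register (illustrative only, not real data).
REGISTER = [
    RiskItem("Retail", "Operational", "Wire fraud via compromised email", 4, 4),
    RiskItem("Retail", "Technological", "Unpatched core banking host", 3, 5, judgment=+1),
    RiskItem("Treasury", "Liquidity", "Deposit run-off under stress", 2, 5),
    RiskItem("Treasury", "Market", "Rate shock on bond book", 2, 3, judgment=+1),
    RiskItem("IT", "Technological", "DR site not tested this year", 3, 3, judgment=-1),
    RiskItem("IT", "Reputational", "Public breach disclosure", 2, 2),
]

# Stand-in for the appetite the board would set; a consultant cannot supply this.
TOLERANCE = {"Operational": "Yellow", "Technological": "Yellow",
             "Liquidity": "Yellow", "Market": "Red", "Reputational": "Green"}

if __name__ == "__main__":
    for it in REGISTER:
        print(f"{it.division:9} {it.category:14} {rate(it):6} {it.description}")
    print("Breaches:", [b.description for b in appetite_breaches(REGISTER, TOLERANCE)])
    print("Divisional:", heat_map(REGISTER, key=lambda i: i.division))
    print("Board:", board_map(REGISTER))
```

The judgment field is deliberately limited to one band of movement and is recorded on the item, so the “gut feel” the post describes is visible and auditable rather than buried in an overwritten score; the breach list is what would normally be escalated against the appetite statement.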
 
What are the key characteristics to assess your ERM program? These are the essential elements:
 
  • Active board and senior management oversight.
  • Adequate policies, procedures, and limits.
  • Adequate risk management, monitoring, and management information systems.
  • Comprehensive internal controls (without controls, the reported exposures/risks cannot be trusted and risk management provides no true value).
Sooner or later, the authorities assigned to oversee your organization will assess your risk management program as part of their evaluation of your company’s governance structure. They will, for example, rate the ERM program’s relative strength (against regulatory guidelines, laws, standards and industry experience) as one of the following: “strong”, “adequate” or “weak” (Source: Office of the Comptroller of the Currency (OCC) guidelines).
 
Strong risk management: “…effectively identifies and controls all major types of risk posed by the relevant activity or function. The board and management participate in managing risk and ensure that appropriate policies and limits exist, and the board understands, reviews, and approves them...”
 
Adequate risk management: “…risk management systems, although largely effective, may be lacking to some modest degree. It reflects an ability to cope successfully with existing and foreseeable exposure that may arise in carrying out the institution’s (company’s) business plan...”
 
Weak risk management: “…risk management systems that are lacking in important ways and, therefore, are a cause for more than normal supervisory attention. The internal control system may be lacking in important respects, particularly as indicated by continued control exceptions or by the failure to adhere to written policies and procedures... could have adverse effects on the safety and soundness of the financial institution (organization) or could lead to a material misstatement of its financial statements if corrective actions are not taken.”
 

Tuesday, March 12, 2013

Enterprise Risk Management Program Framework

Board members, Presidents, CIOs, CISOs, and pretty much every decision-maker in the risk management space deal with various concerns and issues. The Enterprise Risk Management (ERM) framework can assist in effectively prioritizing the attention that you need to give to your most valuable and important issues. This is an integral part of good overall governance in private and government organizations. The strength of the internal controls, the monitoring systems, and the independent evaluations of the risk management system drives the success of such an ERM framework implementation.