Organizations have numerous worries and
concerns: earnings, customer complaints, liquidity, capital adequacy,
credit, adequate reserves, board supervision, strategic planning, fraud,
insider abuse, cyber security, compliance issues, macro-economic
threats, political instability, technology threats, disaster recovery,
etc.
One method to address these concerns and issues in a coordinated way is
Enterprise Risk Management (“ERM”). Why is this type of risk management
valuable? A formal and comprehensive risk management system, built in as
an integral part of a company’s corporate governance structure, is critical
regardless of the organization’s size or industry. The strength of internal
controls, monitoring systems and independent evaluation of the risk
management system drives the success of the ERM program. Simply put, the
ERM program focuses the company’s time on the most important and impactful
items that properly govern the organization each day, each month, each
quarter and each year of its operation.
The ERM program’s extent of coverage, its portfolio of risks and its
“language” (terminology and definitions) of risk must align with the
interests of several constituencies: customer interests,
shareholder/stakeholder objectives, board philosophy, management goals, and
their respective legal/regulatory responsibilities. A given ERM program does
not “fit” all organizations in the same way. Each entity must tailor its ERM
solution to its own goals and objectives (i.e. an ERM solution cannot be
bought “off the shelf”). The result of a successful ERM implementation within
a comprehensive corporate governance program is that it proactively creates
value. If not, ERM will simply be “another checklist to fill out and initial.”
Major categories of risk include:
Market-related, Liquidity-related, Operational (the “catch-all” category),
Strategic, Legal, Technological, and Reputational. Other types exist that
could be (and sometimes should be) separately identified and tracked; which
ones depend on the corporation’s industry and on the complexity and scope of
the organization. It is important to understand that risk is not inherently
a negative concept; it should be thought of as an opportunity to invest time,
talent and resources in the elements of the company that help attain the
organization’s goals. Why? Because no organization can make a profit without
taking risk. The “risk-return” philosophy is essential in all types of
corporations, and ERM allows the organization to prioritize its attention on
the critical and valuable opportunities presented to it so that it can reach
its goals and intentions. (“Goals” could represent earnings, organic growth,
acquisitions, diversification as well as other objectives.)
“Risk Appetite” dictates the amount of risk an entity will and will not
accept. The company’s board and its senior management decide the risk
appetite of the organization. No consultant, auditor, or examiner can supply
the risk appetite for them, and the same holds for the risk “tolerance” (the
threshold of risk that the entity can bear).
Who is responsible for ERM? The clearest response provided to date: “The
Director’s major responsibility is to provide a management structure that
adequately identifies, measures, controls, and monitors risk… Failure to
establish a risk management structure is considered unsafe and unsound
conduct” (Source: “Basics for Bank Directors”, Federal Reserve Bank of Kansas
City, U.S., 2010). Similar responsibilities of the board are documented in
COSO and GARP publications (the “Committee of Sponsoring Organizations of the
Treadway Commission” and the “Global Association of Risk Professionals”,
respectively).
How is ERM tracked? Usually by “Risk Models” that rate each risk at a level
such as High, Medium or Low (typically derived from scored likelihood and
impact), tracked on “Risk Maps” that graphically show the company’s risk
assessment at a given point in time. It is important to note that although
most Risk Models produce a numeric or ranked score, an important component
and weight in these models is a qualitative (“judgment or gut feel”)
adjustment to the assessment. This must always exist, to some degree, in any
successful ERM program; the adjustment and its rationale should be recorded
alongside the score so that internal audit or an examiner can challenge it.
Many times these Risk Maps are color-coded Red (high), Yellow (medium) or
Green (low) to show board members or managers at a glance where exposures are
found and/or concentrated; these maps are sometimes called “heat maps”. The
level of detail in a given Risk Map follows the reporting lines of the
organization: board-level reports are more global and summarized, while
divisional or departmental Risk Maps are more detailed.
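The scoring, the documented qualitative adjustment and the roll-up from departmental to board-level maps can be seen together in a small risk register. The following is an added illustration, not code from the original post or from any ERM product; the 1-5 likelihood and impact scales, the 8/15 band cut-offs, the one-band judgment adjustment and the sample risk entries are all assumptions chosen for the example.

```python
"""Toy ERM risk register: score risks, band them Green/Yellow/Red and roll
departmental heat maps up to a board-level summary.

Added illustration, not code from the original post. The scales, the band
cut-offs and the sample entries below are assumptions for the example."""
from collections import defaultdict
from dataclasses import dataclass

BANDS = ("Green", "Yellow", "Red")  # ordered from lowest to highest exposure


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str        # e.g. Operational, Technological, Reputational
    unit: str            # reporting line that owns the risk
    likelihood: int      # 1 (remote) .. 5 (almost certain), assumed scale
    impact: int          # 1 (negligible) .. 5 (severe), assumed scale
    judgment: int = 0    # qualitative adjustment: -1, 0 or +1 band
    rationale: str = ""  # required whenever judgment != 0


def validate(risk: Risk) -> None:
    """Reject entries the model cannot score consistently."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.risk_id}: likelihood and impact must be 1..5")
    if risk.judgment not in (-1, 0, 1):
        raise ValueError(f"{risk.risk_id}: judgment must be -1, 0 or +1")
    if risk.judgment and not risk.rationale.strip():
        # The qualitative component must be written down, otherwise the
        # resulting colour on the heat map cannot be challenged later.
        raise ValueError(f"{risk.risk_id}: judgment adjustment needs a rationale")


def inherent_score(risk: Risk) -> int:
    """Quantitative part of the model: likelihood x impact, 1..25."""
    return risk.likelihood * risk.impact


def band(risk: Risk) -> str:
    """Map the score to a band, then apply the documented judgment shift."""
    validate(risk)
    score = inherent_score(risk)
    idx = 2 if score >= 15 else 1 if score >= 8 else 0   # assumed cut-offs
    idx = min(len(BANDS) - 1, max(0, idx + risk.judgment))
    return BANDS[idx]


def department_map(register, unit):
    """Detailed map: every risk owned by one reporting line, worst first."""
    rows = [(r.risk_id, r.category, inherent_score(r), band(r))
            for r in register if r.unit == unit]
    return sorted(rows, key=lambda row: (-BANDS.index(row[3]), -row[2], row[0]))


def board_map(register):
    """Summarised map: one cell per risk category across the whole company.
    The cell colour is the worst band found in the category; the counts show
    where exposures are concentrated."""
    cells = defaultdict(lambda: {"band": "Green", "Red": 0, "Yellow": 0, "Green": 0})
    for r in register:
        b = band(r)
        cell = cells[r.category]
        cell[b] += 1
        if BANDS.index(b) > BANDS.index(cell["band"]):
            cell["band"] = b
    return dict(cells)


# Constructed sample register (hypothetical entries made up for the example).
REGISTER = [
    Risk("OPS-01", "Operational", "Payments", 4, 4),
    Risk("OPS-02", "Operational", "Payments", 2, 3),
    Risk("TECH-01", "Technological", "IT", 3, 3, +1,
         "Core system runs on a vendor release that is out of support"),
    Risk("TECH-02", "Technological", "IT", 2, 2),
    Risk("REP-01", "Reputational", "Marketing", 3, 5, -1,
         "Pre-approved communications plan tested last quarter"),
    Risk("LIQ-01", "Liquidity", "Treasury", 1, 5),
]

if __name__ == "__main__":
    print("Departmental map for IT (detailed):")
    for row in department_map(REGISTER, "IT"):
        print("  ", row)
    print("Board map (summarised by category):")
    for category, cell in board_map(REGISTER).items():
        print("  ", category, cell)
```

In the sample, TECH-01 scores 9 (Yellow on the numbers alone) but is raised to Red by a documented judgment call, while REP-01 scores 15 and is lowered to Yellow; an entry that carries a judgment shift without a rationale is rejected outright, which is the check a practitioner wants before a colour reaches the board pack.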
What are the key characteristics to assess your ERM program? These are the essential elements:
- Active board and senior management oversight.
- Adequate policies, procedures, and limits.
- Adequate risk management, monitoring, and management information systems.
- Comprehensive internal controls (without controls, risk management is worthless and provides no true value or accuracy of the reported exposures/risks in an organization).
If your organization is regulated, the authorities assigned to oversee it
will sooner or later assess its risk management program as part of their
evaluation of the company’s governance structure. They will, for example,
rate the quality of risk management (against regulatory guidelines, laws,
standards and industry experience) as one of the following: “strong”,
“satisfactory” (often paraphrased as “adequate”) or “weak” (Source: Office of
the Comptroller of the Currency (OCC) supervisory guidelines.)
Strong risk management:
“…effectively identifies and controls all major types of risk posed by
the relevant activity or function. The board and management participate
in managing risk and ensure that appropriate policies and limits exist,
and the board understands, reviews, and approves them...”
Satisfactory (“adequate”) risk management:
“…risk management systems, although largely effective, may be lacking to
some modest degree. It reflects an ability to cope successfully with
existing and foreseeable exposure that may arise in carrying out the
institution’s (company’s) business plan...”
Weak risk management: “…risk
management systems that are lacking in important ways and, therefore,
are a cause for more than normal supervisory attention. The internal
control system may be lacking in important respects, particularly as
indicated by continued control exceptions or by the failure to adhere to
written policies and procedures... could have adverse effects on the
safety and soundness of the financial institution (organization) or
could lead to a material misstatement of its financial statements if
corrective actions are not taken.”