7 KEY TRENDS IN
ENTERPRISE RISK MANAGEMENT
A guide to enhancing strategic performance with smart ERM
By John Verver, CPA CA, CISA, CMC
Contents

Defining ERM (p. 4)
How do you spell success? E…R…M. (p. 6)
An ongoing journey: ERM capability model (p. 8)
7 key trends in the “era of ERM” (p. 10)
  1} Move beyond a compartmentalized “silo” view of risks (p. 11)
  2} Provide management with a whole new level of quantified insight into risks—and do it efficiently (p. 12)
  3} Capitalize on big data and smart analytics for fact-driven, real-time risk monitoring (p. 13)
  4} Take a whole new cost-effective, analytics-driven approach to internal controls (p. 14)
  5} Data-informed decision making = smart risk management (p. 15)
  6} Integrate risk management into daily business activities (p. 16)
  7} Bridge the gap between business and risk professionals (p. 17)
6 key characteristics of performance-enhancing ERM (p. 18)
  1} Meaningful, centralized risk identification (p. 19)
  2} Linking of strategic risks to control objectives, processes and policies (p. 20)
  3} Continuous monitoring and data analytics lead to continuous risk assessment (p. 21)
  4} A consistent* enterprise-wide approach (p. 22)
  5} Reporting the things that matter… and responding with action (p. 23)
  6} Reporting the things that matter… in the right way to the right people (p. 24)
ERM Process Flow (p. 25)
Take this simple test: Are you making these common (and risky) enterprise risk management errors? (p. 26)
What now? Next steps to getting started on the journey to performance-enhancing ERM… (p. 28)
Struggling to bridge the chasm between ERM and performance of your organization’s strategic agenda? (p. 29)
Excellence in enterprise risk management (ERM) practices is key to business performance success and involves
embracing risks to fully realize business opportunities. It means that the full spectrum of risks across the
enterprise—including strategic, operational, financial and compliance—must be seen in the context of achieving
corporate objectives and maximizing operational performance. It also means having constant insight into what
is actually happening (both inside and outside the organization), and what requires action and response to
achieve these objectives.
The reality is that it is not always easy to align and compare ERM processes in ways that convey the significance of relative risks to executive management. It can be challenging to align and relate differing industry standards within a common risk management framework, such as COSO or ISO. Organizations struggle to objectively quantify risk and to dynamically monitor risks in a way that clearly indicates the impact on corporate performance and objectives. It often proves difficult to obtain clarity from ERM processes around what should be the priorities for response actions in operational departments.

Poor risk management can spell disaster for an organization. Just look at the impact on brand and share price of Wells Fargo’s phony account scandal, or Volkswagen’s vehicle emissions fraud. And it is not just an issue for the private sector; government agencies can lose trust and credibility when they fail to address risks, such as the levee failures during Hurricane Katrina, which in turn led to many deaths and widespread misery.

Taking a smarter approach to managing risk and compliance processes at all levels makes good business sense. What is clear is that the benefits of an integrated enterprise approach to risk management cannot be achieved through traditional, often retrospectively-driven activities, using traditional technology.
In this eBook, we unpack what it means to perform successful risk management based on
work with thousands of organizations. Learn about 7 key trends in ERM and several
common risk management challenges—as well as best practices in overcoming them. We also
reveal 6 characteristics of data-driven ERM to enhance organizational performance and
help avoid the common ERM mistakes that organizations often make.
DEFINING ERM
Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by
addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
ERM represents a significant evolution beyond previous approaches to risk management in that it:
01 Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.).
02 Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual “silos.”
03 Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances and stakeholders.
04 Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks.
05 Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature.
06 Views the effective management of risk as a competitive advantage.
07 Seeks to embed risk management as a component in all critical decisions throughout the organization.
7 key trends in enterprise risk management 5
HOW DO YOU SPELL SUCCESS? E…R…M.
ERM can be the “silver bullet” that takes an organization from good to great—
enabling a scientific approach to systematically dealing with the obstacles to
success and driving performance excellence.
The most successful, high-performing organizations have ERM processes that share the following characteristics:
✔ Roadmap to excellence—take a phased approach to evolve the program.
✔ Driven by data—built on a foundation of the facts of what is actually taking place, by accessing and blending data in unique ways to identify risk trends and indicators.
✔ Dynamic—responsive to ever-changing risks and related events.
✔ Continuous—provide constant and timely insights in real time.
✔ Comprehensive—consider all aspects of all forms of risks, and their impact on each other, and in aggregate.
✔ Collaborative—ensure that all three lines of defense are working in an aligned way around their respective responsibilities.
✔ Forward-looking—provide notification of what is happening, what is likely to occur and what must be done in response.
✔ Action-oriented and time-bound—ensure that appropriate responses are identified and take place within a critical time frame.
✔ Contextual—provide insights that are relevant to the function of managers at different levels and with different roles as relevant to achieving overall corporate objectives.
✔ Highly efficient—driven by technology that is designed specifically for achieving all of the above.
AN ONGOING JOURNEY: ERM CAPABILITY MODEL
For most organizations, achieving optimal practices in risk management takes time and involves progressing
through various levels of capabilities. The important thing is that all those involved—in all three lines of
defense—are aligned around the ultimate objectives and understand their respective roles.
How mature are your organization’s ERM capabilities?

The reality is that there is a learning curve as management in the front lines of business, as well as those in formal risk management and compliance roles, along with audit, transform their processes and learn the most effective methods of collaboration.

In fact, based on our engagements with organizations in all industries in 150 countries around the globe, a phased approach is the most effective way to introduce and mature effective risk management. The snapshot below is the typical evolution of ERM in most organizations, which can be used as guidance for planning.

[Figure: ERM capability model. Vertical axis: value contribution. Stages from left to right: Baseline Program (value protection): Centralized ERM; ERM Driven by Data; Integrated ERM across Lines of Defense. Differentiated Program (risk ROI, value creation): ERM Integrated with Strategy & Optimized Performance, labeled industry best practice.]
Read on to find out what you really need to know—and do—to get up to speed in the “era of ERM.”
1} MOVE BEYOND A COMPARTMENTALIZED “SILO” VIEW OF RISKS
It has become obvious that failures in risk management processes can cause serious damage to an
organization. Frequently, this is due to an inability to see both the “big picture” issues at the same time as a
multitude of apparently minor risks.
Executive management may have little interest in regulatory compliance risks if historically a compliance infraction has simply meant paying a relatively small fine and moving on. Similarly, a breakdown in a financial control that allows some fraud to take place with negligible impact on corporate results will barely register on the radar.

Business managers responsible for operational risks in one business area may have no insights into patterns of operational and compliance failures in another area. They may also be focused heavily on their own mandate, without the context of impact on overall corporate objectives.

Each risk area, when viewed in isolation, may not be cause for concern in terms of achieving corporate objectives.

Then, seemingly from nowhere, a combination of events turns out to create a major problem. All of a sudden, for example, a series of apparently low impact compliance failures can attract the attention of regulatory authorities and then the media, resulting in what can turn out to be major damage to brand reputation, financial penalties and a long-lasting impact on share price. The root cause of the problem is often the inability to determine the impact of combining and aggregating different categories of risks.

On the other hand, a more advanced risk management process enables early recognition of the potential risk—and the ability to respond in a timely fashion to the early warning indicators revealed through trend analysis and risk aggregation. The solution is to implement a framework and an efficient oversight system for relating risks to each other, and a consistent way of measuring risk impact on the achievement of corporate objectives by aligning key risk indicators (KRIs) with key performance indicators (KPIs).
2} PROVIDE MANAGEMENT WITH A WHOLE NEW LEVEL OF QUANTIFIED INSIGHT INTO RISKS—AND DO IT EFFICIENTLY
In a traditional approach, getting an overview of the current state of risks faced by the enterprise is often a
cumbersome and highly subjective process. Assessment of different types of risks is often managed with
disparate processes in separate parts of the organization. Attempting to consolidate the multiple reports and
spreadsheets that are typically used is a resource-intensive process—and is frustrating for executive
management, who end up trying to make sense of a typically confusing attempt to mix the apples and oranges
of different risk categories and assessment processes.
Subjectivity and bias in risk assessment can also create a
fundamental flaw in risk management processes, especially in
cases where business managers are responsible for completely
different business lines and there is no effective mechanism for
comparing and normalizing risks in a meaningful way. Fact-based
analytics can overcome this weakness by normalizing risk
assessments, to provide more valid quantified risk comparison and
aggregation. Current trends rely on technology to enable re-
engineered processes that are simpler and more reliable. ERM
technology provides management at all levels and across all three
lines of defense with the ability to review up-to-date dashboards
reflecting the most current and quantified state of risk assessment,
allowing immediate and more informed decision making.
3} CAPITALIZE ON BIG DATA AND SMART ANALYTICS FOR FACT-DRIVEN, REAL-TIME RISK MONITORING
Big data can too easily mean “massive overload” and lead to “analysis paralysis.” However, the intelligent
analysis of data from multiple sources provides a uniquely scientific and objective ability to put all levels of risks
into context. Millions of daily operational and financial transactions can be monitored to determine whether, in
aggregate, risks are increasing to a point where action must be taken.
The ability to continually monitor what is actually happening within
multiple business processes over time allows management to
identify the critical trends that need to be addressed and acted
upon before relatively small issues turn into major problems.
Analytics can also provide insights into new and emerging risks:
ones that would never be noticed until it is too late when relying
on traditional risk management approaches.
The world of big data is also constantly growing and changing.
McKinsey reports, for example, that 90% of data did not exist two
years ago—and yet only an incredibly small 1% has actually been
analyzed1. This means that the potential for data-driven risk
assessment and monitoring is enormous, using new and different
types of data and analyzing data in ways that were just not
possible previously.
As organizations mature their risk management processes and
capabilities, they typically move from a retrospective and defensive
point of view on risk to a more forward-looking one that enables
smarter decision making. When this point is reached, risk
management practices can enable the organization to perform
better and drive at higher speeds, owing to the ability to both spot
likely obstacles that need avoidance steering and to accelerate as
fast as possible.
1. McKinsey & Company, “How to win in the age of analytics.”
4} TAKE A WHOLE NEW COST-EFFECTIVE, ANALYTICS-
DRIVEN APPROACH TO INTERNAL CONTROLS
Internal controls often have a bad reputation among business operational managers. They are seen as
impediments to “getting the job done” and meeting performance objectives. These views are sometimes
justified, especially when controls become expensive to maintain and negatively impact productivity despite
the risks being relatively low. Yet, allowing a culture in which controls are routinely bypassed or ignored is
unhealthy at best, and catastrophic at worst.
The answer is (for some forms of risks at least) to rely on analytics to monitor activities continuously. Instances of regulatory non-compliance, fraud, waste and abuse can be monitored so appropriate responses can be made as necessary.
Instead of preventing every single possibly risky transaction from
ever occurring with endless controls, the objective is to zero in on
the bad stuff that is actually happening. If the risk exposure or
financial impact is relatively low, it may be sufficient to simply
monitor for instances that violate controls or risk thresholds. And if
the risk, or impact, is high, transactions can immediately be
red-flagged—to inform which specific controls can be implemented
to prevent critical issues arising in the future.
As long as individual employees know the policy that is in place
and know that adherence is being monitored, traditional and often
expensive control approaches become unnecessary. Data analysis
and transaction monitoring allows the fine-tuning needed to build
a system that is neither over-controlled nor under-controlled.
5} DATA-INFORMED DECISION MAKING = SMART RISK MANAGEMENT
The traditional approach to risk management emphasized risk avoidance, with multiple processes and controls
designed to reduce the risks of poor decisions, poor performance or failures in compliance.
Some executives and business process managers may take the view
that ERM is making a big deal over something that they do
instinctively, as part of their jobs. They take risks and opportunities
into account whenever deciding a course of action around achieving
corporate objectives. But a word of caution: change is constant—
both within and outside the organization—and even the smartest
business manager struggles to keep informed of everything that is
happening and respond effectively, at the right time.
There is now widespread recognition within high-performance
organizations that risk management is not so much about avoiding
risks, but about making the most of opportunities. Information is
key to this; and using technology to make sense out of masses of
data is an essential tool in this process.
It is never practical to completely eliminate risks, nor is it usually
important to do so. What is important is to understand what is
currently happening and the most likely impact on opportunities,
strategic objectives and the impact of different courses of action.
It is this intelligent and highly informed culture of risk-taking that is
now understood to be key to exceptional corporate performance—
one that nearly always outperforms a traditional risk-averse culture.
At this stage in ERM processes, it becomes more apparent to all
stakeholders that instead of all risks being considered as inherently
bad, there are many forms of risk that are important to take (and to
manage intelligently), as healthy risk-taking is fundamental to
superior business performance.
6} INTEGRATE RISK MANAGEMENT INTO DAILY BUSINESS ACTIVITIES
An awareness of the overall benefits of seeing opportunity and risk as two sides of the same coin should lead
to an important outcome: driving an intelligent approach to risk management into day-to-day decision making
throughout the organization.
A smart, risk-intelligent culture means that employees understand
the impact of their decisions on the achievement of overall
corporate objectives. It also means that employees seek to be
continually informed about both the risks and the opportunities
within their area of responsibility—and take a proactive approach
to managing both.
A culture that addresses risk and opportunity in a smart way
results in employees that feel empowered to take on informed
risks, rather than focusing on an expectation that their
performance is measured on how much risk they eliminated.
Scenario analysis and the use of risk visualization dashboards
become a standard part of management practices.
7} BRIDGE THE GAP BETWEEN BUSINESS AND RISK PROFESSIONALS
Another common challenge to successful ERM in many organizations is the divide between risk management
professionals and business management. Risk professionals often lack the business context to fully understand
risks, and business managers lack practical understanding of the role of risk and compliance control
frameworks.
The solution is to achieve an integrated approach in which risk management frameworks, regulatory requirements, controls and compliance processes are all linked together in ways that allow both business managers and risk management professionals to see the world through a similar lens and context.

Integrating these stakeholders as part of a single program, and on a single shared platform, transforms the traditional, disjointed, siloed approach into unified oversight—and gets the entire organization working together in the same direction: achieving objectives and driving performance.
6 KEY CHARACTERISTICS OF PERFORMANCE-ENHANCING ERM
In order to manage risks in a smart way you need to know, of course, what the risks are—as well as how likely and
how extensive they are. You also need to know how they compare and relate to each other. Most importantly,
they need to be put in the context of impact on the achievement of strategic and corporate objectives.
One of the typical characteristics of a traditional siloed approach
to risk management is that risks are viewed in isolation. Regulatory
risks may be managed by a compliance team and financial risks by
the CFO’s team. And there may be no specific process to assess
and manage operational and strategic risks; they are just part of
the job for various business areas and executive management.
A better approach is to clearly categorize risks by type, such as
strategic level and process level risks—and show how they relate to
each other and, ultimately, impact corporate objectives. This
provides all three lines of defense with a centralized system in
which to perform their respective roles and collaborate. In
addition, it forms the basis for a combined and aggregated view of
risks that enables the organization to manage risk overall in a far
more intelligent and informed manner.
One of the most important benefits of a technology-enabled and data-driven approach to ERM is the ability to
get insights into what is likely to happen—and to be able to do something about it, on a timely basis.
Continuous monitoring and analytics produce trend reports that are critical to identifying areas of concern from a risk perspective, as well as areas of opportunity. This makes it possible to respond quickly, and change a process or a control procedure that is not working effectively. It also enables the ability to spot a business opportunity or a process improvement that would otherwise not have been apparent.

Trends relating to risks can be shown in multiple dimensions (e.g., by time, business area, geography, risk and control type). The value of trend reporting far surpasses a traditional retroactive, point-in-time assessment of risk.
ERM PROCESS FLOW
[Figure: a cycle of four phases, Identify and Assess, Monitor and Analytics, Manage Responses, and Modify, with steps 1 to 16 arranged around it. Inputs shown: Risks, Control Objectives, Control Frameworks, Policies and Regulations, Processes, Data from within and outside the organization, Data Analytics, and Analysis Results.]
Identify and respond to risks
01 Create a registry of risks, including both strategic and operational risks.
02 Assess risks and define responses to risks, including assigning ownership.
03 Define control objectives and control processes.
04 Link risks to relevant control objectives and processes.
05 Link related risks to strategic risks and to each other.

Monitor and continuously assess risks and controls
06 Assess the risk of control weaknesses and failure to comply with policies.
07 Monitor the effectiveness of controls and compliance activities through transaction monitoring.
08 Assess changing risks and identify new risk trends through data analysis.
09 Obtain up-to-date confirmation of the effectiveness of control and compliance activities from owners by means of automated questionnaires and, where appropriate, verification of adherence.

Manage results and respond
10 Manage the entire process of responding to results and exceptions generated from analytics monitoring and from questionnaires and verifications.

Report results and update assessments
11 Use the results of monitoring and exception management to produce up-to-date risk assessments.
12 Identify new and changing risks and regulations as they occur and update repositories, and control and compliance procedures.
13 Report on the current status of risk management activities from high to low detail levels.
14 Produce dynamic risk assessment dashboards.

Improve the process
15 Identify duplicative processes and enhance procedures to combine and improve controls and compliance tests wherever appropriate.
16 Provide the ability to integrate regulatory compliance risk management, monitoring and reporting with overall risk management activities.
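The transaction-monitoring approach of trend 4 (log and watch low-impact control violations, red-flag high-impact ones instead of blocking every risky transaction) and the cross-silo aggregation of trend 1 (a run of individually minor exceptions that only becomes significant when combined) come together in steps 04, 07 and 11 of the flow above. The following Python is an added example written for this page; it is not ACL's code and not part of the original eBook. The vendor master, the payment batch, the three rules, the approval limit and the KRI thresholds are all constructed assumptions chosen so that no single business unit trips its own alert while the enterprise-wide total does.

```python
"""Added example (not from the original eBook): continuous transaction monitoring
whose exceptions feed key risk indicators (KRIs) aggregated across business units.
All data, rules and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed control parameters (not from the page).
APPROVED_VENDORS = {"V100", "V200", "V300"}   # vendor master file
APPROVAL_LIMIT = 10_000        # single-approver purchase limit
HIGH_IMPACT_AMOUNT = 25_000    # at or above this, red-flag for immediate response
UNIT_KRI_LIMIT = 3             # exceptions per unit that trigger a unit-level alert
ENTERPRISE_KRI_LIMIT = 5       # aggregated exceptions that trigger escalation


@dataclass
class Payment:
    pid: str
    unit: str
    vendor: str
    requester: str
    amount: float
    day: date
    invoice: str


@dataclass
class ControlException:
    rule: str
    unit: str
    amount: float
    pids: list
    red_flag: bool   # True: respond now; False: log it and watch the trend


# Constructed payment batch. Each unit has exactly two problems of its own.
PAYMENTS = [
    Payment("P1", "EMEA", "V100", "alice", 4_500, date(2017, 3, 1), "INV-1"),
    Payment("P2", "EMEA", "V100", "alice", 4_900, date(2017, 3, 1), "INV-2"),
    Payment("P3", "EMEA", "V100", "alice", 4_800, date(2017, 3, 1), "INV-3"),  # split purchase
    Payment("P4", "EMEA", "V999", "bob", 1_200, date(2017, 3, 2), "INV-4"),    # unapproved vendor, low impact
    Payment("P5", "APAC", "V200", "carol", 3_000, date(2017, 3, 2), "INV-5"),
    Payment("P6", "APAC", "V200", "carol", 3_000, date(2017, 3, 2), "INV-5"),  # duplicate invoice
    Payment("P7", "APAC", "V998", "dave", 30_000, date(2017, 3, 3), "INV-6"),  # unapproved vendor, high impact
    Payment("P8", "AMER", "V300", "erin", 9_900, date(2017, 3, 3), "INV-7"),
    Payment("P9", "AMER", "V300", "erin", 9_900, date(2017, 3, 3), "INV-8"),   # split purchase
    Payment("P10", "AMER", "V997", "frank", 800, date(2017, 3, 4), "INV-9"),   # unapproved vendor, low impact
]


def rule_unapproved_vendor(payments):
    """Payment to a vendor that is missing from the vendor master."""
    return [ControlException("unapproved_vendor", p.unit, p.amount, [p.pid],
                             p.amount >= HIGH_IMPACT_AMOUNT)
            for p in payments if p.vendor not in APPROVED_VENDORS]


def rule_split_purchase(payments):
    """Several sub-limit payments, same requester/vendor/day, exceeding the limit in total."""
    groups = defaultdict(list)
    for p in payments:
        if p.amount < APPROVAL_LIMIT:
            groups[(p.unit, p.requester, p.vendor, p.day)].append(p)
    found = []
    for (unit, _, _, _), ps in groups.items():
        total = sum(p.amount for p in ps)
        if len(ps) > 1 and total >= APPROVAL_LIMIT:
            found.append(ControlException("split_purchase", unit, total,
                                          [p.pid for p in ps], total >= HIGH_IMPACT_AMOUNT))
    return found


def rule_duplicate_invoice(payments):
    """Same vendor and invoice number paid more than once."""
    seen, found = {}, []
    for p in payments:
        key = (p.vendor, p.invoice)
        if key in seen:
            found.append(ControlException("duplicate_invoice", p.unit, p.amount,
                                          [seen[key].pid, p.pid], p.amount >= HIGH_IMPACT_AMOUNT))
        else:
            seen[key] = p
    return found


RULES = (rule_unapproved_vendor, rule_split_purchase, rule_duplicate_invoice)


def monitor(payments):
    """Run every rule over the batch: a monitoring step, not a blocking control."""
    return [e for rule in RULES for e in rule(payments)]


def aggregate_kris(exceptions):
    """Roll exceptions up per unit and enterprise-wide. The enterprise view can
    trip even when every unit, viewed in isolation, stays under its own limit."""
    per_unit = defaultdict(int)
    for e in exceptions:
        per_unit[e.unit] += 1
    total = sum(per_unit.values())
    return {"per_unit": dict(per_unit),
            "unit_alerts": sorted(u for u, n in per_unit.items() if n >= UNIT_KRI_LIMIT),
            "red_flags": [e.pids for e in exceptions if e.red_flag],
            "enterprise_total": total,
            "escalate": total >= ENTERPRISE_KRI_LIMIT}


if __name__ == "__main__":
    for key, value in aggregate_kris(monitor(PAYMENTS)).items():
        print(f"{key}: {value}")
```

Run as a script, it reports two exceptions per unit (no unit-level alert), one red flag (the 30,000 payment to an unlisted vendor) and an enterprise total of six, which crosses the escalation threshold. Which thresholds to use, and whether a split-purchase pattern should block or merely be logged, is exactly the fine-tuning between over- and under-control that the text describes.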
TAKE THIS SIMPLE TEST:
ARE YOU MAKING THESE COMMON (AND RISKY)
ENTERPRISE RISK MANAGEMENT ERRORS?
Do the risk management processes in your organization suffer from any of these risky characteristics?
Take this quick quiz by checking all that apply to your current enterprise risk management (ERM) process…
□ Spreadsheet-driven
Spreadsheets are incredibly versatile tools and, for certain activities, are impossible to beat in terms of ease-of-use and cost effectiveness. But ERM is not one of
these activities.
There are at least two major drawbacks:
» Spreadsheets are difficult and unwieldy to consolidate. Even if the same consistent spreadsheet template is mandated for use across the ERM process, the task of compiling large numbers of spreadsheets (potentially hundreds or more!) is often highly inefficient and frustrating.
» Spreadsheets are highly prone to error. The great benefits of spreadsheet flexibility also represent a big risk to the integrity of the ERM process. Even the best-designed and best-controlled spreadsheet template can get altered by accident and result in incorrect data. The impact on enterprise risk assessment can be serious. (And the irony of managing risk in a risky tool undermines credibility in the whole undertaking!)
According to GRC 20/20 (note 2), financial services regulators in the US are stating that spreadsheets and documents for audits and risk/compliance assessments are no longer acceptable without additional tools to enhance the data. The post further states additional reasons why spreadsheets are not suited to GRC functions, including: lack of audit trails, easier malicious data manipulation, lack of workflow structures, compilation nightmares, and increased risk of compilation errors.
□ Consists of silos
You are probably already well aware of the problems with risk management and compliance silos. The extent of the issue varies from one organization to another (sometimes dramatically so), reflecting the way that processes evolved over time, usually having emerged from the days before organizations thought about ERM. If there was a need to manage compliance with SOX, EPA regulations, FCPA or any of the tens of thousands of other regulatory requirements that exist, then it was likely that some form of team developed to focus on specific types of compliance requirements. And that’s just for compliance…

Various forms of risk management silos often exist for almost every different aspect of risk (including strategic, financial and operational), each of which may have its own sub-categories for function, or geography or business unit. From a process point of view (and a technology one) the problem is that every silo takes a different approach to tracking, managing, assessing and reporting on different risks. The result is nearly always less than efficient and often duplicative and wasteful of resources. And a lot of expensive time is spent copying, pasting and amalgamating reports.
2. GRC 20/20, “Why Spreadsheets, Documents & Emails Fail for GRC.”
WHAT NOW? NEXT STEPS TO GETTING STARTED ON THE JOURNEY
TO PERFORMANCE-ENHANCING ERM…
If you have read this far, there’s a strong chance that you already know the ERM processes
in your organization need improvement…
or perhaps a complete transformation.
What can you do next?
Take a moment to assess your current ERM approach:
» How does your organization’s approach compare to what you have just read in this eBook?
» Could your risk and compliance management program deliver more value to your organization if it evolved into a true performance-focused, enterprise-wide process?
» What benefits could you achieve?
» What obstacles do you foresee in getting where you want to be?
We have worked with many organizations which were intent on accelerating corporate performance
through a better approach to risk management. Technology is a critical enabler of a high-performance
ERM process, and ACL’s risk management platform has been designed to support the most intelligent and
effective processes. Get in touch. We want to do our job by listening to what you have to say, learning
more about what you want to achieve—and sharing our methodology, developed through our work with
thousands of customers like you.
In part two of this eBook series, we show you how modern technology
can transform your ERM processes to enhance strategic performance,
and provide a technology evaluation checklist to help you assess your
internal processes and reveal where technology gaps are holding your
organization back. Visit acl.com for more resources to jumpstart your
journey to performance-enhancing ERM.
STRUGGLING TO BRIDGE THE CHASM BETWEEN ERM AND
PERFORMANCE OF YOUR ORGANIZATION’S STRATEGIC AGENDA?
© 2017 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd.
All other trademarks are the property of their respective owners.