One of the most critical challenges for management today is determining how much risk the business is prepared to accept as it strives to create value. Yet research consistently indicates that six out of ten senior executives lack high confidence that their company's risk management practices identify and manage all potentially significant business risks. With the heightened focus on risk management, it has become increasingly clear that traditional risk management approaches do not adequately identify, evaluate and manage risk. Traditional approaches tend to be fragmented, treating risks as disparate and compartmentalized. They often limit their focus to managing uncertainties around physical and financial assets. Because they concentrate largely on loss prevention rather than on adding value, traditional approaches do not provide the framework most organizations need to redefine the risk management value proposition in a rapidly changing world. Under enterprise risk management (ERM), the focus is on integrating risk management with existing management processes, identifying future events that can have both positive and negative effects, and evaluating effective strategies for managing the organization's exposure to those possible future events. ERM transforms risk management into a proactive, continuous, value-based, broadly focused and process-driven activity.
Table: traditional risk management compared with ERM, by Focus, Objective, Scope, Emphasis and Application. Most cells were not recovered; the surviving entries are "Financial and hazard risks and internal controls" (Focus, traditional risk management), "Management" and "Strategy-setting".
The COSO Enterprise Risk Management - Integrated Framework, issued in September 2004, defines ERM in broad terms that underscore some fundamental concepts and provides a common language as well as guidance on how to effectively manage risk across the enterprise. Like its internal control counterpart, the COSO ERM framework is presented as a three-dimensional matrix. It includes four categories of objectives across the top: strategic, operations, reporting and compliance. There are eight components of enterprise risk management across the face of the cube. Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix along the side. This ERM framework does not replace the internal control framework. Instead, it incorporates it. As a result, businesses may decide to implement ERM to address their internal control needs and to move toward a more robust risk management process.
There are many possible starting points. Examples include:
Compliance with the Sarbanes-Oxley Act (specifically Sections 404 and 302 of the Act).
Risks other than financial reporting risk (for example, one or two priority financial or operational risks, operational risk in a financial institution, other regulatory compliance risks and/or governance reform issues).
Evaluating enterprise-wide risk assessment results to identify priority areas. (In other words, migration to ERM begins with first selecting the priority risks and assessing the current state of the risk management capabilities addressing those risks, as discussed in Step 1.)
Integration of ERM with the management and operating processes that matter (for example, strategic management, annual business planning, new product launch or channel expansion, quality initiatives, performance measurement and assessment, capital expenditure planning).
Many public companies in the U.S. may begin their evolution to ERM with Section 404 compliance, because the first-year compliance investment is significant and a company cannot have sound governance without transparency in its financial reporting. A strong focus on reliable financial reporting is a good foundation on which to build ERM capabilities. Regardless of where an organization begins its journey, the focus of ERM is the same: to advance the maturity of risk management capabilities for the organization's priority business risks.
STEP 4: Evaluate the existing ERM infrastructure capability and develop a strategy for advancing it.
It takes discipline to advance the capabilities around managing the critical risks. The policies, processes, organization and reporting that instill that discipline are called ERM infrastructure. We have asserted that the purpose of ERM is to eliminate significant gaps between the current state and the desired state of the organization's capabilities around managing its key risks.
We provided some examples of ERM infrastructure above when discussing Step 2. Other examples include a common risk language and other frameworks, knowledge sharing to identify best practices, common training, a chief risk officer (or equivalent executive), definition of risk appetite and risk tolerances, integration of risk responses with business plans, and supporting technology. ERM infrastructure facilitates three very important things with respect to ERM implementation. First, it establishes a fact-based understanding of the enterprise's risks and risk management capabilities. Second, it ensures there is ownership of the critical risks. Finally, it drives closure of gaps. ERM infrastructure is not one-size-fits-all. What works for one organization might not work for another. The elements of ERM infrastructure vary according to the techniques and tools deployed to implement the eight ERM components (see the COSO ERM framework introduced above), the breadth of the objectives addressed, the organization's culture and the extent of coverage desired across the organization's operating units. Management should decide which elements of ERM infrastructure are needed according to these and other appropriate factors.
STEP 5: Advance the risk management capabilities for key risks.
This step begins with selecting the enterprise's priority risks. After the first four steps are completed, it will often be necessary to update the enterprise-wide risk assessment (ERA) for change. Once the priority risks are defined, based on the updated ERA, management must determine the current state of the capabilities for managing each risk and then assess the desired state, with the objective of advancing the maturity of the capabilities around managing those risks. This has already been accomplished for one or two priority risks (see Step 3). Now management broadens the focus to the other priority risks.
Figure: capability maturity continuum for risk management (process evolution from Initial through Repeatable, Defined and Managed to Optimizing), showing for each level its capability attributes and the method of achievement.
Capability attributes recovered from the figure:
Optimizing (Continuous Feedback): risk management a source of competitive advantage.
Managed: attribute not recovered.
Defined (Qualitative/Quantitative): policies, process and standards defined and institutionalized.
Repeatable (Intuitive): process established and repeating; reliance on people continues.
Initial (Ad Hoc/Chaotic): dependent on heroics; institutional capability lacking.
Method of achievement, as listed in the figure from Optimizing down to Initial: increased emphasis on exploiting opportunities; best-of-class processes; knowledge accumulated and shared; rigorous measurement methodologies/analysis; intensive debate on risk/reward trade-off issues; process uniformly applied across the firm; remaining elements of infrastructure; rigorous methodologies; common language; quality people assigned; defined tasks; initial infrastructure elements; undefined tasks; relies on initiative; "just do it"; reliance on key people.
Source: Adapted from the Carnegie Mellon University Software Engineering Institute, 1994
Risk management capabilities must be designed and advanced consistent with an organization's finite resources. For each priority risk, management evaluates the relative maturity of the enterprise's risk management capabilities. From there, management needs to make a conscious decision: how much added capability do we need to continually achieve our business objectives? Further, what are the expected costs and benefits of increasing risk management capabilities? The goal is to identify the organization's most pressing exposures and uncertainties and to focus the improvement of capabilities for managing those exposures and uncertainties. The ERM infrastructure that management has chosen to put in place drives progress toward this goal. Companies in the early stages of developing their ERM infrastructure often lay the foundation with a common language, a risk management oversight structure and an enterprise-wide risk assessment process. Some companies have applied ERM in specific business units. And a few companies have evolved toward more advanced stages, such as the management of market and credit risks in financial institutions and the management of compliance risks in other industries. Wherever a company stands with respect to developing its risk management, directors and executive management would benefit from a dialogue around how capable they want the entity's risk management to be with respect to each of its priority risks. The capability maturity model provides a scale for evaluating the maturity of an organization's risk management capabilities. The model provides five states for rating the maturity or capability of any process, ranging from Initial to Optimizing. The capability maturity model, shown above, is a powerful tool for evaluating sustainability.
Using this model, management rates the enterprise's capabilities in key risk areas, identifies gaps based on the level of capability desired in specific areas, and shifts the dialogue on operating metrics to incorporate appropriate emphasis on process maturity. The ERM infrastructure ensures that the rating process is fact-based and conducted with integrity by the participating risk owners.
The model provides a valuable framework for facilitating substantive dialogue among directors, management and others regarding the capability of the organization's processes as compared with the critical risk areas identified in its risk assessments. Armed with this tool, boards and management are able to satisfy themselves that risk management improvements are directed to the areas of greatest concern and exposure. The focus is then directed to implementing those improvements according to management's plan over time. Again, the ERM infrastructure provides oversight to ensure that improvements are on schedule.
This is a summary of a presentation delivered by James DeLoach, Managing Director for Protiviti, at the MIS SuperStrategies Conference, April 26-29, 2005, in Las Vegas, Nevada.
Protiviti offers a suite of technology tools to help organizations manage risk and to help individuals improve their professional development. For more information, call 888-556-7420 or visit protiviti.com.
Discoveri
Discoveri is a web-enabled, integrated application suite designed to link risk intelligence management and data analysis/mining techniques with internal audit execution. Discoveri enables Protiviti professionals to analyze and mine data for the purpose of mitigating business risks and uncovering and transforming data into profitable information for our clients.
KnowledgeLeader
KnowledgeLeader is a subscription-based website that provides tools, templates and resources to help save time, stay up-to-date and manage business risk. The sample work programs, policies and procedures, and performance tools for internal audit and IT audit are updated weekly. Visit www.knowledgeleader.com for a free 30-day trial.
SarbOx Portal
SarbOx is a web-based solution designed to facilitate improved corporate governance, compliance with Sarbanes-Oxley requirements and enhanced business performance. It serves as a repository for control documentation, evaluation and testing. As a component of the Protiviti Governance Portal, SarbOx integrates with Self Assessor and the Operational Risk Management Portal.
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.