7 Key Elements of Effective Enterprise Risk Management

Risk appetite, risk measurement, culture and governance, data management, risk controls, scenario planning and stress testing are among the critical components of a successful enterprise risk management program. How can firms blend these ingredients on the path to implementation?

If a company wants to minimize the effects of risk on its capital and earnings, reputation and shareholder value, it must implement a comprehensive enterprise risk management (ERM) program. A successful ERM framework not only aligns a firm’s people, processes and infrastructure but also yields a benchmark for risk/reward and aids in risk visibility for operational activities.

Ultimately, ERM should provide a firm with a competitive advantage – but what factors should be evaluated as one goes about developing it? Here are seven key components that must be considered:

1. Business Objectives and Strategy

Risk management must function in the context of business strategy, and the first step in this integration is for the organization to determine its goals and objectives. Typical organizational strategic objectives include market share, earnings stability/growth, investor returns, market value targets and service to all stakeholders.

From there, an institution can assess the risk implied in its strategy implementation and determine the level of risk it is willing to assume in executing that strategy. The firm’s internal risk capacity, existing risk profile, vision, mission and capability are among the factors that must be considered when making this determination.

All strategies are predicated on assumptions (beware of those that are unspoken and unverified) and calculations that may or may not be accurate; the role of ERM is to challenge these assumptions and, moreover, to execute the strategy. ERM and strategic management are not two separate things. Rather, they are two wheels of a bicycle that must be built uniformly to contribute to the stability of the whole.

2. Risk Appetite

Risk direction is defined by the risk appetite, which in turn is defined as “the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns).”

A risk appetite statement is the critical link that combines strategy setting, business plans, capital and risk. It reflects the entity’s risk management philosophy and influences the culture and operating style. A firm’s existing risk profile, risk capacity, risk tolerances and attitudes toward risk are among the considerations that must be taken into account when developing the risk appetite.

The risk appetite statement should be developed by management (with board review) and must be translated into a written form. The overall risk appetite is communicated through a broad risk statement, but should also be expressed, individually, for each of the firm’s different categories of risk. Most companies will include a mixture of financial risk categories (such as credit, strategic, market, liquidity and operations) and non-financial risk categories (such as fraud, regulatory, reputation, compliance, model and cyber), depending on their business model, operating environment and, more importantly, their financial/regulatory disclosures and obligations.

An effective risk appetite statement should be precise, so that it can not only be communicated and operationalized but also aid in decision making. More importantly, it needs to be broken down into specific operating metrics that can be monitored. Examples in the credit risk category would be % of bad debts/net sales and % of payment outstanding over 30 days/payments received. Each metric must be meaningful and material to the firm, resulting in a call to action if the metric deteriorates and exceeds the required standard.

Once the risk appetite is set, it needs to be embedded, and then continuously monitored and revised. As strategies and objectives change, the risk appetite must also evolve.

Any risk system is about balance: weighing the cost of preventing a risk against the cost of the risk occurring. For more on this, read Balancing Act: Do You Have Too Many Controls, or Too Few?

3. Culture, Governance and Taxonomy

The risk appetite statement should be conveyed through culture, governance and taxonomy. These three factors help an organization manage and oversee its risk-taking activities.

A strong risk culture – set from the top and augmented by comprehensively defined roles and responsibilities, with clear escalation protocols – is a must for successful ERM implementation. Robust, well-thought-out risk management principles, combined with ownership and culture training, help promote, reinforce and maintain an effective risk culture. Evidence of this strong risk culture can be seen in open communication, both in conflict resolution and top-down/bottom-up decision making.

Governance of a healthy ERM program not only includes the measurement and reporting of risk but embraces operating and support areas, from the perspectives of engagement, training and support. In fact, with tone from the top, these areas can become partners and even owners with the ability to manage outcomes, ensuring transparency and accountability.

Good ERM is about understanding change and managing that change within the overall mandate – rather than in isolation. Intertwined with this change is a need for a risk taxonomy, which can help better identify and assess the impact of the risks undertaken.

4. Risk Data and Delivery

It’s all about the data – more specifically, collecting, aggregating and distributing the correct data. Risk data and delivery must be robust and to scale, so that the information collected, integrated and analyzed can be translated into cohesive, credible narratives and reports.

5. Internal Controls

The internal control environment helps senior management reduce the level of inherent risk to an acceptable level, known as residual risk. Undoubtedly, it is one of the most important tools in the risk manager’s toolbox. Read more about effective controls here: Don’t Miss the Danger Signs: How to Monitor Your Risk Controls

Residual risk is the level of risk remaining after internal controls have been applied. An effective control environment must encourage and allow for a consistent structure that is balanced and realistic, within the context of a company’s internal workings.

6. Measurement and Evaluation

Measurement and evaluation determine which risks are significant, both individually and collectively, as well as where to invest time, energy and effort in response to these risks. Various risk management techniques and tools should be used to measure and quantify the risks, on both aggregate and portfolio levels. Examples include Value at Risk models to measure market risk, and the Sharpe Ratio[1] to measure investment risk.

To meet the requirements of different stakeholders and oversight/governance bodies, all risks, responses and controls must be effectively communicated and reported. The oversight/governance bodies are tasked with ensuring that a firm’s risk profile aligns with its business and capital plans.

7. Scenario Planning and Stress Testing

Given that management must address known and unknown risks, tools like scenario planning and stress testing are used to help shed light on these missing risks and, more importantly, the interconnection of these risks. Armed with this information, the organization can develop contingency plans to model these risks and to at least counter their effects on future operational viability.

Parting Thoughts

ERM is not a passing fad. Indeed, it is now instrumental to the survival of many organizations. By integrating an effective enterprise risk management system into the culture of your business, not only will key risks be mitigated but operations and profitability will improve as you gain deeper and deeper insight into your business.

It allows an organization to navigate, with some certainty, the risks posed to its business objectives and strategy. In short, ERM is good business practice.

[1] A measure that indicates the average return minus the risk-free return, divided by the standard deviation of return on an investment.
