The Staying Power of ERM in Internal Auditing

Many may feel that enterprise risk management is a passing fad, but evidence shows otherwise.

As organizations continue to operate in such a volatile business environment and experience the woes of the current economic crisis (characterized as one of the worst since the Great Depression), companies are looking for ways to hedge their risks and minimize their losses.

According to the State of the Profession Survey, “Strategic, business and operational factors contributed to rapid shareholder losses in more than 80 percent of cases involving large organizations in recent market studies, while financial risks accounted for 15 percent of the losses.” Given the amount of exposure, companies need to, at a minimum, be proactive in institutionalizing ERM. Regulators and credit agencies are also taking notice of ERM and implementing ERM or portions of ERM in their evaluations.

Organizations cannot ignore ERM anymore. The traditional risk management approach of looking at risks in silos is long gone. Instead, companies must view risks from an enterprise-wide perspective, focusing on strategic, operational and financial factors.

As defined by the Committee of Sponsoring Organizations of the Treadway Commission, ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity objectives.

In institutionalizing ERM, organizations will have to rely heavily on their internal auditors to help them transition away from Sarbanes-Oxley. These internal auditors will be used in both the traditional assurance role as well as non-traditional roles.

From a traditional standpoint, organizations will continue to look to their internal auditors to provide independent, objective assurance in evaluating the effectiveness of their internal control framework as it relates to ERM, as well as to assist in the identification and assessment of key risks and processes.

In implementing ERM, internal auditors do not necessarily have to start from scratch. In the past several years, public companies have focused on financial risks in compliance with the Sarbanes-Oxley Act, and can leverage the internal controls and risk assessments identified there to provide a good foundation for ERM. But this does not complete ERM. Remember, ERM includes additional risks, both strategic and operational. Risks must be evaluated from the traditional impact and likelihood standards, but the timeframe should also be considered. The timeframe of when the risks affect the viability and success of the organization will impact the prioritization of that risk. Internal auditors may use a risk matrix to help with the prioritization of the risk: low, moderate and high.

Internal auditors should never be involved in setting risk tolerance levels or risk responses. Those are the responsibilities of the organization. It is also the organization's responsibility to develop or identify key performance indicators (KPIs): the metrics or data that indicate whether an objective is being met and provide early warnings of risks.

As the organization’s ERM process matures, internal auditors may be asked to periodically re-evaluate or audit the ERM framework, including KPIs, to ensure that the framework still addresses significant risks and produces reliable data to make informed decisions.

Organizations will also look to internal auditors to fill non-traditional roles, including trainer or educator and coordinator or facilitator. As trainers or educators, auditors must understand that ERM is a process or methodology for the identification, assessment and management of risks enterprise-wide. This process provides a structured and disciplined approach to implementing risk management.

ERM will not eliminate all risks or even guarantee that an organization will never experience a loss. It only allows organizations to anticipate the consequences of future risk events that may positively or negatively impact the viability of the organization. It also allows organizations to be proactive rather than reactive.

As coordinators, auditors are often relied upon to consolidate data. One cannot underestimate the importance of data, the quality of which drives the success of ERM. Organizations may use various forms of business intelligence, such as a risk heat map or robust dashboards, to help identify where problems may lie and how to respond to them. A gap analysis of current and desired capabilities around managing critical risks may also be performed.

Without standards, risks and objectives are left open to varying interpretations. Inconsistent definitions will result in incorrect measurement of risks and a false picture of the risk environment. Companies must identify stakeholders beyond the C-level to assist in translating the mission statement or the company’s objectives into actionable items and incorporating those into the organization’s operations and culture.

The most important thing to remember about ERM is that it is not a one-size-fits-all solution, and it takes time. Each ERM framework is unique, tailored to the organization’s culture and risk profile. It does not happen overnight, and organizations should not expect to see a return on investment immediately. ERM implementation requires active participation from all levels of the organization and includes periodic re-evaluation as significant changes occur. On average, full implementation takes three to five years.

ERM does not replace internal controls or management’s responsibility to ensure proper risk management. Internal auditors are used to assist the organization in integrating ERM with other management initiatives, such as strategic planning, merger and acquisition evaluations, budgeting, Sarbanes-Oxley, internal audit, crisis management, etc., to provide for good corporate governance. ERM should be reflected in the day-to-day operations.

Elaine Nguyen is part of Business Advisory Services at Hein & Associates LLP.
