Enterprise Risk Management - Are you ready?

"Now, ERM Counts" . . . says who?

Says Standard & Poor's, one of the world's leading credit rating agencies, which in 2008 began evaluating nonfinancial companies' Enterprise Risk Management (ERM) programs and factoring its assessments into credit ratings. Other rating agencies, such as Moody's and A.M. Best, have also acknowledged that ERM is a critical component of good corporate governance.

Perhaps more importantly, the SEC has recently proposed new regulations that will require the boards of corporations to report in greater depth on how they and their company's management work together to identify risk, analyze and set risk tolerances and materiality, and prioritize the mitigation of risk using an objective Enterprise Risk Management type process.

In today's business environment, board members and senior management can ill afford to be caught off guard. During the past ten years, huge corporate scandals focused much publicity and attention upon the compliance and financial controls aspects of good corporate governance. Legislative initiatives, such as Sarbanes-Oxley, required companies to adopt more stringent financial controls. Interestingly, however, recent statistics suggest that more often than not it is strategic and operational issues, rather than financial control and compliance issues, that are responsible when a company's performance goes awry. This is the reason for the current, heightened focus by corporate board members, senior management, numerous regulatory agencies, and financial rating agencies, such as S&P and Moody's, on the identification and control of non-financial risks as a critical component of good corporate governance.

This is why ERM is here to stay. Stakeholders demand previously unheard-of levels of transparency and candid assessment of risks that could prove material to the company. Senior managers who do not recognize and forthrightly respond to these demands do so at their own peril. No matter the acronym by which it is referenced (some call it Enterprise-Wide Risk Management (EWRM), while others prefer Governance, Risk and Compliance (GRC)), the size of your company, or where your company is headquartered, the concepts and principles that underlie ERM, when combined with good financial controls, provide a solid basis for good corporate governance.

So, what exactly is ERM, what can you expect from your ERM program and where do you start? Probably the most recognized definition is provided by COSO II (The Committee of Sponsoring Organizations of the Treadway Commission): Enterprise Risk Management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Many are probably familiar with the "COSO Cube" (see chart to the left).

In reality, however, there is no single "hard and fast" definition of ERM. While COSO and other approaches (such as AS/NZS 4360) reflect certain fundamental concepts that are reasonably standard to any ERM implementation effort, it is critical to recognize that for your company's ERM program to be successful (i.e. sustainable), its definition of ERM, as well as its approach to identifying and mitigating material risks and lost opportunities, must fit its unique organizational structure and culture. That is the only way to truly embed ERM into your company's annual budget and strategic planning cycles as a continuous process. In our experience, successful ERM programs share a number of similar goals and objectives. As a process, ERM programs are generally designed to:

  • Identify real and potential risks (threats) that may affect the organization's strategy and/or operations;
  • Manage/Mitigate such risks so that they align with the company's goals and objectives;
  • Assist the organization to identify and leverage previously unrecognized opportunities that could create benefit to the company, enhancing stakeholder value;
  • Supplement and enhance existing controls and capabilities, while fitting the culture of the organization. ERM should not add bureaucracy.

The significance of the first point cannot be overstated. Successful programs are "strategic" programs: they create a framework for evaluating risks across the entire enterprise, cross-functionally and at every level, in relation to the company's overall strategic goals.

As a result of assessing identified risks this way, the organization is able to "break down the silos" and gain a more realistic appreciation of truly "mission critical" risks, as well as potential lost opportunities. By then assigning ownership and proactively implementing the steps necessary to mitigate identified material risks, the organization becomes more resilient, providing reasonable assurances to the board, management, and stakeholders that it can achieve its stated goals and objectives.

What can you expect, in practical terms, from your ERM program? It depends on what is desired. As you begin the ERM evaluation process, there are two important considerations:

  • what does your organization want its ERM program to deliver?
  • how will your ERM program fit with and enhance other enterprise-level initiatives?

In reality, ERM encompasses a range of essential business protection disciplines, and there are some critical steps that should be taken to effectively set the foundation for a sustainable program. "Rome was not built in a day," and neither will your ERM program be. Successful ERM programs are generally developed via a multi-phase process (often 3 phases, with possible subsets depending on the complexity of an organization's corporate structure). The success of such a corporate-wide initiative requires both a "Top Down" (strategic) and a "Bottom Up" (operational) approach and, most critically, the support of senior management.

Phase 1:
Phase 1 focuses primarily upon the "top down" component and usually begins with a series of meetings involving senior management (and perhaps a Board member or two). The initial sessions are used to provide executives with a common understanding of ERM and highlight its value to the organization in practical, pragmatic terms. Senior management then establishes the scope, goals and objectives for the company's ERM program and identifies a project leader and team.

Phase 1, in many ways, is the most critical, defining the initiative's scope and setting the course. To facilitate success, selected ERM team members should be cross-functional and representative of all key business areas and functions. Using the guidance provided during the senior management sessions, this team will develop the company's definition of ERM and craft its strategic ERM implementation plan. The ERM "Core" team will develop the ERM vocabulary that the organization will use to objectively identify, compare and assess disparate risks across the organization. This vocabulary will include organizationally unique definitions of "Materiality" and "Frequency/Probability" and concise risk synonyms that will permit risks to be identified, quantified and measured in the language of each specific business, function or corporate unit. The team will also use the feedback gleaned from the senior management interviews and questionnaires to develop the company's initial "perceived" map of key risk drivers. The ERM "Core" team thus sets the stage for the critical Phase 2 Risk Driver workshops, which will validate the "perceived" risk map and identify new risk drivers for mitigation consideration.

Phase 2:
During Phase 2, the "Bottom Up" validation process, the practical aspects and benefits of ERM become more apparent. Cross-functional workshops, involving operational management and functional experts who are closest to and most knowledgeable about the risks, allow for a frank dialogue. Using the company's adopted ERM definitions, risk synonyms and anonymous voting techniques, Risk Drivers identified through the Phase 1 interviews and questionnaires and during the workshop sessions themselves are assessed, and a validated "risk map" is developed. This "risk map", which rates risk drivers based upon their voted-upon materiality and likelihood, as well as the level of current controls, allows the company to prioritize the risk drivers that should be considered for mitigation.

The "Core" working group (which often later morphs into a corporate committee responsible for overseeing the company's ERM process, such as a "Risk Council") consolidates the results from all workshops and then presents the findings to a selected group of company executives (e.g. the Risk Council or Compliance Committee), who then provide recommendations to senior management (and possibly the Audit Committee of the Board of Directors) as to the risk drivers that should be considered for Risk Mitigation initiatives during the upcoming budget and strategic planning cycle. Potential "Risk Owners" might also be identified at this time. It is at this point that ERM shifts from perception and theory into quantifiable, measurable action plans. The "talk" turns into the "walk"!

Senior management evaluates the consolidated ERM recommendations and then ratifies specific risk mitigation initiatives. Risk Owners are then confirmed and asked to develop specific, quantifiable Mitigation Plans (including the identification of project team members and a defined budget, as required). It is also important at this stage to develop and agree upon metrics to measure progress towards the stated objectives.

Phase 3:
Phase 3 is when more formal reporting requirements, an essential component of good corporate governance, become increasingly important. The processes and templates that will be used to monitor and report upon Mitigation Plan progress must be well thought out, practical and easy to use. They must also create a disciplined process that affords accountability and allows for effective communication within the organization, to senior management and to the Board.

During Phase 3, the company's annual ERM cycle of risk identification and analysis begins again, ensuring that the company's risk map and profile are not just a "snapshot" but a "living", continuous process. The goal: regular tracking of already known risks and proactive identification of new trends and risks on an annual basis, so that they can be addressed before they adversely impact the organization.

How we can help

All companies, no matter their size or geographic location, will benefit from and can afford to adopt ERM. As noted above, your company's ERM program should be specifically tailored to fit your culture, needs, capabilities, and risk profile. In this respect, Core Risks Ltd. is uniquely qualified to support your efforts. Our multi-disciplinary team has extensive, practical experience in assessing companies' true risk profiles and needs and in supporting them in their efforts to develop comprehensive ERM programs that address those risk profiles.

The Principals of Core Risks Ltd., Ken Krenicky, Ken Pina, and Andrew Tait, and their team are experienced risk management and compliance practitioners. In addition to Enterprise Risk Management, CRL provides its clients with Compliance and Supply Chain solutions, Risk Management, Business Continuity and Disaster Recovery (including broad-based IT/IS support), Crisis Management and Planning, Pandemic Business Continuity, and Complex Claims Settlement consulting services.