Enterprise Risk Management (ERM); From theory to practice


Page 1: Enterprise Risk Management (ERM); From theory to practice

Enterprise Risk Management: From Theory to Practice

Michael Siyanbola Bsc. MBA, FCII, FIMC FIIN,FIoD

© 2012 All rights reserved

Page 2

Introduction

This paper:

illustrates how ERM works in practice;

affirms that a one-size ERM does not fit both private and public sector organisations;

highlights the differences in risk and risk tolerance between private and public sector organisations;

suggests that the ERM process must reflect the delegation of risk-taking authority within the system;

articulates a model for reporting on ERM through annual reports and management certification.

Page 3

Understanding Key Concepts around ERM

ERM is an ongoing process, not a one-off event or task.

ERM focuses on risks that could be significant to an organisation, with significance measured in terms of the impact of the risk event (decision point) and its probability of occurrence.

ERM takes an enterprise-level view of every significant risk or decision issue.

ERM demonstrates that significant decision issues are well managed.

Page 4

Rationale for ERM Practice

ERM is a principle of good management which represents an important part of an organisation's overall governance and management framework.

ERM helps the organisation to reap the benefits of good management decisions.

ERM helps to focus the organisation's business plan on the right issues, so that resources are allocated to the areas of greatest value.

ERM protects the value of the firm.

Page 5

Framework for Implementing ERM

S/N  Phase                                  Description of Phase
1.   Risk Governance                        Develop an approach for understanding, building, supporting and embedding risk strategies and accountabilities.
2.   Risk Assessment                        Identification, assessment and categorisation of risks across the organisation.
3.   Risk Quantification and Aggregation    Measurement, analysis and consolidation of enterprise risks.
4.   Risk Monitoring and Reporting          Reporting, monitoring and assurance activities.
5.   Risk and Control Optimisation          Using risk and control information to increase performance.

Page 6

Framework for Implementing ERM

An organisation's goals and ownership impact the type and nature of its risks. For example:

Strategic risks exist mostly for private sector organisations but rarely for public sector organisations.

Liquidity risks in public sector organisations take on a different nature than in private sector organisations.

Reputational risks impact private sector organisations more than public sector organisations.

Page 7

Framework for Implementing ERM

An organisation's performance measures, goals and ownership dictate how it perceives risks. For instance, private sector firms view risks as opportunities with the potential to add value, while public sector firms are concerned about potential adverse outcomes based on political exigencies or threats to the fulfilment of public policy mandates.

Page 8

Steps in Implementing ERM

1. Get ERM buy-in

2. Build an ERM foundation

3. Initiate enterprise-level risk assessment

4. Conduct an on-going assessment of significant risks

5. Develop an ERM reporting framework

Page 9

Steps in Implementing ERM

1. Get ERM buy-in. Convince management/the governing body of the value of ERM.

Receive direction and oversight, and obtain resources for ERM implementation.

Receive support from the Board and make the CEO the ERM champion.

Build an effective but cost-efficient ERM process.

Page 10

Steps in Implementing ERM

2. Build an ERM foundation.

Set goals for the implementation of ERM in the organisation.

Formalise the roles and responsibilities of management and the board through the establishment of an ERM policy.

Obtain an understanding of the significant risks to which the firm is exposed.

Establish appropriate risk management policies for those significant risks, with periodic review. Manage risks according to the ERM policies.

Report to the Board and management on ERM issues.

Charge a Chief Risk Officer with the responsibility for coordinating and facilitating ERM.

Set up a Management Committee to confirm the ERM implementation approach and ongoing results.

Page 11

Steps in Implementing ERM

3. Initiate enterprise-level risk assessment.

Update the list of corporate risks, the risk register and the risk categories, definitions and examples of each risk.

Conduct individual interviews with Executive and Non-Executive members to get their understanding of the key risks facing their direct area of responsibility and those facing the firm as a whole.

Assess the significance of each risk identified and summarise the practices and controls unique to the firm.

Create an acceptable qualitative rating scale, e.g. low, moderate and high, and assess the impact of a potential worst-case risk event and the likelihood that the event would occur.

Categorise each resulting risk exposure as stable, decreasing or increasing.

Compare each risk initiative against corporate plans.

Conduct a gap analysis to confirm whether Board policies are in place for each significant risk.

Page 12

Steps in Implementing ERM

4. Conduct an on-going assessment of significant risks.

Organisations are not static, and neither are their significant risks; therefore re-evaluate risks from time to time.

Identify emerging risks and categorise them appropriately.

Build risk assessment into day-to-day decision making.

Page 13

Steps in Implementing ERM

5. Develop an ERM reporting framework.

ERM-related information should be given to those making decisions about significant risks on a day-to-day basis.

ERM reports should be given to management, internal and external auditors, and other external stakeholders.

ERM reports should contain the following:

a) catalogue of significant risks;

b) risk categories;

c) risk exposure map;

d) detailed risk report; and

e) summary risk report.

Page 14

Road Blocks in ERM Implementation

Resistance to ERM comes through questions such as: what is it, why do I need it, and what value will it provide?

Resistance to change from the old to the new.

Managing expectations of how long it takes to implement ERM.

Completing ERM: when are we there?

Determining the risk tolerance level for the firm.

Page 15

Conclusion

The goals of public sector organisations are different from those of the private sector, since public sector organisations are public policy-driven rather than owner value-driven. Public sector organisations see risks as obstacles to fulfilling their mandates, whereas private sector organisations see risks as opportunities to maximise value. A one-size ERM does not fit all; therefore tailor ERM to reflect the way the organisation delegates risk-taking authority. Attend to and resolve the challenges posed by the implementation of ERM. The ERM process is like the filming of an epic movie: first, hire a director; next, write a clear story; and then engage studio executives and actors and shoot the film from act 1, scene 1, while keeping the camera focused on the end goal.

Page 16

Thank you