Business Services
Business Risk Services
Managing Risk
Across the Enterprise
Connecting New Challenges With Opportunities
Overview
Enterprise risk management, or ERM, has been around for more than a decade.
During that time we have witnessed several waves of interest and enthusiasm—
and we currently are in the midst of one of those waves. In response, organizations
from across the globe have issued various ERM frameworks designed to help
companies understand and implement ERM. Some of these have taken the form
of comprehensive ERM frameworks and guidelines, while other ERM elements and
approaches are embedded within governance regulations.
This publication does not seek to detail either these existing frameworks or offer
a new detailed methodology for ERM. Instead, we focus on some practical
approaches that have helped companies achieve early success in improving their
management of risk across the enterprise. Some companies have called it ERM
and have been very successful in developing and launching a formal program.
Other companies have opted for a leaner approach, identifying opportunities to
enhance their overall approach to risk management. Across both approaches,
there exists a common set of key challenges and related opportunities to enjoy
early value. We discuss seven of the most significant success factors here,
together with case studies that provide practical insight to the nature of the
challenges and the strategies used to address them successfully.
Our key emphasis is to help you promote effective, efficient risk management
across the enterprise. Call it ERM if you’d like. Our hope is that you find the
information practical and relatively easy to apply, and that tangible results and
value follow soon thereafter.
The path to ERM—
Is it a journey or just a brisk walk?

ERM often is described as a journey, a major initiative, which implies that it’s big and requires significant new infrastructure, investment, change, and time—rare commodities in today’s complex business and regulatory environment. Fortunately, most companies have already made and continue to make very large investments in risk management across the enterprise. The key is to determine the infrastructure and processes that already […] company, and an […]

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the […]”

Paradoxically, most companies recognize the elements and activities inherent in that definition as processes they already have in place and perform within the course of business. So why not call them ERM? Some companies may hesitate because their risk […]

[Figure: Leveraged ERM Approach; panel label: Infrastructure]
Key Challenges,
Effective Strategies

[Figure: the Assess, Monitor and Enhance risk cycle, with Strategy at its centre and the Evolving Risk Profile feeding it]

Strategies – Companies deploy multiple strategies—from formulating strategic direction to complying with regulatory changes.

Evolving Risk Profile – Multiple strategies generate risks and a continually […]

Assess – Risk functions, including internal audit (with management), continually assess the evolving risk profile.

Monitor – Based on the risk assessment, management—supported by risk functions—performs monitoring […] designed, controls are effective and risks are managed.

Enhance – […]

Clear alignment to existing internal control, risk management, and business processes
Use of clear, consistent, and familiar language in describing and discussing risk
Sample frameworks

Australia-New Zealand 4360
This standard, often recognized for its straightforward and clear approach, presents a generic framework for establishing the context, and identifying, analyzing, evaluating, treating, monitoring and communicating risk.
http://www.standards.com.au

Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) – Integrated Framework
COSO’s Internal Control – Integrated Framework has been adopted by many companies in support of their regulatory compliance initiatives, including implementation of Section 404 of the Sarbanes-Oxley Act of 2002. The COSO ERM framework, although not designed to replace the existing Internal Control framework, does provide a more extensive foundation for addressing risk across the enterprise. The framework also is supported by separate implementation guidance.
http://www.coso.org

The Federation of European Risk Management Associations (FERMA) Risk Management Standard
The Risk Management Standard sets out a strategic process, starting with an organization’s overall objectives and aspirations, through to the identification, evaluation and mitigation of risk, and finally the transfer of some of that risk to an insurer.
http://www.ferma-asso.org/

Open Compliance and Ethics Group (OCEG) Framework
The OCEG Framework comprises two broad components: the Foundation and the Domains. The Foundation embodies key elements common to all types of compliance and ethics programs. The Domains provide guidelines that are specific to a particular topic, industry, function, geographic location, or size/structure of an organization.
http://www.oceg.org/
Demand a clear, concise view of risk

For all the talk of ERM and its myriad related assessment approaches, frameworks, and other potential considerations, directors and executives alike share one common and pervasive desire—to benefit from a risk summary report that describes key risks, how they are being managed and monitored, key issues and accountability. In fact, a simple key risk summary report is perhaps the single most important monitoring output within an effective, entity-wide approach to ERM. Imagine having everyone on the same page from a risk perspective!

A key risk summary report can help directors understand, in a palatable and action-oriented form, the key risks facing the company. Executive managers can better track and oversee the status of key risks, and function and line management can better prioritize focus and report the status of key risks and related activities. Fortunately for most companies, producing a preliminary report can be achieved in short order by leveraging existing business planning and risk assessment processes. Given the value and importance of a risk summary report, we provide suggested elements below. These elements can serve as a starting point for audit directors or executives to outline their own desires and requests for a risk summary report for their own companies.
Avoid enterprise list management

An unfortunate output of many ERM initiatives is a long and unwieldy list of risks that focuses little on guiding and driving responsive action. In fact, “enterprise list management” is cited by many as the first stumbling block in implementing ERM and often is the reason most ERM initiatives fail to achieve buy-in from executive management.

One of the contributing factors to enterprise list management is risk assessment criteria that are poorly conceived and applied. In particular, most companies use criteria to assess risk across only two dimensions – impact and likelihood. Although helpful, these criteria alone may fall short of helping focus and drive responsive action to risk. While these criteria may help to analyze and prioritize within a list, they do not focus on actions or response.

By also employing a third criterion—management’s recommended response to the risk—ERM will drive the potential improvement or assurance actions. In fact, the full value of an ERM approach cannot be realized without this focus on driving action.

Broadly speaking, there are two categories of responsive action to any risk that may be selected, and at times, applied in tandem. These include:

Monitor – If management feels that a risk is […]

[Figure: matrix of Impact (High, Moderate, Low) against Management’s Recommended Response (Monitor, Enhance); cells labelled Enhancement Priorities, Internal Audit Focus, Other Monitoring Approach (e.g., CSA), Priority Enhance]
Seek to know what you don’t know

“The risks that keep me up at night are the ones that I don’t yet know” is a common sentiment shared by CEOs and others with primary responsibility for managing and monitoring risk. This is especially true for companies that have recently experienced a surprise risk event, or are in the midst of significant change. In some cases, recent regulatory-driven risk assessments focused on financial reporting may have revealed and addressed previously unknown, yet significant, risks. This has caused many at the top, and in some cases investors, to wonder what new risks a broader risk assessment might reveal. Without a regulatory mandate, however, there may not be resources available to broaden the risk scope while maintaining equal rigor. Fortunately, there are a number of techniques that may broaden the reach, candor, and quality of risk assessment inputs without necessarily straining the budget. These include:

Surveys – Surveys are an efficient approach for gathering risk input from across a company, and even beyond, to customers and suppliers. They can be executed via email or Web-based technology, allowing results to be readily aggregated, analyzed, and reported. To help increase the focus and relevance of the responses, ask the simple, open-ended question, “What are the top three risks to achieving the goals and objectives set forth by the company?” In order to increase the candor of responses, consider engaging a third party to gather the results anonymously. Finally, consider targeting levels of the organization most likely to have early insights on risk – sales, customer service, and even manufacturing areas can often provide these insights.

Workshops – Many, if not most, risk assessment workshop participants enter the room without much enthusiasm for the exercise. Fortunately, most leave the room with an entirely different perspective. This is especially true if the workshop is focused on clear and manageable goals, led by a skilled facilitator, and supported by anonymous voting technology. Properly executed, a three- to four-hour workshop can help produce a risk profile that drives appropriate action, accountability, and follow-through. Softer benefits of greater risk awareness and communication are significant as well. Again, these benefits can be achieved efficiently in what is often just an annual process.

Analytics – Interest in and application of analytical techniques to support risk assessment is increasing. As with any tool, the key to success is an awareness of available techniques and tools, how and when to apply them, and what to do with the results. Thanks to the increasing use and availability of consistent data formats, the historical challenge of simply pulling together data for analysis has reduced. In some cases, the analysis can even be run continuously, with significant variations and exceptions escalated down a prescribed path.

Although these and other techniques are being successfully applied by companies to help reveal new and emerging risks, the process can actually create new challenges and additional risks that also must be considered.

Discoverability – If a wide net is cast in hope of revealing new risks and trends, and significant new risk issues are revealed and documented, they should be suitably acted upon. If not, there may be legal implications. Consult with your general counsel or outside legal advisor.

Disclosure – In some cases, risks that may be revealed and documented as part of a broader risk assessment process could require subsequent disclosure. In response, the disclosure committee or equivalent should provide input to and participate in the risk assessment process, as appropriate.

Experience and Insight – In some cases, it may be difficult to recognize risks that haven’t yet been experienced within the business. In this case, external benchmarks and/or outside assistance from those with risk insights and experience in the industry or risk area can be invaluable.

By anticipating and addressing these and other challenges, companies can develop an efficient and effective risk assessment process that may enable some in the organization to wake up – perhaps a bit more rested.
Enable internal audit coverage across key risk areas

The internal audit function is one of the board’s most powerful mechanisms for understanding the full spectrum of the key risks facing the company, and monitoring the effectiveness of related controls and risk management processes. In addition, it is often the only function with the requisite skill set and mandate to conduct an entity-wide risk assessment.

It may be increasingly difficult, however, for internal audit to conduct a thorough risk assessment, let alone to develop audit plans that are truly risk-based and cover the full spectrum of the company’s most significant risks. Although most internal audit functions would like nothing better than to conduct a comprehensive risk assessment to help support and inform their audit planning process, and to focus their monitoring efforts on the company’s most significant risks and controls, they face many practical challenges, including:

Insufficient involvement within, and insight into, the company’s strategic and business planning processes—a key area where risks to supporting future growth opportunities and stakeholder value impacts may be identified
Lack of adequate time, skill set, and budget to conduct a robust risk assessment across all locations and risk areas
Inadequate resources and skills to cover key risk areas within the company’s changing risk profile
Increasing pressure to focus primarily on financial reporting risk

These challenges for internal audit also can create significant challenges for the board and audit committee. In fact, at a time when boards and audit committees are under increasing pressure to oversee risk assessment and management activities across all risk areas, one of their key mechanisms for achieving this end—internal audit—may be stretched increasingly thin and unable to provide the desired level of risk insight and coverage. As a result, management may not be able to enjoy the same level of risk management insights and suggestions they’ve come to expect from internal audit.

To address this challenge, leading companies are taking proactive measures to begin closing the gap. These include:

Leverage – Although internal audit may not be able to conduct risk assessments directly across the company, they can serve as proactive developers, facilitators, and beneficiaries of a risk-assessment process owned by, and executed within, existing processes of both management and various corporate functions.

Outsourcing and Teaming – In circumstances where internal audit faces either a resource or skill-based challenge, outsourcing to or teaming with a third party can be a compelling option in achieving risk coverage.

Rotation and Cross-Training – In order to retain its best resources and to develop future leaders within the company, many internal audit functions are increasing their focus on recruiting resources from within the company’s business areas. In addition, internal audit resources are rotated through various risk areas and responsibilities to help maintain a compelling work environment and to help increase their value if they eventually choose to rotate back into a business management role.
We hope that the approaches outlined here have provided some practical insights and ideas for helping your company achieve more
efficient, effective risk management across the enterprise. Call it ERM if you’d like. We hope the benefits speak for themselves. For
further information about Enterprise Risk Management, or to discuss other risk challenges and opportunities, please visit us on the
web at ey.com, or contact your local Ernst & Young office.
About Ernst & Young
Ernst & Young, a global leader in professional services, is committed to restoring the public’s trust in
professional services firms and in the quality of financial reporting. Its 106,000 people in 140 countries
pursue the highest levels of integrity, quality, and professionalism in providing a range of sophisticated
services centered on our core competencies of auditing, accounting, tax, and transactions. Further information
about Ernst & Young and its approach to a variety of business issues can be found at www.ey.com/perspectives.
Ernst & Young refers to all the members of the global Ernst & Young organization.
Ernst & Young    www.ey.com
© 2005 EYGM Limited. All Rights Reserved. EYG No. CX0006

This publication has been carefully prepared but it necessarily contains information in summary form and is therefore intended for general guidance only; it is not intended to be a substitute for detailed research or the exercise of professional judgment. Ernst & Young can accept no responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.