08 The context for ERM
Changing face of risk management
As with any management initiative that becomes embedded within the way the organization operates, a successful risk initiative should develop and become more sophisticated over time. Developments in the discipline of risk management, especially during the past 10 years, have been dramatic; technology has enabled better reporting, recording, analysis and quantification of risk. Regulation, which has forced some sectors to introduce new risk techniques such as enhanced accountability, could be said to have ‘seeped’ into other sectors, in particular for listed companies, and has driven the requirement for more extensive risk management reporting and transparency. In the UK, the Wates principles require boards to have a clear understanding of the views of shareholders, including those with a minority interest; larger companies must report on their stakeholders.
The universally accepted terminology for the broad application of risk management
across the whole organization is enterprise risk management. Similarly, operational
risk management (ORM) has been established and developed very substantially. The
risk management discipline as a whole continues to develop and derive opportunity
from newly available techniques, brought about by enhanced availability of data
sources and rapidly advanced processing power.
There is a need for the continued education and training of boards and senior members of those boards to maintain knowledge of the changing basis on which risk management analysis and advice is offered. Without ‘laying the groundwork’, the risk management department could stand accused of changing the nature of the risk management process and sowing confusion and lack of interest amongst the senior board members.
crisis (GFC) of 2008/9. These global events have similarities but can also show us
how the risk management practice has developed over the intervening years.
The argument might be offered that risk management failed to adequately prevent
the financial crisis and also failed to mitigate the effect of the pandemic. In some
circles a cynicism may have arisen as to the application of ERM processes, and the
risk manager needs to be aware of evidence to rebut these ideas and to argue their
case for resources.
Firstly, as to risk identification, both Covid-19 and the GFC were foreseen events.
For example, the warning from Mr Moore to HBOS (in Chapter 3) was not the only
counsel to go unheeded in the financial services sector prior to 2008. The probability
of a pandemic had been identified as a likely global risk event, and indeed it had been
foreshadowed by the SARS, Ebola, and Zika viruses. Risk management responses
had been applied to the extent that the USA set up the Directorate of Global Health
Security and Biodefense (DGHSB) in 2016 specifically to respond to these events.
The UK had run Exercise Cygnus in 2017 to identify any weaknesses in their health
preparedness for similar events.
Secondly, in terms of actions to limit loss (the inherent and residual risk), it is instructive to note how these events were handled differently in different regions. For Covid-19 in particular, some countries took little coherent action, Brazil being a case in point, which may be our best example of an inherent risk without any control measures. In the East, governments had experience of health crises (for example, SARS) and had better-developed and recently deployed systems to use to protect their citizens. Here we might see a target risk after control measures taking place.
There had also been a banking crisis, ‘the Asian contagion’ in 1997, which meant action was taken swiftly to provide liquidity in Asian economies, which was not replicated in the West. Whilst interconnectedness meant Covid-19 and the GFC impacted both regions, the East could be said to have mitigated the effects of both better than the West.
Lastly, both events can provide learning points for the impact of timely actions. During the GFC, governments acted quickly and in a co-ordinated fashion to provide immediate relief, albeit that the West required this to a greater extent. Regulators followed with new rules on capital building and management behaviour.
In the aftermath of Covid-19 lessons will be learnt, but it could be said that most
governments acted quickly and science resources were co-ordinated to speed vaccine
development. The country with the highest health spend and seemingly best prepared
to provide mitigating actions, the USA, failed to act in a concerted fashion, with the
resultant negative impact on its citizens. In the UK the government failed to take the
threat seriously at an early stage, was consistently poor in implementing actions in a
timely manner, and has been said to have repeated the same mistakes time after time.
For the risk management profession there are lessons on how risk management was deployed. In the GFC the example from HBOS in Chapter 3 is clear that technically qualified risk managers are important. In respect of Covid-19 the USA would undoubtedly have been better off if they had not dismantled the DGHSB in 2018 for political reasons. Both of these examples indicate that risk management messages are sometimes disregarded with calamitous consequences. Senior risk managers need to provide compelling evidence and argument to enable the deployment of effective and well-resourced risk management practices, and sometimes need to show courage to make sure their messages are heard.
risks facing the organization. The International Risk Governance Council defines
these risks as:
a risk that is new, or a familiar risk in a new or unfamiliar context or under new context
conditions (re-emerging). Emerging risks are issues that are perceived to be potentially
significant but which may not be fully understood and assessed, thus not allowing risk
management options to be developed with confidence.1
Consideration of these risks can be difficult unless the organization clearly understands the nature of the emerging risks that it faces. Following the above definition, emerging risks can be divided into three categories:
●● new risks that have emerged in the external environment, but are associated with
the existing strategy of the organization – new risks in a known context;
●● existing risks that were already known to the organization, but have developed or
changed circumstances have triggered the risk – known risks in a new context;
●● risks that were not previously faced by the organization, because the risks are
associated with changed core processes – new risks in a new context. This last
category is where the risk manager will have the least confidence and will need to
actively seek further information.
The level of risk faced by organizations is constantly shifting, caused by increased interconnectedness, new technology and increasingly complex supply chains. Some of these increasing risks will be under the control of the organization itself but many emerging risks will not be within the control of an individual organization, including:
●● government direction;
●● climate change;
●● sovereign debt;
●● national security;
●● changing demographics.
Note
1 IRGC (2019) Governance of emerging risks, https://irgc.org/risk-governance/emerging-risk (archived at https://perma.cc/XTE9-GV7T)
09 Setting objectives for ERM
Setting objectives for the ERM approach is intrinsically associated with the objectives for the organization as a whole. Making sure that the ERM objectives are aligned with the organization’s objectives is therefore critical if the ERM approach is to be embedded correctly.
In terms of the risks to be managed, Figure 1.2 showed where risks attach in terms of the mission of the organization and flowing down from the strategic plan. Here it could be considered that certain risks ‘attached’ to aspects of the business in terms of key dependencies, core processes, stakeholder expectations or, finally, corporate objectives. It can be seen therefore that both the risk management process and the identification of the risks themselves are intimately related to the objectives of the organization.
Therefore, a clear understanding of the organization’s objectives is critical. Any
misalignment of these objectives could be a risk in itself, as this could mean the risk
management activity may support incorrect, unclear or vague objectives, leading to
excellent risk management but of the wrong risks. In this section we consider the
aspect of risks attaching to the objectives of the organization.
is a direct relationship between objectives, which are what an entity strives to achieve,
and enterprise risk management components, which represent what is needed to
achieve them’.1
Fourthly, and linked to both the cultural issue discussed above and the requirement for consensus amongst management to the strategy, there is a need for the strategy to be accepted by all. There will be different agendas amongst management who have to deliver on the objectives that have been set and it will be important that those ‘informal’ objectives are aligned as far as possible to the formal objectives of the organization. Where they are not it can become toxic for an organization and at the extreme may need some ‘fresh thinking’ to deliver the objectives.
Lastly, it is important that the ERM approach does not overwhelm the setting of strategy, and therefore objectives. If ERM plays too great a role in the activity it may lead to the organization becoming overly risk averse and reducing its exposure to risk by being less ambitious in its strategy and setting too easily achievable targets.
Implementing objectives
The objectives once agreed will need to be cascaded in some form from the centre to each division or business unit that delivers the output of the organization and from there to each team or individual. It will be necessary to set some form of time period within which the objectives are to be achieved, and this should also be communicated at the organizational, divisional and team or individual level. Typically, organizations will seek to implement objectives over a one- to three-year time horizon depending upon complexity. That time period will shorten as objectives are cascaded downwards, as shown in Figure 9.1.
Along with the time period in which to achieve objectives, it is important that there is a way of determining whether an objective has been achieved, and if so by how much. In other words, it must be possible to measure its realization in some way. This may be challenging in an ERM setting where the ERM practitioner is being set objectives and at a strategic level the objective is to reduce risk.
From the tactical level this may be translated into quantitative terms in order to
provide a measurability. This may not be available for all objectives, however, and
more qualitative aspects of reducing risk may have objectives set around specific
tasks to accomplish in a set period. For example, improving culture as a strategic
objective may be translated to tactics such as running training or workshops.
Measurability may be provided by some form of feedback scores from attendees.
Care needs to be taken in more qualitative areas as they can provide an opportunity
for ‘gaming’ the system by that individual, which would not achieve the stated
intention of reducing risk.
108 Enterprise risk management
[Figure 9.1: Cascade of objectives. External analysis and internal analysis feed the organizational mission; consensus forming amongst management and stakeholders; alignment required and a delegation process between each level; Level 2: Tactical objectives (division or department, typically annual), informed by the ERM approach; alignment required and delegation process continue to the next level.]
Objectives need to be set in reality and with sufficient resources available to achieve
them. And, finally, there must be a specific outcome to be achieved. The objectives
will need to meet the SMART test as shown here. SMART objectives are:
Specific
Measurable
Achievable
Realistic and resourced
Time limited
For example, how staff are rewarded according to the achievement of their objectives can have a significant effect on risk culture. Rewards that provide immediate and large bonus payments for the achievement of short-term gains may promote a culture of excessive risk taking, for instance by the aggressive selling tactics of banks prior to the global financial crisis. It was for this reason that ‘clawbacks’ were introduced to many financial services bonus arrangements in order to promote a longer-term perspective on risk taking. These clawbacks allow an organization to recover some element of previously paid bonuses should outcomes change over the longer term.
The Institute of Operational Risk recommends that ‘relevant professionals, from the operational risk function and the HR function, should be consulted about the organization’s performance management and appraisal strategy to ensure that it promotes an appropriate risk culture’.2 They recommend, for example, that to help promote an appropriate risk culture, rewards are based on longer-term performance criteria such as customer satisfaction and retention, or profits over periods longer than one year, and that appraisals should reflect concern for operational risk and its management, as well as profit and sales growth.
Notes
1 COSO (2017) Enterprise Risk Management: Integrating with strategy and performance, www.coso.org/documents/2017-coso-erm-integrating-with-strategy-and-performance-executive-summary.pdf (archived at https://perma.cc/DV2C-EDT5)
2 Institute of Operational Risk (2021) Sound practice guidance, www.ior-institute.org/sound-practice-guidance (archived at https://perma.cc/RT4C-WX6K)