A clear framework for accountability provides the board with assurance that management is on top of things and that
important risks are being managed effectively and, where necessary, escalated.
Such a framework strengthens ownership for delivery, but will only be effective if responsibilities have been clearly defined
so that it is possible to challenge and hold individuals to account. Similarly, a clear framework for accountability will provide
the leadership with assurance that the performance of the operational teams is in accordance with expectations and that
risks are being managed effectively and will be escalated where necessary – see Table 3.6.
A focused, systematic and integrated approach recognizes that all decisions involve management of risk, whether in routine
operations or for major initiatives involving significant resources. It is important that the risk management process be
applied at all levels, from the organizational level to programs and major projects to local systems and operations.
To begin implementing an Integrated Enterprise Risk Management approach, the organization should assemble a project
team and a steering committee, and adopt a charter. A project charter clearly establishes the objectives: what the project team
plans to deliver and in what time frame. Although Enterprise Risk Management (ERM) is a process, the charter recognizes
that this is a project with a defined time span and deliverables that will recommend the best ways to move forward.
Since ERM is ultimately strategic in nature, it will never succeed without support from the CEO and other C-suite officers;
this is where a steering committee is useful. Before embarking on implementation, it is necessary to determine which
risk framework and model is most appropriate. The COSO ERM model is comprehensive and useful, particularly for large
organizations with significant resources. Many organizations, however, need a simplified approach. Start with the one
detailed in Table 3.5.
A common understanding of key terms is also necessary so that stakeholders are on the same page when it comes to
comprehending risk, risk management, and enterprise risk management point will not happen in most organizations, unless
they have significant resources and project management skills in abundance and sophisticated tools to support the
process.
There are a number of tools that could be used to undertake risk analysis. Most organizations, however, rely heavily on
spreadsheets and other documents that are stored on personal computers throughout the organization and frequently use
email to informally communicate priorities, issues and results. The problem with this approach is that it inherently carries its
own risks: information may get lost if a person leaves; information may not get communicated to the right people;
information may be hoarded; and the holistic picture needed of risks may not be possible with a disparate and dispersed
repository of risk information. Using an automated system to manage risk assessment and control compliance helps
streamline the process and align the disparate activities and people involved across the organization.
There are a number of techniques for risk assessment and analysis that can be used; some of the more common ones
include:
• Risk maps: summary charts and diagrams that help organizations identify, discuss, understand and address risks by
portraying sources and types of risks and disciplines involved/needed.
• Modelling tools: such as scenario analysis and forecasting models to show the range of possibilities and to build scenarios
into contingency plans.
• Qualitative techniques: such as checklists, questionnaires, and self-assessment to identify and assess risks.
• Workshops and brainstorming: collecting and sharing of ideas, with discussions around events that could impact the
objectives, stakeholder expectations or key dependencies.
• Inspections and audits: physical inspections of premises and activities and audits of compliance with established systems
and procedures.
• Flowcharts and dependency: analysis of processes and operations to identify critical components that represent potential
risks.
The risk assessment needs to be quite broad and capable of addressing a range of risks, as highlighted in Fig. 3.7.
Risk Treatment
Risk treatment is presented in ISO 31000 as ‘the activity of selecting and implementing appropriate control measures to
modify the risk’. Risk treatment includes risk control (or mitigation) as its major element, but extends further to, for
example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective
internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the
proposed control measures.
Effective risk management is not about showering money or imposing draconian controls, but about achieving the most
effective and efficient use of risk treatment activities.
Organizations should consider comparing their inventory of current risk responses to their top ten priorities. Once you know
the top ten risks that can impede achievement of your organization’s objectives, along with the risk response activities
currently being conducted, you can compare the two lists. Which risks are being adequately managed? Which are missing
from the radar screen? Where is an initiative already in place to better understand and manage risks? Once the gaps in risk
response have been identified, the next step is to develop an approach to closing the gaps. This begins with prioritizing
which gaps have the greatest potential to derail achievement of the organizational objectives.
Which would require the greatest deployment of human or financial capital?
Which ones would demand outside resources?
Which ones could be accomplished in the shortest time?
What most organizations will find is that many elements of an organization’s existing structure may well be sufficient and
should be retained, but significant gaps are likely to be found. These may be in risk management leadership, risk assessment
methodology, specific technical skills, common processes, or technology capabilities. Having identified these gaps, it is
important to close them. Weighing the urgency with resource requirement, organizations can then develop specific
strategies to close the most critical gaps.
that might signal issues developing internally within the organization or potential risks emerging from external events, such
as macroeconomic shifts that affect the demand for the organization’s products or services, may provide rich information
for management and boards to consider as they develop and execute strategies within the organization.
The board, audit committee and senior management should require the results of the ERM process to be reported to them
in their oversight capacity and to gain assurance that risks are being managed within approved risk levels.
At a minimum, the report to the audit committee (or other designated committee) and/or board should:
• Summarize the nature and magnitude of significant risks;
• Highlight all significant risks and those risks that exceed their acceptable risk levels;
• Identify the timeframe and status of any additional risk management activities that may be required to bring risks within
approved risk levels;
• Identify any negative trends of higher risk areas and any changes to risk management activities;
• Highlight any new risks including their risk assessment, risk response and management activities;
• Identify any material emerging risks; and
• Summarize any exceptions to established policies or limits for key risks.
On a periodic basis, the board should review all high-risk areas (even those that are appropriately mitigated within
acceptable levels) in order to have a full understanding of all the significant risks facing the organization.
Control and Compliance Processes
Control is a broad concept that means different things to different people. The Chartered Institute of Internal Auditors (IIA)
definition explains it in concise terms as: “Any action taken by management, the board and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the
performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved”. You will
notice this sounds very similar to risk management, which it is.
The control environment refers to the way the board and senior management set the tone of the organization. It is part of
the culture of the organization influencing how risk is viewed and how control enters the consciousness of the people. It is
an expression of the ‘way things are done’. Every organization operates differently, which is revealed through organizational
ethics, values, structure, reporting lines, authority, rules and the documentation of policy.
The IIA defines control processes as: “the policies, procedures and activities that are part of a control framework, designed
to ensure that risks are contained within the risk tolerances established by the risk management process”.
Governance all too often focuses on control and compliance, largely driven by legislation or regulation. However, control
and compliance can be a process that helps improve business performance more widely beyond those areas that are
governed by legislation and regulation. Often organizations forget to ask themselves the purpose of control.
There are therefore a range of control categories that may need to be addressed, some of which have received much attention
and have been largely driven by external influences, and others which have received less attention and are largely internally
driven – see Table 3.8.
The overriding challenge within the area of control and compliance is how to practically link policy and processes with
compliance in a manner that is not overly complicated. The more complex you make the process, the less it will get used,
and the less strategic alignment it will deliver. The only real mechanism for doing so is automation, where policies,
processes and controls are inter-linked, responsibility for each is assigned, and progress is monitored on a scheduled basis
automatically through software. In order to avoid redundant compliance activities, it is critical to create a matrix that
captures the relationships among business processes, the risks associated with processes, the internal controls deployed to
mitigate the risks, the tests used to validate the effectiveness of the controls and finally the regulations or internal policies
to which the internal controls apply.
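As an added illustration (not from the text or any named framework) of the matrix just described, and of the gap comparison between the priority risk list and current risk responses from the Risk Treatment section: a constructed Python risk/control matrix with the checks a practitioner would run over it. All identifiers, process names and regulation names are made up for the example.

```python
# Added example: a minimal compliance matrix linking business processes -> risks
# -> controls -> tests -> regulations/policies, with checks for risks that have
# no response and for controls tested redundantly under separate regulations.
from collections import defaultdict

# Constructed sample data; ids and names are illustrative only.
TOP_RISKS = {"R1", "R2", "R3", "R4"}  # the prioritised ("top ten") risk list
RISKS = {  # risk id -> business process it belongs to
    "R1": "order-to-cash",
    "R2": "payroll",
    "R3": "customer data",
    "R4": "supply chain",
}
CONTROLS = {  # control id -> (risk mitigated, regulations/policies it serves)
    "C1": ("R1", {"SOX"}),
    "C2": ("R3", {"GDPR", "InfoSec policy"}),
    "C3": ("R3", {"GDPR"}),
}
TESTS = [  # (test id, control validated, regulation the test was scheduled under)
    ("T1", "C1", "SOX"),
    ("T2", "C2", "GDPR"),
    ("T3", "C2", "InfoSec policy"),  # same control re-tested for a second policy
]


def uncovered_risks(top_risks, controls):
    """Priority risks with no control mapped to them: the 'missing from the radar' gap."""
    mitigated = {risk for risk, _ in controls.values()}
    return sorted(top_risks - mitigated)


def redundant_tests(tests):
    """Controls validated more than once because each regulation scheduled its own
    test. One test can evidence a control for every regulation it maps to."""
    by_control = defaultdict(list)
    for test_id, control, regulation in tests:
        by_control[control].append((test_id, regulation))
    return {c: t for c, t in by_control.items() if len(t) > 1}


def untested_controls(controls, tests):
    """Controls in the matrix with no validating test at all."""
    tested = {control for _, control, _ in tests}
    return sorted(set(controls) - tested)


def gap_report(top_risks, controls, tests):
    """Combine the three checks into the summary a risk committee would review."""
    return {
        "uncovered_risks": uncovered_risks(top_risks, controls),
        "redundant_tests": redundant_tests(tests),
        "untested_controls": untested_controls(controls, tests),
    }
```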
There is no right or wrong approach to looking at control: it is more a case of developing a control environment that suits
your organization. Control is a means to an end, not an end in itself.
COSO explains there are a number of components that need to work together within a control framework to help an
organization achieve its objectives, see Fig. 3.8.
An organization where all the components are working well and are embedded is more likely to achieve its objectives and
have a strong and sustainable future.