An Enterprise Risk Management FAQ
Protiviti, an international consultancy headquartered in California, has prepared an exhaustive set of 168 questions and answers to help interested parties, such as prospective clients, understand the ins and outs of enterprise risk management (ERM). In return for providing your contact information, you can download the 153-page pdf document, published in 2006, and browse through it at your leisure.Naturally, the FAQ begins with Protiviti's definition of enterprise risk management, which it takes from the Committee of Sponsoring Organizations of the Treadway Commission (COSO — see this earlier post):
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.The FAQ then proceeds to address questions in fifteen areas:
- The fundamentals of ERM
For example, steps a company can take to begin implementing ERM are listed:- Adopt a common risk language.
- Conduct an enterprise risk assessment to identify and prioritize the organization's critical risks.
- Perform a gap analysis of the current and desired capabilities around managing the critical risks.
- Articulate the risk management vision, goals and objectives, along with a compelling value proposition to provide the economic justification for going forward.
- Advance the risk management capability of the organization for one or two critical risks, i.e., start with a risk area where senior management knows improvements are needed to successfully execute the business strategy.
- The COSO Enterprise Risk Management – Integrated Framework
For example, the eight components the COSO framework specifies for evaluating ERM are detailed:- Internal environment
- Setting of strategic objectives
- Identification of potential events (incidents or occurrences, from sources internal or external to an entity, that affect achievement of objectives)
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
- The role of executive management
- The role of the board of directors
- The role of the chief risk officer (CRO)
(The CRO will get focused attention in a subsequent post.) - The risk management oversight structure
- The role of internal audit
- Risk management vision and objectives
This section includes a definition of risk appetite: the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. Many entities consider risk appetite qualitatively, with such categories as high, medium or low, while others take a quantitative approach, reflecting and balancing goals for growth, return and risk. A company with a higher risk appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging markets. In contrast, a company with a low risk appetite might limit its short-term risk of large losses of capital by investing only in mature, stable markets. - Conducting risk assessments
This section includes an exhaustive list of pitfalls. - Getting started
This section includes an explanation of what a risk-sensitive and risk-aware culture is: one in which risk management is effectively integrated with strategy-setting. In this environment, roles and responsibilities relating to risk management are clearly articulated at all levels of the organization so that managers are encouraged to portray realistically the potential outcomes of prospective transactions, deals, investments and projects. They are expected to understand and portray the full picture. For example, they must look at the downside and the upside relative to taking advantage of an opportunity. - Taking a process view — building capabilities
This section includes discussions of how dashboard/scorecard reporting is used in an ERM environment, and of how continuous improvement is applied to risk management. - Taking it to the next level — enhancing capabilities
This section includes a discussion of how management can use ERM to establish a sustainable competitive advantage. - Building a compelling business case
- Making it happen
This section includes an exhaustive list of pitfalls. - Relevance to Sarbanes-Oxley compliance
- Other questions
Labels: Risk management
posted by Karen Nelson @ 11:47 PM
<< Home