8 Drivers of Effective Enterprise Risk Management
1. Risk management strategy
–Before adopting leading risk management concepts for risk identification, analysis, mitigation, monitoring and reporting, the organization should first decide on its risk management priorities, objectives, approach and risk governance structure based on its business model, size and complexity.
–A risk management strategy should also include an assessment of the required roles and competencies of the risk management, compliance and internal control-related functions, whether in-house or outsourced, and of their positions and reporting lines within the organization structure.
2. Risk ownership
–Risk ownership is often assigned to the person responsible for executing the risk responses. This is not an appropriate allocation of accountability. Nor should ownership sit with the head of the risk management function, whose role should only be to communicate, coordinate and administer the organization's risk management policies and activities, and to ensure identification and mitigation of material risks by the appropriate risk owners.
–Risk ownership is often mistaken as the person responsible for the actual management of risks, with the rest of the management team just doing "form filling" to meet the Board's requirements. The right risk owner should instead be the individual ultimately accountable for ensuring that the risk is managed appropriately and for adjusting the risk response within the desirable risk appetite and tolerance of his or her risk domain. Another critical point to note is that the risk owner should not be the same person responsible for monitoring the effectiveness of the risk response.
3. Risk management competency
–With regard to risk management, persons within an organisation can be classified into four groups: those in charge of risk governance, those responsible for managing risk, those assigned the task of executing risk responses, and those monitoring and reporting the effectiveness of risk responses. They need to have appropriate skill sets, experience and training to understand as well as perform their roles and responsibilities effectively. The organisation should also consider where and when external professional advice may be required.
4. Decision-making
–Risk management efforts tend to focus on post-decision implementation risks and overlook risks inherent in strategic choices. As many corporate failures are due to strategic missteps, risk management should be applied to the decision-making process by understanding the risks associated with each strategic choice before making the selection.
–Risk management personnel should therefore be consulted at the early stage of strategic planning. For the selected strategic choice, an appropriate risk appetite should be established to ensure alignment of views between the management and the Board, and to limit exposure within the organisation's financial capability.
5. Day-to-day operations
–A risk management system should include the establishment of an appropriate organisational reporting structure and processes to ensure effective and efficient execution of business plans. These should also include training and communication of policies and procedures for key processes, segregation of duties to provide checks and balances and prevent manipulation, suitable delegation of authority, the business plan and operating budget, key performance indicators, key risk indicators and key control indicators.
6. Ongoing monitoring
–Depending on the business model, size and complexity of the organisation and the relevant regulatory requirements, effective second-line defence functions should be established to provide ongoing monitoring of actual performance against agreed metrics and timely reporting to risk owners and those in charge of governance. This will ensure that business operations stay within the established risk appetite and risk tolerance.
Examples of second-line defence functions include Financial Controllership (also generally known as Financial Planning and Analysis or "FP&A"), Quality Assurance, Risk Management, Legal and Regulatory Compliance, Health and Safety, and Environmental Compliance.
No individual should be assigned a role to monitor performance within his or her own domain of responsibility. To ensure the integrity of the monitoring functions, the heads of these functions must have direct access or a reporting line to a relevant Board member or Board Committee.
7. Periodic monitoring
–An internal audit function with adequate resources and appropriate skills and experience should be established to perform periodic monitoring to ensure compliance with policies and procedures. To ensure the integrity of the internal audit function, the chief internal auditor must have direct access or a reporting line to the Audit Committee.
–Collaboration between the internal audit function and the risk management function is critical. The internal audit function must understand all key risk areas, not just financial exposure, and review them at regular intervals. On the other hand, the risk management function should ensure that corrective actions taken by the management are adequate to address the internal audit findings.
8. Culture and Board oversight
–Finally and most importantly, effective risk management can only be achieved with an appropriate risk culture. The Board should establish policies and guidelines to build a strong control environment within the organisation and set the right tone at the top.
–The Board should set an appropriate risk appetite for material risks and take responsibility for risk governance by establishing an appropriate committee structure to supervise the management in the identification and mitigation of material strategic, operational, compliance and financial risks.
Sufficient emphasis should be placed on effective management of risks in assessing the management's performance. For some organisations, it may be necessary to set up specialised Board Committees to deal with certain key risks that require more specific focus, expertise and experience.
For material risks, the Board should ensure that there are robust ongoing and periodic monitoring functions in place to provide accurate and timely reporting to relevant committees and the Board. The Board should also act firmly and promptly on reported deficiencies, non-compliance and deviations.
Conclusion
–Effective risk management is not about, and should not stop at, submitting the risk register to the Board. Organizations should review and build on the strengths of these eight drivers so that they are well equipped to manage the various risks and remain resilient in the face of any adversity.
The new COSO ERM framework document, Enterprise Risk Management—Integrating With Strategy and Performance [1], is expected to have a level of global influence similar to Internal Control–Integrated Framework [2].
The ERM framework is designed to provide a reasonable expectation that an entity that adopts it understands and manages all kinds of risk associated with its business strategy and performance objectives. It provides a strong foundation for integrating the management of all types of risk.
Technology innovation is acknowledged as a key enabler
for strategy decision support and an example of a strategic
business objective. Technology risk is one of many
examples of enterprise risk the document uses to illustrate
the ERM framework.
–Like COBIT 5, the COSO ERM framework is principles-based and emphasizes that strategic plans to support the mission and vision of an organization must be supported with governance elements, performance measurement and internal control. It describes how risk managers in all professions weigh the probability that activities prompted by a given strategy may result in foreseeable future events that impact an entity's mission. Also like COBIT 5, the COSO ERM framework advocates continuous process improvement that relies heavily on governance structures to assist in framing decisions.
–Where technology risk management is aligned with the corporate risk management organization conducting ERM activities at the board level, technology strategic plans may be expected to be in lockstep with the enterprise's mission, vision and core principles. The COSO ERM and COBIT 5 frameworks represent a body of knowledge shared across a large community of practitioners that may be utilized to create that alignment. Technology and cybersecurity risk and audit professionals should be conversant with both frameworks, and be familiar with the integration touchpoints between them.
Key Takeaways
–Effective technology risk management requires that the ERM framework encompass technology.
–As technology risk management professionals are specialists in risk related to information integrity and availability, they play a special role in ERM. The processes they use to identify, assess, quantify and monitor technology risk apply not just to risk in the technology or cybersecurity category, but should be designed to support the integrity of information used by risk managers in other risk domains.
–Technology professionals are uniquely positioned to identify issues related to risk aggregation strategies, and to support ERM activities with information life cycle process and quality control objectives.
–Where both COSO ERM and COBIT 5 are explicitly used by an organization, both enterprise risk and technology professionals should be educated on how they are compatible and why they should be used together and not separately.