Enterprise Risk Management



TO STUDY ENTERPRISE RISK MANAGEMENT: A COMPETITIVE EDGE FOR THE COMPANY AND HOW IT ADDS VALUE TO ITS SHAREHOLDERS

This term paper is submitted in partial completion of the MBA.

SUBMITTED TO: Faculty Guide: Mr. C.T. Sunil, Assistant Prof - Finance & Accounts, Amity University, Dubai, U.A.E.
SUBMITTED BY: Student: Ms. Anu Damodaran, Registration No: AUD0260, Program: MBA - General (Semester 2), Year: 2012 to 2014

Page 1 of 48
CERTIFICATE FROM FACULTY GUIDE

This is to certify that Ms. Anu Damodaran, Reg. No. AUD0260, a 1st Year MBA – General, 2nd semester student of Amity University, Dubai, UAE, has carried out her term paper “To study ERM - A competitive edge for the company and how it adds value to its shareholders” from 01-Apr-2013 to 12-May-2013. She has completed the term paper successfully. She has done this term paper work independently and submitted the same on 19-May-2013.

Mr. C.T. Sunil, Faculty Guide, Assistant Professor of Finance & Accounts, Amity University, Dubai, UAE
ACKNOWLEDGEMENT

I, Ms. Anu Damodaran, sincerely thank and acknowledge the valuable inputs and guidance extended to me by Mr. C.T. Sunil, Assistant Professor of Finance and Accounts at Amity University, Dubai, U.A.E., toward the successful completion of this term paper, “To study ERM - A competitive edge for the company and how it adds value to its shareholders”. I extend my sincere thanks to Mr. Chandrashekar Salla & Mr. Jitendar Kumar for their guidance toward the completion of this term paper.

Thanking you,
Yours sincerely,
Ms. Anu Damodaran
Reg. No. AUD0260, 1st Year MBA – General, 2nd Semester
Amity University, Dubai, U.A.E.
EXECUTIVE SUMMARY

- ENTERPRISE RISK MANAGEMENT (ERM) is a strategy organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront.
- ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers.
- ERM has given rise to a question: who should head the risk management process, internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with.
- Using ERM enables an entity to assess risk across the enterprise instead of looking at it on a per-project basis.
- ERM also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and allocate resources appropriately.
- To extract risk data, many organizations use business intelligence software. Many packages feature "traffic-light" systems that show a red light if risk exceeds acceptable levels. The chief risk officer can then "drill down" to see the reasons and make more informed decisions.
- Overall responsibility for enterprise risk is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization's risk management and control systems.
- ERM can help CPAs (Certified Public Accountants) determine the right amount of capital companies should direct toward risk by gathering or otherwise polling risk overseers to identify the threats to the organization, their financial impact and the effectiveness of risk mitigation options.
- By mapping major risks on a matrix, companies can align their business processes to ensure they are routinely collecting and storing related information in a database that the chief risk officer or executive risk committee can monitor. This will make it easier to identify exception risks extending beyond the company's tolerance or threshold levels.
OBJECTIVE

- To understand what Enterprise Risk Management is, why it is important for any business and how it can be measured.
- To know whether, by measuring and managing risks consistently and systematically, a company can strengthen its ability to carry out its strategic plan.
- To understand the methods/tools used by firms to manage enterprise risk.
- To study the processes and challenges in implementing Enterprise Risk Management and to identify how much risk can be retained and how much should be laid off.
CHAPTER 1 – INTRODUCTION

Enterprise Risk Management (ERM) is a data-intensive process that measures all of a company's risks. It is an integrated approach to enterprise-wide risk management intended to protect and increase value for all parties with an interest in the organization. Businesses have always faced a variety of risks, but these are times when the pace of change and the resulting consequences to a business seem greater than ever. Examples:

1. Globalization has increased exposure to international events.
2. The need for increased and escalated efficiency, innovation and differentiation.
3. The cost of strategic error is rising in the global marketplace.
4. Understanding and responding to customer wants in this demanding era of increasingly focused niche markets.
5. Outsourcing raises questions about clarifying the retention and transfer of risk.
6. The unthinkable can happen.
7. Due to highly publicized public fiascos and high demands on certifying officers, financial reporting is now a significant risk area as companies focus on the sustainability of their disclosure process and internal control structure.

At most institutions today, the responsibility for enterprise risk management ultimately falls to the chief executive officer, since many of the senior people in the company who manage risk on a day-to-day basis already report to him or her, including the CFO and the chief lending or credit officer. But institutions need to consider appointing a chief risk officer and forming a management-level risk committee. The risk management function should be as independent as possible. However, true independence would require the use of parallel structures, where one team of individuals would be responsible for a business unit like small business banking or an activity like regulatory compliance, while a separate team of individuals would be focused solely on managing risk. "To be successful, the business units must view the risk management function as a partner and a facilitator, rather than being in charge of saying no. There is a danger, if ERM looks interchangeable with internal audit, that the business units will view it as either an impediment or redundant, but one size does not fit all."

1.1 – BACKGROUND

Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Risk management itself has been practiced for thousands of years. One can imagine a risk manager burning a fire at night to keep wild animals away. Lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms learned to manage the risk of fire through the choice of building materials and safety practices or, after the introduction of fire insurance, by shifting it to an insurer.

Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management. They enumerated the following steps for the risk management process:

- Identifying loss exposures
- Measuring loss exposures
- Evaluating the different methods for handling risk: risk assumption, risk transfer and risk reduction
- Selecting a method
- Monitoring results

Initially, the risk management process focused on what has been termed “pure risks”. Pure risks are those in which there is either a loss or no loss. A typical example of a pure risk is that your house may burn down or be hit by an earthquake. If neither of these occurs, you are in the no-loss position. Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling financial risk were developed. These new tools allowed financial risks to be managed in a similar fashion to the ways that pure risks had been managed for decades. Although financial risk had become a major concern for institutions by the early 1980s, organizations did not begin to apply the standard risk management tools and techniques to this area. The reason for this failure was that risk managers had built a wall around their specialty, called pure risk, within which they operated. Thus, the refusal to expand into other areas of risk simply delayed the integrated approach by a number of decades.

1.2 – RELATED INFORMATION

The US Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines Enterprise Risk Management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." COSO divides the ERM process into eight components: (1) Internal environment, (2) Objective setting, (3) Event identification, (4) Risk assessment, (5) Risk response, (6) Control activities, (7) Information and communication, (8) Monitoring.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI). Established in the United States, it is dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

1.2.1 - ENTERPRISE RISK MANAGEMENT — INTEGRATED FRAMEWORK

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations' enterprise risk management. High-profile business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for enhanced corporate governance and risk management. As a result, the Sarbanes-Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. In 2004 COSO published Enterprise Risk Management - Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.

Four categories of business objectives:

- Strategic: high-level goals, aligned with and supporting the entity's mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations
Fig. 1

1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT

The scope of ERM is much broader than protecting physical and financial assets. With an ERM approach, the scope of risk management is enterprise wide, and the application of risk management is targeted at enhancing as well as protecting the unique combination of tangible and intangible assets comprising the organization’s business model.

1.4 – RELEVANCE OF ERM

1. Reduce unacceptable performance variability
2. Align and integrate varying views of risk management
3. Build confidence of the investment community and stakeholders
4. Enhance corporate governance
5. Successfully respond to a changing business environment
6. Align strategy and corporate culture
1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM

PROTECT AND ENHANCE ENTERPRISE VALUE

1. Optimize risk management cost
2. Improve business performance
3. Establish competitive advantage

1.6 – WHAT IF THERE IS NO ERM

ERM doesn’t guarantee the success of a business. It provides better information to managers and a more robust process for them to deploy, but does not necessarily transform a poor manager into a good manager. All organizations face business risk, regardless of size. Organizations ignore risk at their own peril. No organization can afford to stand pat with its existing risk management capabilities; therefore, every organization should evaluate how it can improve its risk management.
CHAPTER 2 – REVIEW OF LITERATURE

Although many companies have used ERM over the last decade, the economic downturn of 2008 showed that some companies had not done well when it came to managing their risks (Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that corporate executives were not taking newly developed models of risk analysis as seriously as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the ERM concept is changing as more and more companies attempt to recover from the downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy base for using ERM to help manage companies through all phases of business cycles (Van der Stede, 2009).

After Enron, WorldCom, Tyco, and other large businesses failed, the United States Congress passed the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley addressed risks related to financial reporting issues. Sections 302 and 404 of the act have spurred considerable interest in ERM. Section 302 mandates disclosure controls and procedures so that companies can disclose developments and risks of the business, and section 404 requires an assessment of the effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009). The United States Securities and Exchange Commission (SEC) has also implemented requirements for publicly traded companies to disclose risk factors in section 1A of their 10-Ks. The SEC and the Public Company Accounting Oversight Board (PCAOB) also developed Section 404 guidance that supports top-down risk assessment and holds boards of directors more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir & Walker, 2009).

The types of risks that companies face:

1. External risk is the risk of events that may strike organizations or individuals unexpectedly (from the outside) but that happen regularly enough and often enough to be generally predictable.
2. Manufactured risk is a result of the use of technologies or even business practices that an organization chooses to adopt.
3. A technological risk is caused or created by technologies, and can include trains wrecking, bridges falling, and planes crashing (Giddens, 1999).
4. Business practice risk is caused or created by actions which the company takes, which could include investing, purchasing, sales, or financing customer purchases.

2.1 - DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE, RISK APPETITE AND EVENT

Risk is defined as “the possibility that an event will occur and adversely affect the achievement of objectives.”

Risk assessment is a systematic process for identifying and evaluating events (i.e. possible risks and opportunities) that could affect the achievement of objectives, positively or negatively. Such events can be identified in the external environment (e.g., economic trends, regulatory landscape, and competition) and within an organization’s internal environment (e.g., people, process, and infrastructure). Risk assessments can be mandated by regulatory demands; for example, anti-money laundering, Basel III, and Sarbanes-Oxley compliance all require formalized risk assessment, and focus on such processes as monitoring of client accounts, operational risk management, and internal control over financial reporting. Risk assessments can also be driven by an organization’s own goals, such as business development, talent retention, and operational efficiency.

Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective, and should be weighed using the same unit of measure applied to the related objective.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
An event and a risk are related concepts. Events can have either a negative or a positive impact. An event with a negative impact represents a risk, whereas an event with a positive impact represents an opportunity.

2.1.1 - THE PROCESS

The ERM process begins with risk identification. This creative, wide-open process may have a tendency to produce a large and unwieldy list. To keep things organized, a computerized risk register is often recommended. Once a list has been created and organized, the cause and effect of each item should be considered and the appropriate experts consulted.

Each risk should be assessed to separate minor risks from more serious risks and should be assigned a score. For example, a number from one to ten can be determined for each of two dimensions: probability and severity. A zero score may mean a risk almost never happens or is of trivial consequence. On the other hand, a score of ten may mean that a particular risk almost always happens or carries potentially catastrophic consequences. These scores can then be multiplied together to generate a final risk score that can be used to communicate the magnitude of impact posed by a risk and the urgency required. The scores, along with a detailed description and evaluation, can be placed in a risk register. That risk register creates a record on which to base future action and strategy.

Participation of stakeholders is critical to the success of an ERM program, and good communication is important to maintaining interest in the program. Unless an initiative has the support of top management and the CEO, it would be very difficult to get a program off the ground. It may be difficult for separate units to effectively communicate with one another. Accordingly, a company that wishes to implement ERM may consider defining a common risk language or glossary that defines and implements a risk ranking system to prioritize risk both within and across departments. To address implementation issues related to responsibility, a company may establish a risk committee or chief risk officer to coordinate the activities across functional areas and assign ownership for particular risks and responses.
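The scoring scheme described above (a probability score and a severity score, multiplied into a single risk score and recorded in a register) is small enough to write down as working code. The following Python is an added example, not code from the paper or from any ERM product it mentions; the risk entries, the owner names and the two traffic-light thresholds are constructed for the illustration, and the 0 to 10 range simply follows the text's own description of a zero and a ten score. The example also applies the "traffic-light" view from the executive summary: any risk whose score meets the assumed tolerance threshold is reported as an exception.

```python
"""Risk register with probability x severity scoring (added example).

Every threshold, risk entry and owner name below is constructed for the
illustration; nothing here is taken from a real register.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    owner: str            # every risk gets an owner (a stated ERM principle)
    probability: int      # 0 = almost never happens, 10 = almost always happens
    severity: int         # 0 = trivial consequence, 10 = catastrophic consequence
    description: str = ""

    def __post_init__(self):
        # Reject scores outside the 0-10 scale so the register stays comparable.
        for dim in ("probability", "severity"):
            value = getattr(self, dim)
            if not 0 <= value <= 10:
                raise ValueError(f"{dim} must be between 0 and 10, got {value}")

    @property
    def score(self) -> int:
        # Final score used to communicate magnitude and urgency.
        return self.probability * self.severity


# Constructed tolerance thresholds for the traffic-light view: a score at or
# above RED_THRESHOLD is treated as exceeding the assumed risk tolerance.
AMBER_THRESHOLD = 20
RED_THRESHOLD = 50


def traffic_light(risk: Risk) -> str:
    """Classify one risk as green, amber or red against the thresholds."""
    if risk.score >= RED_THRESHOLD:
        return "red"
    if risk.score >= AMBER_THRESHOLD:
        return "amber"
    return "green"


def rank_register(register):
    """Return the register sorted by score, highest first (ties broken by name)."""
    return sorted(register, key=lambda r: (-r.score, r.name))


def exceptions(register, threshold=RED_THRESHOLD):
    """Risks whose score meets or exceeds the tolerance threshold."""
    return [r for r in register if r.score >= threshold]


def register_report(register) -> str:
    """One line per risk, ranked, with its light, score and owner."""
    lines = []
    for r in rank_register(register):
        lines.append(f"{traffic_light(r):5} {r.score:3}  {r.name} (owner: {r.owner})")
    return "\n".join(lines)


# Constructed sample register used by the report and the checks below.
SAMPLE_REGISTER = [
    Risk("Key supplier insolvency", "Procurement", probability=4, severity=8),
    Risk("Financial reporting error", "Controller", probability=3, severity=9),
    Risk("Office fire", "Facilities", probability=1, severity=10),
    Risk("Customer data breach", "Information security", probability=6, severity=9),
    Risk("Minor transaction errors", "Operations", probability=9, severity=2),
]

if __name__ == "__main__":
    print(register_report(SAMPLE_REGISTER))
    print("exceptions:", [r.name for r in exceptions(SAMPLE_REGISTER)])
```

Ranking by the product alone hides one thing the text warns about: a low-probability, catastrophic event ("Office fire", score 10) lands below a frequent nuisance ("Minor transaction errors", score 18), so a register of this kind is normally read together with the raw severity column, not by the product alone.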
2.1.2 - RISK ASSESSMENT CAN BE CONDUCTED AT VARIOUS LEVELS OF THE ORGANIZATION

Frequently performed risk assessments include:

Strategic risk assessment - Evaluation of risks relating to the organization's mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.

Operational risk assessment - Evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events.

Compliance risk assessment - Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed.

Internal audit risk assessment - Evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to shareholder value as a basis to define the audit plan and monitor key risks.

Financial statement risk assessment - Evaluation of risks related to a material misstatement of the organization’s financial statements through input from various parties such as the controller, internal audit, and operations.

Fraud risk assessment - Evaluation of potential instances of fraud. This is typically performed as part of Sarbanes-Oxley compliance or during a broader organization-wide risk assessment, and involves subject matter experts from key business functions where fraud could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.

Market risk assessment - Evaluation of market movements that could affect the organization’s performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk. This is typically performed by market risk specialists.
Credit risk assessment - Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms.

Customer risk assessment - Evaluation of the risk profile of customers that could potentially impact the organization’s reputation and financial position. This assessment weighs the customer’s intent, creditworthiness, affiliations, and other relevant factors.

Supply chain risk assessment - Evaluation of the risks associated with identifying the inputs and logistics needed to support the creation of products and services, including selection and management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality assurance reviews to assess any changes that could impact the achievement of the organization’s business objectives).

Product risk assessment - Evaluation of the risk factors associated with an organization’s product, from design and development through manufacturing, distribution, use, and disposal. This assessment aims to understand not only the revenue or cost impact, but also the impact on the brand, interrelationships with other products, dependency on third parties, and other relevant factors.

Security risk assessment - Evaluation of potential breaches in an organization’s physical assets and information protection and security. This considers infrastructure, applications, operations, and people, and is typically performed by an organization’s information security function.

Information technology risk assessment - Evaluation of the potential for technology system failures and the organization’s return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cybercrime.

Project risk assessment - Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other key considerations.
Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon priorities and objectives. For risk assessments to yield meaningful results, certain key principles must be considered. They are:

1. Begin and end with specific business objectives that are anchored in key value drivers.
2. Governance over the risk assessment process must be clearly established.
3. Risk rating scales are defined in relation to the organization's objectives in scope.
4. Capturing leading indicators enhances the ability to anticipate possible risks and opportunities before they materialize.
5. Management forms a portfolio view of risks to support decision making.
6. Interpret the results of the risk assessment process to set a foundation for establishing an effective enterprise risk management (ERM) program.
7. Determine risk tolerance.
8. Risk appetite must be clearly defined and reflected in risk tolerances and risk limits to help ensure that organizational objectives can be achieved.

2.1.3 - COMMON CHALLENGES TO EFFECTIVE RISK ASSESSMENT

- Risk assessment is viewed as an episodic initiative providing limited value.
- The owner of a risk assessment must clearly communicate its purpose, process, and expected benefits.
- The right parties must be engaged to ensure relevant input, informed assessment, and meaningful and actionable results.
- The assessment must be a repeatable process that integrates into regular business practices, adapts to change, and delivers more than one-time value.
- The amount of information and data gathered is difficult to interpret and use.
- Failure to effectively organize and manage the volume and quality of assessment data makes interpreting that data a challenge.
- Tools, templates, and guidance are necessary to ensure consistency in data capture, assessment, and reporting.
- Results of the risk assessment are not acted upon.
- Lack of an effective risk assessment process and defined risk tolerance could result in an organization over-controlling a risk, which could place an excessive cost burden on the organization and/or stifle its ability to seize opportunities.
- Risk assessments become stale, providing the same results every time.
- Without refreshing their data capture, process, and reporting from time to time, risk assessments may lose relevance.
- Breakdowns may occur without triggering key risk indicators to management.
- Risk assessment is added onto day-to-day responsibilities without being integrated into business processes.
- Too many different risk assessments are performed across the organization.
- Risk assessment will not prevent the next big failure.
- Risk assessments need to involve the right subject matter experts and consider not only past experience but also forward-looking analysis.

2.1.4 – FORMS OF RISK ASSESSMENTS

Qualitative assessments are the most basic form of risk assessment, categorizing potential risks based on either nominal or ordinal scales. External validation should be obtained to guard against potential management biases.

Rigorous quantitative techniques, ranging from benchmarking to probabilistic and non-probabilistic modeling, can be used for assessing risk as more data becomes available through tracking of internal events (e.g., transaction errors, customer complaints, litigation) and external events (e.g., loss events recorded by peer organizations and made available through subscription to services such as the ORX or Fitch First databases). Such data enables greater analysis of potential risk exposures, development of relevant indicators that can be tracked regularly, and more rapid and efficient responses to risk situations. Risk categories, loss-event data, and key risk indicators are often refined through iterative efforts to support issue and trend analysis.

Analysis is often enriched by various modeling techniques using assumptions regarding distributions. Probabilistic models (e.g., “at-risk” models, assessment of loss events, back testing) measure both the likelihood and impact of events, whereas non-probabilistic models (e.g., sensitivity analysis, scenario analysis, stress testing) measure only the impact and require separate measurement of likelihood using other techniques. Non-probabilistic models are relied upon when available data is limited. Both types of models are based on assumptions regarding how potential risks will play out.

The more mature risk assessment processes yield quantitative results that can be used to allocate capital based on risk, as required by regulation in certain industries (e.g., Basel II or III for the financial services industry). For organizations in industries not subject to such requirements, the best approach should be determined based on a cost/benefit analysis of the process for enabling timely and relevant discussion of risks, monitoring predictive indicators, escalating information on increased risk exposures, and making risk-informed decisions in an integrated manner.
2.1.5 – DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT

Table 1 – Risk Management (RM), Business Risk Management (BRM) and Enterprise Risk Management (ERM)

Focus
  RM:  Finance, hazard, internal controls
  BRM: Business, internal controls
  ERM: Business, internal controls, taking an entity-level portfolio view of risk
Objective
  RM:  Protect enterprise value
  BRM: Protect enterprise value
  ERM: Protect and enhance enterprise value
Scope
  RM:  Treasury, insurance and operations
  BRM: Business managers
  ERM: Across the enterprise, at every level and unit
Emphasis
  RM:  Finance and operations
  BRM: Management
  ERM: Strategy-setting
Application
  RM:  Selected risk areas, units and processes
  BRM: Selected risk areas, units and processes
  ERM: Enterprise wide, to all sources of value
Vision
  RM:  “Current state”
  BRM: Capabilities
  ERM: “Future state”

2.1.5. A - TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES

Table 2 – Traditional RM versus ERM

Traditional RM                          ERM
Risk as individual hazards              Risk in the context of business strategy
Risk identification and assessment      Risk portfolio development
Focus on discrete risks                 Focus on critical risks
Risk mitigation                         Risk optimization
Risk limits                             Risk strategy
Risks with no owners                    Defined risk responsibilities
Haphazard risk quantification           Monitoring and measuring of risks
"Risk is not my responsibility"         “Risk is everyone's responsibility"
2.1.6 - APPLICATION OF ERM ACROSS INDUSTRIES

The nature of the industry will drive the value of the risks and the risk management practices the organization adopts to manage those risks. For example, a bank will focus on managing market and credit risk to a greater extent than other institutions because the assumption of those risks is the essence of its business model. A pharmaceutical company will focus on managing its research and development pipeline because that is the lifeline to its future revenue streams. Regardless of the industry, the components of the framework as defined by COSO still apply.

2.1.7 – RISK MANAGEMENT REPORT

These reports serve the purpose of providing information for decision making to executive management.

1. A summary of the enterprise’s risks, broken down by operating unit, geographic location and product group.
2. A summary of existing gaps in the capabilities for managing the priority risks.
3. A summary of the top and worst performing investments and the reasons why.
4. From an “environment scan” process or early warning system, a report of emerging issues or risks that warrant immediate attention.
5. Value-at-risk reports to assess the sensitivity of existing portfolio positions to market rate changes beyond specified limits and consider the exposure of earnings or cash flow to severe losses.
6. Summary of scenario analyses evaluating the impact of changes in other key variables beyond management’s control (e.g. inflation, weather, competitor acts and supplier performance levels) on earnings, cash flow, capital and the business plans.
7. Operational risk reports summarizing exceptions that have occurred versus policies or established limits (i.e. limit breaches), including any significant breakdowns, errors, accidents, incidents, losses (as well as lost opportunities) or “close calls” and “near misses”.
8. Specific studies or targeted analyses to evaluate questions about specific events or anticipated concerns that could “stop the show”.
9. Summary of significant findings of business process audits performed by internal audit or reviews conducted by other independent parties such as the organization’s regulators.
10. Summary of the status of the improvement initiatives.

Good governance facilitates implementation of ERM because ERM is built on transparency. Conversely, an effectively functioning ERM infrastructure would provide greater confidence to the board and to executive management that risks and opportunities are being systematically identified, rigorously analyzed and effectively managed on an enterprise-wide basis.

2.1.8 - INTERNAL AUDIT

The Institute of Internal Auditors (IIA) regards internal auditing as an independent, objective assurance and consulting function, while objective reporting is the primary value of an auditor from outside the company. Accordingly, the IIA identifies suitable activities for the internal auditor in the ERM process. This is accomplished by advising upon the accuracy of the company's risk evaluation, evaluating the ERM processes and the method employed for reporting those risks, and reviewing the management of risk. The IIA considers activities such as facilitating, coaching, coordinating, educating, integrating, evaluating and developing an ERM framework as appropriate activities for internal auditors. However, the IIA considers setting risk appetite, imposing the ERM process, decision-making or implementation of risk response as roles an internal auditor should not undertake.
2.1.9 – EFFECTIVE WAYS FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT

Table 3 – Risk assessment methods and what each consists of
Interviews: individual stakeholder interviews to identify potential events and prioritize the associated risks.
Online surveys: an online survey consisting of either a checklist of events or risks or an open-ended request.
Paper surveys: a hard copy survey consisting of either a checklist of events or risks or an open-ended request.
Document review: review of existing public documents, regulatory reviews, audit reports, special purpose studies and other materials.
Facilitated workshops: an in-person or online workshop attended by key stakeholders.
Targeted reviews: special studies to evaluate questions about specific events or anticipated concerns, or other targeted analyses.

Any combination of these options is appropriate.

2.2 – INDUSTRY SPECIFIC EXAMPLES

2.2.1 – COMPONENTS FRAMEWORK OF A HIGHER EDUCATION SPECIFIC ERM

Internal environment – the organization's code of conduct, management's leadership, and its communication and decision making style. Training should begin at the level of academic deans, department heads, business managers and administrators.
Objective setting – suppose the institution wants to build a new science and technology block. The proposal should consider the return on investment and the risk to that return in both qualitative and quantitative terms.
Event identification – requires the institution to identify activities and events that may impact its ability to achieve its objectives.
Risk assessment and risk response – distinguish low probability/high impact events from high probability/high impact situations, since each calls for a different response.
Control and monitoring activities – adherence to the policies and procedures that reduce risk, and follow-up activity which ensures that the policies and procedures have been carried out as intended.
Information and communication – administrators and other members of the campus need access to accurate information that is communicated widely.

2.2.2 - WHY IS ERM RELEVANT IN THE HIGHER EDUCATION ENVIRONMENT?

Higher education institutions operate in an inherently risky environment. By managing risk strategically, they can reduce the chance of loss, create greater financial stability and protect their resources, so that those resources can support the university's mission of teaching, research and public service.

2.2.3 – STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION

Table 4 – Strategic risk drivers and the stakeholders concerned with each
Emerging educational delivery systems: students, faculty, executive management, staff, accrediting agencies
Inability of governance processes to support strategic objectives: trustees, executive management, faculty
Increasing opportunities to leverage intellectual capital: executive management, faculty
Excess physical capacity: trustees, executive management, donors
Quality of academic program: students, faculty, executive management
Increasing customer expectations (e.g. financial aid, student life, access, capacity): students, parents
2.2.4 – OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION

Table 5 – Operational and compliance risk drivers and the stakeholders concerned with each
New technologies: trustees, executive management, staff (for selected issues)
Reimbursement and financial issues: dean, faculty, regulators, trustees
Increased regulatory scrutiny and accountability: trustees, executive management, internal audit, public
Research and intellectual property: executive management, research
Human resource management: HRM, unions, staff
Decentralized responsibility: staff, faculty, auditors
Security, internet access, electronic records: students, executive management, faculty, staff
New construction: real estate office, executive management, donors
New business creation (international operations): staff, faculty
Increased competition: trustees, executive management, faculty
Student behavior and community: alumni, parents, students, faculty, president
Contracting and related processes: attorneys and executive management
Endowment management: trustees, staff, alumni, other donors
2.2.5 - LIST OF RISKS SEPARATED BY CATEGORY

Table 6 – Sample risks by category

Hazard risks: domestic terrorism; catastrophic natural events; pandemic; laboratory safety; facilities and grounds safety

Financial risks: conflicts of interest in financial transactions and agreements; budget impairment; ineffective service center and auxiliary management; non-compliant cost transfers; insufficient oversight over third party vendors; improper governmental activities including fraud, embezzlement or misuse of university resources

Information technology risks: unauthorized modification of data; decentralization of systems leading to data inconsistencies and fragmentation; disclosure of confidential information; obsolescence of systems/technology; lack of common data definitions; inability to recover from system loss; lack of comfort with third party vendor system security

Human resource risks: personal issues or workplace violence; professional liability claims; workers compensation claims; employee recruitment and retention

Research risks: falsification of data or results; intellectual property infringement; unethical or unapproved research; inadequate lab practices and processes for the promotion of environmental health and safety; threat to safety of researchers; regulatory fines or penalties

Contract and grant risks: non-compliance with sponsoring agency terms, conditions and agreement; funds used but agreement terms and conditions not followed; failure to maintain equipment inventories in accordance with grant requirements; sub-recipients not managed properly

Student life risks: sports or public event disturbances; student mental health; safety and security of students on and off campus

Facilities and maintenance risks: deferred maintenance; increase in energy costs; equipment/facility malfunction
2.2.6 – ERMIS

As a key support, a university can develop an ERM information system (ERMIS) to give management current information, in minutes, in the form of key performance indicators (KPIs). An ERMIS reduces the cost of risk by making retrospective reviews more efficient and by monitoring the effectiveness of the controls meant to prevent recurrences. The ERMIS includes:
1. Dashboard reporting on major risks
2. Risk assessment tools
3. A control and accountability tracking platform
4. Risk mitigation and monitoring tools
5. Survey capabilities

2.3 – HEALTH CARE ORGANIZATION

Specific objectives:
1. Quality of customer care
2. Attracting and retaining high quality physicians
3. Building sustainable levels of profit to provide access to needed capital and to fund existing activities

Statement of risk appetite: the organization's lowest risk appetite relates to its safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting and operations objectives.
2.4 – AEROSPACE SUPPLIER

A high level objective is to work with customers to improve products and market share. There is a low risk appetite for allowing the capital structure to become so leveraged that it hinders the company's future flexibility or its ability to make strategic acquisitions.

Operations tolerances:
1. Near zero risk tolerance for product defects
2. Low risk tolerance for sourcing products that fail to meet the company's quality standards
3. Low risk tolerance for failing to meet customer orders on time
4. High risk tolerance for potential failure in pursuing research that will enable the company's products to better control and increase the efficiency of energy use

Reporting tolerances:
1. Low risk tolerance concerning the quality, timing and accessibility of the data needed to run the business
2. Very low risk tolerance concerning the possibility of material deficiencies in internal control
3. Low risk tolerance related to financial reporting quality (timeliness, transparency, conformance with generally accepted accounting principles)

Compliance tolerances:
1. Near zero risk tolerance for violations of regulatory requirements or the company's code of ethics
2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III)

The Basel Accords are a set of rules on banking regulation with regard to capital. Basel III is a series of additions to the existing accords designed to limit the likelihood and impact of a future financial crisis. It requires banks to hold more, and higher-quality, capital against more conservatively calculated risk weighted assets (RWAs). It also looks to ensure sufficient liquidity during times of stress and to reduce excess leverage.

Capital: A minimum of 7 per cent of a bank's RWAs must be core tier one capital (a 4.5 per cent minimum plus a 2.5 per cent capital conservation buffer), to act as a buffer against losses. This compares with the 2 per cent required under Basel II. The definition of which instruments can be classified as core tier one will narrow. There is also a counter-cyclical buffer of 0 to 2.5 per cent, which is to be built up when the economy is strong so that it can be drawn on in tougher times. Additional requirements will be introduced for large banks deemed vital to the global financial system: global systemically important financial institutions (G-SIFIs) will have to hold an extra 1 to 2.5 per cent of core tier one capital.

Risk Weighted Assets: In addition to increasing the quality and quantity of capital, Basel III also updates the risk weighted asset (RWA) calculation for counterparty credit risk. This will see the introduction of the Credit Valuation Adjustment (CVA) capital charge, which increases the capital held against the risk that the mark-to-market value of derivatives will deteriorate due to a change in counterparty creditworthiness. The Financial Institution Asset Value Correlation (FI AVC) will be amended to increase the RWAs for banks' exposures to large and/or unregulated financial institutions.

Liquidity: The Liquidity Coverage Ratio (LCR) defines the amount of unencumbered, low risk assets (such as cash or gilts) that banks must hold to offset forecast net cash outflows during a 30-day stress period. Outflows are estimated based on the nature of the customer relationship and the type of product.

Leverage: A new leverage ratio of 3 per cent is due to become mandatory in 2018. It seeks to ensure that banks hold adequate capital against all their exposures, including those off balance sheet, without applying any risk weightings.

Timing: Basel III requirements are being introduced from 2013, but some areas are still subject to change and full compliance is not expected until 2019. The long lead-in is designed to prevent sudden lending freezes as banks improve their balance sheets.

These measures aim to:
1. improve the banking sector's ability to absorb shocks arising from financial and economic stress, whatever the source;
2. improve risk management and governance; and
3. strengthen banks' transparency and disclosures.
CHAPTER 3 – EXPLORATORY COMMENTS ON ERM

3.1 - RISK MAPPING

Risk mapping is probably the most common tool companies use to identify and prioritize the risks associated with their business activities. It is a directional tool: it ranks risks relative to one another rather than measuring any of them precisely.

Fig.2 – Consolidated risk profile: a grid with likelihood (remote, possible, likely) on one axis and impact on the other, in which each cell is classed as manageable, major or critical, with the high-likelihood, high-impact corner classed critical.
A RISK MODEL

Table 7 – A business risk model, grouped into three families of risk

Environment risk: competitor; customer wants; technological innovation; sensitivity; shareholder expectations; capital availability; sovereign/political; legal; regulatory; industry; financial markets; catastrophic loss

Process risk:
Financial – price (interest rate, currency, equity, commodity, financial instrument); liquidity (cash flow, opportunity cost, concentration); credit (default, concentration, settlement, collateral)
Empowerment – leadership; authority/limit; outsourcing; performance incentives; change readiness; communications
Information technology – integrity; access; availability; infrastructure
Governance – organizational culture; ethical behavior; board effectiveness; succession planning
Reputation – image and branding; stakeholder relations
Integrity – management fraud; employee fraud; third party fraud; illegal acts; unauthorized use
Operations – customer satisfaction; human resources; knowledge capital; product development; efficiency; capacity; scalability; performance gap; cycle time; sourcing; channel effectiveness; partnering; compliance; business interruption; product/service failure; environmental; health and safety; trademark/brand erosion

Information for decision making risk:
Strategic – environment scan; business model; business portfolio; investment valuation/evaluation; organization structure; measurement (strategy); resource allocation; planning; life cycle
Public reporting – financial reporting evaluation; internal control evaluation; executive certification; taxation; pension fund; regulatory reporting
Operational – budget and planning; product/service pricing; contract commitment; measurement (operations); alignment; accounting information
A RISK DRIVERS MAP

Fig.3 – Human resources risk drivers map. The figure is a cause-and-effect diagram whose arrows are not recoverable here; the nodes it contains are listed below.
External factors: competition for talent increases; industry demand declines due to environmental protection and age issues; fewer entrants into higher education programs; market demand for company products significantly declines; higher costs of expatriates due to transfers; increased costs due to inflexible union rules.
Internal factors: company decides to restructure; company expectations are unrealistic; performance measurement and reward system is not aligned with performance expectations; executive management is not perceived as committed; career or succession plan is poorly defined; teamwork contradicts acceptance of individual accountability; compensation levels are not competitive; hiring practices lack background checks.
Consequences feeding the human resources risk: top and experienced performers conclude the company is not as attractive; job security declines, resulting in good people leaving; the cost of retaining top and experienced performers increases; loss of morale; high turnover at remote locations; loss of reputation due to poor financial results; people are hired with dubious or questionable histories.
A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION

Fig.4 – Baseline oversight structure (organization chart). The Board of Directors oversees the CEO; beneath the CEO sit an executive committee and a risk management executive committee (chief risk officer, COO, CFO, CIO/CLO). Below them are the business risk owners (business units A, B and C, and program management), the risk units, the support units (functional support and shared services) and the assurance units (internal audit, risk management compliance, and legal and regulatory compliance).
3.2 - THE CAPABILITY MATURITY MODEL

The capability maturity model is a tool for helping management think more clearly about questions such as:
1. How capable do we want our risk management to be?
2. Do we vary the rigor and robustness of our risk responses and related control activities?
3. Do we rely on a few well-qualified individuals in an ad hoc manner and regularly put out fires?
4. Do we improve our capabilities?

3.2.1 - SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT

Table 8 – Procurement capability at each maturity level, across six dimensions (business policies, business processes, people and organizations, management reports, methodologies, systems and data)

Initial
Business policies: procurement not addressed as a strategic opportunity, no direction or policies
Business processes: purchases not leveraged, no strategic partnerships
People and organizations: no leadership and lack of qualified staff
Management reports: critical information not available and no internal auditing
Methodologies: no models, reliance on people
Systems and data: disparate, inefficient purchasing and accounts payable systems

Repeatable
Business policies: occasional strategic focus on sourcing and informal policies
Business processes: occasional supply leverage, few strategic partnerships
People and organizations: some procurement professionals as staff, limited training
Management reports: key internal procurement information available, with audits occurring
Methodologies: simple models are used inconsistently
Systems and data: suite of fairly effective systems, procedure manual

Defined
Business policies: annual procurement plans, strategic sourcing for key commodities
Business processes: defined processes, strategic partnerships in place
People and organizations: accounts payable centralized, training offered and special purpose teams
Management reports: key suppliers tracked, standard benchmarks and internal audits
Methodologies: well-developed models available for decision making
Systems and data: organization operates with contracts

Managed
Business policies: increased execution of strategic sourcing
Business processes: effective use of formal risk management techniques
People and organizations: consolidated, leveraged supply base in place, trained commodity teams
Management reports: high quality procurement information, self assessment commonplace
Methodologies: sophisticated, robust models and tools
Systems and data: procurement data warehouse in place and utilized, P-cards and automation

Optimizing
Business policies: aligned strategic plans, defined and integrated policies and responsibilities
Business processes: integrated and effective procurement processes and continuous benchmarking
People and organizations: ability to adapt to changing environments and customer demands, outsourcing of non-core competencies
Management reports: fully developed, automated, consistent function and planning
Methodologies: aligned strategic methodologies that emphasize continuous improvement
Systems and data: complete suite of systems across the supply chain for analysis
3.2.2 - RISK MEASUREMENT TECHNIQUES AT EACH STATE OF THE CAPABILITY MATURITY MODEL

Initial state: simple and straightforward methodologies
1. Self-assessment techniques
2. Facilitated assessments
3. Risk indicator analysis
4. Position reports
5. Gap analyses

Repeatable state: basic quantitative methodologies
1. Risk rating or scoring
2. Claims exposure and cost analysis
3. Sensitivity analysis
4. Deterministic stress testing
5. Parametric value at risk
6. Uncertainty measures

Defined state: refined methodologies
1. Surrogate performance measures
2. Historical simulation value at risk
3. Scenario analysis

Managed state: risks managed quantitatively and aggregated at the corporate level
1. Monte Carlo value at risk
2. Earnings at risk
3. Integrated measurement methodologies
4. Risk-adjusted performance measurement

Optimizing state: the organization is focused on continuous improvement. Risks are aggregated and managed as a portfolio, and the quantitative means to transfer and scrutinize risk are developed.
3.2.3 - WAYS TO AGGREGATE MULTIPLE RISK MEASURES, USING A COMBINATION OF A RIGOROUS METHODOLOGY AND THE APPLICATION OF JUDGMENT

1. Risk pooling – of positively and negatively correlated risks
2. Risk appetite and risk tolerances
3. Hurdle rates – discounted cash flow
4. At-risk frameworks – value at risk, earnings at risk, gross margin at risk and cash flow at risk
5. Risk adjusted performance measurement – risk adjusted return on capital (RAROC)

3.2.4 - WHAT RISK MEASUREMENT CAPABILITIES ACHIEVE

1. More robust risk reporting
2. Greater investment confidence
3. Greater integration and alignment
4. Higher valuation

The most important contribution of ERM to improving business performance is to help managers make better choices in protecting and enhancing enterprise value. Shareholder value is a generally accepted measure of value and is therefore a useful context for defining enterprise value. Economic value added (EVA) is one such measure: the operating profit left over after charging for the capital employed to earn it. The basic formula is:

EVA = NOPAT – (WACoC × capital employed)

NOPAT = net operating profit after tax
WACoC = weighted average cost of capital (a rate)
capital employed = the invested capital on which that rate is charged

A risk that raises the company's cost of capital, or that ties up more capital, therefore reduces EVA even when NOPAT is unchanged, which is how risk management decisions show up in this measure.
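The value at risk methods listed under 3.2.2 (parametric, historical simulation, Monte Carlo) and the risk pooling under 3.2.3 are only named in the paper. The program below is an added example, not part of the original term paper or of any product it mentions. It computes a one-day VaR by all three methods over a constructed daily return series, then pools two parametric VaRs under different correlations to show what diversification does and does not buy. The return series, the position size and the confidence levels are illustrative assumptions; only the Python standard library is used.

```python
"""One-day value at risk (VaR) three ways, plus parametric pooling of two
positions.  Added example; the data below are constructed, not market data."""
import math
import random
import statistics
from statistics import NormalDist

# Constructed daily returns (fractions of position value) for one position.
# Twenty observations is far too short a window for a 99% historical VaR;
# that is deliberate, see historical_var().
SAMPLE_RETURNS = [
    0.012, -0.008, 0.003, -0.021, 0.007, -0.004, 0.015, -0.013, 0.001, -0.030,
    0.009, -0.002, 0.006, -0.017, 0.004, -0.006, 0.011, -0.009, 0.002, -0.025,
]


def parametric_var(returns, position_value, confidence=0.99):
    """Variance-covariance VaR: fit a normal distribution to the returns and
    read off the loss at the (1 - confidence) quantile.  Cheap and always
    available, but it assumes normality and so understates fat-tailed losses."""
    mu = statistics.fmean(returns)
    sigma = statistics.stdev(returns)
    z = NormalDist().inv_cdf(1.0 - confidence)  # negative: lower tail
    return -(mu + z * sigma) * position_value


def historical_var(returns, position_value, confidence=0.99):
    """Historical simulation VaR: no distributional assumption; the empirical
    (1 - confidence) quantile of the observed returns is the loss.  k is the
    number of observations in the tail; the small epsilon stops floating
    point noise (e.g. 0.05 * 20 = 1.0000000000000009) from pushing the ceiling
    up by one.  With few observations it collapses onto the worst day seen."""
    worst_first = sorted(returns)
    k = max(1, math.ceil((1.0 - confidence) * len(worst_first) - 1e-9))
    return -worst_first[k - 1] * position_value


def monte_carlo_var(returns, position_value, confidence=0.99,
                    n_paths=50_000, seed=7):
    """Monte Carlo VaR: simulate returns from a fitted model and take the
    empirical quantile of the simulated outcomes.  The model here is a normal
    with the sample mean and sd, so the answer converges on the parametric
    figure; the point of the method is that the model can be anything."""
    mu = statistics.fmean(returns)
    sigma = statistics.stdev(returns)
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    simulated = [rng.gauss(mu, sigma) for _ in range(n_paths)]
    return historical_var(simulated, position_value, confidence)


def pooled_parametric_var(var_a, var_b, correlation):
    """Parametric VaR of two positions taken together (risk pooling).  At a
    common confidence level, and ignoring the mean term as is usual for a
    one-day horizon, VaR is proportional to sigma, so the pooled VaR follows
    the same quadratic form as the portfolio standard deviation:
        VaR_p = sqrt(VaR_a^2 + VaR_b^2 + 2 * rho * VaR_a * VaR_b)
    rho = +1 is plain addition (no diversification), rho = 0 the root sum of
    squares, rho = -1 with equal VaRs a perfect hedge."""
    if not -1.0 <= correlation <= 1.0:
        raise ValueError("correlation must lie in [-1, 1]")
    quad = var_a ** 2 + var_b ** 2 + 2.0 * correlation * var_a * var_b
    return math.sqrt(max(0.0, quad))  # clamp rounding noise below zero


if __name__ == "__main__":
    value = 1_000_000  # constructed position size
    for name, fn in (("parametric", parametric_var),
                     ("historical", historical_var),
                     ("monte carlo", monte_carlo_var)):
        print(f"{name:>12} 99% one-day VaR: {fn(SAMPLE_RETURNS, value):,.0f}")
    v = parametric_var(SAMPLE_RETURNS, value)
    for rho in (1.0, 0.0, -1.0):
        print(f"two equal positions, rho={rho:+.1f}: "
              f"{pooled_parametric_var(v, v, rho):,.0f}")
```

Run with the constructed series, the historical 99% figure is simply the worst of the twenty days, which is exactly why the maturity model places historical simulation above parametric VaR: it is only as good as the length and relevance of the history behind it. The Monte Carlo figure lands close to the parametric one only because the simulation model is the same normal fit; swapping in a fat-tailed or scenario-driven model is what earns it the "managed" tier.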
3.2.5 - APPLYING AN ERM PERSPECTIVE

Applying EVA as the yardstick identifies several opportunities for enhancing risk management processes to improve business performance:
1. Create new opportunities
2. Improve performance
3. Harvest existing value
4. Adjust and align the cost of capital

3.3 - RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM

1. ERA – enterprise risk assessment tools (decision support, surveys and risk registers)
2. ERM – integrated compliance and risk management platform solutions
3. ORM – operational risk management tools (qualitative and quantitative)
4. IA – internal audit tools (the solution class that Table 9 maps to audit planning and project management)
3.3.1 - PRIORITIZATION OF FUNCTIONALITY

Table 9 – Software features, the COSO ERM component each supports (in parentheses), and the solution class (ERA, ERM, ORM, IA) that typically provides it
Entity definition and objectives (internal environment, objective setting): ERA, ERM, ORM
Risk identification (event identification, risk assessment): ERA, ERM, ORM
Framework support (various): ERA, ERM, ORM
Risk control and monitoring (risk assessment, risk response, control activities): ERM, ORM
Risk workflow scheduling and notification (risk assessment, risk response, control activities, monitoring): ERM, ORM
Risk and audit issue tracking (risk response, control activities, information and communication, monitoring): ERM, ORM
Data collection, event tracking (information and communication, monitoring): ORM
Risk and control self assessment (risk assessment, risk response): ERA, ERM, ORM
KPI definition and tracking (risk response, control activities, information and communication, monitoring): ERM, ORM
Frequency and severity estimation and other statistical analyses (risk assessment): ORM
Exposure calculation (risk assessment, risk response, information and communication, monitoring): ORM
Scenario analyses (risk assessment, risk response, information and communication, monitoring): ORM
Capital calculation (risk response, information and communication, monitoring): ORM
RAROC analysis (risk response, information and communication, monitoring): ORM
VaR model (risk assessment, risk response, information and communication, monitoring): ERM
Internal reporting (internal environment, information and communication, monitoring): ERA, ERM, ORM
Regulatory reporting (internal environment, information and communication, monitoring): ORM
Risk response (risk response): ERM
Compliance templates (various): ERM
Audit planning (risk assessment, monitoring): IA
Project management (monitoring): IA
3.3.2 - CHARACTERISTICS OF SUCCESSFUL ERM SOFTWARE VENDORS

1. In-depth risk management knowledge
2. Ability to educate prospects and customers
3. Ability to execute and support
4. Professional services
5. Global presence
6. The firm's overall size
7. Ability to leverage existing relationships to build technology
8. Operational and financial risk expertise

3.3.3 - ERM VS. QUALITY INITIATIVES

ERM is an enterprise-level process that is integral to strategy setting. Quality initiatives provide the methodology and tools to help organizations understand, measure and continuously improve the efficiency and quality of their processes at a detailed level.

3.4 – ADVANTAGES

3.4.1 - MANAGEMENT ALTERS AN ENTITY'S RISK CHARACTERISTICS BY REDUCING:
1. The enterprise's net exposure
2. The variability of the enterprise's expected returns caused by specific sources of uncertainty (e.g. fluctuating currency rates)
3. The likelihood of financial distress in the event of realized changes in key variables (e.g. changes in interest rates for a highly leveraged company)
4. Other uncertainties in the attainment of expected returns
3.4.2 - ERM TO ESTABLISH A SUSTAINABLE COMPETITIVE ADVANTAGE

1. Integrate risk management with business planning and strategy setting
2. Implement a more rigorous risk assessment process
3. Improve the management of common risks across the enterprise
4. Improve capital deployment and resource allocation
5. Align the enterprise's risk taking with its core competencies
6. Seize opportunities through the rational assumption of risk
3.5 - SUITABILITY

Fig.5 – Key questions a business case must address (the figure itself is not reproduced in this extract)
3.6 - LIMITATIONS

3.6.1 - VALUE IN USING QUALITATIVE INFORMATION WHEN ASSESSING RISK

Some risks do not lend themselves to quantitative measurement because the related events occur so infrequently and, if and when they do occur, are subject to such a wide range of possible outcomes in terms of severity that it is difficult, if not impossible, to quantify them.

3.6.2 - COMMON MISTAKES AND PITFALLS DURING THE RISK ASSESSMENT PROCESS

1. Lack of clarification and common understanding of the meaning or definition of risk
2. Not including all stakeholders
3. Not considering, or not giving appropriate weight to, knowledgeable positions
4. Setting unclear or unrealistic objectives

3.6.3 - THE PROBLEMS ERM PRACTITIONERS MAY FACE

The main problems arise when identifying, collecting, cleansing and analyzing data. Often adding to this frustration is a lack of guidance on how to create an information infrastructure to accomplish their goals. ERM practitioners also face the challenge of dealing with cultural, organizational and political obstacles to data transformation efforts that seem to be almost universal in organizations of all types (Fraser, Schoening-Thiessen & Simkins, 2008). ERM information systems face the same hurdles as other systems that have required changes in procedures, processes or culture, and there are many lessons to be learned from past implementations of other large systems. Above all, patience and persistence are key to the implementation process.
3.6.4 - DEMONSTRATION OF ERM'S USEFULNESS IS KEY TO WINNING OVER MANAGEMENT

 Risk managers should expect resistance from their managers.
 Risk managers who are preparing to implement an enterprise risk management process should be ready to mitigate opposition from middle and lower management.
 To counter resistance, risk managers must address it before implementing the process.
 Risk managers should demonstrate that ERM is a tool managers can use to improve unit performance and promote their individual worth.
 Risk managers also need a senior manager to co-champion ERM, in addition to top management support.
 Unit managers perceive ERM as a spotlight that illuminates losses and potential risks, which "doesn't paint them in a positive light".

Risk managers must adopt seven principles in order to obtain and retain middle- and lower-management support:
1. Simplify the ERM process, because "people don't do what they don't understand."
2. Communicate its purpose.
3. Provide training.
4. Personalize it to help managers achieve their objectives.
5. Demonstrate how it adds value to the managers' business operation.
6. Monitor performance.
7. Tie performance to compensation.

Of course, finding an individual whose expertise spans the full spectrum of enterprise-wide risks in a financial institution, from loan quality and interest-rate mismatches to fraud and natural disasters, will be a significant challenge.
CONCLUSION

I have done an exploratory self-study about Enterprise Risk Management and would like to conclude that it is a relatively new and vast topic and needs much time and expertise to comprehend. In this study I did not obtain actual numbers and figures of any organization in particular, and I have also not used any advanced statistical techniques. There are different approaches and models to obtain optimal risk management, which need much detailed research and practical knowledge. Hence, I have not given any specific recommendations regarding the implementation, application and use of ERM. Nevertheless, it can be understood that ERM is not just the simple sum of all risks facing an organization. ERM basically becomes a means of shifting focus from crisis response management and compliance to evaluating risks in business strategies proactively, to enhance investment decision making and maximize stakeholder value. Enterprises (regardless of size) need to protect themselves from the adverse effects of risk and need to exploit risk. ERM solutions need to be tailored for each organization according to the factors affecting that enterprise. Risk exists all around us; you can choose to use it or let it destroy you. The concept of ERM is debatable in terms of time, cost and effectiveness for an enterprise.
REFERENCES

https://web.ebscohost.com/ehost/detail
http://pwc.com/us/grc
http://www.pwc.com/us/en/issues/enterprise-risk-management/publications/guide-to-risk-assessment-risk-management-from-pwc.jhtml
http://www.ucop.edu/enterprise-risk-management/
http://www.zurich.com/internet/main/sitecollectiondocuments/insight/risk-management-in-a-time-of-global-uncertainty.pdf
http://www.zurich.com/insight/global-issues/hbr-study/
http://www.forbes.com/sites/tatianaserafin/2012/07/02/risky-business-managing-risk-in-a-volatile-world/
http://www.forbes.com/forbesinsights/risk_management_2012/index.html
http://business.illinois.edu/~s-darcy/Fin321/2007/Readings/erm%20(conference%20board).pdf
mib.rbs.com/Basel-III