
Moving forward with ERM: by working together, chief risk officers and internal auditors can...

By De La Rosa, Sean
Publication: Internal Auditor
Date: Friday, June 1 2007

FROM ITS INSURANCE ORIGINS, enterprise risk management (ERM) has developed into a full-fledged management function that has progressed into business areas that were originally considered unrelated. This evolution toward a portfolio approach to risk recognizes that risks are interrelated and that significant benefits can be achieved from evaluating and monitoring risk on an organizationwide basis.

In recent years, it has become a best practice for organizations to provide more information in corporate reports about their progress in implementing ERM. These organizations are showing how risk management is integrated into their organizational structure and how it interfaces with assurance activities such as internal auditing. Areas disclosed in corporate reporting on ERM include:

* Defining how ERM is linked to international best practice frameworks.

* Explaining the role of the organization's chief risk officer (CRO).

* Offering a high-level explanation of the ERM process within the context of strategy setting.

* Summarizing overall business objectives alongside external and internal risk factors.

* Providing information on the quantification technique for each risk category and details associated with key performance areas and indicators.

* Setting out the organization's risk appetite and tolerance ranges for strategic objectives.

As champion of the ERM process, the CRO plays a key part in bringing together disparate risk management processes to ensure that limited company resources are applied effectively (see "The CRO's Key Duties" below). The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework defines the CRO's role as working with other managers to establish effective risk management, monitoring progress, and assisting other managers in reporting relevant risk information up, down, and across the organization.

Internal auditors should work with the CRO as part of their risk management duties. In this role, internal auditors are responsible for evaluating the accuracy of ERM reporting and providing independent and value-added recommendations to management about its ERM approach. The IIA's International Standards for the Professional Practice of Internal Auditing specifies that the scope of internal auditing should encompass risk management and control systems. This includes evaluating the reliability of reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations.

ERM TOUCHSTONES

Attempts to initiate ERM in some organizations have either failed or have experienced setbacks that hinder the realization of expected benefits. A lack of buy-in from senior management and oversight committees, such as audit committees, is a major cause of such failures. Other causes include:

* Lack of theoretical ERM knowledge.

* A poorly customized ERM approach.

* Incorrect or incomplete set-up of oversight structures to support the ERM initiative, such as a risk management committee in cases where the audit committee is not responsible for the ERM function.

* Poor tone at the top, including ethical culture and lack of formalized business strategies.

* Insufficient financial and human resources to support implementation and maintenance of the ERM process.

* Inability to maintain the momentum of the ERM implementation project beyond the first year.

* Poorly defined ERM language.

* Inefficient supervision of consultants.

ERM initiatives are frequently hindered by errors in perception and approach. However, internal auditors can point to three touchstones to forewarn management about challenges that can cause unnecessary delays and costs.

KEEP ERM SIMPLE IN THE BEGINNING

With all the hype over corporate governance failures and the need for more transparency, many organizations are allocating large amounts of resources to get ERM projects started or moving faster. Some of these organizations bite off more than they can chew, which can result in a loss of focus and the inability to identify areas for quick victories. Executive management should ensure that the ERM initiative focuses on the top risks during its initial development phase. This means allowing the ERM discipline to get the basics right before launching, for example, a major three-year ERM project plan.

Internal auditors should advise management that the ERM approach should be "top-down," with the senior executive identifying the top issues linked to the key strategic objectives. First, they should recommend that managers familiarize themselves with ERM theory and understand its purpose and how it can provide them with a competitive advantage. It may be useful to engage an external consultant to provide this training. Second, through facilitated sessions and good debate, management should identify its top 20 to 40 risks.

Although many ERM software products are available, as a business adage notes, "if you automate a mess, you have an automated mess." To prevent misuse of automation, organizations should have a working and flexible ERM approach in place before implementing software. Also, the management team must buy into this approach before embarking on implementation.

Only after it is apparent that the management team has an understanding of ERM should software be considered. Ideally, this would not be within the first year of an ERM roll-out. In addition, internal auditors should ensure that any ERM software implementation is flexible enough to accommodate the organization's unique ERM common language and that the reporting functionality can be customized to fit the needs of the organization's stakeholders.

MAP THE WAY AHEAD

Many organizations embark on an ERM initiative without defining where they are and what they want to achieve. The executive management team should look to its corporate governance officer to provide a maturity model to help gauge the status of ERM practices and what the potential road map to improvement would entail. Also, management should ensure that consultants who assist in the ERM implementation have industry work experience.

Internal auditors could suggest that management use an ERM maturity model to assess the organization's ERM status and future expectations. Maturity scores are usually derived from facilitated sessions with various executive management teams or one-on-one interviews. It is important that the audit or risk management committee verify that the maturity model chosen is easily understandable by management and addresses the key components of best-practice ERM frameworks. Areas usually covered in maturity models include:

* Extent of leadership awareness within the organization.

* Management style (e.g., bureaucratic versus free management style).

* Employee attitudes toward change.

* Alignment of business objectives with risks and action plans.

* Risk management maturity within the organization.

* Human resource deficiencies and the extent to which the risk management roles and responsibilities of all employees are articulated.

* Extent of communication and training on ERM.

* Rigor of monitoring and management oversight of employees and committees.

Once the corporate governance officer has aggregated the results of where management believes its existing ERM approach lies and where management expects it to be, updates to the documented ERM approach can be made.

Many organizations believe they need to attain the most advanced levels of ERM maturity possible, but this is not practical. Internal auditors need to remind management that the more advanced ERM maturity levels will require significant financial and human resources. Organizations should seek a balance between performance and good corporate governance measures.

KNOW WHAT IS IMPORTANT

In a time when the oversupply of information is evident everywhere, chief executive officers (CEOs) need to ensure that the most important issues receive sufficient airtime at strategy meetings and other executive management sessions. Many times, executive meeting agendas are filled with items that are too tactical or operational in nature. This results in a neglect of the big picture and those issues that require strategic debate. Structuring meeting agendas around the top 10 to 20 risks should ensure that the important strategic issues are addressed. Output from well-structured and maintained ERM software can help ensure that operational and other noncore issues do not make it onto the executive's list of priorities.

Internal auditors should ensure that the executive is relying on the output of the ERM process as a means of managing the organization more effectively. Output from the ERM process should be coordinated in a way that promotes accuracy and completeness of results. Auditors should also ensure that conclusions reached by relevant executives, based on the output of the ERM process, are sound and compare fairly with internal auditing's opinion on the same business activities or processes.

THE CHIEF RISK OFFICER

ERM responsibilities within organizations are becoming more delineated. The practice of formally designating a CRO in organizations' charters is becoming widespread. A key benefit of having a CRO is the ability to expand risk management to encompass a broader range of risk issues. However, organizations are unlikely to find a CRO who has expertise in everything from financial risk management to litigation or specific risks pertaining to different markets. A successful CRO must be a true generalist and a strong advocate of teamwork and communication.

Although the CRO role may seem exciting, it has its own unique challenges. CROs need to think strategically before committing the organization to an ERM road map. Moreover, they should supplement strategic thinking with qualities including:

* A well-developed risk consciousness.

* A working understanding of the organization's core business processes.

* An advanced university degree and suitable training to stay abreast of changes in the risk management field.

* Interpersonal skills such as the ability to interact at varying levels of management and operations.

* Expert facilitation skills.

* Knowledge of finance, accounting, and insurance.

By aligning themselves closely to the CRO, chief audit executives can ensure that they are aware of new high-risk issues and breakdowns in significant controls that were previously considered effective. To formalize this relationship, it may be useful for internal auditors to meet frequently with the organization's ERM champions and for audit management to attend executive risk management meetings.

Ultimately the CRO should act as the glue that brings together all risk management activities across the organization and minimizes duplication of effort across the various assurance activities within the business. In the future, the CRO's main role will be ensuring regulatory compliance, followed by the need to effectively identify and monitor risks in emerging markets. Bringing together the qualitative and quantitative aspects of risks, supported by sound models based on past loss data, will also become important.

A RISK PORTFOLIO

Executive management should view ERM as a discipline that consolidates disparate risk management approaches throughout an organization and allows management to perceive risk from a portfolio perspective. Whether it be operational, market, or credit risk, it is only when all these risk domains are aggregated that management can determine what the most pressing issues are for the organization and what type of resource allocation is needed to address potential challenges.

Internal auditing adds value to the ERM process in two key areas. First, auditors can provide the audit committee and executive management team with the necessary assurances that the ERM process is effective, efficient, and complies with the agreed-upon approach. Second, internal auditing can use the output of the ERM process to develop its risk-based audit plan and to identify unexpected high-risk areas as the financial year progresses.

To comment on this article, e-mail the author at sean.delarosa@theiia.org.

SEAN DE LA ROSA, DCOM(UP), CIA, CISA, CCSA

MANAGER OF ERM SOLUTIONS IQ BUSINESS GROUP (PTY) LTD.

ILLUSTRATION BY RUSSELL COBB

RELATED ARTICLE: The CRO's Key Duties

Chief risk officers (CROs) play a variety of roles in an organization's ERM process. COSO's Enterprise Risk Management-Integrated Framework and other best practice frameworks provide some guidelines on what the CRO's key duties entail:

* Oversees the corporate risk management function and is the ultimate champion of the risk management framework process.

* Acts as business management's coach by assisting in designing and implementing a suitable risk management architecture and regularly reviewing the appropriateness and effectiveness of such systems.

* Monitors the organizationwide risk profile and ensures that major risks are identified and reported upward.

* Ensures appropriate risk management ownership by business unit leaders and effective oversight by management teams.

* Validates that ERM is functioning in each business unit according to the approved risk management policy and framework.

* Serves as an adviser to, and partner with, the chief executive officer (CEO), chief financial officer, and chief operating officer on risk management issues.

* Assists internal and external auditors in relying on ERM output for the purposes of audit planning and execution.

* Assists the board in fulfilling its corporate governance responsibilities.

* Assists in the execution of the approved risk management process.

* Facilitates, challenges, and drives the integrated approach to ERM.

* May have authority for managing a selection of significant risk types.

* Is a member of the risk management committee and reports either to the CEO or other board member.

The complexity of the ERM approach will be driven by the organization's level of ERM maturity. Accordingly, the expected role of the CRO should be matched to the desired level of ERM maturity that the business wants to achieve.
