An effective risk management framework is critical to the sustainability of companies of all sizes and structures. Taking on some level of risk is imperative to executing a successful business strategy. In the midst of the financial crisis and various corporate scandals, the skepticism and scrutiny coming from regulators and investors continue to grow. As a result, enterprise risk management (ERM) is now seen as a necessity rather than an option for developing and executing an effective growth plan. Yet, according to NACD’s 2011 Public Company Governance Survey, only half of the companies surveyed have operational ERM programs in place today.
Where should board members begin if they are not confident their companies have adequate programs in place? Not all organizations are the same; there is no “one-size-fits-all” ERM solution or time frame for creating a manageable program. The following four-phase methodology, however, can help companies address the core components of risk and establish a framework that reflects the company’s specific needs.
Phase 1: Risk program development
Priority is given to the design and development of the ERM strategy and program. The key personnel who will be involved in program oversight are identified at both the board and management levels. Additionally, an assessment is conducted of tone at the top, risk appetite, risk materiality and the tools and templates necessary to manage the program.
Phase 2: Risk prioritization
Identifying and documenting the organization’s portfolio of risks is the focus of phase two. The tasks may vary, but traditionally they include:
- Evaluating all key functional areas and benchmarking them against available risk universes or libraries
- Categorizing risks within the four objective categories of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework: strategy, operations, reporting and compliance
- Ranking and prioritizing the identified risks according to impact and likelihood
This phase also includes regular meetings with key personnel to review various categorizations and prioritizations, ensuring a common understanding of scope and systemic risks.
Phase 3: Risk treatment
The third phase of implementation includes discussing and identifying mitigation strategies for the prioritized risks and defining the organization’s risk appetite and tolerance. Additionally, control gaps or improvement opportunities are documented.
Phase 4: Risk validation and monitoring
Validation is completed using a variety of assessment options, including self-assessment, internal audit and third-party assistance. The key to this phase is the effective design of a validation plan that verifies that mitigation strategies are working. Additionally, an ongoing monitoring and reporting strategy, such as a board-level dashboard, is developed.
Two trends that illustrate the importance organizations and their boards are placing on ERM are the establishment of risk committees and the naming of chief risk officers (CRO). While every board member has responsibility for risk oversight, risk committees present an opportunity to bring more continuity to the way risk identification, assessment, mitigation and monitoring are handled.
CROs can establish clarity around who “owns” the day-to-day ERM process, though today they are rarely seen outside of highly regulated industries such as financial services and energy. Independence and an ability to facilitate a “no surprises” environment are important characteristics in a CRO’s function. In most cases, the CRO will have a dual reporting structure that ensures the appropriate interactions with executive management and the board simultaneously. The level of independence the CRO maintains can boost the confidence the board has in the ERM program.
The board’s role of providing proper oversight is best accomplished when risk is woven into every discussion and not set aside and addressed as a discrete activity. An effective, pragmatic ERM program can drive risk awareness throughout the organization and can help fulfill the board’s responsibilities to all stakeholders. Best of all, implementation and ongoing management don’t need to be onerous. So while you can’t operate or grow a business without risk, a robust ERM program definitely can help minimize unnecessary business disruptions.
John Brackett is a partner with McGladrey & Pullen, LLP, where he leads the firm’s national Enterprise Risk Management practice. He can be reached at john.brackett@mcgladrey.com.


It would be wonderful if the consulting firms, including McGladrey, would share with business leaders the value of the more recent and global risk management standard: ISO 31000:2009. It is easier (IMHO) to understand and implement than the older COSO ERM Framework.