Introduction To Enterprise Risk Management
Enterprise risk management is the process whereby an organization optimizes the manner in which it takes risks. When conducted appropriately, enterprise risk management recognizes that business (including non-profit business) is about taking risks. All organizations accumulate resources and invest them in activities which are uncertain. Successful organizations take risks which are necessary for their goals, while avoiding other risks. Accordingly, enterprise risk management is not about seeking or avoiding risk. It is about optimizing risk.
Risk management involves different individuals in various positions performing different functions. These positions / functions can be reviewed to check for appropriate communication, interaction and co-operation. Some of them are:
- Traditional Risk Manager handles hazard risk and risk financing, which often includes input and overlap into some or all of the areas listed
- Chief Risk Officer or Chief Audit Executive focuses, integrates, and communicates the activities of internal audit and other risk management functions across the organization
- Internal auditor assesses control risks
- Chief Continuity Officer is responsible for disaster / continuity planning
- VP Finance controls and supervises various areas of financial risk and hazard risk
- Financial Risk Manager handles Financial Risks
- Strategic business units develop controls for operational risk
- Occupational safety officer handles employee safety
- Medical supervisors handle clinical risk management
- Quality assurance officer co-ordinates quality assurance and continuous improvement efforts
- Product Steward is responsible for quality control of the manufacture of the product
- Chief food safety officer is responsible for quality control of the food supplied
- Chief Security Officer handles security
- Plant / Building manager handles equipment and building safety
- Environmental officer handles environmental / pollution exposures
- Corporate counsel controls legal / contractual exposures in all areas
- Marketing and public relations personnel focus on reputation risk
- Human resources department addresses employment risk
- Technology / Information officer controls computer security and e-commerce risks
- Treasury focuses on credit and monetary risk
- Commodities traders hedge price fluctuation risks
- Senior management and the board of directors focus on strategic challenges
Throughout an organization, each individual has responsibility to manage risks within his or her own area, often with a lack of regular interaction, resulting in duplication of efforts and missed opportunities. Where appropriate, these various branches of risk management can be augmented by a system of control which is supervised by a coordinator who can assist the various specialists in the risk management techniques of:
- Identifying the major risks faced by the organization;
- Measuring those risks. Measuring is the process of assigning a value to a given risk level, either quantitatively or qualitatively;
- Controlling risks, which is the process of modifying the risk level to comply with the risk taking appetite and policies set by shareholders and board of directors. This includes transferring, eliminating, financing or reducing losses or potential losses by way of:
  - Examining the feasibility of risk management techniques, e.g., avoiding and transferring risks through safety, engineering, and contractual measures; retaining those risks which are within the organization’s financial capacity; insuring risks which are above the organization’s retention capacity; hedging through the use of derivative instruments; insuring traditionally insured hazard risks together with financial risk contingencies in a specially designed package policy; etc.;
  - Selecting the apparently best techniques;
  - Implementing the chosen risk management techniques;
- Monitoring and improving. Monitoring is the process of tracking changes in the measure of risk over time, often reported against a limit or benchmark.
The overall aim of a coordinated approach to risk management is to focus on:
- Revenue Growth – customer, product, or market goals.
- Margin – cost reduction, including restructuring of costs and provision of services and supply-chain efficiencies.
- Assets – asset turnover, flexibility, effectiveness, and efficiency targets; safeguarding of assets.
- Expectations – various expectations of stakeholders, regulators, rating agencies, banks, creditors, employees, customers, partners, and suppliers.
This responsibility can sometimes be handled by a CRO (Chief Risk Officer) or a Chief Audit Executive (CAE). It will not eliminate the need for any of the separate functions, but will simply formalize an integrated approach to risk management. Where the CRO position has succeeded in both meeting senior management’s needs and overcoming organizational resistance, it has been in the role of a leader and facilitator and integrator and not as a technician. In this role, the CRO serves as a coordinator, more than a manager, of risks. He or she is a communicator who can facilitate dialog among the individual risk managers, both reassuring them of their individual value to the organization and maximizing that value.
Whether such a position is appropriate for your organization is open to examination and discussion. It is not for every organization.
Each organization will place different emphasis on the various categories of risk depending on the nature of the business. The areas of risk can be divided into the following categories. Some of the risks are externally driven and others internally driven. These categories cross over in some instances.
- Policies, procedures, structure, and authorities that oversee key company directions and decisions.
Strategic and Execution Risk
- Business strategy and future initiatives, such as plans to enter new markets, form new alliances, or launch new products
- Capital availability
- Customer changes, demographic, social / cultural trends
- Customer demand
- Industry changes
- Legal and regulatory – Also Operational Risk
- Merger & acquisition integrations
- Regulatory and political trends
- Reputational risk (e.g., trademark / brand erosion, fraud, unfavorable publicity) – also operational risk
- Research & development, Intellectual capital, technological innovation
- Price (e.g., asset value, interest rate, foreign exchange, commodity)
- Liquidity (e.g., cash flow, call risk, opportunity cost)
- Credit (e.g., asset ratings, default, downgrade)
- Inflation / purchasing power
- Equity risk, Project financing
- Hedging / basis risk
- Liability risk, reserve type and size
- Input cost
- Controls and the control infrastructure, particularly with respect to the protection and utilization of existing assets and operations
- Board composition, compliance, regulation – Also Governance Risk
- Human resources, recruitment
- Empowerment (e.g., leadership, change readiness)
- Fraud – Also classified as Hazard Risk
- Human error, incompetence
- Systems, information technology (e.g., relevance and availability)
- Information / business reporting (e.g., budgeting and planning, accounting information, pension fund, investment evaluation, taxation)
- Product development
- Product service, failure
- Capacity, efficiency
- Reputation – Also strategic risk
- Supply chain, channel management
- Business cyclicality
- Catastrophic risk – Also classified as Hazard Risk
- Performance of people, processes, and systems that support the company’s operations
- Environment in which the company operates or external factors beyond the company’s control
- Fire and other property damage, terrorism, theft & crime risks etc.
- Natural events, windstorm, flood, earthquake
- Business interruption, suppliers, public access
- Liability, contracts, environment, employees, products & services
- Disease and disability, including work related injuries