Building Risk Management

Category: 

Only 20% of organizations feel extremely confident to manage risks within the organization."1

In my last article, Building an Effective Enterprise Risk Management Program, I provided an introduction to what 18 Asset Management (18 AM) believes is required to build an effective enterprise risk management (ERM) program. In this article, I will expand on that topic by providing valuable insight into the risk management landscape within North America and what 18 AM is doing to demonstrate industry best practices when it comes to managing risk within our organization.

Before looking at the essential components of an ERM program, it is important to understand a few key terms in order to provide context for this article.

What is Risk

The Institute of Risk Management defines risk as “the combination of the probability of an event and its consequence. Consequences can range from positive to negative.”2 It is important for every organization to define what risk means to them in order to be able to effectively address it. In doing so, organizations should note that the definition of risk may differ across its various departments.

What is ERM

ERM is “a continuous process that seeks to identify, analyze, mitigate and monitor potential events that create uncertainty to the achievement of a company’s objectives.”3 An effective ERM program is one overseen by individuals who lead the organization (board members, senior management), and aids in the identification of an organization’s risks from a top-down strategic point of view. This identification will allow the organization’s leaders to proactively manage and take action on those risks which could affect the organization’s ability to achieve its principal strategic objectives.4

Importance of ERM

In 2015, there were 125,716 bankruptcies in Canada, a statistic which further illustrates the importance of organizations adopting an ERM program.5 ERM is an important component of a company’s proactive plan to demonstrate that risk management is being taken seriously by the leaders of the organization in order to remain viable and a going concern. Without an ERM, an organization can be destroyed by problems within or actions taken that can give rise to operational, reputational, regulatory or financial risks. “Simply put, firms that comprehend and adopt ERM as a way of thinking typically outperform those that do not”.6

Building an Effective ERM program

An effective ERM program needs to have the following:7

  • A champion to lead the program who is equipped with proper resources
  • Policies and procedures
  • Agreement on risk criteria
  • Regular risk conversations at workplace
  • Risk prioritization incorporated into business planning
  • Program monitoring
  • A risk culture and transparency

In addition to the above, we would also add:

  • Acknowledgement, approval and monitoring by senior management/board

A champion to lead the program who is equipped with proper resources:

An organization must identify a champion who embodies the culture and equip that individual with appropriate resources to oversee the program and its implementation.8 A study conducted by NC State’s Poole College of Management indicates that a minority of organizations, 32%, designated an individual to serve as a chief risk officer or equivalent. The majority of organizations were more likely to pursue the less advantageous route of having management-level risk committees.9 Large companies with revenues greater than $1B, public companies and organizations within the financial industry were the bulk of the organizations that exhibited best practices of appointing a champion/risk officer.

The ERM program at 18 AM has a dedicated senior risk executive. This individual is ultimately responsible for the development and management of the risk policy and philosophy and accompanying procedures. Responsibilities also include the identification and documentation of all actual and potential risks and measuring, managing and monitoring those risks. The senior risk executive reviews all the above documentation on a regular basis to ensure the ERM program is current, accurate and running successfully.

The most important aspect of the senior risk executive’s role at 18 AM is reporting to the Advisory Committee. The senior risk executive provides a quarterly update to the Advisory Committee on the risk landscape at 18 AM, the risks the organization is facing and what steps are being taken to mitigate those risks. This process provides the senior risk executive and the overall organization vital, independent third party oversight into the 18 AM ERM program. This is a significant requirement for any ERM program to be effective and accountable. It is interesting to note that organizations with a Chief Risk Officer or equivalent, 21% formally report to a Board of Directors, with the majority reporting to the CEO and 14% reporting to the CFO.10

Policy and procedures:

Having a written risk management policy and accompanying procedures is an essential part of an effective ERM program and a solid foundation upon which a strong organization can build. A survey conducted jointly by CPA Canada and FEI Canada revealed that the existence and thoroughness of policies and procedures is highly correlated with the degree of success of an ERM program.11 Despite documentation being a critical component, the survey found that only 15% of organizations have a documented risk management program.12

At 18 AM, we have a documented policy and philosophy on risk management which is reviewed annually to ensure it is current and accurately describes our views on risk management within the organization. This document is prepared by senior management and governed by our Advisory Committee which is equivalent to a Board of Directors. Members on the Committee possess critical experience having served in a risk management/oversight role within the finance industry for 20+ years.

Agreement on risk criteria:

The organization must agree on the risk criteria. As per ISO 31000, risk criteria would include:13

  • the nature and types of causes and consequences that can occur and how they will be measured
  • how the likelihood of a risk arising will be defined
  • the timeframe(s) of the likelihood and/or consequences
  • the views of the stakeholders
  • the level at which risk becomes acceptable or tolerable

Only 36% of organizations maintain risk inventories at the enterprise level.14 Larger and public organizations, rather than smaller and private companies are more likely to have formal processes and structures in place to identify and manage risk.15 A mere 22% of organizations update their risk inventories on a monthly or quarterly basis with 37% of organizations updating their risk inventories on an annual basis.16

18 AM has a risk assessment chart which outlines our consensus on our risk criteria. These include:

  • identifying what the risks are
  • what type of risk it is – strategic, financial, operational, reputational, regulatory
  • the causes of the risk
  • the consequences of the risk
  • the levels of inherent and actual risk
  • the mitigation strategies
  • the policies/procedures/regulations relating to that risk
  • the individual in charge of monitoring the risk
  • the timeline for review of that risk

The senior risk executive reviews this risk chart on a monthly basis to ensure its completeness and accuracy and to adjust risk criteria as required.

Regular risk conversations at workplace:

It is essential that all staff are aware of the risks to the organization and the role they play in helping to mitigate those risks. Training increases the probability of success of the organization and its ability to serve the best interests of the client. This concept was reinforced by CPA/FEI Canada survey where it stated, “What makes risk management a greater concern is that employees might inadvertently accept risks that the organization wishes to avoid (or vice versa of course). It is imperative therefore that all employees understand the risk appetite of the organization, both in qualitative and quantitative terms, …”.17 In this regard, 18 AM joins the 31% of companies that believe that their employees mostly or fully understand the opportunities and threats relevant to their organization.18

A crucial aspect of the senior risk executive’s role at 18 AM is to provide training sessions to all staff on the ERM policy, philosophy, procedures and identified risks. This person is also in charge of the entire risk assessment chart and its accuracy. Having said that, all employees are engaged in discussions to aid in the identification of risks they see within their day-to-day activities. This engagement of employees in the risk management process allows there to be ownership of the ERM program by the entire organization and not just the individuals directly in charge of the management of the program. It becomes a company wide endeavour.

Risk prioritization incorporated into business planning:

It is imperative to the success of an organization that it integrate risk oversight with their strategic planning. Considering the importance of having risk oversight, there is a surprisingly low number of organizations that are doing so. It was found that only 30% of organizations have boards that mostly or extensively review the top risk exposures facing a company when the board discusses the organizations strategic plan.19 Having risk oversight at the beginning of the strategic planning stages is hugely beneficial from a risk, operational and financial perspective. Having the ability to refrain from beginning a project once the risk assessment is completed could save the organization time, money and employee resources. A risk assessment at the beginning stages could reveal that the project could create enough risk that it would be unsuccessful in the long run or ultimately be harmful to the organization.

At 18 AM, the senior risk executive is a member of senior management and at the table when discussing strategic planning and new business initiatives. The Advisory Committee is also part of the strategic planning process and each new strategic business plan is reviewed from a risk perspective in order to identify and quantify those risks. This in turn, allows an informed decision to be made as to whether the organization will accept the risks and/or opportunities and move forward with the strategic initiative or not. If a decision is made to move forward on the strategic initiative, approaches to manage, mitigate and monitor the risks are documented. These discussions are also another example of the regular risk conversations taking place within the 18 AM organization.

Program monitoring:

Establishing a successful ERM program within an organization is fundamental in order for the organization to survive and flourish. Maintaining, monitoring and improving the ERM program is key to a successful ERM program. Yes, you need to have a documented corporate risk policy and philosophy. Yes, you need to have a list or inventory of the risks your organization faces or could face in the future. Yes, you need to have an appointed risk executive or risk officer. However, if the documents are stale, out of date or do not reflect the current reality of the organization, or if the risk officer has failed to properly oversee or improve the ERM program, the organization will ultimately be unsuccessful or have a much more difficult time in meeting its corporate objectives. When asked to evaluate the maturity of their ERM program, 40% of organizations described the sophistication of their ERM programs as immature to developing. Only a minute 4% felt that their organization’s ERM programs were robust.20 These statistics demonstrate there are a substantial number of organizations that need to continue to improve and develop their ERM programs in order to manage risks competently and effectively.

At 18 AM, the senior risk executive reviews the risk philosophy and policy on an annual basis. The risk inventory is reviewed on a monthly basis, with new risks being added as they arise. This process ensures the ERM program is up-to-date and complete allowing 18 AM to exemplify industry best practices.

A risk culture and transparency:

Culture is the most important aspect of any good ERM competency."21

18 AM has a risk aware and compliant culture which is the essential foundation for a successful ERM program. Every employee is engaged in the process and the outcome and has a vested interest in the management of risk within the business. At 18 AM, risk management is an enterprise wide endeavour. The culture is such that risk management is not thought of as one person’s or one department’s responsibility. It is a team effort where everyone plays a pivotal role in protecting our clients and our business. All employees are engaged in the compiling of risk inventory and providing valuable feedback on the risks they see within their day to day activities. All employees have direct access to the senior risk executive to discuss risk concerns, bring forth new risks they encounter or provide updates on current risks they deal with. The senior risk executive has the authority as senior management to implement changes to our risk management program in a timely manner. There is no red tape or bureaucracy, and therefore no delay, in making changes to the risk management program (ie. adding risks, removing risks, adjusting risk quantification levels) when the need arises. This ability to be nimble and flexible allows the 18 AM ERM program to remain current, accurate and valuable as a tool in managing risks.

Key tenets of the culture at 18 AM are communication and transparency. The entire staff is aware of what the risks are to the organization and what the organization is doing to mitigate those risks. This awareness is created through formal and informal discussions, training sessions, offsite meetings and strategic planning sessions. Each department is involved in risk discussions where they provide their insight and feedback, supporting the open communication and transparency that is required to manage risks on an enterprise wide level. Training staff on the ERM program and having risk conversations within each department are examples of this communication and transparency. They provide a chance for open discussions where ideas can be shared and reviewed regarding the risk management program and any risks that require particular attention at any given time. For all employees, the training also reinforces the important and active role they play in helping to reduce the risk to our clients and our business.

Acknowledgement, approval and monitoring by board/senior management

It is evident that there must be a greater involvement by senior management or a board of directors or similar type group in order for an ERM program to be truly effective. As stated earlier within this paper, a board type entity provides essential independent third party oversight. It is the independent review which is the critical component that allows an unbiased review of the ERM program and its functioning. In this regard, 44% of the board of directors of organizations have formally assigned risk oversight responsibilities to a board committee.22 In addition to overseeing the ERM program, the board/senior management must set an example to the rest of the organization by emulating the principles of a risk aware culture. As leaders, they need to ensure that they acknowledge, understand and accept the organization’s philosophy and policy on risk management and support those values through their own individual or collective actions.

18 AM’s Advisory Committee, which acts very similar to a board of directors, provides third party independent review of the ERM program within the organization. The Advisory Committee is kept apprised of the risks facing the organization through a quarterly report that they receive from the senior risk executive. As some members of the committee have 20+ years of risk management experience within the investment industry, 18 AM receives valuable insight, feedback and guidance with regards to the ERM program. The Advisory Committee oversight provides a strong foundation for a high calibre and best in class ERM program.

Summary

For an organization to be successful in achieving its objectives, it is essential for it to have an ERM program. There are some important components of a robust ERM program, including a risk officer to lead the development and implementation of the program, policies and procedures and a risk aware culture. As data has indicated, there is much work that needs to be carried out by organizations to implement or improve their risk management programs so that they may better serve their clients and survive as a thriving business.

Footnotes:

  1. “The State of Enterprise Risk Management in Canada.” Chartered Professional Accountants Canada and FEI Canada. n.p., n.d. Web. 22 Feb. 2016. <www.cpacanada.ca/en/business-and-accounting-resources/strategy-risk-and-governance/enterprise-risk-management/publications/the-state-of-enterprise-risk-management-in-canada>
  2. “A Risk Management Standard.” The Institute of Risk Management. n.p., n.d. Web. 15 Jan. 2016. <http://www.theirm.org/media/886059/ARMS_2002_IRM.pdf>
  3. Kristen Hampshire. “Why Enterprise Risk Management is Good for Business.” Smart Business. n.p., 01 Mar. 2012. Web. 15 Jan. 2016. <http://www.sbnonline.com/article/why-enterprise-risk-management-is-good-for-business/>
  4. ibid
  5. “Insolvency Statistics in Canada.” Office of the Superintendent of Bankruptcy Canada, Industry Canada n.p., n.d., Web. 15 Mar. 2016. <https://www.ic.gc.ca/eic/site/bsf-osb.nsf/vwapj/Stats-for-Annual-Report-2015-EN.pdf/$file/Stats-for-Annual-Report-2015-EN.pdf>
  6. “Enterprise Risk Management Framework. What is ERM?” The Risk Management Association, n.p., n.d., Web. 23 Apr. 2016 <http://www.rmahq.org/erm-framework/>
  7. John Fraser. (2016) Fundamentals of Risk Integration. [Powerpoint slides]
  8. ibid
  9. Mark Beasley and Bruce Branson and Bonnie Hancock, “The State of Risk Oversight: An Oversight of Enterprise Risk Management Practices.” NC State University 13 Apr. 2016 Web 22 Mar. 2016. <https://erm.ncsu.edu/library/research-report/2016-the-state-of-risk-oversight-report-an-overview-of-enterprise-risk-mana>
  10. ibid
  11. “The State of Enterprise Risk Management in Canada.” Chartered Professional Accountants Canada and FEI Canada. n.p., n.d. Web. 22 Feb. 2016. <www.cpacanada.ca/en/business-and-accounting-resources/strategy-risk-and-governance/enterprise-risk-management/publications/the-state-of-enterprise-risk-management-in-canada>
  12. ibid
  13. Fraser, John. (2016) Fundamentals of Risk Integration. [Powerpoint slides]
  14. Mark Beasley and Bruce Branson and Bonnie Hancock, “The State of Risk Oversight: An Oversight of Enterprise Risk Management Practices.” NC State University 13 Apr. 2016 Web 22 Mar. 2016. <https://erm.ncsu.edu/library/research-report/2016-the-state-of-risk-oversight-report-an-overview-of-enterprise-risk-mana>
  15. ibid
  16. ibid
  17. “The State of Enterprise Risk Management in Canada.” Chartered Professional Accountants Canada and FEI Canada. n.p., n.d. Web. 22 Feb. 2016. <www.cpacanada.ca/en/business-and-accounting-resources/strategy-risk-and-governance/enterprise-risk-management/publications/the-state-of-enterprise-risk-management-in-canada
  18. ibid
  19. Mark Beasley and Bruce Branson and Bonnie Hancock, “The State of Risk Oversight: An Oversight of Enterprise Risk Management Practices.” NC State University 13 Apr. 2016 Web 22 Mar. 2016. <https://erm.ncsu.edu/library/research-report/2016-the-state-of-risk-oversight-report-an-overview-of-enterprise-risk-mana>
  20. ibid
  21. “Enterprise Risk Management Framework. What is ERM?” The Risk Management Association, n.p., n.d., Web. 23 Apr. 2016 <http://www.rmahq.org/erm-framework/>
  22. Mark Beasley and Bruce Branson and Bonnie Hancock, “The State of Risk Oversight: An Oversight of Enterprise Risk Management Practices.” NC State University 13 Apr. 2016 Web 22 Mar. 2016. <https://erm.ncsu.edu/library/research-report/2016-the-state-of-risk-oversight-report-an-overview-of-enterprise-risk-mana>