Building an Effective Enterprise Risk Management Program
“Unmanaged risk is the greatest source of waste in your business and in our economy as a whole.”1
Every organization faces a variety of risks over the lifetime of the business. Some risks are ever-present, while others can be addressed so that they are either eliminated or reduced in impact. An effective enterprise risk management (ERM) program, which helps to mitigate such risks, is a crucial foundation of an institutional-quality firm. Investing the time, money and energy required to build a thorough ERM program demonstrates the organization’s diligence in protecting its clients and its business from unnecessary and avoidable harm. Investment returns will not matter if a firm is threatened with regulatory suspension, a cyberattack, a confidentiality breach or reputational damage from employee misconduct. At 18 AM, we strive to manage our back office risks with the same rigour as our portfolio risks, which we believe is essential in order to be trusted and successful.
The focus of this paper is to provide the reader with three things:
- an understanding of the value of an ERM program;
- the process involved in successfully building an ERM program; and
- the effective implementation and oversight of an ERM program.
“There appears to be a disconnect between the recognition of today’s high risk business environment and the decision to invest more in structured risk oversight.”2
As the volume and complexity of the risks facing organizations have increased significantly, many organizations are turning their attention to implementing a formal ERM program. The first crucial step in building an ERM program is to understand its importance and value. It is essential that senior management recognize the need for a formal ERM program within their organization. It is widely understood that “A good ERM program enhances a company’s value through reduced costs, decreased variability in financial results, enhanced market reputation, and improved business decision-making (i.e., no surprises)”.3
Having a system in place to manage, monitor and mitigate risk is not just good business practice but also a regulatory requirement. Under NI 31-103, the Ontario Securities Commission (OSC) requires the following:
“A registered firm must establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to:
(a) provide reasonable assurance that the firm and each individual acting on its behalf complies with securities legislation, and
(b) manage the risks associated with its business in accordance with prudent business practices.”4
To adhere to this mandate, it is prudent to develop and implement an ERM program within the firm.
An effective ERM program will not only satisfy regulatory standards but also ensure that the organization and its clients are not exposed to unnecessary or uncalculated risks. Giving clients comfort that the organization is compliant with regulatory requirements and is managing its business effectively ultimately serves the clients’ best interests.
At 18 AM, we concluded that building an effective ERM program would require comprehensive research drawing on several sources of information. In building 18 AM’s ERM program, we first reviewed numerous regulatory documents pertaining to risk management obligations. 18 AM consulted the OSC and the Securities and Exchange Commission for guidance on risk management for investment firms, and reviewed the questions asked in the Risk Assessment Questionnaire provided by the OSC. This research enabled us to identify, document and monitor perceived risks within our ERM program.
In addition, we engaged with several compliance officers inside and outside the financial industry, working in organizations that ranged from small firms to large institutions. This consultation allowed us to gather ideas as to how risk is documented, monitored, mitigated and managed in other institutions. Consequently, we were able to gauge industry best practices and gain perspective on the depth of an effective ERM program.
We also researched the process of developing and implementing an ERM program within an organization. This research included reviewing numerous articles written on risk management as well as attending seminars and presentations given on the topic. We discussed key findings with our senior management and Advisory Committee, who provided valuable insight and perspective garnered from their many years of experience within their respective roles and industries. This dialogue allowed us to further hone and enhance our ERM program.
Lastly, to ensure that we were identifying and capturing all of the actual and perceived risks within the organization, managers from the back and front office were consulted on their particular areas of expertise. These consultations gave us confidence that we were creating a detailed ERM program that pertained directly to our organization and covered all aspects of our business. Once the research was completed, we identified all the risks (actual and potential) to the organization and documented them in chart form. For each risk identified, we:
- quantified the inherent risk level and the actual (residual) risk level remaining after existing controls;
- documented the strategy developed or already in place to mitigate those identified risks;
- ensured there was a periodic timeframe in which the identified risks were to be reviewed and tested; and
- identified the person responsible for oversight of the particular risk.
Once the policy and risk assessment chart were developed and documented, they were reviewed by 18 AM’s Advisory Committee and then by senior management for suggestions and comments, and the final product was prepared upon senior management’s approval.
The end product is a Risk Management philosophy and policy (“P&P”) document capturing 18 AM’s ideas and beliefs on risk management, together with a risk assessment chart for the organization that documents every actual or potential risk to our clients and our business.
Successful implementation is the key to an effective ERM program. This process includes dissemination of the documents, training, oversight, testing and cultivating a culture of risk awareness. Once the final documents were in place, the P&P and the risk assessment chart were distributed to all employees for their review and understanding. All employees were given ample time to review the documents in their entirety and to provide feedback on their content, accuracy and completeness. This made all staff part of the process and engaged them in the program.
Successful implementation must also include periodic oversight so that the ERM program runs effectively and efficiently and remains current and accurate. At 18 AM, the ERM program as a whole, including the P&P and the risk assessment chart, is reviewed on a quarterly basis, with high-level risks reviewed monthly. Any new risks that arise or come to the attention of the organization are catalogued in the risk assessment chart. Key risks are brought to the attention of our Advisory Committee once a quarter for review and disclosure purposes. As a result, the ERM program remains up to date and accurately catalogues the risks within the organization.
Implementation also includes periodic testing of the strategies put in place to mitigate the risks identified. Any risk mitigation strategy that has not been tested within the previous one-year period is retested. This retesting allows the risk management/compliance team to assess the overall effectiveness and accuracy of the mitigation strategy in place for an identified risk. Any deficiencies in mitigation strategies are noted, and the resulting changes are made and documented in the risk assessment chart.
Training is an integral component of an effective ERM program. Some research has found that, “While most view the risk landscape as increasing in complexity over time, the majority of organizations have provided no formal training or guidance on risk management for employees”.5 This is not the case at 18 AM, where training sessions occur on an annual basis and all changes are highlighted and discussed with all staff. ERM training should accomplish the following objectives:
- discuss the P&P and the various risks to the organization;
- emphasize the importance of the ERM program as a whole;
- outline the organization’s regulatory obligations pertaining to risk management;
- highlight the essential role the employees play in the execution of the program; and
- cultivate a culture within the organization that places importance on risk management, compliance and teamwork.
Creating a risk-aware culture within an organization is a key component of building and implementing an effective ERM program. It starts with senior management understanding and championing the concept that effective risk management is a vital component of any successful business. There should be an understanding throughout the organization that managing risk is an enterprise-wide endeavour. The culture needs to establish that managing risk in the back office is just as important a consideration as managing risk within a portfolio.
A 2011 whitepaper on risk management stated that, to achieve effective enterprise risk management, “Organisations planning to implement ERM should pay great attention to cultivate a risk culture that supports their objectives.”6 At 18 AM, creating a risk-aware culture has been a top priority. Enterprise risk management is a concept that senior management has bought into, promotes, and actively takes part in. In response to senior management expectations, ERM is reported on and discussed at quarterly board meetings by the risk/compliance team, which is responsible for providing an update on risk management processes and initiatives. This is in addition to ERM being discussed on a daily basis within the workplace amongst management and staff.
18 AM staff members are provided with risk management training, which emphasizes how it pertains to their day-to-day activities and how each employee actively plays a part in managing risk within the enterprise. Staff members are encouraged to provide input and guidance on areas of risk in their area of the business. 18 AM’s approach is supported by the notion that “The practice of enterprise risk management instigates a holistic or integrated risk management culture within an organisation, which is characterized by a general oneness and co-operation, culture of managing risks, clear assignments, authority, responsibility and accountability”.7
18 AM has endeavoured to create a very thorough ERM program, evidenced by our process of identification, mitigation, management and monitoring of actual or potential risks to our clients and our business. These processes are supplemented with proper implementation of the ERM program within the organization, staff training, and cultivating a strong risk management culture.
At 18 AM, we understand the value of being prepared to address risks, as we strongly concur with the view that, “…consequences of not being prepared for risk can have a damaging effect on our economy, our companies, our employees and the communities in which we operate.”8 At 18 AM, we have made a great effort to ensure we are managing our enterprise risk in order to protect our clients and our business.
1. Adrian J. Slywotzky, ‘The Upside: The 7 Strategies for Turning Big Threats into Growth Breakthroughs’, Crown Business, an imprint of the Crown Publishing Group, 2007, p. 231
2. ERM Initiative Faculty, ‘2015 Report on the Current State of Enterprise Risk Management: Update of Trends and Opportunities’, NC State University (published online 1 Feb. 2015) para. 3, accessed 11 Nov. 2015
3. John Farrell et al., ‘Placing a Value on Enterprise Risk Management’, KPMG [webpage], (2009) para. 3, accessed 5 Oct. 2015
4. National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations, Ontario Securities Commission, sec. 11.1(b)
5. ERM Initiative Faculty, ‘2015 Report on the Current State of Enterprise Risk Management: Update of Trends and Opportunities’, NC State University (published online 1 Feb. 2015) para. 13, accessed 11 Nov. 2015
6. Ezeosa Dafikpaku, ‘The Strategic Implications of Enterprise Risk Management: A Framework’, Enterprise Risk Management Symposium [webpage], (2011) p. 41, para. 1, accessed 13 Nov. 2015
7. Ezeosa Dafikpaku, ‘The Strategic Implications of Enterprise Risk Management: A Framework’, Enterprise Risk Management Symposium [webpage], (2011) p. 34, para. 1, accessed 13 Nov. 2015
8. Carol A. Fox & Michael S. Epstein, ‘Why is Enterprise Risk Management Important for Preparedness?’, Risk and Insurance Management Society, Inc. [webpage], (2010) para. 2, accessed 8 Sept. 2015