(First of two parts)
What keeps you up at night? How well are you managing your risks? Are you achieving an acceptable return on the risks you take? Have you identified and assessed all your risks? What are your top 10 or 20 risks? Are you still using the traditional or “silo” approach to risk management? Or have you adopted the newer, better, integrated approach? Do you have a fully integrated risk management program that assesses and manages risks across all lines of business and activities of the company?
These questions are just a few of the concerns that occupy the thoughts of senior management and boards of directors in numerous organizations, especially publicly-listed companies. Ensuring good corporate governance requires a broader, more integrated, enterprise-wide approach to risk management – the approach called enterprise risk management or ERM.
What risk management is and is not
Risk management is not aimed at reducing the organization’s risk to zero. Without risk, there is no return. Rather, its aim is to ensure that the enterprise is well compensated for the risks it takes, provided that those risks are within the organization’s risk tolerance or risk appetite.
According to the 1997 Group of Thirty (G30) landmark report Global Institutions, National Supervision and Systemic Risk, “there is no way to eliminate risk or failure completely. The business of market intervention is to accept an appropriate amount of risk and manage it effectively. A financial system that attempts to eliminate risk rather than managing it well would be costly and inefficient.” Indeed, companies cannot eradicate all risks without greatly hampering their operations and financial performance.
Risk management is not just about using financial securities or derivatives (such as options, futures, swaps, etc.) to manage financial risk – it is about adopting a portfolio approach to manage a full range of risks faced by organizations. Risk management is not just about setting the right control policies, standards, systems, and processes – it is also about having the right people and the right culture. Risk management is not just about reducing downside potential or the likelihood of pains – it is also about increasing upside opportunity or the prospects of gains.
What is important, therefore, is for the organization to have a risk management strategy, organization, culture, policy, tools (that is, software, models, analytics, and metrics), and process in place to: identify, analyze, prioritize, assign accountability for, monitor, and report risks; determine whether controls are in place to address the risks; and ensure that the residual risks or exposures are acceptable (that is, within a tolerable level) and, if not, are properly managed (that is, monitored, mitigated or transferred, and reported).
Practical approach to ERM
According to material published by KPMG International entitled “Enterprise Risk Management: Complacency Is No Longer an Option, But a Practical Start Is,” recent trends in globalization, electronic commerce, mergers and acquisitions, corporate governance, changing market structures, increasing regulation, and rating agency scrutiny are drawing attention to the urgent need to establish an effective ERM program. In response to these external pressures, many board members expect their management teams to implement an effective ERM program.
The same material explains that, consequently, many leaders are seeking guidance in developing a practical approach to ERM: an approach that is tailored to their culture and structure, aligned with their business strategy, embedded in their business processes, and focused on their most critical risks.
Getting started with a clear and practical vision is critical, and a few key steps can enable leaders to build on existing risk assessments and get an ERM effort under way. Leaders who have successfully pioneered ERM tend to embrace several important practices, which may help others meet regulatory demands and add business value.
Described below, these leading practices can provide the means of overcoming old barriers, achieving new buy-in, and ultimately realizing ERM’s potential for enabling organizations to add business value and achieve competitive advantage.
1. Gain buy-in from those running the business. Often in the past, ERM was a finance department “bolt-on” project whose champions likely had little broad support or leverage. As a result, ERM’s potential value to the business was never fully realized. A key step now is to establish a risk management council or a management risk committee that is charged with obtaining buy-in for the ERM program across the organization. With a lead/sponsor reporting to the CEO, the risk management council will include individuals who lead key areas within operations and support, such as legal, HR, compliance, finance, operations, strategy/corporate development, and IT. The management risk committee is a subcommittee of the Risk Management Committee (a board committee).
The risk management council:
Assists in educating and training employees and in coordinating development of the risk profile (i.e., a prioritized assessment of key risks);
Confirms and approves the organization’s risk “language” and parameters (e.g., the point at which something would be considered a catastrophic risk, based on reduced cash flow, loss of operations, loss of reputation, and so forth);
Sponsors and participates in reviewing the key risks and debating the risk profile, risk priorities, and important risk causes and consequences;
Evaluates emerging risks, discusses and reviews the risk reports, and reports frequently to the CEO and the board; and
Facilitates the process of keeping the risk profile current and relevant.
Having obtained consensus, the risk management council is in a position to steer the ERM execution effort.
(Reginald C. Nery is a Partner in the Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. KPMG International provides no client services and is a Swiss cooperative with which the independent firms of the KPMG network are affiliated.)
(To be concluded)