Creating a risk-intelligent organization
In the aftermath of last year's debacles and governance meltdowns, stakeholders are demanding greater transparency about the risks an enterprise faces and a commensurate level of assurance about the robustness of the organization's risk-management processes and the achievability of its business, reporting, and compliance objectives. Regulators, markets, boards of directors, analysts, and insurers are realizing the importance of managing risk proactively and have introduced many new and far-reaching measures to assist in the effort. n Continuous changes in marketplace dynamics are also bringing about changes in how risk is viewed. In addition, the definition of corporate risk has expanded to include not only financial risks but all business and compliance risks. As a result, many organizations are recognizing the need to use enterprise risk management (ERM), a systematic and disciplined approach to managing risk throughout the organization.
ERM is fundamentally a transformation process that changes the way an organization perceives and manages risk and provides reasonable assurance about the achievement of its objectives (see “The Enterprise Risk Management Process,” next page). Once deployed, ERM enables an organization to assess risks continuously, to identify the steps it can take and the resources it should allocate to overcome or mitigate risk, and to provide reasonable assurance about the achievability of the organization's objectives. Additionally, ERM helps organizations:
* Understand the interdependencies of risks and potential domino effects.
* Improve business plan execution through a better understanding of the nature of certain risks and their potential impacts on the organization's objectives and key stakeholders.
* Understand the level of exposure.
* Set priorities and allocate and align resources to overcome enterprisewide risks.
* Monitor risk and gauge the effectiveness of the enterprise's actions.
* Develop sustainable capability and increased confidence in the organization's ability to execute its business strategy.
* Provide reasonable assurance that all key risk-management processes and systems are robust and reliable and determine the extent to which organizational business objectives are achievable.
Internal auditors play an important role in designing and conducting the risk assessment, monitoring whether there are robust risk-management processes in place, and targeting internal audit resources to assurance priorities based on the assessment.
EVALUATING THE ORGANIZATION'S ENVIRONMENT AND STRATEGY
The ERM process begins with an evaluation of the context or environment in which the organization operates, its strategy for achieving its objectives, its organizational culture, and its appetite for risk. Understanding the external operating environment and the organization's business objectives and strategies is an essential first step in understanding the business conditions and the nature of the risks the organization may face.
Equally important is the internal environment. A weak internal control environment is often at the root of subsequent risk management and control breakdowns.
According to The Committee of Sponsoring Organizations of the Treadway Commission (COSO), the organization's control environment includes management's philosophy, integrity, and ethical values; oversight from the board of directors and audit committee; human resources policies and practices; commitment to competence; assignment of authorities and responsibilities; and organizational structure. Although creating and sustaining an appropriate control environment is a primary responsibility of management, internal auditors can assist management in assessing it.
Competitive pressures and deficiencies in the control environment can create risk. Increased vulnerability typically is associated with a high degree of change in the operating and regulatory environment, personnel, processes, or systems, as well as growing performance pressures and related incentives and rationalizations of lax controls.
CREATING AN ERM FRAMEWORK
The next step in the ERM process is to develop a comprehensive risk-identification framework and a process for evaluating and prioritizing risks. Internal auditing often supports the development of the enterprise risk framework by obtaining a thorough understanding of the organization's objectives and maintaining a continuing dialogue with key stakeholders. In an environment of constant change, risk frameworks need to be refreshed regularly to reflect those changes. The risk framework also needs to be validated by management and challenged by internal auditing to ensure its continuing relevance.
Traditional methods of risk evaluation typically have considered impact and likelihood. Although it is necessary to examine these two aspects of risk, it is usually not enough. Events over the past 18 months have shown that estimates of likelihood are only relevant for risks that have already occurred and for which there is some history. Reliance on likelihood is insufficient, at best. At worst, it's misleading because organizations typically do not prepare themselves for relevant high-impact, but low likelihood, risks. Yet, it is precisely this class of risks that has the most destructive consequences.
For high-impact risks that are relevant to the business but have not yet, or have seldom, occurred, the organization's state of preparedness is extremely important. How the organization allocates resources to address risk should be based on potentially relevant impacts – not all possible causes – and the organization's state of preparedness to manage those impacts. Thus, a primary risk assessment challenge is the determination of relevant risks that are regularly refreshed and systematically reviewed. For example, although it is not possible or practical to anticipate all potential causes of supply disruption, it is possible to assess the impact of varying degrees of disruption and the organization's readiness to address them. If the risk is also considered likely, then further weighting ought to be given to it.
In its recent publication, “Risk Oversight – Board Lessons for Turbulent Times,” the National Association of Corporate Directors (NACD) reinforced the importance of improving preparedness. One of its 28 recommendations states that the board should review with management specific risks and possible “worst-case” scenarios at least annually and develop and regularly review crisis-management plans.
RISK MITIGATION AND CONTROL
If the organization is not well prepared to address a risk event that has been assessed as relevant and high-impact, it must choose among various risk mitigation options, such as avoidance, transfer, or retention. The organization should include risk as a fundamental consideration in its choices and decision-making. It also should determine its risk appetite and apply appropriate risk tolerances for each situation and the possible effect on the organization's portfolio (see “Risk-based Resource Allocation,” page 62).
If there is a high-impact risk event for which the organization is confident it is well prepared, there should be reasonable assurance that its confidence in the robustness of its risk management is justified. Audit resources should be deployed to these areas to provide independent assurance.
If the risk is assessed as low-impact but the organization's preparedness is very high and if the cost of such preparedness is also high, this may represent an opportunity to redeploy resources to other priorities. If the risk is assessed as low-impact and preparedness is also low, then the potential cumulative impact of risk events should be assessed to determine if the portfolio impact may be significant; thus, greater preparedness may be justified.
Internal auditing has an important role to play in testing and validating the organization's assessment of its preparedness for all relevant, high-impact risk events. Auditors should assess the organization's readiness to address these risks as part of the audit planning process.
ESTABLISHING A RISK NERVOUS SYSTEM
Recently, organizations have begun to recognize the importance of collecting risk intelligence within the company and are realizing that it takes intense planning and maintenance to gather the information regularly. In nature, healthy organisms have built-in pathways – a central nervous system – that allow bad news to travel fast to better anticipate, and thus avoid, pain or loss. Unfortunately, organizations do not inherently have such nervous systems; they must build and maintain them.
There are usually considerable cultural impediments to the establishment of such systems, including a reluctance to discuss sensitive issues; genuine, but misguided, attempts to manage risks within an organizational silo without communicating the potential cross-functional impacts to others that may be affected; and the traditional buffers that exist to shape and position negative information such that the urgency or importance of various risk events is lost in the translation. These impediments often lead to “big surprises” – risks that were not expected or exposures that were not understood and thus not approp\riately mitigated – with often far-reaching and long-lasting consequences.
Using ERM, organizations can establish a risk nervous system that enables them to systematically identify the risks associated with various choices and decisions, to be alert to potential exposures, to take corrective action earlier, and to learn from those actions. Risk intelligence can improve decision-making by enabling companies to better understand the potential consequences of various choices and improve the organization's state of preparedness by recognizing and responding quickly to risk events.
Risk intelligence requires effective systems, accurate information, and timely reporting to enable informed decisionmaking, organizational learning, and successful adaptation. The right information needs to get to the right people at the right time and this requires an appropriate infrastructure, enabling systems, and tools.
CONTINUOUS MONITORING AND REPORTING
In addition to evaluating the risk environment, the establishment and monitoring of risk tolerances and thresholds is essential to successfully managing risk. Continuous risk monitoring, both qualitative and quantitative, can identify potential out-of-control situations before they reach a crisis threshold. For example, process variability is a quantitative measure and a key indicator of process control – the greater the variability in the process, the less the degree of control. Reductions in process variability will improve process performance, reduce cost, and improve control.
Both management and internal auditing should be monitoring key performance metrics to identify process and system volatility quickly and determine how best to obtain reasonable assurance that appropriate risk management is being effected. In many organizations that do not have a systematic approach to risk management, the costs of poor risk management – the direct and collateral costs of failure – significantly outweigh the costs of good risk management, which includes assurance, prevention, and early detection and correction. ERM can facilitate improved governance through use of key metrics and a reporting system to gauge the effectiveness of risk management processes.
ASSESSING THE RISK INFRASTRUCTURE
To sustain an effective ERM process, the risk infrastructure must include management policies and procedures and mechanisms to communicate emerging risks and the effectiveness of risk management at all levels of the organization. The infrastructure should improve the readiness of the organization to address risk.
Specifically, a company's infrastructure should include:
* Its risk management policy — risk definitions, principles, risk tolerances, corporate governance and oversight, authorities, responsibilities, and accountabilities.
* Risk-management processes for risk identification, evaluation and prioritization, risk mitigation and control activities, monitoring, reporting, communication, and continuous improvement.
* Its risk organization, including expertise and leadership, oversight committees and charters, the integration of risk- management functions, and executive sponsorship and commitment.
* Mechanisms for monitoring and reporting risk, including escalating risk issues to ensure that “bad news travels fast,” valuation of risks, control activities, and related assurance activities as well as management representations and certifications.
* Supporting capabilities such as information tools, risk-event databases, risk analysis and modeling, management training, and change management capabilities.
TRANSFORMING RISK MANAGEMENT
Management and internal auditing must be able to answer the following questions to create a comprehensive ERM process:
* Is there a common language of risk? Is risk commonly understood across the organization, or do definitions of risk vary by organizational silo? Do people understand the effects of their decisions and actions on other parts of the organization?
* Is there an inventory of relevant risks? Is the risk inventory kept up to date?
* Have the interdependencies and interactions among various risks and the portfolio effects been identified?
Risk-based Resource Allocation
* Are significant risks regularly reported and reviewed at the board and executive levels?
* Have roles and responsibilities for risk management and oversight been defined clearly?
* Have appropriate policies and procedures regarding risk management and the organization's risk appetite been defined and communicated clearly?
* What is the current cost of risk management? What is the cost of poor risk management? What is the cost of good risk management?
* Is decision-making based on risk?
* Are there appropriate supporting capabilities, enabling technologies, and risk management training and awareness processes?
Transformation requires a proper foundation, including the development of risk-management policies and practices, training, risk knowledgebases, and ongoing information and communication mechanisms about emerging risks as well as lessons learned. For ERM to be implemented successfully, it must be “built into” rather than “bolted onto” management's planning and decisionmaking processes. If ERM is seen solely as another initiative, it will fail. ERM must be perceived as management's way of doing business successfully. Better anticipation and management of risk is bound to improve organizational performance.
MORE THAN A FOUR-LETTER WORD
Clearly, the work involved in structuring an ERM program is considerable and extends throughout the organization. Because some find the scope of such an effort daunting, they interpret risk as a four-letter word – contending that those who talk about risk are naysayers, worrywarts, and impediments to progress. Nothing could be further from the truth.
The speed, interaction, and volatility of today's global markets demand that there be greater assurance that risk management processes and systems are robust and reliable. Stakeholders both within and outside of the enterprise are demanding it.
Clearly, internal auditing has a critical role to play in providing such assurance. In many organizations, the internal audit group is one of the few bodies that systematically looks at all risks across the enterprise. Although most contemporary internal audit functions have moved to a risk-based approach to audit planning, an assessment of impact and preparedness may be a more meaningful model for audit planning purposes than likelihood of risk occurrence.
RICK FUNSTON is a principal and the national practice leader for Enterprise Risk Management and Risk Intelligent Solutions with Deloitte & Touche LLP in Detroit, USA.
