top of page

    Corporate Governance (Enterprise Risk Management – ERM)

 

  • Enterprise risk management (ERM) should be an enterprise-wide, holistic, methodical, ongoing process used to address, mitigate, remediate and sometimes even to predict events that may cause risk to the enterprise, in terms of disrupting or preventing altogether the strategic goals identified by management for the long-term success of the enterprise.

  • The generally-accepted risk response strategies used by the risk analysts within the enterprise to cope with various types of risks within an ERM framework may be: risk acceptance – such as balancing the probability of damage to the enterprise in the event of failure against the probability of high profit to the enterprise in the event of success, as when a business “self-insures”; risk avoidance – such as constructing a warehouse intended to hold flammable materials out of concrete and steel, rather than of wood; risk mitigation – such as enabling effective controls and training within the enterprise so that personnel will have knowledge of how to react in an emergency; risk prevention – although complete prevention of all possible risk is impossible, whenever possible, the enterprise must seek to avoid situations that may be seem very attractive, but which are also very risk-intensive, such as purposefully deviating from a business plan that remains within the core competencies of the enterprise, in order to delve into reckless ventures for which the enterprise has no experience and has no qualified personnel; risk reduction – such as not engaging in a new and untested manufacturing process in the only facility within the enterprise that produces some particular critical product, unless arrangements are made in advance to lease some other facility nearby in the event the new and untested process causes catastrophic failure; risk sharing – such as purchasing appropriate insurance or engaging a guarantor; risk termination – such as abandoning some non-critical and inefficient operation in the enterprise that is causing harm to people and great financial losses to the enterprise; risk transfer – such as establishing joint ventures and partnering arrangements with other entities for particular situations.

  • In order for an ERM framework to be implemented effectively within an enterprise, all personnel (from the directors, to the C-suite, to the internal employees, to the external field personnel) within the enterprise must be educated about the need for an ERM framework and accept that all “silos” (individuals, groups, departments or divisions within the enterprise that hoard data and knowledge beneficial to the enterprise, and fail to cooperate with any other individuals, groups, departments or divisions, or with anyone within the enterprise in general) must be eliminated as rapidly as possible; thus, although one of the critical keys to ERM framework success is the agility of its adoption and implementation by the enterprise, the reality is that depending on the receptivity of the existing enterprise culture at the time the ERM framework is implemented, it may actually take 3-5 years before the culture completely accepts the ERM framework.

  • The Board of Directors may have overall responsibility (which may delegate such responsibility to a Chief Risk Officer – CRO – and an ERM oversight committee of officers and senior managers, with allowance for appropriate personnel) to: acknowledge the need for an ERM framework; initiate the process of creating and installing the ERM framework; purchasing the software platform necessary to propagate the ERM framework of risk architecture throughout the enterprise; managing and monitoring the ERM framework through internal audits; and then toidentify risk, asses any risk, implement any risk strategies and plan responses to any risks.

  • One of the most-important duties of the Board and any individuals to whom the Board delegates authority is to establish an effective system of internal controls for the ERM framework, such as: arranging for internal controls to be tested by both independent internal auditors and by external auditors; defining official lines of authority; documenting all controls failures, making immediate reports to the Board, and then implement policies to address such failures immediately; ensuring that all controls comply with all applicable laws and regulations; segregating monitoring and reporting duties; performing constant reviews of the ERM framework and all related information technology (IT) resources.

  • Other entities and individuals within the enterprise must also participate in the ERM framework in various ways, such as: business units (assess, identify, measure, monitor, control and report risks to senior management; manage relevant risks established by senior management within the ERM framework; ensure compliance with corporate policies and procedures); individual employees (accept, implement and understand the ERM framework risk architecture and processes; cooperate with management on incident investigations; report inefficient, unnecessary or unworkable controls; report loss events and near-miss incidents); senior management (designs, implements and maintains the ERM framework; develops corporate policies and procedures; establishes and monitors the risk appetite; report regularly to the Board; promotes a risk-aware culture); internal audit and compliance units (monitor data from the ERM framework and provide independent assurance of the effectiveness thereof); risk management (the unit traditionally-task with responsibility for implementing maintaining and updating the ERM framework; compile risk data and prepare reports for the Board; develop and update the risk management corporate policy; develop contingency and recovery plans; document the internal risk policies and structures; support investigations); support units such as IT, HR, legal (provide support as may be required  to the Board, business units, internal audit and compliance units, and senior management).

  • Some of the agencies, frameworks, guidelines, laws, regulations, rules, strategies and statutes relevant to ERM applications are: Bank Secrecy Act & Anti-Money Laundering Examinations (BSA/AML); Committee of Sponsoring Organizations (COSO) Enterprise Risk Management – Integrated Framework; Consumer Financial Protection Bureau (CFPB); Control Objectives for IT (COBIT); Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd Frank); Financial Industry Regulatory Authority (FINRA); Foreign Account Tax Compliance Act (FATCA); Home Mortgage Disclosure Act (HMDA); International Standards Organization (ISO) and International Electrotechnical Commission ISO/IEC 27005 (Information technology – Security techniques); ISO 31000 series risk management guidelines; Real Estate Settlement Procedures Act (RESPA); Sarbanes-Oxley (SOx) Act.

  • An effective ERM framework has many tangible benefits for an enterprise, such as; attempting to analyze all operations within an enterprise and then to identify all risks thereto and formulate responses (which is much more complex than perhaps a Sarbanes-Oxley analysis, which generally just lists and diagrams all departments, divisions, processes and personnel within an enterprise); brining all enterprise operations and personnel into alignment with the vision of management for the future of the enterprise; cost savings and increased efficiencies resulting from reducing the frequency of catastrophic events through pre-planning to address risks, and thus constantly improving operations and processes; forcing personnel to consider all possibilities when planning for contingencies and when making decisions in response to emergency situations.

  • In order for the ERM framework to function efficiently, the risk architecture of the ERM framework itself should be a harmonious compilation of complimentary management principles, such as: constant review and revision of all enterprise operations, policies and strategies, to increase efficiency and reduce economic and social impact; culture based upon collaboration, communication, cooperation, ethics and a desire to further the interests of the enterprise in a socially-responsible fashion (and such an enterprise-wide culture must come from the top down); governance by management that sets the norms for the operations and personnel of the enterprise; prioritization of risks as required to minimize the financial and social impact to the enterprise and all stakeholders (including not just shareholders, but also non-owing individuals, such as consumers, employees, local community residents and global community residents); strategies that promote the most-efficient, socially-responsible manner for achieving the objectives of management.

  • Perhaps the strongest argument in favor of implementing an ERM framework risk architecture is to hopefully change an entrenched enterprise mindset that is continually reacting to critical situations into accelerating the agility of the enterprise mindset to a point where risk planners imagine new risk possibilities, and then attempt to plan for as many contingencies as possible to deal with them in advance, through analysis tools such as; assumption risk analysis (focusing in detail on each assumption applicable to a particular operation or process and then attempting to deconstruct each such assumption and eliminate all associated risk points within such assumption); black swan events (business lingo for unanticipated and unplanned, extremely catastrophic events); bow-tie analysis (a simple 3-step analysis of a risk event that starts with potential causes for a particular risk event, then analyzes the element of the particular risk event itself, and then determines the consequences of the particular risk event to the enterprise); business modeling generators; Failure Mode Effects Analysis (FMEA); futurist constructs; Hazard and Operability (HAZOP) studies; heat maps; political economic social technological legal environmental (PESTLE) analysis; post-mortem analysis (a/k/a “lessons learned”); pre-mortem analysis (imagining a disastrous event before it happens and attempting to solve its cause); risk control self-assessment (RCSA); risk mapping; risk mitigation plan (RMP) – prioritizes various risks by establishing what enterprise resources may be available to address the various risks; strategic disruption scenarios; strengths weaknesses opportunities threats (SWOT) analysis; trend analysis; value propositions; and the like.

  • A critical advantage of an ERM framework risk architecture is the use of key risk indicators (KRIs) – similar to key performance indicators (KPIs) that are also generally included in ERM frameworks, but which are more risk-specific – which are data points linked to every risk event documented by the ERM framework, which, if tracked properly, may assist the risk analysts in monitoring any developing external or internal risk trends that may signal an impending risk event for the enterprise – analogous to seismograph that monitors and records seismic disturbances in the hope of predicting potential earthquake activity.

  • KRIs are also useful when performing a risk assessment process, another important tool in an ERM framework, since the KRIs will provide the basis for compiling the current risk inventory, which is the first step of the process, and other, succeeding steps of the risk assessment process may include: identifying appropriate personnel to compile risk assessment data; developing a risk assessment methodology; creating a framework for gathering the risk data; choosing descriptive categories to characterize various risks; developing objective scales to measure risk impacts; scoring the totality of the risks identified; authoring the risk assessment report; and, disseminating the report to all relevant enterprise-wide personnel for review and comment.

  • Although scoring the impact of each risk in the risk assessment may seem to rely on subjective determinations, there may be some useful objective guidelines to assist in quantifying impacts on the enterprise, each of which may be given a number value, depending upon the importance to the enterprise of the damage caused by the impact, such as: agility of the enterprise in remediating the impact; control the enterprise had over the impact; financial impact; interdependency of the subject impact as affecting other enterprise operations; likelihood of impact occurrence; overall impact; persistence of the impact; possible future trends for similar impacts; preparedness of the enterprise; reputational impact; scope of the impact; significance of the impact on operations; speed of the impact occurrence.

  • Compiling, drafting, managing, legal support, negotiating and presenting all ERM-related activities, documents and processes, such as: assumption risk analysis; audits; black swan event analysis; business modeling generators; checklists; compliance assessments; compliance change management protocols; corporate policies; futurist constructs; governance assessments; enhancement of internal controls; PESTLE analysis; post-mortem analysis; pre-mortem analysis; risk assessments; risk control self-assessment; risk mapping; risk mitigation plan; risk strategies; reports; strategic disruption scenarios; SWOT analysis; training programs; trend analysis; value propositions; and the like.

    Progress_Page_Last_Updated_220827_1505

bottom of page