If a company wants to minimize the effects of risk on its capital and earnings, reputation and shareholder value, it must implement a comprehensive enterprise risk management (ERM) program. A successful ERM framework not only aligns a firm’s people, processes and infrastructure but also yields a benchmark for risk/reward and aids in risk visibility for operational activities.
Ultimately, ERM should provide a firm with a competitive advantage – but what factors should be evaluated as one goes about developing it? Here are seven key components that must be considered:
1. Business Objectives and Strategy
Risk management must function in the context of business strategy, and the first step in this integration is for the organization to determine its goals and objectives. Typical organizational strategic objectives include market share, earnings stability/growth, investor returns, regulatory standing and capital conservation.
From there, an institution can assess the risk implied in its strategy implementation and determine the level of risk it is willing to assume in executing that strategy. The firm’s internal risk capacity, existing risk profile, vision, mission and capability are among the factors that must be considered when making this determination.
All strategies are predicated on assumptions (beware of those that are unspoken and unverified) and calculations that may or may not be accurate; the role of ERM is to challenge these assumptions and, moreover, to execute the strategy. ERM and strategic management are not two separate things. Rather, they are two wheels of a bicycle that must be built uniformly to contribute to the stability of the whole.
2. Risk Appetite
Risk direction is defined by the risk appetite, which in turn is defined as “the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns).”
A risk appetite statement is the critical link that combines strategy setting, business plans, capital and risk. It reflects the entity’s risk management philosophy and influences the culture and operating style. A firm’s existing risk profile, risk capacity, risk tolerances and attitudes toward risk are among the considerations that must be taken into account when developing the risk appetite.
The risk appetite statement should be developed by management (with board review) and must be translated into a written form. The overall risk appetite is communicated through a broad risk statement, but should also be expressed, individually, for each of the firm’s different categories of risk.
An effective risk appetite statement needs should be precise, so that it cannot only be communicated and operationalized but also aid in decision making. More importantly, it needs to be broken down into specific operating metrics that can be monitored.
Once the risk appetite is set, it needs to be embedded, and then continuously monitored and revised. As strategies and objectives change, the risk appetite must also evolve.
3. Culture, Governance and Taxonomy
The risk appetite statement should be conveyed through culture, governance and taxonomy. These three factors help an organization manage and oversee its risk-taking activities.
A strong risk culture – set from the top and augmented by comprehensively defined roles and responsibilities, with clear escalation protocols – is a must for successful ERM implementation. Strong, well-thought-out risk management principals, combined with ownership and culture training, help promote, reinforce and maintain an effective risk culture. Evidence of this strong risk culture can be seen in open communication, both in conflict resolution and top-down/bottoms-up decision making.
Operating and support areas, from the perspectives of engagement, training and support, must be included in a healthy ERM program. In fact, with tone from the top, these areas can become partners and even owners with the ability to manages outcomes, ensuring transparency and accountability.
Good ERM is about understanding change and managing that change within the overall mandate – rather than in isolation. Intertwined with this change is a need for a risk taxonomy, which can help better identify and assess the impact of the risks undertaken.
4. Risk Data and Delivery
It’s all about the data – more specifically, collecting, aggregating and distributing the correct data. Risk data and delivery must be robust and to scale, so that the information collected, integrated and analyzed can be translated into cohesive, credible narratives and reports.
5. Internal Controls
The internal control environment helps senior management reduce the level of inherent risk to an acceptable level, known as residual risk. Undoubtedly, it is one of the most important tools in the risk manager’s toolbox.
Residual risk is the level of inherent risks reduced by internal controls. An effective control environment must encourage and allow for a consistent structure that is balanced and realistic, within the context of a company’s internal workings.
6. Measurement and Evaluation
Measurement and evaluation determine which risks are significant, both individually and collectively, as well as where to invest time, energy and effort in response to these risks. Various risk management techniques and tools should be used to measure and quantify the risks, on both aggregate and portfolio levels.
To meet the requirements of different stakeholders and oversight/governance bodies, all risks, responses and controls must be effectively communicated and reported. The oversight/governance bodies are tasked with ensuring that a firm’s risk profile aligns with its business and capital plans.
7. Scenario Planning and Stress Testing
Given that management must address known and unknown risks, tools like scenario planning and stress testing are used to help shed light on these missing risks and, more importantly, the interconnection of these risks. Armed with this information, the organization can develop contingency plans to model these risks and to at least counter their effects on future operational viability.
ERM is not a passing fad. Indeed, it is now instrumental to the survival of an organization.
It allows an organization to navigate, with some certainty, the risks posed to its business objectives and strategy. In short, ERM is good business practice.