Enterprise risk management

Page 1: Enterprise risk management

TO STUDY ENTERPRISE RISK MANAGEMENT

A COMPETITIVE EDGE FOR THE COMPANY

AND

HOW IT ADDS VALUE TO ITS SHAREHOLDERS

This term paper is submitted in partial completion of MBA

Page 1 of 48

SUBMITTED TO:

Faculty Guide: Mr. C.T. Sunil

Assistant Prof - Finance & Accounts

Amity University, Dubai, U.A.E.

SUBMITTED BY:

Student: Ms. Anu Damodaran

Registration No: AUD0260

Program: MBA - General (Semester 2)

Year: 2012 to 2014


CERTIFICATE FROM FACULTY GUIDE

This is to certify that Ms. Anu Damodaran, Reg. No. AUD0260, a 1st Year MBA – General, 2nd semester student of Amity University, Dubai, UAE, has carried out her term paper “To study ERM - A competitive edge for the company and how it adds value to its shareholders” from 01-Apr-2013 to 12-May-2013.

She has completed the term paper successfully. She has done this term paper work independently and submitted the same on 19-May-2013.

Mr. C.T. Sunil, Faculty Guide,
Assistant Professor of Finance & Accounts,
Amity University, Dubai, UAE


ACKNOWLEDGEMENT

I, Ms. Anu Damodaran, sincerely thank and acknowledge the valuable inputs and guidance extended to me by Mr. C.T. Sunil, Assistant Professor of Finance and Accounts at Amity University, Dubai, U.A.E. toward successful completion of this term paper “To study ERM - A competitive edge for the company and how it adds value to its shareholders”.

I extend my sincere thanks to Mr. Chandrashekar Salla & Mr. Jitendar Kumar for the guidance toward completion of this term paper.

Thanking you,

Yours sincerely,

Ms. Anu Damodaran
Reg. No. AUD0260,
1st Year MBA – General, 2nd Semester
Amity University, Dubai, U.A.E.


TABLE OF CONTENTS

No.  TOPIC  PAGE NO.

EXECUTIVE SUMMARY 7
OBJECTIVE 8
1 CHAPTER 1 – INTRODUCTION 9
1.1 – BACKGROUND 10
1.2 – RELATED INFORMATION 11
1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT 13
1.4 – RELEVANCE OF ERM 13
1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE 14
1.6 – WHAT IF THERE IS NO ERM 14
2 CHAPTER 2 – REVIEW OF LITERATURE 15
2.1 - DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT 16
2.2 – INDUSTRY SPECIFIC EXAMPLES 26
2.3 – HEALTH CARE ORGANIZATION 30
2.4 – AEROSPACE SUPPLIER 31
2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III) 32
3 CHAPTER 3 – EXPLORATION COMMENT ON ERM 33
3.1 - RISK MAPPING 33
3.2 - THE CAPABILITY MATURITY MODEL 37
3.3 - RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM 40
3.4 – ADVANTAGES 42
3.5 – SUITABILITY 44
3.6 – LIMITATIONS 45
CONCLUSION 47
REFERENCES 48


TABLE OF TABLES

No.  TABLE NAME  PAGE NO.

Table 1 DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT 23
Table 2 TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES 23
Table 3 EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT 26
Table 4 STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION 27
Table 5 OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION 28
Table 6 LIST OF RISKS SEPARATED BY CATEGORY 29
Table 7 A RISK MODEL 34
Table 8 SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT RISK 37
Table 9 PRIORITIZATIONS OF FUNCTIONALITY 41


TABLE OF FIGURES

No.  FIGURE NAME  PAGE NO.

Fig.1 THE COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK 13
Fig.2 CONSOLIDATED RISK PROFILE 33
Fig.3 A RISK DRIVERS MAP 35
Fig.4 A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION 36
Fig.5 KEY QUESTIONS A BUSINESS CASE MUST ADDRESS 44


EXECUTIVE SUMMARY

ENTERPRISE RISK MANAGEMENT (ERM) is a strategy organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront. ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers.

ERM has given rise to a question: who should head the risk management process, internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with.

Using ERM enables an entity to assess risk across the enterprise instead of looking at it on a per-project basis.

ERM also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and allocate resources appropriately.

To extract risk data, many organizations use business intelligence software. Many packages feature "traffic-light" systems that show a red light if risk exceeds acceptable levels. The chief risk officer can then "drill down" to see the reasons and make more informed decisions.

Overall responsibility for enterprise risk is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization's risk management and control systems.

ERM can help CPAs (Certified Public Accountants) determine the right amount of capital companies should direct toward risk by gathering or otherwise polling risk overseers to identify the threats to the organization, their financial impact and the effectiveness of risk mitigation options.

By mapping major risks on a matrix, companies can align their business processes to ensure they are routinely collecting and storing related information in a database that the chief risk officer or executive risk committee can monitor. This will make it easier to identify exception risks extending beyond the company's tolerance or threshold levels.


OBJECTIVE

To understand what Enterprise Risk Management is, why it is important for any business and how it can be measured.

To know whether a company can strengthen its ability to carry out its strategic plan by measuring and managing its risks consistently and systematically.

To understand the methods and tools used by firms to manage Enterprise Risk.

To study the processes and challenges in implementing Enterprise Risk Management and to identify how much risk can be retained and how much should be laid off.


CHAPTER 1 – INTRODUCTION

Enterprise Risk Management (ERM) is a data intensive process that measures all of a company's risks. It is an integrated approach to enterprise-wide risk management intended to protect and increase value for all parties with an interest in the organization. Businesses have always faced a variety of risks, but these are times when the pace of change and the resulting consequences to a business seem to be greater than ever.

Example:

1. Globalization has increased exposure to international events
2. The need for increased and escalated efficiency, innovation and differentiation
3. Cost of strategic error is rising in the global marketplace
4. Understanding and responding to customer wants in this demanding era of increasingly focused niche markets
5. Outsourcing raises questions about clarifying the retention and transfer of risk
6. The unthinkable can happen
7. Due to highly publicized public fiascos and high demands on certifying officers, financial reporting is now a significant risk area as companies focus on sustainability of their disclosure process and internal control structure

At most institutions today, the responsibility for enterprise risk management ultimately falls to the chief executive officer since many of the senior people in the company who manage risk on a day-to-day basis already report to him or her, including the CFO and chief lending or credit officer. But institutions need to consider appointing a chief risk officer and forming a management level risk committee.

The risk management function should be as independent as possible. However, true independence would require the use of parallel structures where one team of individuals would be responsible for a business unit like small business banking or an activity like regulatory compliance, while a separate team of individuals would be focused solely on managing risk. "To be successful, the business units must view the risk management function as a partner and a facilitator, rather than being in charge of saying no. There is a danger, if ERM looks interchangeable with internal audit, that the business units will view it as either an impediment or redundant, but one size does not fit all."

1.1 – BACKGROUND

Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Risk management itself has been practiced for thousands of years. One can imagine a risk manager burning a fire at night to keep wild animals away. Lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms learned to manage the risk of fire through the choice of building materials and safety practices or, after the introduction of fire insurance, by shifting it to an insurer.

Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management. They enumerated the following steps for the risk management process:

- Identifying loss exposures
- Measuring loss exposures
- Evaluating the different methods for handling risk: assumption, risk transfer and risk reduction
- Selecting a method
- Monitoring results

Initially, the risk management process focused on what has been termed “pure risks”. Pure risks are those in which there is either a loss or no loss. A typical example of a pure risk is that your house may burn down or be hit by an earthquake. If none of these occur then you are in the no-loss position.

Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling financial risk were developed. These new tools allowed financial risks to be managed in a similar fashion to the ways that pure risks had been managed for decades.

Although financial risk had become a major concern for institutions by the early 1980s, organizations did not begin to apply the standard risk management tools and techniques to this area. The reason for this failure was that risk managers had built a wall around their specialty, called pure risk, within which they operated. Thus, the refusal to expand into other areas of risk simply delayed the broadening of risk management by a number of decades.

1.2 – RELATED INFORMATION

The US 'Committee of Sponsoring Organizations of the Treadway Commission' (COSO) defines Enterprise Risk Management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

COSO divides the ERM process into eight components:

(1) Internal environment,
(2) Objective setting,
(3) Event identification,
(4) Risk assessment,
(5) Risk response,
(6) Control activities,
(7) Information and communication,
(8) Monitoring.


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations established in the United States: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI). It is dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

1.2.1 - ENTERPRISE RISK MANAGEMENT – INTEGRATED FRAMEWORK

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations' enterprise risk management. High-profile business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for enhanced corporate governance and risk management. As a result the Sarbanes-Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. In 2004 COSO published Enterprise Risk Management - Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.

Four categories of business objectives:

- Strategic: high-level goals, aligned with and supporting the entity's mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations

Fig.1 THE COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK

1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT

The scope of ERM is much broader than protecting physical and financial assets. With an ERM approach, the scope of risk management is enterprise wide and the application of risk management is targeted to enhancing as well as protecting the unique combination of tangible and intangible assets comprising the organization’s business model.

1.4 – RELEVANCE OF ERM

1. Reduce unacceptable performance variability
2. Align and integrate varying views of risk management
3. Build confidence of the investment community and stakeholders
4. Enhance corporate governance
5. Successfully respond to a changing business environment
6. Align strategy and corporate culture


1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE

1. Optimize Risk Management Cost
2. Improve Business Performance
3. Establish Competitive Advantage

1.6 – WHAT IF THERE IS NO ERM

ERM doesn’t guarantee the success of a business. It provides better information to managers and a more robust process for them to deploy, but does not necessarily transform a poor manager into a good manager. All organizations face business risk, regardless of size. Organizations ignore risk at their own peril. No organization can afford to stand pat with its existing risk management capabilities; therefore, every organization should evaluate how it can improve its risk management.


CHAPTER 2 – REVIEW OF LITERATURE

Although many companies have used ERM over the last decade, the economic downturn of 2008 showed that some companies had not done well when it came to managing their risks (Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that corporate executives were not taking newly developed models of risk analysis as seriously as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the ERM concept is changing as more and more companies attempt to recover from the downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy base for using ERM to help manage companies through all phases of business cycles (Van der Stede, 2009).

After Enron, WorldCom, Tyco, and other large businesses failed, the United States Congress passed the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley addressed risks related to financial reporting issues. Sections 302 and 404 of the act have spurred considerable interest in ERM. Section 302 mandates disclosure controls and procedures so that companies disclose developments and risks of the business, and section 404 requires an assessment of the effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009). The United States Securities and Exchange Commission (SEC) has also implemented requirements for publicly traded companies to disclose risk factors in section 1A of their 10-Ks. The SEC and the Public Company Accounting Oversight Board (PCAOB) also developed Section 404 guidance that supports a top-down risk assessment and holds boards of directors more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir & Walker, 2009).

The types of risks that companies face:

1. External risk is the risk of events that may strike organizations or individuals unexpectedly (from the outside) but that happen regularly enough and often enough to be generally predictable.
2. Manufactured risk is a result of the use of technologies or even business practices that an organization chooses to adopt.
3. A technological risk is caused or created by technologies; examples include trains wrecking, bridges falling, and planes crashing (Giddens, 1999).
4. Business practice risk is caused or created by actions which the company takes, which could include investing, purchasing, sales, or financing customer purchases.

2.1 - DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT

Risk is defined as “the possibility that an event will occur and adversely affect the achievement of objectives.”

Risk assessment is a systematic process for identifying and evaluating events (i.e. possible risks and opportunities) that could affect the achievement of objectives, positively or negatively. Such events can be identified in the external environment (e.g., economic trends, regulatory landscape, and competition) and within an organization’s internal environment (e.g., people, process, and infrastructure).

Risk assessments can be mandated by regulatory demands: for example, anti-money laundering, Basel III, and Sarbanes-Oxley compliance all require formalized risk assessment, and focus on such processes as monitoring of client accounts, operational risk management, and internal control over financial reporting. Risk assessments can also be driven by an organization’s own goals, such as business development, talent retention, and operational efficiency.

Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective, and should be weighed using the same unit of measure applied to the related objective.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.


An event and a risk are related concepts. Events can have either a negative or a positive impact. An event with a negative impact represents a risk, whereas an event with a positive impact represents an opportunity.

2.1.1 - THE PROCESS

The ERM process begins with risk identification. This creative, wide-open process may have a tendency to produce a large and unwieldy list. To keep things organized, a computerized risk register is often recommended. Once a list has been created and organized, the cause and effect of each item should be considered and the appropriate experts consulted. Each risk should be assessed to separate minor risks from more serious risks and should be assigned a score.

For example, a number from one to ten can be determined for each of two dimensions: probability and severity. A zero score may mean a risk almost never happens or is of trivial consequence. On the other hand, a score of ten may mean that a particular risk almost always happens or carries potentially catastrophic consequences. These scores can then be multiplied together to generate a final risk score that can be used to communicate the magnitude of impact posed by a risk and the urgency required. The scores, along with a detailed description and evaluation, can be placed in a risk register. That risk register creates a record on which to base future action and strategy.
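As an added worked example (not part of the original paper), the scoring scheme above implemented as a small computerized risk register in Python: probability and severity are scored on a 0..10 scale (the text speaks of both a one-to-ten scale and a zero score, so 0..10 inclusive is accepted), multiplied into a final score, ranked, and checked against a tolerance threshold to produce the exception list and traffic-light view mentioned in the executive summary. The band thresholds, the tolerance value and the sample risks are constructed assumptions for this example.

```python
"""Risk register for the probability x severity scoring scheme (added example).

Each risk carries a probability and a severity score on a 0..10 scale; the
two are multiplied into a final risk score (0..100) which drives ranking,
traffic-light reporting and an exception list of risks beyond tolerance.
The band thresholds, the tolerance value and the sample risks below are
constructed for this example, not taken from the paper."""
from dataclasses import dataclass
from typing import Dict, List

MIN_SCORE, MAX_SCORE = 0, 10


def is_valid_score(value: int) -> bool:
    """A dimension score must be an integer in the 0..10 range."""
    return isinstance(value, int) and MIN_SCORE <= value <= MAX_SCORE


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str          # ERM assigns ownership for every risk
    category: str       # e.g. operational, financial, hazard
    probability: int    # 0 = almost never happens, 10 = almost always happens
    severity: int       # 0 = trivial consequence, 10 = catastrophic consequence

    def __post_init__(self) -> None:
        # Reject scores outside the scale so the register cannot hold garbage
        for name in ("probability", "severity"):
            if not is_valid_score(getattr(self, name)):
                raise ValueError(f"{self.risk_id}: {name} must be an integer in "
                                 f"{MIN_SCORE}..{MAX_SCORE}")

    @property
    def score(self) -> int:
        """Final risk score = probability x severity."""
        return self.probability * self.severity


def traffic_light(score: int, amber: int = 20, red: int = 50) -> str:
    """Map a final score onto the red/amber/green bands used on ERM dashboards
    (threshold values are assumptions for this example)."""
    if score >= red:
        return "RED"
    if score >= amber:
        return "AMBER"
    return "GREEN"


class RiskRegister:
    """Computerized risk register: the record on which future action is based."""

    def __init__(self, tolerance: int = 50) -> None:
        self.tolerance = tolerance          # scores at or above this exceed tolerance
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def ranked(self) -> List[Risk]:
        """Most serious risks first; ties broken by id for a stable report."""
        return sorted(self._risks.values(), key=lambda r: (-r.score, r.risk_id))

    def exceptions(self) -> List[Risk]:
        """Risks extending beyond the organization's tolerance threshold."""
        return [r for r in self.ranked() if r.score >= self.tolerance]

    def exposure_by_category(self) -> Dict[str, int]:
        """Portfolio view: summed scores per risk category."""
        totals: Dict[str, int] = {}
        for r in self._risks.values():
            totals[r.category] = totals.get(r.category, 0) + r.score
        return totals

    def report(self) -> List[str]:
        """One dashboard line per risk, highest score first."""
        return [f"{traffic_light(r.score):5} {r.score:3d}  {r.risk_id}  {r.description} "
                f"(owner: {r.owner})" for r in self.ranked()]


def build_sample_register() -> RiskRegister:
    """Constructed sample data so the example runs offline."""
    reg = RiskRegister(tolerance=50)
    reg.add(Risk("R1", "Loss of sole-source supplier", "COO", "operational", 6, 7))
    reg.add(Risk("R2", "Extended outage of core systems", "CIO", "operational", 4, 9))
    reg.add(Risk("R3", "Material misstatement in financial reporting", "CFO", "financial", 3, 10))
    reg.add(Risk("R4", "FX rate swing beyond hedge limits", "Treasurer", "financial", 8, 7))
    reg.add(Risk("R5", "Minor office fire", "Facilities", "hazard", 1, 3))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print("\n".join(register.report()))
    print("Beyond tolerance:", [r.risk_id for r in register.exceptions()])
```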

Participation of stakeholders is critical to the success of an ERM program, and good communication is important to maintaining interest in the program. Unless an initiative has the support of top management and the CEO, it would be very difficult to get a program off the ground. It may be difficult for separate units to effectively communicate with one another. Accordingly, a company that wishes to implement ERM may consider defining a common risk language or glossary and implementing a risk ranking system to prioritize risk both within and across departments. To address implementation issues related to responsibility, a company may establish a risk committee or chief risk officer to coordinate the activities across functional areas and assign ownership for particular risks and responses.


2.1.2 - RISK ASSESSMENT CAN BE CONDUCTED AT VARIOUS LEVELS OF THE ORGANIZATION

Frequently performed risk assessments include:

Strategic risk assessment - Evaluation of risks relating to the organization's mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.

Operational risk assessment - Evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events.

Compliance risk assessment - Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed.

Internal audit risk assessment - Evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to shareholder value as a basis to define the audit plan and monitor key risks.

Financial statement risk assessment - Evaluation of risks related to a material misstatement of the organization’s financial statements through input from various parties such as the controller, internal audit, and operations.

Fraud risk assessment - Evaluation of potential instances of fraud. This is typically performed as part of Sarbanes-Oxley compliance or during a broader organization-wide risk assessment, and involves subject matter experts from key business functions where fraud could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.

Market risk assessment - Evaluation of market movements that could affect the organization’s performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk. This is typically performed by market risk specialists.

Credit risk assessment - Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms.

Customer risk assessment - Evaluation of the risk profile of customers that could potentially impact the organization’s reputation and financial position. This assessment weighs the customer’s intent, creditworthiness, affiliations, and other relevant factors.

Supply chain risk assessment - Evaluation of the risks associated with identifying the inputs and logistics needed to support the creation of products and services, including selection and management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality assurance reviews to assess any changes that could impact the achievement of the organization’s business objectives).

Product risk assessment - Evaluation of the risk factors associated with an organization’s product, from design and development through manufacturing, distribution, use, and disposal. This assessment aims to understand not only the revenue or cost impact, but also the impact on the brand, interrelationships with other products, dependency on third parties, and other relevant factors.

Security risk assessment - Evaluation of potential breaches in an organization’s physical assets and information protection and security. This considers infrastructure, applications, operations, and people, and is typically performed by an organization’s information security function.

Information technology risk assessment - Evaluation of the potential for technology system failures and the organization’s return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cybercrime.

Project risk assessment - Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other key considerations.


Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon its priorities and objectives.

For risk assessments to yield meaningful results, certain key principles must be considered. They are:

1. Begin and end with specific business objectives that are anchored in key value drivers.
2. Governance over the risk assessment process must be clearly established.
3. Risk rating scales are defined in relation to the organization’s objectives in scope.
4. Capturing leading indicators enhances the ability to anticipate possible risks and opportunities before they materialize.
5. Management forms a portfolio view of risks to support decision making.
6. Interpret the results of the risk assessment process to set a foundation for establishing an effective enterprise risk management (ERM) program.
7. Determine risk tolerance.
8. Risk appetite must be clearly defined and reflected in risk tolerances and risk limits to help ensure that organizational objectives can be achieved.

2.1.3 - COMMON CHALLENGES TO EFFECTIVE RISK ASSESSMENT

Risk assessment is viewed as an episodic initiative providing limited value.
- The owner of a risk assessment must clearly communicate its purpose, process, and expected benefits.
- The right parties must be engaged to ensure relevant input, informed assessment, and meaningful and actionable results.
- The assessment must be a repeatable process that integrates into regular business practices, adapts to change, and delivers more than one-time value.

The amount of information and data gathered is difficult to interpret and use.
- Failure to effectively organize and manage the volume and quality of assessment data makes interpreting that data a challenge.
- Tools, templates, and guidance are necessary to ensure consistency in data capture, assessment, and reporting.

Results of the risk assessment are not acted upon.
- Lack of an effective risk assessment process and defined risk tolerance could result in an organization over-controlling a risk, which could place an excessive cost burden on the organization and/or stifle its ability to seize opportunities.

Risk assessments become stale, providing the same results every time.
- Without refreshing their data capture, process, and reporting from time to time, risk assessments may lose relevance.

Breakdowns may occur without triggering key risk indicators to management.
- Risk assessment is added onto day-to-day responsibilities without being integrated into business processes.
- Too many different risk assessments are performed across the organization.

Risk assessment will not prevent the next big failure.
- Risk assessments need to invoke the right subject matter experts and consider not only past experience but also forward-looking analysis.

2.1.4 – FORMS OF RISK ASSESSMENTS

Qualitative assessments are the most basic form of risk assessment, categorizing potential risks based on either nominal or ordinal scales. External validation should be obtained to guard against potential management biases.

Rigorous quantitative techniques ranging from benchmarking to probabilistic and non-probabilistic modeling can be used for assessing risk as more data becomes available through tracking of internal events (e.g., transaction errors, customer complaints, litigation) and external events (e.g., loss events recorded by peer organizations and made available through subscription to services such as the ORX or Fitch First databases).

Such data enables greater analysis of potential risk exposures, development of relevant indicators that can be tracked regularly, and more rapid and efficient responses to risk situations. Risk categories, loss-event data, and key risk indicators are often refined through iterative efforts to support issue and trend analysis.

Analysis is often enriched by various modeling techniques using assumptions regarding distributions. Probabilistic models (e.g., “at-risk” models, assessment of loss events, back testing) measure both the likelihood and impact of events, whereas non-probabilistic models (e.g., sensitivity analysis, scenario analysis, stress testing) measure only the impact and require separate measurement of likelihood using other techniques. Non-probabilistic models are relied upon when available data is limited. Both types of models are based on assumptions regarding how potential risks will play out.

The more mature risk assessment processes yield quantitative results that can be used to allocate capital based on risk, as required by regulation in certain industries (e.g., Basel II or III for the financial services industry). For organizations in industries not subject to such requirements, the best approach should be determined based on a cost/benefit analysis of the process for enabling timely and relevant discussion of risks, monitoring predictive indicators, escalating information on increased risk exposures, and making risk-informed decisions in an integrated manner.


2.1.5 – DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT

Aspect | RM | BRM | ERM
Focus | Finance, hazard, internal controls | Business, internal controls | Business, internal controls, taking an entity-level portfolio view of risk
Objective | Protect enterprise value | Protect enterprise value | Protect and enhance enterprise value
Scope | Treasury, insurance and operations | Business managers | Across the enterprise, at every level and unit
Emphasis | Finance and operations | Management | Strategy-setting
Application | Selected risk areas, units and process | Selected risk areas, units and process | Enterprise wide to all sources of value
Vision | “Current State” | Capabilities | “Future State”

Table 1

2.1.5.A - TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES

Traditional RM | ERM
Risk as individual hazards | Risk in the context of business strategy
Risk identification and assessment | Risk portfolio development
Focus on discrete risks | Focus on critical risks
Risk mitigation | Risk optimization
Risk limits | Risk strategy
Risks with no owners | Defined risk responsibilities
Haphazard risk quantification | Monitoring and measuring of risks
"Risk is not my responsibility" | "Risk is everyone's responsibility"

Table 2


2.1.6 - APPLICATION OF ERM ACROSS INDUSTRIES

The nature of the industry will drive the value of the risks and the risk management practices the organization adopts to manage those risks. For example, a bank will focus on managing market and credit risk to a greater extent than other institutions because the assumption of those risks is the essence of its business model. A pharmaceutical company will focus on managing its research and development pipeline because that is the lifeline to its future revenue streams. Regardless of the industry, the components of the framework as defined by COSO still apply.

2.1.7 – RISK MANAGEMENT REPORT

These reports serve the purpose of providing information for decision making to executive management. They typically include:

1. A summary of the enterprise’s risks, broken down by operating unit, geographic location and product group.

2. A summary of existing gaps in the capabilities for managing the priority risks.

3. A summary of the top and worst performing investments and the reasons why.

4. From an “environment scan” process or early warning system, a report of emerging issues or risks that warrant immediate attention.

5. Value at risk reports to assess the sensitivity of existing portfolio positions to market rate changes beyond specified limits and to consider the exposure of earnings or cash flow to severe losses.

6. Summary of scenario analyses evaluating the impact of changes in other key variables beyond management’s control (e.g. inflation, weather, competitor acts and supplier performance levels) on earnings, cash flow, capital and the business plans.

7. Operational risk reports summarizing exceptions that have occurred versus policies or established limits (i.e. limit breaches), including any significant breakdowns, errors, accidents, incidents, losses (as well as lost opportunities) or “close calls” and “near misses”.

8. Specific studies or targeted analyses to evaluate questions about specific events or anticipated concerns that could “stop the show”.

9. Summary of significant findings of business process audits performed by internal audit or reviews conducted by other independent parties such as the organization’s regulators.

10. Summary of the status of the improvement initiatives.
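Report item 7 above (exceptions against established limits, including near misses) and the note at the start of this page on refining key risk indicators for trend analysis describe logic that an ERM information system would run each reporting period. The Python below is an added example written for this page, not code from the term paper or from any ERM product; the indicator names, the limits, the near-miss band, the escalation rule (breaches always, near misses only while the indicator is rising), the unit names, the readings and the histories are all constructed assumptions.

```python
"""Operational risk exception report: key risk indicator readings versus established limits.

Added example for this page; not code from the paper or from any ERM information
system. Indicator names, limits, the near-miss band, unit names, readings and
histories are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Limit:
    indicator: str
    ceiling: float         # established limit; a reading above it is a breach
    near_miss_band: float  # assumed: fraction of the ceiling below it that counts as a near miss


@dataclass(frozen=True)
class Reading:
    unit: str        # operating unit reporting the indicator
    indicator: str
    value: float


def classify(value: float, limit: Limit) -> str:
    """'breach' above the ceiling, 'near miss' inside the band below it, else 'within limit'."""
    if value > limit.ceiling:
        return "breach"
    if limit.near_miss_band > 0 and value >= limit.ceiling * (1.0 - limit.near_miss_band):
        return "near miss"
    return "within limit"


def trend(series: List[float], tolerance: float = 0.10) -> str:
    """Compare the latest reading with the mean of the earlier ones (assumed 10% tolerance)."""
    if len(series) < 2:
        return "insufficient data"
    *earlier, latest = series
    baseline = sum(earlier) / len(earlier)
    if baseline == 0:
        return "rising" if latest > 0 else "stable"
    change = (latest - baseline) / abs(baseline)
    if change > tolerance:
        return "rising"
    if change < -tolerance:
        return "falling"
    return "stable"


def exception_report(readings: List[Reading], limits: Dict[str, Limit],
                     history: Dict[str, List[float]]) -> Dict[str, List[dict]]:
    """Exceptions grouped by operating unit. Breaches are always escalated; a near miss
    is escalated only when the indicator's trend is rising (assumed escalation rule)."""
    report: Dict[str, List[dict]] = {}
    for r in readings:
        limit = limits[r.indicator]
        status = classify(r.value, limit)
        if status == "within limit":
            continue
        direction = trend(history.get(r.indicator, []) + [r.value])
        report.setdefault(r.unit, []).append({
            "indicator": r.indicator,
            "value": r.value,
            "ceiling": limit.ceiling,
            "status": status,
            "trend": direction,
            "escalate": status == "breach" or direction == "rising",
        })
    return report


# Constructed limits and indicators (not the paper's).
LIMITS = {
    "unreconciled_transactions": Limit("unreconciled_transactions", 50, 0.10),
    "overdue_audit_findings": Limit("overdue_audit_findings", 5, 0.20),
    "backup_restore_failures": Limit("backup_restore_failures", 0, 0.0),  # zero tolerance
    "vendor_sla_misses": Limit("vendor_sla_misses", 3, 0.34),
}

# Constructed earlier readings, entity-wide, oldest first.
HISTORY = {
    "unreconciled_transactions": [30, 35, 41],
    "overdue_audit_findings": [5, 5, 4],
    "backup_restore_failures": [0, 0, 0],
    "vendor_sla_misses": [2, 2, 2],
}

# Constructed current-period readings from three operating units.
SAMPLE_READINGS = [
    Reading("Treasury", "unreconciled_transactions", 62),
    Reading("Treasury", "vendor_sla_misses", 1),
    Reading("Unit A", "unreconciled_transactions", 46),
    Reading("Unit A", "backup_restore_failures", 1),
    Reading("Unit B", "overdue_audit_findings", 5),
    Reading("Unit B", "backup_restore_failures", 0),
    Reading("Unit B", "vendor_sla_misses", 2),
]

if __name__ == "__main__":
    for unit, items in exception_report(SAMPLE_READINGS, LIMITS, HISTORY).items():
        for item in items:
            flag = "ESCALATE" if item["escalate"] else ""
            print(f"{unit:<9} {item['indicator']:<27} {item['value']:>4} / {item['ceiling']:<4} "
                  f"{item['status']:<12} {item['trend']:<8} {flag}")
```

The zero-ceiling indicator shows why the near-miss band is optional: with a zero-tolerance limit there is no band to sit inside, so any non-zero reading is a breach and a zero reading is within limit. Keeping the escalation decision in the report itself (rather than leaving it to the reader of a dashboard) is what turns a list of exceptions into the "escalating information on increased risk exposures" the earlier paragraph asks for.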

Good governance facilitates implementation of ERM because ERM is built on transparency. Conversely, an effectively functioning ERM infrastructure would provide greater confidence to the board and to executive management that risks and opportunities are being systematically identified, rigorously analyzed and effectively managed on an enterprise wide basis.

2.1.8 - INTERNAL AUDIT

The Institute of Internal Auditors (IIA) regards internal auditing as an independent, objective assurance and consulting function, while objective reporting is the primary value of an auditor from outside the company. Accordingly, the IIA identifies suitable activities for the internal auditor in the ERM process. This is accomplished by advising upon the accuracy of the company's risk evaluation, evaluating the ERM processes and the method employed for reporting those risks, and reviewing the management of risk. The IIA considers activities such as facilitating, coaching, coordinating, educating, integrating, evaluating and developing an ERM framework as appropriate activities for internal auditors. However, the IIA considers setting risk appetite, imposing the ERM process, decision-making or implementation of risk response as roles an internal auditor should not undertake.


2.1.9 – EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT

| Option | Description |
| --- | --- |
| Interviews | Individual stakeholder interviews to identify potential events and prioritize associated risk |
| Online surveys | Consisting of either a checklist of events or risks or an open-ended request |
| Paper surveys | Hard copy survey consisting of either a checklist of events or risks or an open-ended request |
| Document review | Review of existing public documents, regulatory reviews, audit reports, special purpose studies and other materials |
| Facilitated workshops | An in-person or online workshop attended by key stakeholders |
| Targeted reviews | Special studies to evaluate questions about specific events or anticipated concerns, or targeted analyses |

Table 3

Any combination of these options is appropriate.

2.2 – INDUSTRY SPECIFIC EXAMPLES

2.2.1 – COMPONENTS OF A HIGHER EDUCATION SPECIFIC ERM FRAMEWORK

Internal environment – the organization’s code of conduct, management’s leadership, communication and decision making style. Training should begin at the level of academic deans, department heads, business managers and administrators.

Objective setting – suppose the institution wants to build a new science and technology block. The proposal should consider the return on investment risk in qualitative and quantitative terms.

Event identification – requires the institution to identify activities that may impact its ability to achieve objectives.

Risk assessment and risk response – low probability/high impact events or high probability/high impact situations.

Control and monitoring activities – adherence to policies and procedures that reduce risk, and follow-up activity which ensures that the policies and procedures have been carried out as intended.

Information and communication – administrators and other members of the campus need to have access to accurate information that is communicated widely.

2.2.2 - WHY IS ERM RELEVANT IN THE HIGHER EDUCATION ENVIRONMENT?

The higher education system operates in an inherently risky environment. By strategically managing risk, institutions can reduce the chance of loss, create greater financial stability and protect their resources so that they can support the university's mission of supporting teaching, research and public service.

2.2.3 – STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION

| Risk driver | Stakeholders |
| --- | --- |
| Emerging educational delivery systems | Students, faculty, executive management, staff, accrediting agencies |
| Inability of governance processes to support strategic objectives | Trustees, executive management, faculty |
| Increasing opportunities to leverage intellectual capital | Executive management, faculty |
| Excess physical capacity | Trustees, executive management, donors |
| Quality of academic program | Students, faculty, executive management |
| Increasing customer expectations (e.g. financial aid, student life, access, capacity) | Students, parents |

Table 4


2.2.4 – OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION

| Risk driver | Stakeholders |
| --- | --- |
| New technologies | Trustees, executive management, staff (for selected issues) |
| Reimbursement and financial issues | Dean, faculty, regulators, trustees |
| Increased regulatory scrutiny and accountability | Trustees, executive management, internal audit, public |
| Research and intellectual property | Executive management, research |
| Human resource management | HRM, unions, staff |
| Decentralized responsibility | Staff, faculty, auditors |
| Security, internet access, electronic records | Students, executive management, faculty, staff |
| New construction | Real estate office, executive management, donors |
| New business creation (international operations) | Staff, faculty |
| Increased competition | Trustees, executive management, faculty |
| Student behavior and community | Alumni, parents, students, faculty, president |
| Contracting and related processes | Attorneys and executive management |
| Endowment management | Trustees, staff, alumni, other donors |

Table 5


2.2.5 - LIST OF RISKS SEPARATED BY CATEGORY

| Risk category | Sample risks |
| --- | --- |
| Hazard risks | Domestic terrorism; Catastrophic natural events; Pandemic; Laboratory safety; Facilities and ground safety |
| Financial risks | Conflicts of interest in financial transactions and agreements; Budget impairment; Ineffective service center, auxiliary management; Non-compliant cost transfers; Insufficient oversight over third party vendors; Improper governmental activities including fraud, embezzlement or misuse of university resources |
| Information technology risks | Unauthorized modification of data; Decentralization of systems leading to data inconsistencies and fragmentation; Disclosure of confidential information; Obsolescence of systems/technology; Lack of common data definitions; Inability to recover from system loss; Lack of comfort with third party vendor system security |
| Human resource risks | Personal issues or workplace violence; Professional liability claims; Workers compensation claims; Employee recruitment and retention |
| Research risks | Falsification of data or results; Intellectual property infringement; Unethical or unapproved research; Inadequate lab practices and processes for the promotion of environmental health and safety; Threat to safety of researchers |
| Contract and grant risks | Regulatory fines or penalties; Non-compliance with sponsoring agency terms and conditions and agreement; Funds used but agreement terms and conditions not followed; Failure to maintain equipment inventories in accordance with grant requirements; Sub-recipients not managed properly |
| Student life risks | Sports or public event disturbances; Student mental health; Safety and security of students on and off campus |
| Facilities and maintenance risks | Deferred maintenance; Increase in energy costs; Equipment/facility malfunction |

Table 6


2.2.6 – ERMIS

As a key support, a University can develop an ERM information system (ERMIS) to provide management with current information in minutes in the form of key performance indicators (KPIs). ERMIS reduces the cost of risk by improving the efficiency of retrospective reviews and monitoring the effectiveness of controls to prevent reoccurrences.

The ERMIS includes:

1. Dashboard reporting on major risks

2. Risk assessment tools

3. Control and accountability tracking platform

4. Risk mitigation and monitoring tools

5. Survey capabilities

2.3 – HEALTH CARE ORGANIZATION

Specific objectives:

1. Quality of customer care

2. Attracting and retaining high quality physicians

3. Building sustainable levels of profit to provide access to needed capital and fund existing activities

Statement of risk appetite:

The organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting and operations objectives.


2.4 – AEROSPACE SUPPLIER

A high level objective is to work with customers to improve products and market share. There is a low risk appetite for allowing the capital structure to be leveraged to the point that it hinders the company’s future flexibility or ability to make strategic acquisitions.

Operations tolerances:

1. Near zero risk tolerance for product defects

2. Low risk tolerance for sourcing products that fail to meet the company’s quality standards

3. Low risk tolerance regarding meeting customer orders on time

4. High risk tolerance for potential failure in pursuing research that will enable the company’s product to better control and increase the efficiency of energy use

Reporting tolerances:

1. Low risk tolerance concerning the quality, timing and accessibility of data needed to run the business

2. Very low risk tolerance concerning the possibility of material deficiencies in internal control

3. Low risk tolerance related to financial reporting quality (timeliness, transparency, generally accepted accounting principles)

Compliance tolerances:

1. Near zero risk tolerance for violations of regulatory requirements or the company’s code of ethics.


2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III)

The Basel Accords are a set of rules on banking regulations in regards to capital. Basel III is a series of additions to the existing accords designed to limit the likelihood and impact of a future financial crisis. It requires banks to hold more higher-quality capital against more conservatively calculated risk weighted assets (RWAs). It also looks to ensure sufficient liquidity during times of stress and to reduce excess leverage.

Capital: A minimum of 7 per cent of a bank’s RWAs must be core tier one to act as a buffer against losses. This compares with the 2 per cent required under Basel II. The definition of which liabilities can be classified as core tier one will narrow. There is a counter-cyclical buffer of 0 to 2.5 per cent, which is to be built up when the economy is strong so that it can be called upon in tougher times. Additional requirements will also be introduced for large banks deemed vital to the global financial system (Global Systemically Important Financial Institutions, G-SIFIs), which are to hold an extra 1 to 2.5 per cent of core tier one capital.

Risk Weighted Assets: In addition to increasing the quality and quantity of capital, Basel III also updates the risk weighted asset (RWA) calculation for counterparty credit risk. This will see the introduction of the Credit Valuation Adjustment (CVA) capital charge, which increases the capital held against the risk that the mark-to-market value of derivatives will deteriorate due to a change in counterparty credit worthiness. The Financial Institution Asset Value Correlation (FI AVC) will be amended to increase the RWAs for banks’ exposures to large and/or unregulated financial institutions.

Liquidity: The Liquidity Coverage Ratio (LCR) defines the amount of unencumbered, low risk assets (such as cash or gilts) that banks must hold to offset forecast cash outflows during a 30-day crisis. Outflows are estimated based on the nature of the customer relationship and the type of product.

Leverage: A new leverage ratio of 3 per cent is due to become mandatory in 2018. This seeks to ensure banks apply adequate capital to all their exposures, including those off balance sheet, and without applying any risk weightings.

Timing: Basel III requirements are being introduced from 2013 but some areas are still subject to change and total compliance is not expected until 2019. The long lead-in is designed to prevent sudden lending freezes as banks improve their balance sheets.

These measures aim to:

1. Improve the banking sector's ability to absorb shocks arising from financial and economic stress, whatever the source.

2. Improve risk management and governance.

3. Strengthen banks' transparency and disclosures.


CHAPTER 3 – EXPLORATION COMMENT ON ERM

3.1 - RISK MAPPING

Risk mapping is probably the most common tool used by companies to identify and prioritize the risks associated with their business activities. It is a directional tool.

Fig.2 – Consolidated risk profile: a grid with Impact (Manageable, Major, Critical) on the vertical axis and Likelihood (Remote, Possible, Likely) on the horizontal axis; the high-likelihood, high-impact corner is labelled Critical.
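As an added illustration of how the grid in Fig.2 is used to build a consolidated risk profile, the Python below (written for this page, not taken from the paper or from any risk-mapping tool) scores risks on the two axes, places them in the grid, ranks them and flags risks that have no owner. The axis names and levels are those of Fig.2; the 1 to 3 scoring, the zone cut-offs and their names, the Risk fields and the sample register (risk names borrowed from Table 6, ratings and owners invented) are assumptions.

```python
"""Consolidated risk profile on the likelihood/impact grid of Fig. 2.

Added example for this page, not the paper's own method nor a tool's API. Axis
names and levels follow Fig. 2; the 1-3 scoring, zone cut-offs and names, the
Risk fields and the sample register are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordinal scales for the two axes of Fig. 2 (assumed 1..3 scoring).
LIKELIHOOD = {"Remote": 1, "Possible": 2, "Likely": 3}
IMPACT = {"Manageable": 1, "Major": 2, "Critical": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str               # key of LIKELIHOOD
    impact: str                   # key of IMPACT
    owner: Optional[str] = None   # None models a "risk with no owner" (Table 2)


def score(risk: Risk) -> int:
    """Likelihood x impact on the 1..3 scales, so 1 (bottom-left) to 9 (top-right)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def zone(risk: Risk) -> str:
    """Assumed zone cut-offs; the top-right cells of Fig. 2 form the 'Critical' zone."""
    s = score(risk)
    if s >= 6:      # Likely/Major, Possible/Critical, Likely/Critical
        return "Critical"
    if s >= 3:      # e.g. Possible/Major, Remote/Critical, Likely/Manageable
        return "Significant"
    return "Acceptable"


def build_profile(register: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Risk names grouped by grid cell (likelihood, impact); every cell is present."""
    grid: Dict[Tuple[str, str], List[str]] = {
        (lik, imp): [] for lik in LIKELIHOOD for imp in IMPACT
    }
    for r in register:
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid


def render_grid(register: List[Risk]) -> str:
    """Text version of the profile: impact rows top-down, likelihood columns, cell = count."""
    grid = build_profile(register)
    rows = []
    for imp in reversed(list(IMPACT)):
        counts = [str(len(grid[(lik, imp)])) for lik in LIKELIHOOD]
        rows.append(f"{imp:<11}" + "".join(f"{c:>9}" for c in counts))
    rows.append(" " * 11 + "".join(f"{lik:>9}" for lik in LIKELIHOOD))
    return "\n".join(rows)


def prioritise(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """Rank by score, highest first (name breaks ties), as (name, score, zone)."""
    ranked = sorted(register, key=lambda r: (-score(r), r.name))
    return [(r.name, score(r), zone(r)) for r in ranked]


def unowned(register: List[Risk]) -> List[str]:
    """Risks with no defined owner, the gap ERM closes with defined responsibilities."""
    return [r.name for r in register if r.owner is None]


# Constructed sample register: names borrowed from Table 6, ratings/owners invented.
SAMPLE_REGISTER = [
    Risk("Disclosure of confidential information", "Possible", "Critical", "CIO"),
    Risk("Inability to recover from system loss", "Remote", "Critical", "CIO"),
    Risk("Obsolescence of systems/technology", "Likely", "Major"),
    Risk("Deferred maintenance", "Likely", "Manageable", "Facilities"),
    Risk("Employee recruitment and retention", "Possible", "Major", "HRM"),
    Risk("Domestic terrorism", "Remote", "Major"),
]

if __name__ == "__main__":
    print(render_grid(SAMPLE_REGISTER))
    for name, s, z in prioritise(SAMPLE_REGISTER):
        print(f"{s}  {z:<12}{name}")
    print("No owner:", unowned(SAMPLE_REGISTER))
```

The product of two ordinal scores is a common shortcut rather than a probability; it is enough to order risks for discussion, which is the "directional" use the paragraph above describes, but it should not be read as a quantitative measure of loss. The unowned check reflects the Table 2 shift from "risks with no owners" to "defined risk responsibilities".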


A RISK MODEL

Environment risk: Competitor; Customer wants; Technological innovation; Sensitivity; Shareholder expectations; Capital availability; Sovereign/Political; Legal; Regulatory; Industry; Financial matters; Catastrophic loss

Process risk:

Financial – Price: Interest rate; Currency; Equity; Commodity; Financial instrument

Financial – Liquidity: Cash flow; Opportunity cost; Concentration

Financial – Credit: Default; Concentration; Settlement; Collateral

Empowerment: Leadership; Authority/Limit; Outsourcing; Performance incentives; Change readiness; Communications

Governance: Organizational culture; Ethical behavior; Board effectiveness; Succession planning

Information Technology: Integrity; Access; Availability; Infrastructure

Reputation: Image and Branding; Stakeholder relations

Integrity: Management fraud; Employee fraud; Third party fraud; Illegal acts; Unauthorized use

Operations: Customer satisfaction; Human Resources; Knowledge capital; Product development; Efficiency; Capacity; Scalability; Performance gap; Cycle time; Sourcing; Channel effectiveness; Partnering; Compliance; Business interruption; Product/service failure; Environmental; Health and safety; Trademark/brand erosion

Information for decision making risk:

Strategic: Environment scan; Business model; Business portfolio; Investment valuation/evaluation; Organization structure; Measurement (strategy); Resource allocation; Planning; Life cycle

Public reporting: Financial reporting evaluation; Internal control evaluation; Executive certification; Taxation; Pension fund; Regulatory reporting

Operational: Budget and planning; Product/service pricing; Contract commitment; Measurement (operations); Alignment; Accounting information

Table 7


A RISK DRIVERS MAP

Fig.3 – A risk drivers map for human resources risk, separating internal factors from external factors. The drivers shown on the map are:

Company expectations are unrealistic

Industry demand declines due to environmental protection age issues

Performance measurement and reward system is not aligned with performance expectations

Executive management is not perceived as committed

Career or succession plan is poorly defined

Teamwork contradicts acceptance of individual accountability

Compensation levels are not competitive

Loss of reputation due to poor financial results

Hiring practices lack background checks (hiring process)

People are hired with dubious or questionable histories

Increased costs due to inflexible union rules

Market demand for company products significantly declines

Fewer entrants into higher education programs

High turnover occurs at remote locations

Loss of morale

Higher costs of expatriates due to transfers

Job security declines resulting in good people leaving

Cost of retaining top and experienced performers increases

Company decides to restructure

Top and experienced performers conclude the company is not as attractive

Competition for talent increases


A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION

Fig.4 – Organization chart whose labelled boxes are: Board of Directors; CEO; Executive committee; Risk management executive committee; Chief risk officer; Business risk; Business units; COO; CFO; CIO/CLO; Unit A; Unit B; Unit C; Support units; Shared services; Functional support; Program Management; Risk units; Assurance units; Risk management compliance; Legal and regulatory compliance; Internal audit.


3.2 - THE CAPABILITY MATURITY MODEL

The Capability maturity model is a tool for assisting management in thinking more clearly about questions such as:

1. How capable do we want our risk management to be?

2. Do we vary the rigor and robustness of our risk responses and related control activities?

3. Do we rely on a few well-qualified individuals in an ad hoc manner and regularly put out fires?

4. Do we improve our capabilities?

3.2.1 - SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT RISK

| Maturity state | Business policies | Business processes | People and organizations | Management reports | Methodologies | Systems and data |
| --- | --- | --- | --- | --- | --- | --- |
| Initial | Procurement not addressed as a strategic opportunity, no direction or policies | Purchases not leveraged, no strategic partnerships | No leadership and lack of qualified staff | Critical information not available and no internal auditing | No models, reliance on people | Disparate, inefficient purchasing and accounts payable systems |
| Repeatable | Occasional strategic focus on sourcing and informal policies | Occasional supply leverage, few strategic partnerships | Some procurement professionals as staff, limited training | Key internal procurement information available with audits occurring | Simple models are used inconsistently | Suite of fairly effective systems, procedure manual |
| Defined | Annual procurement plans, strategic sourcing for key commodities | Defined processes, strategic partnerships in place | Accounts payable centralized, training offered and special purpose teams | Key suppliers tracked, standard benchmarks and internal audits | Well-developed models available for decision making | Organization operates with contracts |
| Managed | Increased execution of strategic sourcing | Effective use of formal risk management technique | Consolidated leveraged supply base in place, trained commodity teams | High quality procurement information, self-assessment commonplace | Sophisticated robust models and tools | Procurement data warehouse in place and utilized, P-cards and automation |
| Optimizing | Aligned strategic plans, defined and integrated policies and responsibilities | Integrated and effective procurement processes and continuous benchmarking | Ability to adapt to changing environments and customer demands, outsourcing of non-core competencies | Fully developed automated, consistent function and planning | Aligned strategic methodologies that emphasize continuous improvement | Complete suite of systems across the supply chain for analysis |

Table 8


3.2.2 - RISK MEASUREMENT TECHNIQUES AT EACH STATE OF CAPABILITY MATURITY MODEL

Initial state: Simple and straightforward methodologies

1. Self - assessment techniques

2. Facilitated assessments

3. Risk indicator analysis

4. Position reports

5. Gap analyses

Repeatable state: Basic

1. Risk rating or scoring

2. Claims exposure and cost analysis

3. Sensitivity analysis

4. Deterministic stress testing

5. Parametric value at risk

6. Uncertainty measures

Defined state: Refined methodologies

1. Surrogate performance measures

2. Historical simulation value at risk

3. Scenario analysis

Managed state: Managed quantitatively and aggregated at the corporate level

1. Monte Carlo value at risk

2. Earnings at risk

3. Integrated measurement methodologies

4. Risk – adjusted performance measurement

Optimizing state: Organization is focused on continuous improvement. Risks are aggregated and managed as a portfolio; the quantitative means to transfer and scrutinize risk are developed.
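The maturity ladder above names three value-at-risk methods at three states: parametric VaR (repeatable), historical simulation VaR (defined) and Monte Carlo VaR (managed). The Python below is an added example written for this page, not code from the paper or from any vendor, that computes all three on the same constructed sample so the differences between the methods are visible. The twenty daily returns, the position value and the 95 per cent confidence level are constructed assumptions, and the floor-index quantile used for the historical and simulated distributions is one of several accepted conventions.

```python
"""Three value-at-risk estimators from the capability maturity ladder.

Added example for this page; not the paper's own method nor a library's API.
Returns, confidence level and position value are constructed assumptions.
"""
import math
import random
import statistics
from statistics import NormalDist
from typing import Dict, List

# Constructed: twenty daily portfolio returns as fractions (not real market data).
SAMPLE_RETURNS: List[float] = [
    0.004, -0.012, 0.007, 0.001, -0.025, 0.010, -0.003, 0.015, -0.008, 0.002,
    0.006, -0.018, 0.009, -0.001, 0.003, -0.030, 0.012, 0.000, -0.006, 0.005,
]


def _tail_index(n: int, confidence: float) -> int:
    """Index of the (1 - confidence) quantile in a sorted sample of size n.

    Assumed convention: floor, so with n = 20 and 95 per cent confidence the
    second-worst observation is the cut-off. Other quantile definitions exist.
    """
    return min(n - 1, int(math.floor((1.0 - confidence) * n)))


def parametric_var(returns: List[float], confidence: float = 0.95) -> float:
    """Variance-covariance VaR: assumes normally distributed returns.

    VaR = -(mu + z * sigma), where z is the standard normal quantile at
    1 - confidence (negative for confidence > 0.5). Result is a positive loss fraction.
    """
    mu = statistics.fmean(returns)
    sigma = statistics.stdev(returns)
    z = NormalDist().inv_cdf(1.0 - confidence)
    return -(mu + z * sigma)


def historical_var(returns: List[float], confidence: float = 0.95) -> float:
    """Historical simulation VaR: the empirical tail quantile of observed returns,
    with no distributional assumption (so fat tails in the data are kept)."""
    ordered = sorted(returns)
    return -ordered[_tail_index(len(ordered), confidence)]


def monte_carlo_var(returns: List[float], confidence: float = 0.95,
                    n_paths: int = 20000, seed: int = 7) -> float:
    """Monte Carlo VaR: draw n_paths returns from a normal fitted to the sample
    and read the tail quantile of the simulated distribution. A fixed seed keeps
    the estimate reproducible; with a normal driver it converges to parametric_var,
    and a different driver (e.g. a fat-tailed one) would be the point of using it."""
    mu = statistics.fmean(returns)
    sigma = statistics.stdev(returns)
    rng = random.Random(seed)
    simulated = sorted(rng.gauss(mu, sigma) for _ in range(n_paths))
    return -simulated[_tail_index(n_paths, confidence)]


def var_report(returns: List[float], position_value: float,
               confidence: float = 0.95) -> Dict[str, float]:
    """One-day VaR of a position in currency units under each method."""
    return {
        "parametric": parametric_var(returns, confidence) * position_value,
        "historical": historical_var(returns, confidence) * position_value,
        "monte_carlo": monte_carlo_var(returns, confidence) * position_value,
    }


if __name__ == "__main__":
    for method, loss in var_report(SAMPLE_RETURNS, 1_000_000).items():
        print(f"{method:<12} one-day 95% VaR: {loss:,.0f}")
```

On this sample the historical figure is higher than the parametric one because the two worst observed days are further out than a normal distribution fitted to the same data would predict; that gap is the reason the paper's ladder places historical simulation above the parametric approach, and why a VaR report (item 5 of the risk management report) should say which method produced the number.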


3.2.3 - WAYS TO AGGREGATE MULTIPLE RISK MEASURES USING A COMBINATION OF A RIGOROUS METHODOLOGY AND THE APPLICATION OF JUDGMENT

1. Risk pooling - positively and negatively correlated

2. Risk appetite and risk tolerances

3. Hurdle rates - Discounted cash flow

4. At risk frameworks - Value at risk, earnings at risk, gross margin at risk and cash flow at risk

5. Risk adjusted performance measurement - Risk adjusted return on capital

3.2.4 - RISK MEASUREMENT CAPABILITIES ACHIEVE

1. More robust risk reporting

2. Greater investment confidence

3. Greater integration and alignment

4. Higher valuation

The most important contribution of ERM to improving business performance is to help managers make better choices in protecting and enhancing enterprise value.

Shareholder value is a generally accepted measure of value and is therefore an example of a useful context for defining enterprise value. Economic value added (EVA) is such a measure.

The basic formula for calculating EVA is:

EVA = NOPAT less WACoC

NOPAT = Net operating profit after tax

WACoC = Weighted average cost of capital


3.2.5 - APPLYING AN ERM PERSPECTIVE

Applying EVA identifies several opportunities for enhancing risk management processes to improve business performance:

1. Create new opportunities

2. Improve performance

3. Harvest existing value

4. Adjust and align cost of capital

3.3 - RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM

1. ERA – Enterprise risk assessment tools (decision support, survey and risk registers)

2. ORM – Operational risk management tools (qualitative and quantitative)

3. IA - Integrated compliance and risk management platform solutions


3.3.1 - PRIORITIZATIONS OF FUNCTIONALITY

| Feature | COSO ERM component | Solution |
| --- | --- | --- |
| Entity definition and objectives | Internal environment, objective setting | ERA, ERM, ORM |
| Risk identification | Event identification, risk assessment | ERA, ERM, ORM |
| Framework support | Various | ERA, ERM, ORM |
| Risk control and monitoring | Risk assessment, risk response, control activities | ERM, ORM |
| Risk workflow scheduling and notification | Risk assessment, risk response, control activities, monitoring | ERM, ORM |
| Risk and audit issue tracking | Risk response, control activities, information and communication, monitoring | ERM, ORM |
| Data collection, event tracking | Information and communication, monitoring | ORM |
| Risk and control self-assessment | Risk assessment, risk response | ERA, ERM, ORM |
| KPI definition and tracking | Risk response, control activities, information and communication, monitoring | ERM, ORM |
| Frequency and severity estimation and other statistical analyses | Risk assessment | ORM |
| Exposure calculation | Risk assessment, risk response, information and communication, monitoring | ORM |
| Scenario analyses | Risk assessment, risk response, information and communication, monitoring | ORM |
| Capital calculation | Risk response, information and communication, monitoring | ORM |
| RAROC analysis | Risk response, information and communication, monitoring | ORM |
| VaR model | Risk assessment, risk response, information and communication, monitoring | ERM |
| Internal reporting | Internal environment, information and communication, monitoring | ERA, ERM, ORM |
| Regulatory reporting | Internal environment, information and communication, monitoring | ORM |
| Risk response | Risk response | ERM |
| Compliance templates | Various | ERM |
| Audit planning | Risk assessment, monitoring | IA |
| Project management | Monitoring | IA |

Table 9


3.3.2 - CHARACTERISTICS OF SUCCESSFUL ERM SOFTWARE VENDORS:

1. In-depth RM knowledge

2. Ability to educate prospects and customers

3. Ability to execute and support

4. Professional services

5. Global presence

6. Firm’s overall size

7. Ability to leverage existing relationships to build technology

8. Operational and financial risk expertise

3.3.3 - ERM VS. QUALITY INITIATIVES

ERM is an enterprise level process that is integral to strategy setting. Quality initiatives provide the methodology and tools to help organizations understand, measure and continuously improve the efficiency and quality of their processes at a detailed level.

3.4 – ADVANTAGES

3.4.1 - MANAGEMENT ALTERS AN ENTITY'S RISK CHARACTERISTICS BY REDUCING:

1. The enterprise's net exposure

2. The variability of the enterprise's expected returns caused by specific sources of uncertainty (e.g. fluctuating currency rates)

3. The likelihood of financial distress in the event of realized changes in key variables (e.g. changes in interest rates for a highly leveraged company)

4. Other uncertainties in the attainment of expected returns


3.4.2 - ERM TO ESTABLISH A SUSTAINABLE COMPETITIVE ADVANTAGE

1. Integrate risk management with business planning and strategy setting

2. Implement more rigorous risk assessment process

3. Improve management of common risks across the enterprise

4. Improve capital deployment and resource allocation

5. Configure the enterprise's risk taking with its core competencies

6. Seize opportunities through rational assumption of risk


3.5 - SUITABILITY

Fig.5 – Key questions a business case must address


3.6 - LIMITATIONS

3.6.1 - VALUE IN USING QUALITATIVE INFORMATION WHEN ASSESSING RISK

Some risks do not lend themselves to quantitative measurement because the related events occur so infrequently and, if and when they do occur, they are subject to such a wide range of possible outcomes in terms of severity that it is difficult, if not impossible, to quantify them.

3.6.2 - COMMON MISTAKES AND PITFALLS DURING THE RISK ASSESSMENT PROCESS

1. Lack of clarification and common understanding of the meaning or definition of risk

2. Not including all stakeholders

3. Not considering or giving appropriate weight to knowledgeable positions

4. Setting unclear or unrealistic objectives

3.6.3 - THE PROBLEMS ERM PRACTITIONERS MAY FACE

The problems arise when identifying, collecting, cleansing, and analyzing data. Often adding to this frustration is a lack of guidance on how to create an information infrastructure to accomplish their goals. ERM practitioners also face the challenge of dealing with cultural, organizational, and political obstacles to data transformation efforts that seem to be almost universal in organizations of all types (Fraser, Schoening-Thiessen & Simkins, 2008).

ERM information systems face the same hurdles as other systems that have required changes in procedures, processes, or culture; there are many lessons to be learned from the past implementation of other large systems. Above all, patience and persistence are keys to the process of implementation.


3.6.4 - DEMONSTRATION OF ERM'S USEFULNESS KEY TO WINNING OVER MANAGEMENT

Risk managers should expect resistance from their managers.

Risk managers who are preparing to implement an enterprise risk management process should be ready to mitigate opposition from middle and lower management.

To counter resistance, risk managers must address it before implementing the process.

Risk managers should demonstrate that ERM is a tool managers can use to improve unit performance and promote their individual worth.

Risk managers also need a senior manager to co-champion ERM in addition to top management support.

Unit managers perceive ERM as a spotlight that illuminates losses and potential risks, which "doesn't paint them in a positive light".

Risk managers must adopt seven principles which will obtain and retain middle- and lower-management support:

1. Simplify the ERM process, because "people don't do what they don't understand."

2. Communicate its purpose.

3. Provide training.

4. Personalize it to help managers achieve their objectives.

5. Demonstrate how it adds value to the managers' business operation.

6. Monitor performance.

7. Tie performance to compensation.

Of course, finding an individual whose expertise spans the full spectrum of enterprise wide risks in a financial institution, from loan quality and interest-rate mismatches to fraud and natural disasters, will be a significant challenge.


CONCLUSION

I have done an exploratory self-study about Enterprise Risk Management and would like to conclude that it is a relatively new and vast topic and needs much time and expertise to comprehend. In this study I did not obtain actual numbers and figures of any organization in particular and I have also not used any advanced statistical techniques. There are different approaches and models to obtain optimal risk management which need much detailed research and practical knowledge. Hence, I have not given any specific recommendations regarding the implementation, application and use of ERM. Nevertheless, it can be understood that ERM is not just the simple sum of all risks facing an organization.

ERM basically becomes a means of shifting focus from crisis response management and compliance to evaluating risks in business strategies proactively to enhance investment decision making and maximize stakeholder value. Enterprises (regardless of size) need to protect themselves from the adverse effects of risk and need to exploit risk. ERM solutions need to be tailored for each organization according to the factors affecting that enterprise. Risk exists all around us; you can choose to use it or let it destroy you. The concept of ERM is debatable in terms of time, cost and effectiveness for an enterprise.


REFERENCES

https://web.ebscohost.com/ehost/detail

http://pwc.com/us/grc

http://www.pwc.com/us/en/issues/enterprise-risk-management/publications/guide-to-risk-assessment-risk-management-from-pwc.jhtml

http://www.ucop.edu/enterprise-risk-management/

http://www.zurich.com/internet/main/sitecollectiondocuments/insight/risk-management-in-a-time-of-global-uncertainty.pdf

http://www.zurich.com/insight/global-issues/hbr-study/

http://www.forbes.com/sites/tatianaserafin/2012/07/02/risky-business-managing-risk-in-a-volatile-world/

http://www.forbes.com/forbesinsights/risk_management_2012/index.html

http://business.illinois.edu/~s-darcy/Fin321/2007/Readings/erm%20(conference%20board).pdf

mib.rbs.com/Basel-III
