Enterprise Risk Management - Literature review Example

Summary
The review "Enterprise Risk Management" critically analyses the major issues of enterprise risk management and its major components, and identifies how an ERM program can be designed for virtually any industry…
Introduction

As today’s economic and competitive environments become more complex in multiple industries, companies face ongoing risks to profitability, marketing, information systems security and many other imperative business functions. Risks are identified as any scenario that can cause detriment to achieving organisational goals dictated by strategic leadership that erode competitiveness or represent threat to financial stability. Many organisations have developed some form of risk management approach, however there is a modernised approach to achieving risk mitigation known as enterprise risk management (ERM). ERM involves taking a proactive view of the entire business or organisation rather than looking at risk as simply a matter of special project overview to identify threats. It goes far beyond the typical SWOT analysis that looks at different weaknesses and threats and recognises the whole of the business as a functional unit that is inter-connected whereby multitudes of risk possibilities exist. This literature review describes what constitutes enterprise risk management, its major components and also provides an identification of how an ERM programme can be designed into virtually any industry.

2. Defining a stable ERM programme

Enterprise risk management is defined as: “The discipline by which an organisation in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organisation’s short- and long-term value to its stakeholders” (casact.org, 2003, p.8). What makes ERM different from typical risk management programmes is that it recognises strategic imperatives, thus making it an ongoing part of strategic analysis often dictated by executive leadership and Board governance.
Generally, risk management programmes are short-term objectives associated with special project teams, thereby somewhat ignoring the long-term prospects of risk mitigation in multiple areas of the business. Kimmel & Anderson (2010) identify five specific elements of an ERM system to include:

1. Linking risk management to the organisation’s strategy, values and culture – This definition insists that enterprise risk management is linked to the operational and human capital components of the organisation and is tied directly to organisational structure and design.
2. Providing management with a comprehensive and repeatable knowledge base so as to understand how to identify and assess potential risk factors.
3. Assignment of specific roles and responsibilities tied to governance for ERM.
4. The ability to provide higher valued knowledge so that managers can make better operational and financial business decisions.
5. Providing risk-related knowledge so that auditing and monitoring is an ongoing part of the programme design.

Most organisations that utilise ERM systems recognise four categories of objectives in order to assist organisations in meeting long- and short-term strategic goals. These include, as offered by Moore (2010):

1. Strategic imperatives – These are high-level goals that help align the organisation to its overall mission and value proposition.
2. Operational components – Helping to achieve efficient and effective use of resources organisation-wide, such as marketing, production and accounting (as relevant examples).
3. Reporting – Reporting aspects include financial figures and overall business strengths as related to stakeholders and shareholders.
4. Compliance – Laws and regulatory compliance such as Sarbanes Oxley and other labour-related laws that drive business structure and operations.
These four objectives are part of the COSO model that is widely used in most organisations that have developed an ERM system, one of the most common models of ERM available. It is a comprehensive tool for identifying and managing risk factors (Moore, 2010). Enterprise risk management is beneficial to the business as it creates a teamwork methodology that includes Board governance, employees and mid-level and senior management so that the entire organisation is engaged in identifying potential risks for the purpose of managing these threats to many different business units. Many organisations that have well-developed ERM programmes link risk management with sales and marketing, logistics, customer service, human resources, information technology and manufacturing as well (Widup, 2010). What generally occurs in enterprise risk management is creating risk management teams that already specialise in their own business unit practices and assigns responsibilities to these groups who will then take proactive steps toward risk mitigation and report their findings throughout the entire organisation, whether it is centralised or decentralised.

An ERM programme must take into consideration all business divisions in order to be successful. According to Mehta (2010, p.35) a common problem with ERM is that many organisations consider such programmes to be only effective in compliance issues and fail to identify risks attached to operational units. “If this happens, the CEO will inevitably lose interest, the program will not work and all efforts to implement ERM will be essentially futile” (Mehta, 2010, p.36). All of the literature on enterprise risk management seems to reinforce that without an entire business focus, risk management efforts will be unsuccessful and will not provide much long-term value to the organisation.

3. Risk definitions and statistics on ERM

ERM programmes must identify the following factors in order to gain long-term value for the organisation, as provided by Makomaski (2008):

1. Manage the chances of loss or potential gains by first assessing different probabilities as they related to functional business units – This means that an ERM system must be proactive and consist of business professionals that fully understand the inter-linkages between functional business units.
2. Manage the different potential deviations from long-term goal targets and performance management – Many companies have performance management systems that provide incentives or other bonuses for effective group or individual performance as related directly to strategic mission and goals. An effective ERM system must become part of this existing system whereby the entire organisation is engaged from a human resources view.
3. Identify expected losses using budgeting techniques.
4. Identify uncertainty potential.

One problem with ERM is that there are no solid benchmarks by which organisations can develop their own effective enterprise risk management strategy. A recent survey of 460 senior managers in multiple industries identified that 54.6 percent of respondents looked toward the COSO framework model for their ERM programmes, not always finding effective results through this benchmarking effort (Beasley, Branson & Hancock, 2010). Because ERM is in its infancy as a subset of traditional risk management practices, there is a risk in structuring an ERM based on COSO or other models as they might not necessarily pertain to the unique business environment in which a specific industry operates. Organisations need to identify how their business environment operates internally and how it is linked to the external environment and then structure their own unique ERM programme based on these factors.
There is definitely no one-size-fits-all structure by which to build an assessment and risk management profile or model. “No clear, universally accepted definition of ERM exists, which makes it harder to assess the strength of an ERM program”, offers Alice Gannon, a C-Counsel consultant for EMB America (Cavanaugh, 2009, p.45).

4. How to implement an ERM system

According to Chitakornkijsil (2010), in order to create an effective ERM programme, the following business units must also be included, other than just financial issues:

1. Employee benefits – Health insurance, life insurance, retirement planning, and benefits recognition must be included. These are risks to the financial state of the organisation and also represent risks as associated with the human capital development efforts that drive competitiveness in unique industries.
2. Human resources – These areas include employee relations, potential disability and health/safety losses, and unemployment insurance. Again, these are common risks that are often dismissed in typical risk management systems, however the enterprise view suggests that these are vital areas that must be included in order to have an effective and resourceful ERM programme in place.
3. Information technology – Most large-scale businesses, today, operate in multiple marketing environments and have a heavy reliance on technology and software support in order to sustain business momentum. Risks in this area include hacking, system integrity, and other internal and externalised threats to virtual knowledge. Because IT is vital to the integrity of most businesses, failure to include representatives from this specialised business unit could lead to an ineffective ERM system.

One of the main factors often overlooked when businesses are attempting to build their own ERM model is the monitoring stage of the programme.
There are many different qualitative and quantitative tools available for this, including surveys, interviews or workshop participation (Muzzy, 2008). Some CEOs and Board governors tend to believe that identification of risks is the most solid part of the ERM system and fail to create tools by which to measure successes or failures of the efforts of risk management. There must be a measurement system in place so that hard data can be produced that links human effort with actual outcomes in order for the enterprise risk management programme to be effective. Surveying includes internal employees and the customer as well, especially when the business relies on revenues from third-party customers in order to maintain competitiveness and secure shareholder interests. Interviews and workshops can also include these same individuals both internal and external. They provide important feedback regarding the ERM effort and can further identify risks, especially when from external parties, that might not have been considered by the efforts of different internal risk management teams. The goal is to identify all potential opportunities for risk and this involves taking the effort out of the internal political and operational structure and having a tool to understand how the business impacts the external environment. Such surveys are also effective when delivered to customers and then having this data integrated into new risk mitigation strategies at the marketing and sales levels. Whirlpool, a major appliance manufacturer and marketer, has developed their own ERM system that has brought considerable strength in risk reduction over its competition. Whirlpool incorporated the entire supply chain system into its ERM system, including supplier bargaining power and cost management, thereby creating a more financially sound system of procurement. 
Other factors identified by externalising risk management included “cost, quality, product liability, recall and potential supply interruptions” (Lenckus, 2006, p.18). Many businesses only look at the cost factors of procurement and fail to identify that the third-party vendors, themselves, can create significant risk if they have ineffective business models or are victimised by supply interruptions. Whirlpool used surveys and interviews, along with supply analysis models, and realised it could change suppliers to a foreign manufacturer of needed parts, thereby saving the firm almost $5 per unit on parts that had been procured domestically for many years. Without taking the ERM structure external, Whirlpool would have been forced to make budgetary cuts in other areas to ensure adequate manufacturing supply. The cost savings and efficiency in the supply chain was increased exponentially by viewing the organisation as an entire, inter-linked functional system rather than tackling ERM as a special project focus in just a few areas of business. In order for the effort of ERM to be successful, AON Analytics (2010) offers that the entire organisation must be involved in the programme in order for it to have full effectiveness and bring long-term value. Only 15 percent of today’s companies have a programme for ERM that includes more than merely Board leaders or senior executives (aon.com, 2010). This is a marginal number, offering further support for why ERM systems fail upon launch. Enterprise risk management must be linked with the existing organisational culture and structured based on this premise or principle. For example, the organisation might have a leaner type of authoritarian system, the decentralised hierarchy where decision-making is distributed throughout the organisation rather than simply trickling down from the top layers of management. 
In this system, employees are empowered as decision-makers and given autonomy in their job roles where development and learning are part of the organisational model. In this type of organisation, employees should be engaged to identify potential risks as they relate to their own unique, specialised job function and then report their findings periodically in staff meetings or other reporting mediums such as the intranet. By engaging workers to achieve proactive risk mitigation, the culture becomes one of risk identification.

5. Weaknesses of the ERM programme

Moody (2009) identifies a variety of shortcomings and oversights common when organisations develop their own enterprise risk management model:

1. Availability of relevant and up-to-date information – Internal ERM teams do not necessarily have firsthand knowledge of certain business areas, such as the procurement team understanding the external sales team methodology, therefore they cannot make adequate decisions related to sales and marketing. A representative from all external teams must be included in some fashion in order to have recent and relevant knowledge to assist in the ERM model.
2. Lack of incentive systems – Much like traditional business, workers are motivated by receipt of reward, such as bonuses, when they have accomplished important organisational tasks or objectives. Usually, these are monitored and controlled by the human resources division and are part of the appraisal process. A long-term, structured ERM model that includes multiple business divisions must develop some form of incentive system to keep people engaged in their unique tasks related to ERM. These could include bonuses or promotions (as two examples) so that the psychological elements of human relations are sustained throughout the entire ERM programme.
3. No stress testing or scenario planning – Stress tests are a method to model potential outcomes of an ERM effort when assessing multiple business divisions.
These can be accomplished through surveys or information technology-backed modelling. Scenario planning provides a what-if methodology that acts much like an organisation-wide brainstorming effort that is ongoing through the entire design of ERM.
4. Lack of consolidation – In most businesses, especially those where internal performance competition is common, workers tend to segregate themselves especially when bonus or promotions are potential outcomes of their efforts. This can create a scenario where ERM efforts remain individualised and do not bring full value to the risk mitigation and monitoring efforts. The entire effort must be enterprise-wide and avoid individualised competitiveness that is common to occur if not consolidated between functional business units.
5. Concerns over risk expertise and risk knowledge – Some organisations do not have skilled senior or mid-level management when it comes to identifying risk as many CEOs and line managers do not have full functional knowledge of how business divisions are inter-connected. There should be preliminary training and assessment provided regarding the competency levels of the risk management teams, both senior and junior level, before launching an enterprise-wide risk management model.

Other risks to launching an effective ERM system include, according to De La Rosa (2007):

1. Poor business tone – Business cultures that are not cooperative and are centralised often have difficulty in creating team methodology. The ethical make-up of the organisation along with the generalised attitudes associated with workers and managers must be assessed before launching an ERM system if it hopes to succeed effectively. Centralised organisations are not accustomed, culturally, to having mid- or lower-level authority granted to workers. The capability of the entire organisational units to work together effectively must be present for ERM to be a success.
2. Poorly defined ERM language – As there is no universally-accepted model for enterprise risk management, the language by which a new model is driven could be confusing to workers or fail to fully identify what areas of business risk should be assessed. Before structuring such a system, there must be controls in place using language that is appropriate and relevant to the existing cultural and leadership mentalities within the organisation.
3. Poor consultant supervision – Many business leaders believe that once the ERM model has been created and the programme launched, ranking managers maintain the capabilities and competencies to tackle these projects without oversight. Especially if external, third party consultants are used, there must be a regulatory system by knowledge professionals to periodically check on the status and outcomes of management efforts in ERM.
4. Insufficient human resources and financial support – Organisations that do not have a dedicated human resources division might find ERM systems to be too complicated to sustain over the long-term. Further, internal budgets, especially during times of externalised economic slow-downs, could hinder an inter-linked, team-minded enterprise risk management system. The evidence provided would suggest that without an appropriate budget and without human resources support, the ERM programme will not last beyond its first year after launch (De La Rosa, 2007).
5. No appropriate auditing systems – There must be a tool or checklist constructed that identifies what is expected of the ERM programme in order to audit properly and remove redundancies or streamline efforts to make them more effective. Muzzy (2008) identifies that it is common for duplication of efforts in risk management to exist and can lead to financial and management problems throughout the entire ERM effort.
Such auditing systems must be developed for an effective outcome to be anticipated, including senior management regulatory presence, consultant expertise or other reporting systems. There must be a system to “track remediation and mitigation for each compliance risk, report risk areas with real-time data and continually identify new risks to ensure prioritized focus” (Kusserow, 2007, p.54).

6. Conclusion

All of the research evidence provided suggests that virtually any business, in any industry, can develop an effective ERM system so long as all of the inter-linkages between staff, operations, finance and Board governance are made part of the ERM model. The difficulty with providing guidance to businesses that need a more structured risk management system is that there is no standard by which to mould an enterprise risk management system that can be used as a benchmark. This leaves it up to the organisation, itself, to structure a practice and principle that is unique to their own industry or business unit. However, the COSO template seems to provide the most value and it is recommended that it is used as a tool by which to lay the foundation of an ERM system.

7. References

Aon.com. (2010). [internet] Global enterprise risk management survey, AON Analytics. [accessed 3.3.2011 at http://www.aon.com/attachments/2010_global_ERM_survey.pdf]
Beasley, M., Branson, B. & Hancock, B. (2010). Are you identifying with your most significant risks?, Strategic Finance. 92(5), pp.29-36.
Casact.org. (2003). [internet] Overview of enterprise risk management, Casualty Actuarial Society, Enterprise Risk Management Committee. [accessed 3.6.2011 at http://www.casact.org/research/erm/overview.pdf]
Cavanaugh, B.B. (2009). Risking the enterprise, Best’s Review, Oldwick. 109(12), pp.44-48.
Chitakornkijsil, P. (2010). Enterprise risk management, International Journal of Organisational Innovation. 3(2), pp.309-338.
De La Rosa, S. (2007). Moving forward with ERM, The Internal Auditor. 64(3), pp.50-56.
Kimmel, B. & Anderson, G. (2010). ERM myths & truths, Financial Executive. 26(10), pp.48-51.
Kusserow, R. (2007). Enterprise risk management: the next evolutionary step in compliance, Journal of Health Care Compliance. 9(4), pp.53-55.
Lenckus, D. (2006). Industries continue to apply ERM plans successfully, Business Insurance. 40(19), pp.18-20.
Makomaski, J. (2008). So what exactly is ERM?, Risk Management. 55(4), pp.80-83.
Mehta, S. (2010). It’s time for ERM, Financial Executive. 26(9), pp.34-38.
Moody, M. J. (2009). ERM: clash of cultures, Rough Notes. 152(8), pp.26-28.
Moore, J.W. (2010). From phishing to advanced persistent threats: the application of cybercrime risk to the enterprise risk management model, The Review of Business Information Systems. 14(4), pp.27-37.
Muzzy, L. (2008). Approaching enterprise risk management, Financial Executive. 24(8), pp.59-62.
Widup, R.E. (2010). An ESRM model for brand protection, Security. 47(12), pp.38-40.

Appendix A: Value provided by ERM models
Source: http://www.ucop.edu/riskmgt/erm/documents/protiviti_faqguide.pdf