Risk is a major issue for most organisations. A discussion of what is meant by risk, different types of risks and identifying them is covered here. Principles of risk management are discussed here. This page looks at controlling risk.
The controlling of risk will be performed by many parties throughout a company. Here we consider the reasons why, and who these people might be.
Enterprise Risk Management (ERM)
Enterprise Risk Management (ERM) can be defined as the:
'process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise,designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.'
Enterprise Risk Management - Integrated Framework, the Committee of Sponsoring Organisations, COSO, 2004
Principles of ERM
The key principles of ERM include:
- consideration of risk management in the context of business strategy
- risk management is everyone's responsibility, with the tone set from the top
- the creation of a risk aware culture
- a comprehensive and holistic approach to risk management
- consideration of a broad range of risks (strategic, financial, operational and compliance)
- a focused risk management strategy, led by the board (embedding risk within an organisation's culture ).
COSO ERM framework matrix
The COSO ERM framework is represented as a three dimensional matrix in the form of a cube which reflects the relationships between objectives, components and different organisational levels.
The eight components are closely aligned to the risk management process, and also reflect elements from the COSO view of an effective internal control system:
Internal environment: This is the tone of the organisation, including the risk management philosophy and risk appetite.
Objective setting: Objectives should be aligned with the organisation's mission and need to be consistent with the organisation's defined risk appetite.
Event identification: These are internal and external events (both positive and negative) which impact upon the achievement of an entity's objectives and must be identified.
Risk assessment: Risks are analysed to consider their likelihood and impact as a basis for determining how they should be managed.
Risk response: Management selects risk response(s) to avoid, accept, reduce or share risk. The intention is to develop a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control activities: Policies and procedures help ensure the risk responses are effectively carried out.
Information and communication: The relevant information is identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities.
Monitoring: The entire ERM process is monitored and modifications made as necessary.
Benefits of ERM enhanced decision-making by integrating risks the resultant improvement in investor confidence, and hence shareholder value focus of management attention on the most significant risks a common language of risk management which is understood throughout the organisation
- reduced cost of finance through effective management of risk
Risk and corporate governance
The issue of corporate governance and how to manage risk has become an important area of concern across the world.
- Reviews such as the UK Turnbull Committee have identified risk management as key to effective internal control.
- In turn, following good corporate governance procedures (including having sound internal control systems) will decrease the impact of many risks on an organisation.
- Risk analysis is best carried out in the context of the OECD principles of good corporate governance.
- An overriding risk is that an organisation fails to meet the appropriate corporate governance regulations.
OECD principles of good corporate governance are:
The role of the Board
The board of an organisation plays an important role in risk management.
- It considers risk at the strategic level and defines the organisation's appetite and approach to risk.
- The board is responsible for driving the risk management process and ensuring that managers responsible for implementing risk management have adequate resources.
- The board is responsible for ensuring that risk management supports the strategic objectives of the organisation.
- The board will determine the level of risk which the organisation can accept in order to meet its strategic objectives.
- The board ensures that the risk management strategy is communicated to the rest of the organisation and integrated with all the other activities.
- The board reviews risks and identifies and monitors progress of the risk management plans.
- The board will determine which risks will be accepted which cannot be managed, or which it is not cost-effective to manage, i.e. residual risk.
- The board will generally delegate these activities to a risk committee.
Risk appetite is a measure of the general attitude to accepting risk
It can be determined by:
- risk capacity - the amount of risk that the organisation can bear, and
- risk attitude - the overall character of the board, in terms of the board being risk averse or risk seeking.
Risk appetite has an important influence on the risk strategies an organisation has in place.
For example a charity or public sector organisation will be characteristically risk averse - the organisation would seek to avoid risky situations. Therefore the risk management system the organisation develops may be less sophisticated and less costly
Conversely an organisation actively seeking additional risk, financial derivative traders for example. Should:
- See risk management as of strategic importance.
- Invest in a comprehensive risk management system
The factors or business strategies, which could affect the risk appetite of the board of a company include:
Risk attitude can be seen on a continuum from risk averse to risk seeking.
There is no easy correlation between the risk attitude of an organisation and its size, structure and development. In general terms:
- a small, young company may have a higher risk attitude as it takes risks in order to get its product into the market.
- a larger, older company may appear to be more risk averse as it seeks to protect its current market position.
Risk attitude factors
The overall point here is that general trends can be established. However, there is no definitive link between size, structure and development and the level of risk within an organisation.
Though corporate governance codes do not specifically require a risk committee to be established, many companies will set up a separate risk committee or establish the audit committee as a 'risk and audit committee'. The risk committee is sometimes referred to as a risk management committee. Where no risk committee is formed, the audit committee will usually perform similar duties.
Composition of risk committee
The committee will include both executive and non-executive directors, with the majority being NEDs. Executive directors are involved as they are responsible for the day-to-day operations and therefore have a more detailed understanding of the associated risks.
Roles of the risk committee
In broad terms, the risk (management) committee within an organisation has the following main aims:
- Raising risk awareness and ensuring appropriate risk management within the organisation.
- Establishing policies for risk management.
- Ensuring that adequate and efficient processes are in place to identify, report and monitor risks.
- Updating the company's risk profile, reporting to the board and making recommendations on the risk appetite of the company.
Supporting these objectives of the risk (management) committee, there are many secondary objectives. These objectives may also be contained in the terms of reference of the risk (management) committee.
- Advising the board on the risk profile and appetite of the company and as part of this process overseeing the risk assurance process within the company.
- Acting on behalf of the board, to ensure that appropriate mechanisms are in place with respect to risk identification, risk assessment, risk assurance and overall risk management.
- Continual review of the company's risk management policy including making recommendations for amendment of that policy to the board.
- Ensuring that there is appropriate communication of risks, policies and controls within the company to employees at all management levels.
- Ensuring that there are adequate training arrangements in place so management at all levels are aware of their responsibilities for risk management.
- Where necessary, obtaining appropriate external advice to ensure that risk management processes are up to date and appropriate to the circumstances of the company.
- Ensuring that best practices in risk management are used by the company, including obtaining and implementing external advice where necessary.
Responsibilities of the risk committee
Detailed tasks of the risk committee are to:
- Assess risk management procedures (for the identification, measurement and control of key risk exposures) in accordance with changes in the operating environment.
- Emphasise and demonstrate the benefits of a risk-based approach to internal control.
- If appropriate, consider risk audit reports on key business areas to assess the level of business risk exposure.
- Assess risks of any new ventures and other strategic initiatives.
- If appropriate, review credit risk, interest rate risk, liquidity risk and operational risk exposures with regard to full board risk appetite.
- Consider whether public disclosure of information regarding internal control and risk management policies and key risk exposures is in accordance with the statutory requirement and financial reporting standards.
- Make recommendations to the full board on all significant matters relating to risk strategy and policies.
Some of these tasks may be directed toward the audit committee,especially the areas of internal control where there already is an internal audit function.
Role of the risk manager
The risk manager is a member of the risk management committee, reporting directly to that committee and the board. The role focuses primarily on implementation of risk management policies. The manager is supported and monitored by the risk management committee. The role is more operational than strategic. Policy is set by the board and the risk management committee and implemented by the risk manager.
Risk manager activities
Typical activities carried out by a risk manager include:
- Provision of overall leadership for risk management team.
- Identification and evaluation of the risks affecting an organisation from that organisation's business, operations and policies.
- Implementation of risk mitigation strategies including appropriate internal controls to manage identified risks.
- Seeking opportunities to improve risk management methodologies and practices within the organisation.
- Monitoring the status of risk mitigation strategies and internal audits, and ensuring that all recommendations are acted upon.
- Developing, implementing and managing risk management programmes and initiatives including establishment of risk management awareness programmes within the organisation.
- Maintaining good working relationships with the board and the risk management committee.
- Ensuring compliance with any laws and regulations affecting the business.
- Implementing a set of risk indicators and reports, including losses, incidents, key risk exposures and early warning indicators.
- Liaising with insurance companies, particularly with regards to claims, conditions and cover available.
- Depending on specific laws of the jurisdiction in which the organisation is based, working with the external auditors to provide assurance and assistance in their work in appraising risks and controls within the organisation.
Again, depending on the jurisdiction, producing reports on risk management, including any statutory reports (e.g. Sarbanes-Oxley (SOX) reports in the US).
Embedding risk management
The aim of embedding risk management is to ensure that it is 'part of the way we do business' (to misquote Handy).
It can be considered at two levels:
- embedding risk management in systems
- embedding risk management in culture.
Embedding risk management in systems
Embedding risk management in systems applies to the concept of ensuring that risk management is included within the control systems of an organisation.
- In this context, a control system helps ensure that other systems (e.g. the accounting system) are working correctly.
- Risk management is not seen as a separate system.
- In many jurisdictions, this is a statutory requirement (e.g. US) while in others it is a code of best practice (e.g. UK).
- To be successful, embedding risk management needs approval and support from the board.
The process of embedding risk management within an organisation's systems and procedures can be outlined as follows:
(1) Identify the controls that are already operating within the organisation.
(2) Monitor those controls to ensure that they work.
(3) Improve and refine the controls as required.
(4)Document evidence of monitoring and control operation (using performance metrics or independent assessment such as internal or external audit).
Success of embedding risk in systems
Embedding risk management is unlikely to be successful within an organisation unless it is:
- supported by the board and communicated to all managers and employees within the organisation
- supported by experts in risk management
- incorporated into the whole organisation, i.e. not part of a separate department seen as 'responsible' for risk
- linked to strategic and operational objectives supported by existing processes such as strategy reviews, planning and budgeting, e.g. again not seen as an entirely separate process
- supported by existing committees, e.g. audit committee and board meetings rather than simply the remit of one 'risk management' committee
- given sufficient time by management to provide reports to the board.
Embedding risk management in culture
Risk management needs to be embedded into policies and procedures in an organisation. However, the policy may still fail unless all workers in a company (board to employees) accept the need for risk management. Embedding risk management into culture and values therefore implies that risk management is 'normal' for the organisation.
Methods of embedding risk management in the culture and values of an organisation include:
- aligning individual goals with those of the organisation
- including risk management responsibilities within job descriptions
- establishing reward systems which recognise that risks have to be taken in practice (e.g. not having a 'blame' culture)
- establishing metrics and performance indicators that can monitor risks and provide an early warning if it is seen that risks will actually occur and affect the organisation
- informing all staff in an organisation of the need for risk management, and publishing success stories to show how embedding risk management in the culture has benefited both organisation and staff.
Success of embedding risk management in culture
Various cultural factors which affect the extent to which risk management can be embedded into the culture and values of an organisation include:
- whether the culture is open or closed, i.e. open to new ideas, procedures and change
- the overall commitment to risk management policies at all levels in the organisation
- the attitude to internal controls, i.e. to cause constraints within the organisation or provide benefits in terms of lowering risk?
- governance, i.e. the need include risk management in the organisation to meet the needs and expectations of external stakeholders
- whether risk management is a normal part of the organisation's culture, i.e. whether it is taken for granted or not.
Created at 8/9/2012 12:17 PM by System Account
(GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 9/27/2013 4:40 PM by System Account
(GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Ratings & Comments
(Click the stars to rate the page)