Enterprise Risk Management and the Road to Success

Submitted by: Carl Burch, CMA, CIA

Finance and Accounting Lecturer
Moscow, Russia
Cburch@global.t-bird.edu

Introduction
In our last article we discussed the five components of internal control, including:
1) Control Environment,
2) Risk Assessment,
3) Control Activities,
4) Information and Communication, and
5) Monitoring.
We discussed how all of these components are interrelated and necessary for the
establishment of a strong internal control system. It’s through internal control that
management is able to control and direct operations; thereby having reasonable
assurance that objectives will be achieved. It is ultimately the achievement of objectives
that makes companies successful. This will be true whether companies are operating in
China, US, UK, or even Russia.
Now, we want to turn our attention to the subject of Enterprise Risk Management (ERM).

Why Enterprise Risk Management?

The underlying basis of every company is to create value for its owners. If value is not
created, then it’s not likely the company will be able to survive. But, in order to create
value companies have to take on some amount of uncertainty. Now, this uncertainty
incorporates both risks and opportunities, with the potential to erode or enhance value.
The purpose of establishing an enterprise risk management process is to give
management a way in which they are able to effectively deal with this uncertainty
associated with risks and opportunities. Management can then determine how much risk
the company is willing to take on as it strives to create value.

COSO’s Enterprise Risk Management – Integrated Framework

COSO’s Internal Control – Integrated Framework established the above mentioned
internal control components in order to help companies assess and improve their internal
control systems. The result of the recent accounting scandals of Enron, WorldCom, Tyco,
Parmalat, etc. caused companies to put more focus on risk management. But, to do this
management needed a framework to help them more effectively identify, assess, and
manage risk. To meet this demand, COSO developed the Enterprise Risk Management –
Integrated Framework.
Enterprise risk management differs from risk management in that ERM represents a more
“integrated and holistic perspective” on risks facing the company. The ERM framework
simply became an expansion of COSO’s Internal Control framework, not a replacement.

1
Whereas, COSO’s Internal Control framework has five components, COSO’s ERM
framework has eight components. These components are listed below with a brief
description of each component:
1) Internal Environment. This would include the tone at the top, management’s
tolerance for risk, and oversight by the board.
2) Objective Setting. Objectives must first exist before management can identify
the events that might affect their achievement.
3) Event Identification. Internal and external events that can affect the
organization’s objectives must be identified
4) Risk Assessment. Risks must be analyzed and assessed for the likelihood and
impact on the objectives.
5) Risk Response. Management then has to select responses to the risks.
6) Control Activities. These are the policies and procedures in place to help
ensure that risk responses are carried out in an effective manner.
7) Information and Communication. Relevant information about risks has to be
communicated so people can carry out their responsibilities.
8) Monitoring. The entire ERM program has to be monitored and modifications
made if necessary. Monitoring can be ongoing, or it can be a separate
evaluation.

While COSO’s ERM framework is one of the most comprehensive frameworks, it certainly
is not the only one. A number of different ERM frameworks have been suggested by
various professional organizations and consulting firms (i.e. IMA, Standards & Poor’s,
Basal Committee on Banking Supervision, etc.), but the essential components of these
frameworks are similar. These ERM frameworks differ only in the language they use to
describe the components and in the number of specific steps.
When implementing an ERM process, a company may choose a more common framework
that fits its culture, management philosophy, needs, and size.

The basic components found in most ERM frameworks are (see exhibit A):
 Setting objectives,
 Identifying risks,
 Assessing risks,
 Treating and Controlling risks, and
 Communicating and monitoring risks.

2
EXHIBIT A: Continuous Risk Management Process
SETTING OBJECTIVES

COMMUNICATE &
IDENTIFY RISKS
MONITOR

CONTROL RISKS ASSESS RISKS

TREAT RISKS

Source: Statement on Management Accounting, Enterprise Risk Management: Framework, Elements, and
Integration, pg. 17.

Setting Objectives
The first step in the ERM process is the setting of objectives. Objectives are simply what
an entity strives to achieve. Objectives can be short-term, or long-term, or they can be
quantitative (numeric), or qualitative (non-numeric).
Objectives should be:
 Specific: Objectives should be precisely defined.
 Measurable: The method of measuring the objective should be defined.
 Agreed to: All interested parties need to agree to the objectives.
 Realistic and Attainable: Objectives must realistic and they must be attainable. If
they’re not, then they are superfluous.
 Timely: Objectives should be specific as to when they are to be achieved.
Note: As we can see, objectives should be SMART.
A direct benefit of ERM is that it may reveal some objectives that are not clear or
understood by those responsible to achieving them. It’s recommended that time be taken
in an effort to clarify the objectives before moving on to the next step – identifying risks.

Identifying and Assessing Risks

The next step in the ERM process is the identification of risks. The goal in this step is
to produce a list of risks and then assess them. There are a number techniques used to
identify risks. Some of these techniques are shown in Exhibit B.
In the process of using the list, it may be necessary to use more than one item on the
list. The key is to make sure that as many risks are identified as possible. If some risk fail
to be recognized, this could result in problems for the company.

3
EXHIBIT B: Risk Identification Techniques
INTERNAL INTERVIEWING and DISCUSSION:
 Interviews.
 Questionnaires.
 Brainstorming.
 Control Self-assessment and other facilitated workshops.
 SWOT analysis (Strength, weaknesses, opportunities, and threats).

EXTERNAL SOURCES:
 Comparison with other organizations.
 Discussion with peers.
 Benchmarking.
 Risk consultants.

TOOLS, DIAGNOSTICS, and PROCESSES:

 Checklists.
 Flowcharts.
 Scenario analysis.
 Value chain analysis
 Business process analysis.
 Systems engineering.
 Process mapping.
Source: Statement on Management Accounting, Enterprise Risk Management: Framework, Elements, and
Integration, pg. 19.

Once the risks have been identified, the next step is risk assessment. With risk
assessment we are in essence asking: “What can go wrong here?” and “What assets do
we need to protect?”
According to the COSO study, Internal Control – Integrated Framework, risk assessment
is summarized in the following way:
“Every entity faces a variety of risks from external and internal sources that must be assessed.
A precondition to risk assessment is establishment of objectives, linked at different levels and
internally consistent. Risk assessment is the identification and analysis of relevant risks to
achievement of objectives, forming a basis for determining how the risks should be managed.
Because economic, industry, regulatory and operating conditions will continue to change,
mechanisms are needed to identify and deal with the special risks associated with change.”

A key to ERM is to know which risks the company can control and which risks it cannot
control. This is the purpose of the risk assessment stage. Another key is to know which
risks can and cannot be measured. “Knowing the importance of a risk through risk
assessment can lead to better management and resource allocation. Further knowing how
that risk interrelates with other risks in the company can enhance the ERM process.”1

1
Statements on Management Accounting, Enterprise Risk Management: Framework, Elements, and Integration,
pg. 18-19.

4
Once management has gone through the assessment part of the ERM process, the next
step is the most difficult – treating and controlling the risks.

Treating and Controlling Risks

Once the risks have been assessed, management must then decide how it is going to
manage them. In the ERM process there should be a conscious decision about risk. There
are different actions that management can take for any given risk, including:
 Transfer the risk to another party. This can be done through signing a long-term
contract with a supplier. You transfer the risk of future price increases.
 Avoid the risk. This is generally the not most desirable thing to do, but in some
cases, it may be unavoidable.
 Reduce the negative effect of the risk. This might include hedging, or some other
method.
 Accept some or all of the consequences of the particular risk. You take on the risk
because you know that if you are successful, you will indeed be very successful.

In this stage, the risks with the greatest loss and the greatest probability of occurring are
handled first, and risks with lower probability of occurrence and lower loss are handled
later. In practice the process can be very difficult, and balancing between risks with a
high probability of occurrence but lower loss vs. a risk with high loss but lower probability
of occurrence can often be mishandled.

Communicating and Monitoring Risks

This is the final stage of the ERM process. In this final stage, management has the
responsibility to review and make necessary changes in order to mitigate potential risks
that can hinder the achievement of objectives. The goal of ERM is not to become risk
adverse, but to develop and implement a system whereby risk-related information is able
to flow downward, across, and up the company.
In regards to monitoring, activities should periodically reassess risk and the effectiveness
of controls to manage risk.

Conclusion
Enterprise risk management can be a powerful management tool, but its successful
implementation will require education and training of managers at all levels of the
organization, including the board. But, there are limitations to ERM. Like any program,
human judgment is still required, and human judgment in regards to risks can be faulty;
thus leading to errors or mistakes.
A major weakness to the ERM system is that two or more people can collude together, or
management can override ERM decisions. Thus, even with the best of ERM systems,
“these limitations preclude a board and management from having absolute assurance as
to the achievement of the company’s objectives.”2
In regards to Russia, it is mostly the larger organizations that have implemented ERM at
this time. But, unfortunately, it seems that most of these companies have done so
because of some external requirement (Sarbanes Oxley, etc.) reason and not because it
is something that they actually believes provides benefit. In time this attitude should
change as more Russian managers start seeing the benefits of ERM.

2
Enterprise Risk Management – Integrated Framework, Executive Summary, September 2004.

5
Below is a list of best practices that companies can use as a reference when
implementing ERM.
1) Engage senior management and board of directors that set “the tone from the
top” and provide organizational support and resources.
2) Independent ERM function under the leadership of chief risk officer (CRO), who
reports directly to the CEO with a dotted line to the board.
3) Top-down governance structure with risk committees at the management and
board levels, reinforced by internal and external audit.
4) Established ERM framework that incorporates all of the company’s key risks:
strategic risk, business risk, operational risk, market risk, and credit risk.
5) A risk-aware culture fostered by a common language, training, and education, as
well as risk-adjusted measures of success and incentives.
6) Written policies with specific risk limits and business boundaries, which
collectively represent the risk appetite of the company.
7) An ERM dashboard technology and reporting capability that integrates key
quantitative risk metrics and qualitative risk assessments.
8) Robust risk analytics to measure risk concentrations and interdependencies,
such as scenario and simulation models.
9) Integration of ERM in strategic planning, business processes, and performance
measurement.
10) Optimization of the company’s risk-adjusted profitability via risk-based product
pricing, capital management, and risk-transfer strategies.
Source: Statement on Management Accounting, Enterprise Risk Management: Framework, Elements, and
Integration, pg. 34.

In summary, “ERM is essential in today’s business environment, where companies are

required to disclose risk factors in the financial reports and the board of directors
regularly questions top management about the company’s risk.”3

3
Statements on Management Accounting, Enterprise Risk Management: Framework, Elements, and Integration,
pg. 34.