The Essentials of
ENTERPRISE RISK MANAGEMENT
For Directors and Commissioners
Prepared by:
Antonius Alijoyo
with Deddy Jacobus
TABLE OF CONTENTS
PROFILE OF LKDI
Case Study
These modules serve as a reference for both the facilitators and the participants of
the LKDI training program, and have become a standardized reference comparable to
the curricula of the directorship programs conducted by the UK Institute of Directors,
the Australian Institute of Company Directors, and the Singapore Institute of Directors.
In this first stage, LKDI prepared five modules: "GCG Concepts, Principles and
Practices", "Boards' Duties, Liabilities and Responsibilities", "Enterprise Risk
Management", "Corporate Social Responsibility", and "High Quality Corporate
Reporting". These modules were developed by senior academics under the
umbrella of the Academic Network Indonesia on Governance (ANIG), a network
established and run by board members of the National Committee on Governance,
commonly known as KNKG.
Finally, please allow us to take this opportunity to express our gratitude to CIPE,
KNKG, and ANIG for their support in the preparation of these training modules,
and we hope to continue this solid collaboration for the enhancement of
GCG in Indonesia.
Best wishes,
Hoesein Wiriadinata
Chairman
LKDI aims to enhance the quality of its members, who are the vanguard of
corporate governance practice, by providing networking opportunities and
continuous professional education programs.
In this chapter we discuss the significance and importance of ERM for Directors
and Commissioners, and the need for board competence in enterprise risk
management. We set out the aspects that Directors and Commissioners need in
order to understand and implement ERM. At the end of this chapter we present
five multiple-choice questions for review of the material.
On the contrary, risk management helps an entity achieve its performance and
profitability targets, and prevent loss of resources. It helps ensure effective
reporting. And, it helps ensure that the entity complies with laws and
regulations, avoiding damage to its reputation and other consequences. In
sum, it helps an entity get to where it wants to go and avoid pitfalls and
surprises along the way.
Align risk appetite and strategy. Risk appetite is the degree of risk, on a broad
basis, that an entity is willing to accept in pursuit of value creation and
preservation; stakeholders expect a return commensurate with that risk.
Enterprise risk management provides an enhanced ability to identify and
assess risks, and to establish acceptable levels of risk relative to growth and
return objectives.
Enhance risk response decisions. Enterprise risk management provides
the rigor to identify and select among alternative risk responses: risk
avoidance, reduction, sharing and acceptance. It provides methodologies
and techniques for making these decisions.
Minimize operational surprises and losses. Entities have enhanced

Company          Industry            Event
Bausch & Lomb    Corporate           Revenue misstatement of $42 million
PCA              Energy company      Claim of $236 million
MG               Energy company      Trading loss of $1 billion
LTCM             Asset management    Rescue fund required: $3.5 billion
Source: James Lam, Enterprise Risk Management: From Incentives to Controls, John Wiley & Sons, 2003, p. 10.
In most of the above cases, either boards were provided with misleading
information or there was a breakdown in the process by which information
was transmitted to the board and shareholders. In many cases, the breakdown
involved financial engineering and the nondisclosure of economic risks as well
as outright fraud.
value. Uncertainty presents both risk and opportunity, with the potential to
erode or enhance value. Enterprise risk management provides a framework for
management to effectively deal with uncertainty and associated risk and
opportunity and thereby enhance its capacity to build value.
Uncertainty
Enterprises operate in environments where factors such as globalization,
technology, regulation, restructurings, changing markets, and competition
create uncertainty. Uncertainty emanates from an inability to precisely
determine the likelihood that potential events will occur and the associated
outcomes.
Value
Value is created, preserved or eroded by management decisions ranging from
strategy setting to operating the enterprise day-to-day. Inherent in these
decisions is the recognition of risk and opportunity, which requires that
management consider information about the internal and external environments,
deploy scarce resources, and recalibrate enterprise activities to changing
circumstances.
Entities realize value when stakeholders derive recognizable benefits that they
in turn value. For companies, shareholders realize value when they recognize
value creation from share-value growth. For governmental entities, value is
realized when constituents recognize receipt of valued services at an
acceptable cost. Stakeholders of not-for-profit entities realize value when they
recognize receipt of valued social benefits. Enterprise risk management
facilitates management's ability to both create sustainable value and
communicate the value created to stakeholders.
Boards can't monitor and control the financial condition of a risk taking
institution without excellent risk management and risk metrics. Meanwhile,
the risk management function depends on sponsors at the senior executive
and board level to gain the investment it requires and the influence it needs to
balance out powerful business leaders.
The risk committee of the institution also needs to be involved, to some degree,
in setting the basic risk measurement methodologies employed by the
institution. It is important that risk committees understand the strengths and
weaknesses of any new operational-risk metrics if they are to make sense of risk
reports.
In this chapter we discuss further the concepts, the frameworks, and the
importance of integrating an enterprise risk management program into business
processes, and show how risk management has evolved from a control function
strictly concerned with minimizing downside risk to one that enables
performance optimization.
Risk Concepts
Risk in the widest sense is not new to business. All companies are exposed to
traditional business risks: earnings go up and down as a result of such things
as changes in the business environment, in the nature of competition, in
production technologies, and in factors affecting suppliers. This is a classic
understanding of risk.
Risks come in all shapes and sizes. Risk was defined in the previous part
as "the chance of something happening that will have an impact on objectives."
In this sense risk is often specified in terms of an event or circumstance and the
consequences that may flow from it. It is measured in terms of a combination of
the consequences of an event and their likelihood. Risk may have a positive or
negative impact.
(Figure: risk taxonomy, showing market risk and operational risk grouped as components of financial risk.)
Risk needs to be recognized and assessed in ways that are relatively easy to
understand. However, this requires a substantial effort in training and
education. Many board members and staff, whether junior or senior, will not be
familiar with risk management, and particularly not with quantitative forms of
risk analysis. Fortunately, there are key risk concepts that help us to
understand risk better; they apply to the risks of any kind of business and
must be addressed by any effective risk management program.
Time horizon: how long will I be exposed to the risk? The longer the
duration of an exposure, the higher the risk.
There are at least two widely accepted frameworks that institutions planning an
enterprise risk management initiative can adopt. The two frameworks, or
standards, are AS/NZS 4360:2004 and the COSO Enterprise Risk Management
Integrated Framework.
AS/NZS 4360:2004
AS/NZS 4360:2004 is a joint Australian/New Zealand Standard on risk
management. It provides a generic guide for managing risk and may be applied to
a very wide range of activities, decisions or operations of any public, private
or community enterprise, group or individual.
The standard specifies the elements of the risk management process, which
should be applied at all stages in the life of an activity, function, project,
product or asset. The maximum benefit is usually obtained by applying the
risk management process from the beginning.
Improved incident management and reduction in loss and the cost of risk.
For each stage of the process records should be kept to enable decisions to be
understood as part of a process of continual improvement.
The main elements of the risk management process, as shown in Figure 2.2, can
be elaborated further as follows:
(Figure 2.2: the risk management process. Risk assessment comprises the "analyze risks" and "evaluate risks" steps, followed by "treat risks".)
(c) Risk identification - This step seeks to identify the risks to be managed.
Comprehensive identification using a well-structured systematic process is
critical because a risk not identified at this stage may be excluded from
further analysis. Identification should include risks whether or not they
are under the control of the organization.
(d) Risk analysis - Risk analysis is about developing an understanding of the
risk. It provides an input to decisions on whether risks need to be treated
and on the most appropriate and cost-effective risk treatment strategies. Risk
analysis considers the consequences of an event and the likelihood that those
consequences may occur. The factors that affect consequences and likelihood
may be identified; risk is then analyzed by combining consequences with their
likelihood. In most circumstances existing controls are taken into account.
(Figure: risk as a range of credible outcomes plotted by probability against consequence, from frequent low-consequence problems to low-probability catastrophes.)
(e) Risk evaluation - The purpose of risk evaluation is to make decisions, based
on the outcomes of risk analysis, about which risks need treatment and
treatment priorities.
(f) Risk treatment - Risk treatment involves identifying the range of options for
treating risks, assessing these options, and preparing and implementing
treatment plans. The starting point for identifying options is often a review
of existing guides for treating that particular type of risk. For example, in
many safety, environmental and construction areas there are requirements
laid down in legislation and standards. However, these will need to be
reviewed for completeness and suitability.
(g) Monitoring and review - Ongoing review is essential to ensure that the
management plan remains relevant. Factors that affect the likelihood
and consequences of an outcome may change, as may the factors that
affect the suitability or cost of the treatment options. It is therefore
necessary to repeat the risk management cycle regularly.
(h) Recording the risk management process - Each stage of the risk
management process should be recorded appropriately. Assumptions,
methods, data sources, analyses, results and reasons for decisions should
all be recorded.
A Process
Enterprise risk management is not one event or circumstance, but a series of
actions that permeate an entity's activities. These actions are pervasive and
inherent in the way management runs the business.
Effected by People
Enterprise risk management is effected by a board of directors, management
and other personnel. It is accomplished by the people of an organization, by
what they do and say.
People establish the entity's mission/vision, strategy and objectives and put
enterprise risk management mechanisms in place.
These realities affect, and are affected by, enterprise risk management. Each
person has a unique point of reference which influences how they identify,
assess and respond to risk. Enterprise risk management provides the
mechanisms needed to help people understand risk in the context of the
entity's objectives. People must know their responsibilities and limits of
authority. Accordingly, a clear and close linkage needs to exist between
people's duties and the way in which they are carried out, as well as with the
entity's strategy and objectives.
Risk Appetite
Risk appetite is the amount of risk an entity is willing to accept in pursuit of
value. Entities often consider risk appetite qualitatively, with such categories
as high, moderate or low, or they may take a quantitative approach, reflecting
and balancing goals for growth, return and risk.
Risk tolerances are the acceptable level of variation relative to the achievement
of objectives. In setting specific risk tolerances, management considers the
relative importance of the related objectives and aligns risk tolerances with its
risk appetite. Operating within risk tolerances provides management greater
Reasonable assurance reflects the notion that uncertainty and risk relate to
the future, which no one can predict with certainty. Limitations also result
from the realities that human judgment in decision making can be faulty, that
decisions on risk responses and on establishing controls must weigh
relative costs and benefits, that breakdowns can occur because of human failures
such as simple errors or mistakes, that controls can be circumvented by collusion
of two or more people, and that management has the ability to override enterprise
risk management decisions. These limitations preclude the board of directors and
commissioners from having absolute assurance that objectives will be
achieved.
Achievement of Objectives
Effective enterprise risk management can be expected to provide reasonable
assurance of achieving objectives relating to the reliability of reporting and to
compliance with laws and regulations. Achievement of those categories of
objectives is within the entity's control and depends on how well the entity's
related activities are performed.
Internal Environment
The entity's internal environment is the foundation for all other components of
enterprise risk management, providing discipline and structure. The internal
environment influences how strategy and objectives are established, business
activities are structured and risks are identified, assessed and acted upon. It
influences the design and functioning of control activities, information and
communication systems, and monitoring activities.
Risk culture is the set of shared attitudes, values and practices that
characterize how an entity considers risk in its day-to-day activities. For many
companies, the risk culture flows from the entity's risk philosophy and risk
appetite. For those entities that do not explicitly define their risk philosophy,
the risk culture may form haphazardly, resulting in significantly different risk
cultures within an enterprise or even within a particular business unit,
function or department.
Objective Setting
Within the context of the established mission or vision, the board of directors
establishes strategic objectives, selects strategy and establishes related
objectives, cascading through the enterprise and aligned with and linked to
the strategy. Objectives must exist before management can identify events
potentially affecting their achievement. Enterprise risk management ensures
that the board of directors and management have a process in place to set
objectives, to align them with the entity's mission/vision, and to keep them
consistent with the entity's risk appetite.
Event Identification
Board of directors recognizes that uncertainties exist that it cannot know with
certainty whether and when an event will occur, or its outcome should it occur.
As part of event identification, board of directors and management consider
external and internal factors that affect event occurrence. External factors
Risk Assessment
Risk assessment allows an entity to consider how potential events might affect
the achievement of objectives. Management assesses events from two
perspectives: likelihood and impact.
Likelihood represents the possibility that a given event will occur, while impact
represents its effect should it occur. Estimates of risk likelihood and impact
often are determined using data from past observable events, which may
Quantitative techniques typically bring more precision and are used in more
complex and sophisticated activities to supplement qualitative techniques. An
entity need not use common assessment techniques across all business units.
Rather, the choice of techniques should reflect the need for precision and the
culture of the business unit. In any event, the methods used by individual
business units should facilitate the entity's assessment of risks across the
entity.
Risk assessment is applied first to inherent risk: the risk to the entity in the
absence of any actions management might take to alter either the risk's
likelihood or impact. Once risk responses have been developed, management
then uses risk assessment techniques to determine residual risk: the risk
remaining after management's action to alter the risk's likelihood or impact.
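The following worked example, added here and not part of the module, puts the AS/NZS risk analysis step (combine consequence with likelihood, taking existing controls into account) and the COSO distinction between inherent and residual risk into a small risk register. The 1-5 ordinal scales, the convention that each existing control lowers likelihood by one level, the tolerance threshold of 6, the response heuristics and the sample register entries are all assumptions chosen for illustration.

```python
"""Risk register scoring: inherent vs residual risk, evaluated against a tolerance.

Added worked example; not part of the module. The 1-5 ordinal scales, the
convention that each control 'notch' lowers likelihood by one level, the
tolerance threshold and the response heuristics are all assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal scales (AS/NZS-style qualitative analysis).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD_NAME = {v: k for k, v in LIKELIHOOD.items()}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str        # key into LIKELIHOOD
    consequence: str       # key into CONSEQUENCE
    control_notches: int   # assumed: each existing control lowers likelihood one level


def inherent_score(risk: Risk) -> int:
    """Risk before any management action: likelihood x consequence."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def residual_likelihood(risk: Risk) -> int:
    """Likelihood after existing controls; never below 'rare' (1)."""
    return max(1, LIKELIHOOD[risk.likelihood] - risk.control_notches)


def residual_score(risk: Risk) -> int:
    """Risk remaining after controls (AS/NZS: existing controls taken into account)."""
    return residual_likelihood(risk) * CONSEQUENCE[risk.consequence]


def suggest_response(risk: Risk, tolerance: int) -> str:
    """Map a residual position to one of the four COSO response categories.

    Heuristic only (assumption): within tolerance -> accept; low-frequency /
    high-severity -> share (e.g. insurance); catastrophic and still above
    tolerance -> avoid; otherwise -> reduce (add or strengthen controls).
    """
    cons = CONSEQUENCE[risk.consequence]
    if residual_score(risk) <= tolerance:
        return "accept"
    if residual_likelihood(risk) <= 2 and cons >= 4:
        return "share"
    if cons == 5:
        return "avoid"
    return "reduce"


def evaluate_register(risks: list, tolerance: int) -> list:
    """Risk evaluation step: rank by residual score to set treatment priorities."""
    rows = []
    for r in risks:
        rows.append({
            "risk": r.name,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "residual_likelihood": LIKELIHOOD_NAME[residual_likelihood(r)],
            "within_tolerance": residual_score(r) <= tolerance,
            "response": suggest_response(r, tolerance),
        })
    return sorted(rows, key=lambda row: (-row["residual"], -row["inherent"], row["risk"]))


# Constructed sample register (illustrative entries, not from any real company).
SAMPLE_REGISTER = [
    Risk("Unhedged proprietary trading position", "possible", "catastrophic", 0),
    Risk("Data-centre flood", "unlikely", "catastrophic", 0),
    Risk("Compromise of unpatched internet-facing server", "likely", "major", 1),
    Risk("Misstatement in quarterly revenue report", "possible", "major", 2),
]
TOLERANCE = 6  # assumed board-approved ceiling on residual score


if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, TOLERANCE):
        print(f"{row['risk']:<48} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} -> {row['response']}")
```

The ranking that comes out is the "treatment priorities" the evaluation step is supposed to produce: the two catastrophic-consequence entries sit at the top regardless of how their likelihoods compare, and the only entry that falls within tolerance is the one whose existing controls (two notches) pull its likelihood down to "rare".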
Risk Response
Management identifies risk response options and considers their effect on
event likelihood and impact, in relation to risk tolerances and costs versus
benefits, and designs and implements response options. The consideration of
risk responses and selecting and implementing a risk response are integral to
enterprise risk management. Effective enterprise risk management requires
that management select a response that is expected to bring risk likelihood
and impact within the entity's risk tolerance.
Risk responses fall within the categories of risk avoidance, reduction, sharing
and acceptance (see Figure 2.5). As part of enterprise risk management, for
each significant risk an entity considers potential responses from a range of
response categories. This gives sufficient depth to response selection and also
challenges the "status quo."
Control Activities
Control activities are the policies and procedures that help ensure risk
responses are properly executed. Control activities occur throughout the
organization, at all levels and in all functions. Control activities are part of the
process by which an enterprise strives to achieve its business objectives. They
usually involve two elements: a policy establishing what should be done and
procedures to affect the policy.
Because each entity has its own set of objectives and implementation
approaches, there will be differences in objectives, structure and related
control activities. Even if two entities had identical objectives and structures,
their control activities would likely be different. Each entity is managed by
different people who use individual judgments in effecting internal control.
Moreover, controls reflect the environment and industry in which an entity
operates, as well as the complexity of its organization, its history and its
culture.
The challenge for management is to process and refine large volumes of data
into actionable information. This challenge is met by establishing an
information systems infrastructure to source, capture, process, analyze
and report relevant information. These information systems, usually
computerized but also involving manual inputs or interfaces, often are viewed
in the context of processing internally generated data relating to transactions.
Monitoring
Enterprise risk management is monitored, a process that assesses both the
presence and functioning of its components and the quality of their
performance over time. Monitoring can be done in two ways: through ongoing
activities or through separate evaluations. Ongoing and separate monitoring
together ensure that enterprise risk management continues to be applied at all
levels and across the entity.
Risk governance
All of the above provides a relatively comprehensive understanding of how risk
governance should be established in an organization. The primary responsibility
of the corporate boards (board of commissioners and board of directors) is to
ensure that they develop a clear understanding of the company's business
strategy and the fundamental risks and rewards that it implies. The board also
needs to make sure that risks are made transparent to all stakeholders through
adequate internal and external disclosure.
In particular, the board should ensure that business and risk management
strategies are directed at economic rather than accounting performance,
contrary to what happened at Enron and some of the other firms involved in
highly publicized corporate governance scandals.
The board should also ensure that the information it obtains about risk
management is accurate and reliable. The board of commissioners should show
healthy skepticism and require information from a cross section of
knowledgeable and reliable sources, such as the CEO, senior management,
and the internal and external auditors. Commissioners should be prepared to ask
tough questions, and they should equip themselves to understand the
answers.
Chapter Three is our effort to put ERM into the Indonesian context: the related
corporate regulations for private, public and state-owned enterprises, the
legal and litigation risks, and the local culture and circumstances. This chapter
provides the reader with a contextual understanding of the relevance and
importance of ERM in Indonesia's current business and regulatory
environment. By the end of the chapter we also describe the important role of
the board committees in ensuring that risk management policies and
strategies (i.e., the risk appetite and tolerances) are transmitted and monitored
down the line.
Risk Environment
A company does not operate in a vacuum; it owes its very existence to its
environment, and so it is subject to all relevant rules and regulations. For that
reason, the regulator and the regulatory environment are crucial to consider and
comprehend. In fact, the most basic requirement of sound risk management
practice is that a company is run in compliance with all relevant rules and
regulations.
Risk appetite and risk tolerances (expressed as limits), along with a statement of
commitment to risk management, are formulated as the risk policy of a company.
We have mentioned that at a best-practice institution, everything flows from a
clear and agreed-upon risk management policy at the top. It is therefore very
sound practice for the board of directors to approve a clear statement of the
institution's risk appetite and of how it is linked to a system of limits and
risk metrics.
Without this kind of platform, it's very difficult for risk managers further down
the management chain to make key decisions on how they approach and
measure risk. For example, without a clearly communicated concept of an
institution's risk appetite, how would risk managers define a "worst-case risk"
in any extreme risk scenario analysis?
A clear definition of organization's risk appetite in terms of its risk policies and
risk tolerance constitutes an element of a strong commitment at the top along
with appropriate organizational structure, and the awareness that the boards
need to ensure that their behavior is in line with their risk management policy.
As already discussed in early chapter, this is to ensure the integration of risk
into a company's culture and values.
A board of directors with a sound understanding of the risk profile of its key
existing or anticipated business lines can support aggressive strategic
decisions with much more confidence. Sophisticated risk measures such as
Value-at-Risk (VaR) and economic capital can be very useful here, not only as a
way of setting risk limits but also in helping the institution decide which
business lines are profitable once risk is taken into account.
The challenge remains: how can the agreed risk appetite and tolerance be
transmitted down the line to business managers in a way that can be
monitored and that makes sense in terms of day-to-day business decisions?
How does the board of commissioners know, for instance, that the executives and
business managers are living up to the minimum legal and regulatory
requirements?
It is clear, however, that the duty of the boards is not to undertake risk
management on a day-to-day basis, but to make sure that all the mechanisms
used to delegate risk management decisions are functioning properly.
In most cases, the board of commissioners charges its main committees,
e.g., the audit and risk management committees, with reviewing and
examining the key policies and associated procedures of the entity's risk
management activities. These committees also make sure that the
implementation of these key policies is effective.
The committees may also help recommend the best way to translate the
overall risk appetite of the company, approved by the board of directors and
commissioners, into a set of limits that flows down through the corporate
executive officers and business divisions.
The role of the Audit Committee deserves specific mention here, since this
committee is now found in most Indonesian limited companies, private or
public, SOE or non-SOE. The role of the Audit Committee is critical to the
board's oversight of the company. According to the Audit Committee Manual,
the Audit Committee's duties involve not just checking for infringements, but
also overseeing the quality of the processes that underpin financial reporting,
regulatory compliance, internal controls, and risk management.
The Audit Committee also should evaluate the soundness of the elements of the
risk management information system (the "Risk MIS"), such as the processes used
for coding and implementing internal models (for banks). This should include
examining controls over market position data capture, as well as controls over
the parameter estimation processes (such as the volatility and correlation
assumptions). It should also examine the documentation relating to
compliance with the qualitative and quantitative criteria set out in any
regulatory guidelines, and it should comment on the reliability of any
value-at-risk reporting framework.
5. Based on best practice, the following are roles of the risk management
committee, except:
(a) Independently reviewing the risk management process.
(b) Reviewing the adequacy of policy guidelines and systems.
(c) Working with the Audit Committee on reviewing issues relating to
operational risk.
Risk culture
Much of the focus of risk management to date has been on building
infrastructure: independent risk functions and oversight committees;
risk assessments and audits; risk management policies and procedures;
systems and models; measures and reports; and risk limits and exception
processes. However, it is equally important that companies focus on the other
side, the "soft side", of risk management.
Risk culture is the set of shared attitudes, values and practices that
characterize how an entity considers risk in its day-to-day activities. For many
companies, the risk culture flows from the entity's risk philosophy and risk
appetite. For those entities that do not explicitly define their risk philosophy,
the risk culture may form haphazardly, resulting in significantly different risk
cultures within an enterprise or even within a particular business unit,
function or department.
In this regard, the board of directors should make sure that an effective
communication channel is in place for the flow of information. The
communication should address behavioral expectations and the
responsibilities of personnel. It should facilitate the cascading down of a clear
statement of the entity's enterprise risk management philosophy and
approach and of the delegation of authority. It also should facilitate open
discussion of risk issues, the escalation of exposures, and the sharing of
lessons learned and best practices. Communication about processes and
procedures should align with, and underpin, the desired risk culture.
Internal capacity
At the end of the day, risk management is about people, process, and
infrastructure, i.e., the internal capacity of the company to manage risks.
Failure to address any of these three components is a recipe for disaster in
any company.
The quality output of a risk management process is very much affected by the
realities that human judgment in decision making can be faulty, breakdowns
can occur because of human failures such as simple errors or mistakes,
controls can be circumvented by collusion of two or more people, and
management has the ability to override enterprise risk management decisions.
Therefore, tone from the top and people's training and education in risk
management are a critical part of building the internal capacity of a company
that is about to implement an enterprise risk management program.
Risks come in all shapes and sizes, and they shift. In chapter two we
discussed the various types of risk: market risk, credit risk,
operational risk, legal and regulatory risk, business risk, strategic risk, and
reputation risk. The question is: how can a manager with responsibility for
enterprise-wide risk hope to stay on top of all of them? It is
impractical simply to hire an expert for every risk; since risk is a part of every
business decision, that approach would require a risk manager for every
business manager.
For that reason, a systematic process for capturing and learning from incidents
and losses should be in place. An organization open to learning is less likely to
repeat past mistakes and more likely to benefit from new developments and
innovations in the field of risk management. Lessons learned from mistakes and
from the best practices of other companies can be a valuable supplement to
those learned from examination of a company's own operations.
People naturally pay the most attention to their job accountabilities
and to how their financial incentives are tied to their performance. Risk
awareness can therefore be cultivated most powerfully by making sure that
employees understand that risk management is part of their job, and that their
incentive compensation is linked to business and risk performance at both the
business and individual levels. It is important that these facts should be seen
Process
Enterprise risk management is different from the perspective of some
observers who view it as something added on to an entity's activities, or as a
necessary burden. Enterprise risk management is most effective when it is
built into the entity's infrastructure and is part of the essence of the enterprise.
There are three critical processes that should be in place to ensure that our
enterprise risk management process is rigorous:
Decisions concerning the making and capture of records should take into
account:
Infrastructure
The enterprise risk management process requires a well-designed risk
infrastructure, which is necessary to respond to and monitor risks effectively.
Note, however, that while a well-designed risk infrastructure is necessary, it
is not sufficient on its own: only with the right people and processes does risk
infrastructure provide real benefits. Risk infrastructure includes all management
infrastructure, such as the control infrastructure and the information systems
infrastructure. The challenge for management is to process and refine large
volumes of data into actionable information, which is met by establishing an
information systems infrastructure to source, capture, process, analyze and
report relevant information.
(Figure: alignment with the entity's risk appetite. Misalignment 1: not taking enough risk. Misalignment 2: accepting undue risks. Between them lies the zone of optimum risk taking.)
An entity's mission (some prefer the terms vision or purpose) is, in broad
terms, what the entity aspires to achieve, or its reason for being. It is an
important duty of the Board of Directors (the executives), under Board of
Commissioners oversight, to establish explicitly the entity's broad-based
reason for being. From this statement, the BoD and management set the
strategic objectives, formulate strategy and establish related objectives for the
organization. While an entity's mission and strategic objectives are generally
stable, its strategy and related objectives are more dynamic and are adjusted
for changing internal and external conditions.
Strategic objectives are high-level goals, aligned with and supporting the
entity's mission/vision. Strategic objectives reflect the Board of Directors'
choice as to how the entity will seek to create value for its stakeholders. In
considering alternative strategies to achieve its strategic objectives, the BoD
and management identify the risks associated with a range of strategy choices
and consider their implications. Various event identification and risk
assessment techniques can be used in the strategy-setting process. In this way,
enterprise risk management techniques are used in setting strategy and
objectives.
1. The following are true statements about risk culture, except for:
(a) It is a crucial role of the boards to set out the right risk culture and
corporate values, both through relevant behavior and written policies.
(b) Risk culture and corporate values are a very important "soft side" of risk
management, but most frequently neglected.
(c) Risk culture is the set of shared attitudes, values and practices that
characterize how an entity considers risk in its day-to-day activities.
(d) Risk culture is the risk caused by the entity's weakness in relevant
culture.
2. Choose the correct answer. The objective of risk awareness training is
to ensure that:
(a) Everyone within a business is able to proactively identify the key
risks for the company
(b) Everyone is seriously thinking about the consequences of the risks for
which he or she is responsible
(c) Everyone is communicating up and down the organization those risks that
warrant others' attention
(d) All the above answers are correct.
This chapter is dedicated to exploring the available tools and approaches for
measuring the successful implementation of ERM. We will also present a simple
checklist which readers can use for self-evaluation or self-assessment of
their ERM initiative.
ERM clearly links risk management with the creation of organizational value
and expresses risk in terms of its impact on organizational objectives. An
important aspect of ERM is therefore the strong linkage between measures of
risk and measures of overall organizational performance. It is very important
for the boards to ensure that performance is measured using risk-based
metrics reflecting capital consumption, return, and volatility.
RORAC - Return on risk adjusted capital. RORAC is a target ROE measure in which
the denominator is adjusted depending on the risk associated with the
instrument or project.
RAROC - Risk adjusted return on capital. RAROC is a target ROE measure in which
the numerator is reduced depending on the risk associated with the instrument
or project.
RARORAC - Risk adjusted return on risk adjusted capital. RARORAC is a
combination of RAROC and RORAC in which both the numerator and denominator are
adjusted (for different risks).
ECAP - Economic capital. Market value of assets minus fair value of
liabilities. Used in practice as a risk adjusted capital measure; specifically
the amount of capital required to meet an explicit solvency constraint (e.g.,
a certain probability of ruin).
Embedded value - a measure of the value of business currently on the books of
an insurance company.
CAR - Capital Adequacy Ratio; RBC - Risk based capital. CAR or RBC is a
specific regulatory capital requirement: CAR for banks and RBC for insurance
companies.
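As an added worked example (not part of the module), the three risk-adjusted return measures and ECAP defined above are computed for two constructed business units; it assumes annual losses are normally distributed so that a chosen probability of ruin maps to an economic capital figure, and all unit figures are constructed sample data.

```python
# Added example (not from the module): risk-adjusted return metrics from the
# table above. Assumes normally distributed annual losses (modelling assumption).
from dataclasses import dataclass
from statistics import NormalDist


@dataclass(frozen=True)
class BusinessUnit:
    name: str
    net_income: float     # annual income before deducting expected losses
    book_capital: float   # capital allocated on the books, not risk adjusted
    expected_loss: float  # mean annual loss
    loss_stdev: float     # standard deviation of annual loss

def roe(unit):
    """Plain return on equity: no risk adjustment at all."""
    return unit.net_income / unit.book_capital

def economic_capital(unit, prob_ruin):
    """ECAP: capital absorbing losses above expectation in all but a
    fraction prob_ruin of years (the explicit solvency constraint)."""
    if not 0.0 < prob_ruin < 0.5:
        raise ValueError("prob_ruin must be a small positive probability")
    ecap = unit.loss_stdev * NormalDist().inv_cdf(1.0 - prob_ruin)
    if ecap <= 0.0:
        raise ValueError("no loss volatility: economic capital is undefined")
    return ecap

def rorac(unit, prob_ruin):
    """RORAC: denominator replaced by risk-adjusted (economic) capital."""
    return unit.net_income / economic_capital(unit, prob_ruin)

def raroc(unit):
    """RAROC: numerator reduced by the expected loss of the business."""
    return (unit.net_income - unit.expected_loss) / unit.book_capital

def rarorac(unit, prob_ruin):
    """RARORAC: both numerator and denominator adjusted."""
    return (unit.net_income - unit.expected_loss) / economic_capital(unit, prob_ruin)

def rank_by_rarorac(units, prob_ruin):
    """Order units the way a risk-based performance review would rank them."""
    return sorted(units, key=lambda u: rarorac(u, prob_ruin), reverse=True)

# Constructed sample: the trading desk earns more but takes far more risk.
TRADING = BusinessUnit("Trading", 30.0, 100.0, expected_loss=5.0, loss_stdev=40.0)
RETAIL = BusinessUnit("Retail", 20.0, 100.0, expected_loss=2.0, loss_stdev=10.0)
```

On plain ROE the trading desk looks better (30% against 20%), but once capital is charged for its loss volatility the retail unit ranks first, which is the point of measuring performance with risk-based metrics.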
physical inspections
Reports and communications, internal and external. Example: An insurance
company's review of safety policies and practices provides information on the
functioning of enterprise risk management, from both operational safety and
compliance perspectives, thereby serving as a monitoring technique. Regulators
may also communicate with the entity on compliance or other matters that
reflect on the functioning of the enterprise risk management process.
Value-at-risk models are used to evaluate the impacts of potential market
movements on an entity's financial position. These models can serve as
effective tools in determining whether business units or functions are staying
within identified risk tolerances.
Internal and external auditors and advisors may provide recommendations to
strengthen enterprise risk management. Auditors can assess the key risks of
the enterprise or unit, the risk response selections and the related design of
control activities, and test their effectiveness. Potential weaknesses may be
identified, and alternative actions recommended to management, accompanied by
information useful in making cost-benefit determinations.
Training seminars, planning sessions and other meetings provide important
feedback to management on whether enterprise risk management is effective.
A simple checklist
Most companies are interested in how their enterprise risk management
programs compare to industry practices. Developing a checklist based on
international best practices is one of the widely adopted approaches to doing
this.
This checklist is divided into five different levels corresponding to a given
company's level of ERM maturity.