When Enterprise Risk Management ("ERM") is sound business management, it becomes an integral part of the organization’s DNA. Integration of ERM can occur in the following management activities: a) Strategic planning; b) Budgeting; c) Quality control; d) Scenario planning; e) Corporate governance; and f) Risk disclosures.
The COSO definition of ERM states that ERM is part of strategy setting. ERM and strategy setting should be viewed as complementing each other and forming the basis for a strategy-risk-focused organization. When formulating the company’s strategy, management analyzes its strategic alternatives and identifies events that could threaten their achievement. Strategy formulation is enhanced by ERM because risks are identified, and the strategic alternatives are assessed given the company’s risk appetite.
A company’s budget reflects the current-year financial commitment to achieve the organization’s long-term strategy. The annual budget can be integrated with ERM to provide insights on what the strategic leadership sees as the threats to meeting its financial plan. A risk map presented with the budget tells senior management what the major threats to the year's financial plan are, allowing comparison at both the business-unit and enterprise-wide level. Responses could include understanding to what extent the cost of mitigating or accepting a risk has been built into the price of the product or service.
Quality initiatives focus on improving the efficiency and effectiveness of detailed processes. ERM requires clarity of objectives at all levels of the enterprise, and the objectives of specific processes can be addressed by utilizing quality tools and methodologies. Information can be evaluated within the larger context of the enterprise to identify risks in an ERM implementation, leading to better internal controls. Stronger internal controls can lead to improved stability, reaction time, and increased shareholder value. Furthermore, a risk-based ERM approach can help reduce the number of key controls that companies are testing and documenting, significantly lowering the cost of compliance.
Regardless of how robust the effort of risk identification is, some unknown risks will remain unknown at the end of the process. A company prepares for these unknown risks through its scenario planning—an essential element of the ERM process, giving it an ability through preparation and planning for a more controlled and appropriate response.
ERM ties in closely with corporate governance because it: a) Improves information flows between the company and the board regarding risks; b) Enhances discussions of strategy and the related risks between executives and the board; c) Identifies acceptable levels of risks to be taken and assumed; d) Focuses management on the risks identified; and e) Improves disclosures to stakeholders about risks taken and risks yet to be managed.
Increasingly, companies are disclosing more information about their risks, and the ERM process could be a valuable source for gathering and reporting the potential implications of this risk information. SEC registrants must disclose risk factors in their annual reports, as specified in Item 503(c) of Regulation S-K, which instructs registrants to present risks that are specific to the company. Furthermore, Form 10-K instructions require registrants to discuss risk factors in “plain English.”
Good, solid governance principles would include:
a) Forward looking language assessing the potential effect of the risk to the company
Examples would be tax policies affecting profitability and/or corporate expansion plans.
b) References to company efforts to manage or mitigate the risk
Examples include company strategies to address cybersecurity, and policies, practices and training to mitigate culture risk (employee compliance-related).
c) Language describing risk-related trends and developments
Examples include changes in the likelihood, nature or severity of the risk affecting the company, such as changes in the global competitive landscape, trends in asset allocation and technological changes that affect a company’s business model.
d) Level of detail provided in the risk factor disclosure
Examples include references to operating units, markets, products, specific individuals, and company-specific developments such as operational improvement programs and restructuring efforts.
ERM capability is a sign of an organization’s maturity, with a far-reaching view both inside and outside the organization. #risksmartinc