Hitting the Reset Button on ERM: How to Define ERM for Your Organization
Country dependent, the sign either states “Yield” or “Give-way,” the United Nations Convention on Road Signs and Signals (done at the Vienna Conference on 8th of November 1968), defines the requirement as:
“a driver shall “give way” to other vehicles means that he must not continue or resume his advance or manoeuvre if by so doing he might compel the drivers of other vehicles to change the direction or speed of their vehicles abruptly.”
A logical and lawful definition that requires both perspective and perception to be applied holistically and consistently. Unfortunately, it lacks the specificity or enough situation based precision to be applied holistically and consistently.
Similarly, Enterprise Risk Management (ERM) is so widely understood from a logical definition standpoint — an organization-wide initiative and process to define, identify, assess, track, and control an organization’s exposure to and awareness of unknowns. Such unknowns may or could impact an organization’s ability and/or performance to achieve certain objectives or strategic criterion. Even in Banking and Capital Markets, ERM has a legal context that is actively reviewed and evaluated by numerous regulatory agencies. Finally, it too lacks the perspectives and perceptions to be applied holistically and consistently within a singular organization or industry sector.
Judgement and ERM
ERM is most often used by organizations to direct organizational attention to the key and/or significant risks of the organization, to align resources with efforts in the pursuit of strategic objectives, and to highlight the need and opportunity for organizational change management. ERM is also known to be helpful to senior and executive management in more pro-actively managing the organization’s financial and operational performance. While that may sound spectacular, it requires a lot of judgment, consideration, and analysis of varying perspectives throughout the organization, including the involvement of organization stakeholders.
Enter a person’s judgment. This can happen way too often for both ‘yielding’ and ERM. By and large ERM has a number of global and domestic industry associations and governments that have sought to define ERM, provide some standardization (via frameworks), and provide their own context.
Risk Governance Definitions, Standards, and Frameworks
In this disarray, over the last 10–15 years, information technology and cybersecurity industry associations have staked their own claim to risk management practices, activities, and approaches. Thus, we find ourselves with numerous ERM, risk management, and risk governance definitions, standards, and frameworks. Here are only some that come immediately to mind:
International Risk Governance Council (IRGC) — Risk Governance Framework, “The International Risk Governance Council (IRGC) is an independent non-profit foundation which aims to help improve the understanding and management of risks and opportunities by providing insight into systemic risks that have impacts on human health and safety, on the environment, on the economy and on society at large.” https://www.irgc.org
Basel Committee on Banking Supervision (Basel, BCBS 239) — Principles for effective risk data aggregation and risk reporting, “Established on 17 May 1930, the Bank for International Settlements (BIS) is an international financial organisation owned by 60 member central banks, representing countries from around the world that together make up about 95% of world GDP. Its head office is in Basel, Switzerland and it has two representative offices: in the Hong Kong Special Administrative Region of the People’s Republic of China and in Mexico City.” ”The mission of the BIS is to serve central banks in their pursuit of monetary and financial stability, to foster international cooperation in those areas and to act as a bank for central banks.” http://www.bis.org/publ/bcbs239.pdf
Committee on Sponsoring Organizations (COSO) Enterprise Risk Management — Integrated Framework originally released 2004, and revised version expected to be re-released sometime in 2017. The organization is made up of [American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]).] “The Committee of Sponsoring Organizations’ (COSO) mission is to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.” https://www.coso.org/Pages/default.aspx
International Standards Organization (ISO) 31000:2009, which supersedes Australia / New Zealand Standard: 4360:2004. “ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies.” “The ISO 31000:2009 provides principles and generic can be used by any public, private or community enterprise, association, group or individual.”
Solvency II Directive (2009/138/EC) is a European Union legal directive that unifies, codifies, and harmonises the EU insurance regulation to reduce the risk of insolvency, agreed upon on 25 November 2009 and went into full effect on 1 January 2016 after numerous updates. It is a multistep directive based on the Lamfalussy Process, named after EU advisory committee chairperson, Alexandre Lamfalussy, its creator. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02009L0138-20140523
Own Risk and Solvency Assessment (ORSA), is a U.S. regulation by the National Association of Insurance Commissioners (NAIC) to operationalized ERM, specifically the consideration of the solvency within the risk profile of a U.S. insurance organization. The adoption of ORSA follows the Solvency II Directive stated above.
FERMA:2002 EU Federation of European Risk Management Association (FERMA) which uses the AIRMIC/IRM/ALARM standard from 2002, UK — The Institute of Risk Management (IRM),The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector. In 2003 FERMA has adopted the Risk Management Standard to establish a uniform pan-European approach to risk management procedures sets out a strategic process, starting with an organisation’s overall objectives and aspirations, through to the identification, evaluation and mitigation of risk, and finally the transfer of some of that risk to an insurer.
BS 31100: : 2008 Code of Practice for Risk Management, a part of the British Standards
SP 800–37, U.S. National Institute of Standards & Technology Special Publication (SP) 800–37, “Guide for Applying the Risk Management Framework to Federal Information Systems”,
Organization of Compliance and Ethics Governance (OCEG) “Red Book” 2.0: 2009 GRC Capability Model
The above listing is not meant to be exhaustive in nature, rather it should merely pique your curiosity that ERM is not considered a universally defined term. Now, let’s define what an ERM initiative means for your organization.
Where to start?
As a result of various laws from the U.S. Foreign Corrupt Practices Act (FCPA) of 1977 to the U.S. Sarbanes-Oxley (SOX) Act of 2002 and numerous laws and regulations in-between, most organizations have some ‘perspective’ on risk and may also perform some general industry or process specific risk management activities. Rather than introducing a new initiative to the organization, it is usually easier and more beneficial to inventory all risk management activities. The rationale to perform such an inventory resides in the wake of the 2007 economic downturn. One of the most vital lessons learned was around the number of risk management activities performed throughout an organization, especially banks and other financial institutions. Consequently, if risk management activities were performed, then they were performed in a distinct and separate manner from each other. In other words, they lacked consideration of the other risk management activities, assumptions made, and inconsistent risk terms and risk data. This was the rationale for the Basel Committee on Banking Supervision (BCBS) regulation number 239 (BCBS 239) meant for the global list of systemically important banks and the domestic list of systemically important banks. BCBS 239 presents an overarching mandate for banks to increase their consideration and use of risk governance. The term risk governance was purposeful to relate corporate governance, data governance, and risk management, especially the corporate governance structure, the specific mandate, definition, ownership, oversight, and enforcement were paramount. It is also important to mention and realize the interconnective nature of corporate governance and data governance practices, not only because they share the term governance, but because it represents the known, unknown, and potential value of a corporation. Based on the bank’s and other financial institutions single or multiple mandates, the overarching organization will need to collaborate to create their own definition of risk. Some organizations may want to consider a multiple tier definition of risk at the enterprise-level and then the sub-enterprise level (Line of Business, Division, Group, Segment, Products, etc.). A significant aspect of that definition will be the tolerance of risk at the various levels within the organization (aka., risk appetite) including the risk terms and risk data elements adopted for consistent communication. While the above is occurring at the top of the organization, it is paramount that the organization work towards inventorying the `numerous risk management activities performed throughout the organization. The inventorying activities should include how each and every risk management activity defines, identifies, assesses, documents, and monitors their own activities. Specific attention should be made to understand the risk management activities’ perspective, assumptions, rubrics, quantifications / qualifications of activities. The initial inventorying activity is a significant undertaking and should be well resourced with objective individuals that are appreciate the micro and macro nature of this exercise. The organization should anticipate that some individual risk management activities will not align with the organization’s definition of risk, in those cases, additional efforts should be made to ensure a sufficient understanding of the approach. Finally, it should be considered an ongoing exercise / practice of some nature throughout the organization, especially within certain product/service lines that are required to perform additional activities than what is normally mandated.
Now, the Challenging Part…
To couple the organization’s definition of risk with the numerous inventoried risk management activities. Whether in an automated or manual fashion, document the potential alignment between the organization’s definition of risk and the individual risk management activities. This is done by reviewing, comparing, and contrasting the individual risk management activities and how they fit the organization’s definition of risk. The potential alignment should involve identifying which individual risk management activities are more high-level in that their impact and likelihood has the potential to reach the entire organization vs. the lower-level risk management activities that more than likely will not raise to a level across the entire organization. This can sometimes be problematic for areas such as IT and other areas of the organization that could be compounded across the organization. Therefore, throughout this entire activity, the owners of this activity should continuous validate their work through discussions and ongoing dialogue. Some factors to consider as part of the effort to align activities:
- The approach / methodology used by the individual risk management activities, specifically how each individual risk management activity: (a) identify their specific risk, including any categorization/grouping, etc., (b) assess the specific risk using either qualification or quantification means, etc., © address or treat the specific risk, noting whether / how it aligned with the identification and assessment, etc.,
- (d) monitor or track the specific risk, noting the frequency, types of communication and recipients.
- Each individual risk management activities perspective, specifically how they included the organization, organizational structure, processes, data, applications, etc., Also, how their vantage point included or excluded products, services, geography, customer(s), Law/Regulation, and other defining characteristics.
- Meet with the owners of the individual risk management activities to ensure agreement on the potential alignment.
- Develop some form of committee structure to facilitate coordination and collaboration across the individual risk management activities around above activities (1) and (2). Also, have the committee summarize the potential alignment of individual risk management activities.
- Finally, begin the next phase of alignment by establishing organization-wide commonality across: (a) data elements / taxonomy / qualifications or quantifications, (b) perspectives on organizational structure, geography, Laws/Regulations, processes, applications / systems, customers, etc., © organization-wide vs. non-organization-wide risks, (d) reporting / communication / issue monitoring,
Also, some consideration should be made to whether to engage the Internal Audit Department before, during, after, or throughout the activity to assist in a Pre-Implementation, Post-Implementation, or Advisory manner. The coupling and alignment of risk management activities involves a significant amount of organizational effort, corporate governance, and change management as it inflicts a tremendous amount of stress on people, processes, and organization culture. Throughout the alignment of risk management activities, consideration of the strategic plan and corporate objectives should be used to help guide significance, importance, and materiality. Therefore, it should be performed with plenty of Executive Management support and oversight.
Takeaway: Enterprise Risk Management, if established appropriately, can be extremely valuable to the organization, its stakeholders, and of course shareholders.
Originally published at www.logicgate.com.