Add Value, Not Bureaucracy
Linking governance, enterprise risk management and internal controls.
March 1, 2010
As the economy begins to recover, many organizations are seeking to strengthen their processes related to risk management so that they will be better able to avoid or minimize negative impacts similar to those arising from the 2008 financial crisis. The push for improved risk management is coming from a number of different sources. Credit rating agencies such as Standard and Poor’s (S&P) have for more than a year assessed enterprise risk management (ERM) during analysis of corporate credit ratings. In addition, the U.S. Securities and Exchange Commission (SEC) in December 2009 approved rules that will expand corporate proxy disclosure regarding risk management, compensation and corporate governance matters. This heightened focus on enterprise risk management has some corporate executives wondering if this simply means a heavier compliance burden — or if value can be created by leveraging existing processes to more effectively manage risk.
A primary driver of ERM-related concerns is confusion about ERM and its interrelationship with corporate governance and internal controls. Corporate governance is focused on holding management accountable for achieving its goals to the satisfaction of shareholders and other key stakeholders. An effective ERM process:
For example, a firm with a low appetite for risk should be setting more modest strategic objectives than a firm with a higher appetite for risk-taking. Because planning, organizing and controlling are central to risk management, ERM is focused more at the strategic level. However, ERM recognizes that businesses face risks all the time; therefore, establishing risk appetite and risk tolerance facilitates the decision-making process and clarifies responsibilities and accountabilities consistent with effective corporate governance. Internal controls, on the other hand, are more focused on the day-to-day process level – they are a subset of ERM, which is a subset of corporate governance (see chart).
Most organizations already have an effective system of internal controls that focuses on operations, reporting and compliance. ERM moves beyond internal controls in its connection to strategy-setting. The following table compares the Committee of Sponsoring Organizations (COSO) definition of internal controls with the COSO definition of ERM and highlights where ERM builds on and moves beyond internal controls: (see chart).
While internal control and ERM both have the purpose of providing greater assurance regarding the achievement of objectives, ERM is broadly applied: it takes an entity-level portfolio view of risks that will be considered in strategy setting, as well as the organization’s risk appetite. It is also helpful to compare the components of internal control to the components of ERM, again as defined by COSO: (see chart).
Two additional key components of ERM are: the role ERM plays in setting objectives by accounting for the organization’s existing risks and appetite for risk and the choice of response to risks — again based on the organization’s risk appetite. Internal controls are one means of responding to risks, but there are numerous others as well, such as insurance programs, disaster recovery plans, financial hedges, diversification efforts, etc.
How can a firm implement ERM so that it adds value for shareholders? An important first step is developing a list of the top risks facing the organization and then prioritizing those risks based on the expected severity of impact and likelihood of occurrence. Organizations should leverage risk-assessment work that has already been done by their independent and internal auditors. That top-level risk list can be used in strategy-setting, to help the organization consider how new strategic initiatives could add to or reduce existing risks. It should also be used in communications with the board, to assist the board with its oversight role.
Having a shared understanding of the most significant risks should also help the organization focus on the best way to monitor those risks going forward — and to formulate a response plan before a risk event occurs. As the organization realizes value from these simple first steps, it can begin to extend ERM further into the organization and, ultimately, develop greater sophistication in its risk management processes by embedding ERM in the decision-making process and culture of the company.
Bonnie Hancock is the executive director of the NC State University Enterprise Risk Management (ERM) Initiative and a lecturer in accounting at NC State’s College of Management. She also is a director of AgFirst Farm Credit Bank and a consultant to boards and senior management teams on matters involving ERM and strategic planning.
She will be speaking at the AICPA and NC State’s ERM Initiative’s 1.5-day workshop, Board and Senior Management Roles in Risk Oversight: Taking a Strategic View of the Enterprise, Scottsdale, AZ, March 25-26, 2010.