ERM 101, An Introduction to Enterprise Risk Management
To understand the importance and relevance of enterprise risk management (ERM) in the current financial regulatory environment, one need only look to the real-life challenges faced by Boards of Directors (Boards) in developing their strategic plan and by Senior Management (Management) in implementing and executing the resulting strategic objectives.
Risk identification (of both upside risk, "opportunities", and downside risk, "challenges") follows as the natural next step in the execution of a Board's strategic plan. A simple way to think about this process: a Board's strategic plan answers the question "where do you want to go?"; the Board's strategic objectives answer "how do we get there?"; and risk identification answers "what uncertainties could help or hinder us in achieving these objectives?"
ERM is a process designed to help identify potential risk events that may affect an institution, to manage risk so that it stays within an acceptable level, and to provide reasonable assurance regarding the achievement of institutional objectives.
A brief history
The National Commission on Fraudulent Financial Reporting, usually referred to as the "Treadway Commission" after its chairman, former SEC Commissioner James C. Treadway, Jr., was formed in 1985 out of a need for improved internal controls and a reduction in fraudulent corporate financial reporting.
Questionable corporate political campaign finance practices and foreign corruption practices in the mid-1970s, together with such domestic failures of the mid-1980s as Drysdale Government Securities, Washington Public Power Supply System, Baldwin-United Corp., and E.S.M. Government Securities, led the U.S. Securities and Exchange Commission (SEC) and Congress to hold hearings into the causes of these failures, focused on whether they could have been avoided by, among other things, better audit practice. Soon after, Congress enacted campaign finance law reforms and the 1977 Foreign Corrupt Practices Act (FCPA), which criminalized trans-national bribery and required companies to implement internal control programs. The Treadway Commission was formed in response.
The Treadway Commission studied the financial information reporting system over the period from October 1985 to September 1987 and issued a report of findings and recommendations in October 1987, Report of the National Commission on Fraudulent Financial Reporting. As a result of this initial report, the Committee of Sponsoring Organizations (COSO) was formed to study the specific audit/control issues and author a report regarding an integrated framework of internal control.
COSO is a voluntary private sector organization dedicated to improving organizational performance and governance through effective internal control, enterprise risk management and fraud deterrence. COSO is jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), IMA (Institute of Management Accountants), and The Institute of Internal Auditors (IIA).
COSO's primary goal is to provide "thought leadership" on three inter-related subjects: ERM, internal control, and fraud deterrence.
In September 1992, the four-volume report entitled Internal Control— Integrated Framework was released by COSO and later re-published with minor amendments in 1994. This report presented a common definition of internal control and provided an early ERM framework against which internal control systems may be assessed and improved.
Regarding ERM, in 2004, COSO issued Enterprise Risk Management – Integrated Framework. This framework was since updated in 2017 with the release of Enterprise Risk Management – Integrating with Strategy & Performance which highlights the importance of considering risk in both the strategy-setting process and in driving performance.
What is Risk?
In its most basic form, risk is defined as an uncertain event, which exists in the future, has a cause and an effect that may be positive or negative, and impacts an institution's or organization's strategic objectives. Risks which have a positive effect on an institution, such as a competitor's downfall or an improved market share, are known as "upside risks." Conversely, those with a negative impact on an institution or organization, such as a data breach or a natural disaster, are considered "downside risks." In short, risk can be defined as the effect of uncertainty on objectives; in our case, a financial institution's strategic objectives as defined by its Board's strategic plan.
In the COSO/ERM context, you may see risks referred to in terms of “risk categories.” These risk categories were established to assist in the broad identification of types of risk across an enterprise. This categorization of risks allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories – a particular risk/objective can fall into more than one category – address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of risk.
- STRATEGIC RISK arises from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the financial institution’s strategic goals. The use of a third party to perform financial institution functions or to offer products or services that do not help the financial institution achieve corporate strategic goals and provide an adequate return on investment exposes the financial institution to Strategic Risk.
- REPUTATION RISK arises from negative public opinion that could harm the reputation and standing of the financial institution. Examples of reputation risks include dissatisfied customers, interactions not consistent with financial institution policies, inappropriate recommendations, lawsuits or enforcement actions, security breaches resulting in the disclosure of customer information, and violations of law and regulation. Any negative publicity involving the institution or an affiliated third party, whether or not it’s related to the financial institution’s use of the third party, could result in Reputation Risk.
- OPERATIONAL RISK arises from inadequate or failed internal processes, people, and systems, or from external events. Third-party relationships often integrate the internal processes of other organizations with the financial institution's processes and can increase overall operational complexity.
- TRANSACTION RISK arises from service or product delivery issues due to problems like inadequate capacity, technological failure, human error, or fraud, which could result in threats to security and the integrity of the financial institution’s systems and resources, unauthorized transactions, or the inability of the financial institution to transact business as expected. The lack of an effective business resumption plan and appropriate contingency plans or weak control over technology used in the third-party arrangement may also result in Transaction Risk.
- CREDIT RISK arises if a third party (or any other creditor necessary to the third-party relationship) is unable to meet the terms of the contract with the financial institution or otherwise fails to perform financially as agreed. The basic form of Credit Risk involves the financial condition of the financial institution itself. Credit Risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers, conduct underwriting analysis, or set up products for the financial institution. Appropriate monitoring of the third party's activity is necessary to ensure that Credit Risk is understood and remains within board-approved limits.
- COMPLIANCE RISK arises from violations of laws, rules, or regulations, or from noncompliance with the financial institution’s internal policies, procedures, or business standards and exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies, ethical standards, or lending practices that are discriminatory. Third party ability to maintain the privacy of financial institution customer records and to implement an appropriate information security and disclosure program is another compliance concern due to the potential liability when third parties experience security breaches involving financial institution customer information. Compliance risk is exacerbated when a financial institution has inadequate oversight, monitoring or audit functions.
What is ERM?
Enterprise-wide risk management is a process designed to identify potential events that may affect an institution and to manage risk so that it stays within an acceptable level, providing reasonable assurance regarding the achievement of institutional objectives. It is a tool to enhance management decision-making, corporate governance, and accountability. ERM facilitates effective management of the uncertainty, and the associated risks and opportunities, facing an organization; it helps an organization get where it wants to go while avoiding pitfalls and surprises along the way.
ERM is broader and deeper than the traditional risk models of the past. The enterprise-wide approach considers the potential impact of all types of risk on all processes, activities, stakeholders, products and services. It looks at both upside risk (opportunities) and downside risk (potential losses or damage). It provides a proven method to assess risk and opportunity in the context of strategic objectives. ERM further enhances existing strategic planning and budgeting processes by tying strategic goals and objectives to identified risks and using ERM to manage those risks.
The ERM Risk Management Process
- Strategic Plan development – the Board must first develop and declare an institution’s mission, goals and values in its strategic plan.
- Strategic Objective setting – the Board must then set measurable objectives/goals for achieving its strategic plan.
- Risk Identification – internal and external events affecting achievement of objectives must be identified, distinguishing between risks and opportunities. Risks are identified on an inherent and a residual basis. Identification of risks also assists the institution in development of an acceptable risk appetite and acceptable residual risk threshold(s).
- Risk Assessment – risks are analyzed, considering likelihood (probability) and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Key Risk Indicators (KRIs) – the institution can then brainstorm and establish key risk indicators (i.e. measurable quantitative or qualitative factors that must be addressed in terms of the institution's risk appetite) that can be tracked and that assist in the monitoring of identified risks.
- Risk Response – management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with desired outcomes.
- Mitigation Activities – policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Monitoring – accomplished through ongoing management activities and separate internal and external evaluations.
ERM = Identify, assess, mitigate and monitor
In conclusion, ERM is the process which governs the modern institution's ability to set goals, identify risks to achieving those goals, and establish a solid process for ongoing mitigation and monitoring to ensure success. It begins with the strategic plan. An institution's strategic plan identifies and assesses the institution's mission, goals and values. The plan in turn drives the identification and assessment of the strategic objectives/goals key to achieving the plan. Once goals/objectives are identified and assessed, the upside and downside risks associated with achieving them are identified and assessed. Risk assessments are then used to analyze risk impact and probability, as well as to identify and assess the effectiveness of controls. The risk assessment process gives the institution an accurate snapshot of inherent risk, controls, and residual risk. Once strategic goals and objectives are tied to identified risks, the institution can identify and assess KRIs as a means of successful mitigation and ongoing monitoring. Assessments and KRIs can be invaluable tools for an institution to take intelligent and effective actions (i.e. risk responses, mitigation activities and ongoing monitoring). Ultimately, the institution makes decisions on risk response and adjusts its ongoing monitoring to accommodate changing risks.
Nrisk – Your Control Center for Enterprise Risk Management
Still using fragmented, manual processes for risk management? Step into the 21st century. Nrisk is a dynamic enterprise risk management solution that measures potential impacts continuously, for the closest thing to real-time risk management you can get. Constant control monitoring in the form of weekly data collection prevents risk factors from building up, as opposed to quarterly manual processes, which produce results that are out-of-date by the time you’re reading them.