Enterprise Risk Management - Creating Value in a Volatile Economy


Addressing the concerns of the Corporate Governance Community, Summer 2009
CorporateGovernor Series
Enterprise risk management: Creating value in a volatile economy
1 Enterprise risk management: Creating value in a volatile economy
Contents
2 Introduction
3 ERM frameworks
4 Why enterprise risk management (ERM)?
5 Your credit rating may depend on it
7 Rethink risk management in a down economy
10 Create stronger governance and corporate compliance
12 Identify strategic opportunities
13 Next steps
14 Conclusion
15 Appendices
A Business unit risk organizational chart
B Business unit risk management roles and responsibilities
Introduction

Risk is a reality of doing business. Whether large or small, public or private, domestic or international, companies today operate in a risk-filled world. In many cases, risk is necessary for long-term operational success; however, failure to control risk effectively can often lead to just the opposite, including damaged reputation, loss of profits, disruption in productivity or, in severe cases, the end of the entity altogether.

Although other priorities in running a business may have trumped risk management in the past, the planning and implementation of a formal program to better identify and oversee risk is of particular importance today. That is, in the current economic downturn, risk can emerge from both expected and unexpected channels relative to the past. In order to weather this economic storm, organizations must respond proactively, taking the proper steps to ensure they are assessing, prioritizing and managing all risks – both old and new – in a strategic and consistent way.

Enterprise risk management (ERM) is the leading approach to managing and optimizing risks, enabling a company to determine how much uncertainty and risk are acceptable to an organization. With a company-wide scope, ERM serves as a strategic analysis of risk throughout an organization, cutting across business units and departments, and considering end-to-end processes. In adopting an ERM approach, companies gain the ability to align their risk appetite and tolerance with business strategy by identifying events that could have an adverse effect on their organizations and then developing an action plan to manage them.

Furthermore, by applying ERM in conjunction with other operational elements in the current business environment, companies can also accomplish many of their governance-related tasks. Specifically, ERM can help organizations:
• Identify strategic risk opportunities that, if undertaken, can facilitate achieving organizational goals.
• Provide senior management with the most up-to-date information regarding risk that may be used in the decision-making process.
• Use the Sarbanes-Oxley compliance process to assist in identifying key financial risks.
• Establish co-dependency between the ERM initiative and considerations for Securities and Exchange Commission (SEC) reporting disclosures and other laws and regulations.
• Align annual performance goals with risk identification and management.
• Encourage and reward upstream reporting of business-risk opportunities and challenges.

Proper risk management allows organizations to examine and evaluate opportunities and create value by taking risks carefully.
ERM frameworks

There are various ERM frameworks that a company could potentially follow – all of which should define the essential components, suggest a common language and provide clear guidance for enterprise risk management. In addition, each framework that is implemented should also describe an approach for identifying, analyzing, responding to, and monitoring risks and opportunities facing the enterprise.

Among the more widely known frameworks and the related ERM definitions that they promulgate are:
• In its 2004 ERM framework,[1] the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as “… a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
• The Australian and New Zealand Standard on risk management defines the risk management process as “the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk” (1.3.21).[2]

In addition, other ERM definitions that drive the establishment of risk management frameworks include:
• The Institute of Internal Auditors (IIA) defines ERM as “a structured, consistent and continuous process across the whole organization for identifying, assessing, and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.”[3]
• The insurance rating agency A.M. Best defines ERM as “a process by which companies systematically identify, measure, and manage the various types of risk inherent within their operations.”[4]

[1] The Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management — Integrated Framework (2004)
[2] Joint Technical Committee OB-007, Risk Management, “AS/NZS 4360:2004” (August 2004)
[3] The Institute of Internal Auditors, Position Statement: “The Role of Internal Audit in Enterprise-wide Risk Management” (September 2004)
[4] A.M. Best, “Best Rating Methodology: Risk Management and Rating Process for Insurance Companies” (January 2008)
Why enterprise risk management?
North Carolina State University in partnership with the
American Institute of Certified Public Accountants recently
conducted the Report on the Current State of Enterprise Risk
Oversight in an effort to gain a better understanding of ERM
practices across a wide range of organizations. Surveying
approximately 700 companies, the research study found that
more than 60 percent of respondents believed that the volume
and complexity of risks have changed “extensively” or “a great
deal” in the last five years. However, despite these sentiments, 44
percent of respondents had no enterprise-wide risk management
process in place and had no plans to implement such a system.
In response to this answer, survey participants whose
organizations had not implemented an ERM process were
asked to provide some perspective into this decision.
While respondents could list more than one reason, the
most common response (53 percent) was that they believed
risks are monitored in other ways besides ERM. The next
most common responses were “no requests to change our risk
management approach” have been made (29 percent) and “too
many pressing needs” keep them from launching an ERM
process (24 percent). Of those same respondents, 18 percent also
noted a belief that they “do not see benefits exceeding the costs.”
The question becomes then, in a severe economic downturn
where companies are plagued with shrinking budgets and limited
personnel, what is the real value of investing time and money
into a strong ERM program?
Why ERM: Your credit rating may depend on it

In the current economic state, lending has nearly come to a standstill. Companies must now demonstrate their creditworthiness more than ever before in order to gain financing. The current credit crunch has squeezed many organizations to their breaking point, leaving those companies unable to pay back lenders in a dangerous position, potentially leading to cutbacks in production, decreased market share, layoffs or even the end of the business.

With access to capital limited, a company’s credit rating has become vital to its borrowing power, which is where ERM comes into play. In 2005, Standard & Poor’s (S&P) began analyzing the financial service industry’s ERM practices, developing criteria for assessing the ERM procedures of financial institutions and insurance companies. Then in 2006, S&P expanded its analytical approach for assessing the trading risk management practices of energy companies. This led to the integration of ERM analysis into the rating process of energy trading firms in electricity marketing and agribusiness.[5]

Following the successful addition of ERM analyses to the ratings of these sectors, S&P concluded that nonfinancial organizations could also benefit from ERM analysis, providing meaningful insight into those companies’ management capabilities and corporate governance.

As a result, ERM became a far more serious focus for corporate America in 2008 as S&P began incorporating ERM analysis into the credit-rating process for nonfinancial companies. As part of the new S&P approach, organizations that fail to implement ERM in a formal, strategic way are in danger of suffering ratings downgrades. Alternatively, companies that fully adopt ERM can improve their credit ratings, while also benefiting from the other aspects of having a strong ERM program.

In evaluating the credit ratings of nonfinancial institutions, S&P will focus on two universal components[6] of ERM – risk management culture and strategic risk management.

Risk management culture includes:
• risk management organizational and governance structures
• roles, capabilities and accountabilities of risk management staff
• risk management communications and transparency
• risk management policies and metrics
• influence of risk management on budgeting and management compensation

Strategic risk management includes:
• management’s view of the most consequential risks, including their likelihood and potential effect on credit
• frequency with which top risks are identified and how often the identification is examined and updated
• influence of risk sensitivity on liability management and financing decisions
• role of risk management in strategic decision-making

Throughout 2009, S&P plans to gather risk information through its regular review meetings with rated nonfinancial companies, resulting in the development of reliable ERM performance benchmarks.

Once appropriate benchmarks are established, S&P plans to publish criteria that will eventually lead to evaluation metrics and possible scoring measures of ERM capabilities, with the end goal being to enhance the evaluation of management performance, an existing part of the rating agency’s analytical framework. S&P intends to score ERM performance very broadly at first, using qualitative terms such as “favorable ERM” versus “unfavorable ERM,” with the hopes of developing more quantitative metrics over time.

The touchstone for scoring ERM capabilities will be evaluating whether a company consistently identifies, assesses and manages exposures to risk and losses within predetermined tolerance objectives. S&P does not expect to score ERM capabilities until at least late 2009, giving companies time to put robust ERM implementation processes in place.

Insurance industry

The insurance industry is no stranger to enterprise risk management and its role in the credit rating process. Since 2005, S&P has included an ERM analysis in its rating evaluations of financial institutions and insurance companies, utilizing a six-step economic capital (EC) model. Credit agency Fitch Ratings has developed its “Prism” model that analyzes an insurer’s EC by determining capital adequacy using a conjectural measure. The model was created in 2006 and has since been utilized as a “beta” version for testing and development purposes. Moody’s is currently building its own model to analyze an insurer’s EC adequacy that includes a scorecard for each component of its model. This information, combined with Moody’s opinion of the EC method in use and of the insurer’s capital strength, will determine a company’s overall ratings. Lastly, credit agency A.M. Best Company has also developed a proprietary capital model, which determines a Best’s Capital Adequacy Ratio (BCAR) that is based on a company’s balance sheet, operating metrics and overall business health.

To learn more, please visit the rating agencies’ Web sites:
• Standard & Poor’s: www.standardandpoors.com
• Fitch Ratings: www.fitchratings.com
• Moody’s: www.moodys.com
• A.M. Best Company: www.ambest.com

[5] For more information about Standard & Poor’s review of ERM practices, visit www.erm.standardandpoors.com
[6] For now, S&P has deferred consideration of the other two applicable components of ERM that they initially were going to also factor into the process – emerging risk management and risk-control processes. The background and framework will be communicated later this year.
Why ERM: Rethink risk management in a down economy

Risk is active, and therefore, constantly evolving due to ongoing changes in external and internal factors. Whether there are modifications in business systems or processes, or events in the industry, a company with a strong ERM strategy will periodically review its program and risk profile, allowing management in charge to respond to these changes as needed.

Since the start of the current recession, an array of risks have bombarded organizations – some emerging and others more common – that may have been underestimated or overlooked in the past when the economy was more stable. In light of this change, companies must now take a more comprehensive approach in identifying risk events that could potentially affect the achievement of business objectives. This begins by thinking in a different way – creatively, abstractly, broadly – considering all possible incidences on an entity and business unit level, as well as those other factors that could combine and interact to influence the risk profile (Table 1).

Quantifying all risk is difficult. For emerging risks, very little, if any, relevant historical information is available. Unfortunately, this can serve as a stumbling block for ERM, which is contingent on ensuring that all significant risks are captured and incorporated into a framework. This is done to facilitate the holistic approach to managing risk that is the foundation of an effective ERM process.

Table 1: Risks to consider in the down economy
Risk types covered: Financial, Compliance, Strategic and Operational.
Risks:
• Reporting integrity
• Financial statements/disclosures are misstated according to accounting/industry standards
• Insufficient liquidity
• Lack of reliability in the systems reporting key financial data
• Non-compliance with employment practices (FMLA, EEO, etc.)
• Environmental contamination
• Record retention policy
• Regulatory noncompliance
• Inability to meet contractual obligations
• Acquisitions and strategic alliances
• Strategic planning does not consider external impacts
• New products and services
• Customer demand shortfall
• Disruptive technologies
• Loss of key personnel
• Supply chain failures
• Obsolete technology
• Insufficient information technology governance
• System security vulnerabilities
• Inadequate recording/oversight of financial information
• Estimates are not adequate
• Interest rate/market risk
• Foreign currency exchange
• Credit risk
• Breaching existing capital requirements
• Non-adherence to debt covenants
• Data used to support compliance is unreliable
• Fraud
• Competitive pressure
• Loss of key customers
• Misaligned products
• Counterparty failures
• Customer pricing pressure
• Business concentration
• Natural disasters
• Acts of terror
• Third-party outsourcing
• Security breaches
• Lack of business continuity/disaster recovery planning
• Off balance sheet risk
• Product-liability risk
• Tax rate risk
• Transactions are not properly approved
• Inability to raise capital
• Asset/liability risk
• Investment risk
• Adherence to 401K/benefit plan requirements
• Insider trading
• OSHA violations
• HIPAA violations
• Distribution strategy
• Litigious trends and judicial uncertainty
• Research and development
• Reputation risk
• Insufficient governance structure and practices
• Service quality
• Project/change management
• Business disruption/system failures
• Lack of sufficient contractual oversight
• Process control risk
Not surprisingly then, the management of high-impact, rare risks is often the greatest challenge in the ERM process. One method for looking at these and other risks is through the use of a risk profile (Figure 1), where risk events are positioned on the diagram based on their impact and likelihood. Once an event’s placement is made and the analysis completed (Table 2), the necessary risk management actions can then be determined.
Figure 1: Sample risk profile (a grid with Impact I–IV on the vertical axis and Likelihood A–F on the horizontal axis; risk events 1 and 2 from Table 2 are plotted on it)
Impact: I – Marginal; II – Material; III – Critical; IV – Catastrophic
Likelihood: A – Almost impossible; B – Remote; C – Low; D – Probable; E – Reasonably probable; F – Very high
Table 2: Sample risk analysis report
Columns: # | Risk/Risk event | Trigger | Consequences | Current controls | Key risk indicator | Risk response | Profile | Rating

Risk 1: Loss of key customer (financial/strategic risk).
  Trigger: Pricing pressures due to economic conditions and/or competition.
  Consequences: Decrease in revenue and liquidity.
  Current controls: Monitoring of current client base. New product development process.
  Key risk indicator: Change in market share. Decrease in customer demand and/or timeliness of payment.
  Risk response: Increase monitoring of competitors. Use of customer surveys. Increase modeling of customer base and demands.
  Profile: III D
  Rating: High

Risk 2: Lack of continuity associated with management turnover and reorganization resulting in failure to meet strategic goals (strategic risk).
  Trigger: Personnel change without sufficient knowledge transfer.
  Consequences: Lack of familiarity with business model resulting in incorrect accounting, broken commitments and/or insufficient knowledge of business arrangements.
  Current controls: Strategic plan exists and roles and responsibilities are defined. Board approves appointment of key executives. Key executives establish organizational structure and appoint necessary personnel to complete organizational goals.
  Key risk indicator: Analysis of current industry and organizational turnover trends. Analysis of results from employee exit interviews.
  Risk response: Formal succession planning and cross training of positions implemented. Planning committees appointed to address key personnel changes in the organization.
  Profile: III C
  Rating: High
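The risk profile (Figure 1) and the risk analysis report (Table 2) are usually kept as a risk register. The following Python is an added illustration, not code from the paper or from Grant Thornton: it places risk events on the Figure 1 grid using the paper's impact (I–IV) and likelihood (A–F) scales, derives a Low/Medium/High rating, and lists the events that sit above a predetermined tolerance, worst first. The rating bands and the tolerance value are assumptions of this example (the paper only shows that profiles III C and III D rate “High”), and the last two register entries are constructed rather than taken from Table 2.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """Figure 1 impact scale (the paper's labels I to IV)."""
    MARGINAL = 1       # I
    MATERIAL = 2       # II
    CRITICAL = 3       # III
    CATASTROPHIC = 4   # IV


class Likelihood(IntEnum):
    """Figure 1 likelihood scale (the paper's labels A to F)."""
    ALMOST_IMPOSSIBLE = 1    # A
    REMOTE = 2               # B
    LOW = 3                  # C
    PROBABLE = 4             # D
    REASONABLY_PROBABLE = 5  # E
    VERY_HIGH = 6            # F


ROMAN = {Impact.MARGINAL: "I", Impact.MATERIAL: "II",
         Impact.CRITICAL: "III", Impact.CATASTROPHIC: "IV"}
LETTER = "ABCDEF"


@dataclass
class RiskEvent:
    """One row of a Table 2 style risk analysis report."""
    name: str
    impact: Impact
    likelihood: Likelihood
    trigger: str
    consequences: str
    controls: list = field(default_factory=list)
    key_risk_indicators: list = field(default_factory=list)
    responses: list = field(default_factory=list)

    def profile(self) -> str:
        """Grid position in the paper's notation, e.g. 'III D'."""
        return f"{ROMAN[self.impact]} {LETTER[self.likelihood - 1]}"

    def score(self) -> int:
        """Ordinal product (1..24) used to band the rating; an assumption."""
        return int(self.impact) * int(self.likelihood)


def rating(event: RiskEvent) -> str:
    """Band the score into Low/Medium/High.

    Thresholds are assumed: the paper only shows III/C and III/D as High,
    so the bands are chosen to agree with those two data points.
    """
    s = event.score()
    if s >= 9:
        return "High"
    if s >= 5:
        return "Medium"
    return "Low"


def outside_tolerance(register, max_score: int):
    """Events whose score exceeds the predetermined tolerance, worst first."""
    over = [e for e in register if e.score() > max_score]
    return sorted(over, key=lambda e: e.score(), reverse=True)


def report(register):
    """(name, profile, rating) rows, i.e. the Profile/Rating columns of Table 2."""
    return [(e.name, e.profile(), rating(e)) for e in register]


def sample_register():
    """Constructed register: the two Table 2 rows plus two made-up events."""
    return [
        RiskEvent("Loss of key customer", Impact.CRITICAL, Likelihood.PROBABLE,
                  trigger="Pricing pressures due to economic conditions and/or competition",
                  consequences="Decrease in revenue and liquidity",
                  controls=["Monitoring of current client base",
                            "New product development process"],
                  key_risk_indicators=["Change in market share",
                                       "Decrease in customer demand or timeliness of payment"],
                  responses=["Increase monitoring of competitors", "Customer surveys",
                             "Increase modeling of customer base and demands"]),
        RiskEvent("Lack of continuity from management turnover", Impact.CRITICAL,
                  Likelihood.LOW,
                  trigger="Personnel change without sufficient knowledge transfer",
                  consequences="Incorrect accounting, broken commitments",
                  controls=["Strategic plan with defined roles and responsibilities",
                            "Board approves appointment of key executives"],
                  key_risk_indicators=["Turnover trend analysis", "Exit interview results"],
                  responses=["Succession planning and cross training",
                             "Planning committees for key personnel changes"]),
        # Constructed events (not on the page) to exercise the other bands.
        RiskEvent("Natural disaster at primary site", Impact.CATASTROPHIC, Likelihood.REMOTE,
                  trigger="Regional flood", consequences="Extended business disruption",
                  controls=["Offsite backups"], key_risk_indicators=["Flood warnings"],
                  responses=["Business continuity / disaster recovery planning"]),
        RiskEvent("Minor record retention lapse", Impact.MARGINAL, Likelihood.LOW,
                  trigger="Policy not refreshed", consequences="Regulatory query",
                  controls=["Annual policy review"], key_risk_indicators=["Audit findings"],
                  responses=["Update retention schedule"]),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for name, prof, rate in report(reg):
        print(f"{prof:6} {rate:6} {name}")
    print("Outside tolerance (score > 8):", [e.name for e in outside_tolerance(reg, 8)])
```

Running the block prints the Profile and Rating columns for the four events and then the two Table 2 events, which are the only ones above the assumed tolerance of 8. Because the grid is ordinal, the product score is only a way to order cells consistently; an organization would normally replace `rating()` with the band boundaries its board has actually approved as its risk tolerance.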
As noted previously, one of the benefits of ERM is that it
looks at a full range of possible events, enabling a company to
identify all of its risks, as well as potential areas of opportunity.
Scenario analysis can assist in this process in that several diverse
risk events are analyzed in conjunction with various possible
future events over a period of time (e.g., one to three years).
In the scenario process, not only does an organization seek to
identify events that may not have occurred in the past, but it also
helps to assess the likelihood of an event or events and related
risk event correlations. Moreover, as there are significant new
risk events occurring today that were not considered in the past,
having a successful scenario analysis process in place is integral in
the ongoing management of risk.
Why ERM: Create stronger governance
and corporate compliance
More frequently than not, shareholders and regulators are
now demanding greater corporate transparency, making
strong corporate governance a necessary component to almost
every business. Enterprise risk management can contribute
to successful, compliant and effective governance, enabling
companies to better understand and measure those risks
that threaten strategic objectives. Moreover, ERM provides
information that helps quantify business performance, narrow
the focus of controls and streamline compliance efforts.
As part of this process, some organizations have begun to
use their risk objectives to create an integrated governance, risk
and compliance (GRC) management framework to help drive
their compliance initiatives (Figure 2). This strategy is promoted
by the Open Compliance and Ethics Group (OCEG), of which
Grant Thornton is a founding member. By establishing a GRC
framework, companies are able to set their governance and
enterprise risk objectives first, and then use these objectives
to define compliance control requirements.
Figure 2: Integrated governance, risk and compliance (GRC)[7]
(Governance, Risk Management and Compliance are depicted together, surrounded by Culture.)
Governance
• set and evaluate performance against objectives
• power to authorize a business strategy and model
to achieve objectives
Risk Management
• proactively identify and rigorously assess and
address potential obstacles to achieving objectives
• identify and address risks that the organization
will step outside of mandated and voluntary
boundaries
Culture
• establish an organizational climate and mind-sets
of individuals that promote ethical behavior, trust,
integrity and accountability
Compliance
• proactively encourage and require compliance
with established policies and
• detect noncompliance and respond accordingly
[7] Open Compliance and Ethics Group (OCEG)
Furthermore, the integration of governance, risk management,
compliance and ethics can also help an organization more
effectively and efficiently drive performance. Governance
establishes objectives and, at a high level, the boundaries inside
of which an entity must operate. Risk management helps a
company identify and address potential obstacles to achieving
objectives. Compliance management ensures that the boundaries
are well set, and that the organization does indeed conduct
business within those boundaries. Finally, a strong culture
provides a safety net when formal controls and structures are
weak or nonexistent while, at the same time, providing an
environment that helps the workforce reach its highest level
of productivity. High-performing organizations master and
integrate these disciplines for maximum effectiveness and
responsiveness, allowing their companies to leverage
innovation in one area across the entire enterprise to
address all set requirements.
Last, but certainly not least, an effective ERM program
enhances a company’s governance structure in that the “tone
at the top” message is promulgated as one where compliance
with laws, regulations and internal policies and procedures is
mandatory and non-compliance is unacceptable. This assists
in motivating desired conduct and provides assurance to
management that they are operating within legal, contractual,
internal, social and ethical boundaries. Moreover, ERM further
assists in establishing the fundamentals of a good governance
environment and structure, promoting a common risk language
and collaboration on risk management issues throughout the
organization (e.g., sharing of any risk issues identified by
internal audit, compliance officer and others).
Why ERM: Identify strategic opportunities
Historically, enterprise risk management has been largely
viewed as eliminating or reducing risk exposures. However,
more companies are beginning to understand that this focus
is too narrow or constraining in aiding a company to meet its
goals. That is, risk is not merely a negative for an organization,
but should also be viewed as being potentially positive. By
accepting and managing risk, companies have the ability to
measure the likely reward for taking on some risk. They have
the ability to maximize profit and increase shareholder value
by limiting some risks and exploiting others.
Therefore, risk tolerances and related risk profiles should
be established to meet organizational strategic objectives, and
they should be promulgated throughout organizations. This
highlights the importance of how much risk to take and what
type of risk is critical to the success of the business. Risk must
be understood and measured not only in everyday decisions,
but also in creating innovation within an organization. This
is a more complete view of risk management, which entails
strategic risk management and incorporating risk considerations
in the strategic planning process. Companies must view risk as
potential opportunity while also understanding there are possible
undesirable outcomes. The future success of companies will
depend on the ability to weigh the expected risks versus rewards
on an ongoing basis. Successful companies need a complete
understanding of ERM, which analyzes what risks to avoid
and what risks to exploit. Also critical is implementing a
financial planning process, which is a part of an integrated
strategic and risk management program. This process needs
to be consistently updated and should measure the risks taken
and related results in conjunction with an organization’s
overall risk profile and risk tolerance.
Next steps
It’s easy to dismiss any new process as unnecessary overhead
in times of financial unrest. However, ERM is justifiably
different in that, when properly implemented, it not only
provides improved risk information for better decision-making,
but also overlaps with many measures already undertaken by
organizations to comply with regulations. In establishing such
a process, there are several helpful steps that a company should
consider. They include:
1. Clearly define the organization’s risk appetite and
communicate it throughout the organization.
A proper “tone at the top” is established through actions
demonstrating that risk management is a key component of
organizational success. The development of a formal risk policy
statement, risk policy manual, risk committees and applicable
governing charters is integral to this process, helping to solidify
a superior risk awareness tone and culture. It’s important to
note that a punitive culture should be avoided, as it reduces the
possibility that all risk scenarios and related failures and learnings
are communicated to improve a company’s risk management
practices.
2. Create a documented risk management structure.
While many organizations have risk management practices in
place, a formally documented ERM framework is not always
present. That is, although companies may believe they utilize
an ERM framework that generally follows the COSO ERM
guidance, without sufficient formal risk management practices,
the likelihood of unidentified, insufficiently captured and/or
monitored risks and/or related opportunities is greatly increased.
Organizations should assess what practices are already in use
and leverage them into a structure that ensures a “top-down,
bottom-up” approach, such that all corporate business units,
local and geographical risks are identified and evaluated.
Where applicable, companies should build on what already
works, enhance what they already have in place and standardize
wherever possible. Furthermore, even if a program is working
well, an organization should continue to review its practices for
weaknesses that may evolve with changing business conditions.
3. Create a uniform risk language, as well as define and
communicate risk-related roles and responsibilities.
By establishing the necessary risk committees and ensuring
the appropriate individuals know what is expected of them,
the potential success of an ERM program is notably enhanced.
Additionally, creating management objectives, including
incentive compensation that is tied to risk management goals,
may also help in this process (see Appendices A and B).
4. Maximize the use of technology.
Technology is a key component of any successful ERM
initiative. As long as the necessary risk data is available,
technology can be used to facilitate the creation of necessary
reports and related monitoring tools.
5. Address risks in the strategic planning and
decision-making process.
The strategic planning process should be one that is continuous,
whereby obstacles, threats and potential impacts are addressed. It
should also include regular reporting of risk metrics to the board
and related management.
Depending on the maturity of a business and the formality
of its risk management program, an organization may even
benefit from a third-party review and consultation. Utilizing
outside consultants can help a company review, monitor,
assess and improve its risk management capabilities over time.
With these steps, a company can create an ERM solution
that improves risk information, leading to stronger strategic
decisions, fewer surprises and enhanced governance.
Conclusion
At its heart, ERM is a forward-looking, process-oriented
approach that provides business intelligence to companies to
help better plot the future and make more informed decisions.
When implemented correctly, ERM can provide organizations
with a means of leveraging risks for greater performance,
building a foundation for competitive advantage and ultimately
establishing themselves as market leaders.
In theory, it is easy to understand how ERM could
potentially add value to any organization, yet in reality,
assigning the time and resources to create an ERM initiative is
often overlooked. Strategic balance is needed. Organizations
that embrace ERM and build it into the core of their enterprise
should no doubt anticipate reaping the fruits of their labor. At
the same time, companies must also realize that implementing
such a program is far from easy and cannot happen overnight if
done properly. However, for those organizations that choose to
weather this economic storm with the aid of ERM, the benefits
of their efforts today will likely remain long thereafter.
For more information on the topics covered in this publication, please contact:

Michael Rose, Partner, Advisory Services
T 215.376.6020
E [email protected]

Bill Mellon, Senior Manager, Advisory Services
T 215.376.6087
E [email protected]

Bailey Jordan, Partner, Advisory Services
T 336.271.3965
E [email protected]

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.
Appendix A: Business unit risk organizational chart

The chart groups roles under two headings, Manage Risk and Oversee Risk, and shows the following boxes:

Board of Directors
• Oversees audit and risk issues

Board Risk Committee
• Oversees risk strategy and tolerance and overall risk effectiveness

Audit Committee
• Responsible for internal control over financial reporting and risk management oversight

Chief Audit Executive
• Provides assurances on risk management processes

Chief Executive Officer
• Overall risk responsibility

Chief Risk Officer
• Overall recommendation, coordination, and monitoring of risk policies

Management Risk Committee
• Members (CFO, CRO, legal compliance, etc.) review risk policies and recommend them to the CEO for approval

CFO
• Assists CEO in risk responsibilities

Business Unit A: CEO; Risk Manager
Business Unit B: CEO; Risk Manager
Other Functions
Appendix B: Business unit risk management roles and responsibilities

Board and, where applicable, Board Risk Committee
• Sets the requirements for superior risk management measurement, monitoring and reporting, as well as the organization’s appetite for risk
• Ultimate strategic oversight of risk within the organization

Board Audit Committee
• Responsible for oversight of the internal controls of an organization, including oversight that appropriate risk management processes are in place

Chief Risk Officer (CRO)
• Recommends risk management policy and tolerance for approval by CEO
• Ensures risks are identified
• Develops risk measurement methodologies and tools to quantify risk and assures such are utilized
• Conducts overall risk coordination
• Analyzes and reports on risk exposures
• Provides ongoing risk training
• In some organizations, takes an active role in assisting line management in developing risk strategies

Chief Executive Officer (CEO) with assistance from Chief Financial Officer (CFO)
• Approves risk policy and tolerance (initially suggested by CRO, then reviewed by Internal Risk Committee)
• Manages overall risk
• Approves risk tolerance
• Takes action to mitigate risk
• Assures proper control environment is in place

Risk Management Committee
• Recommends risk policy and guidelines to CEO and monitors risks

Business Unit CRO
• Assures that each unit’s stated risk management tolerance is baked into each business unit’s planning and budgeting processes
• Similar to BU CEO, with additional monitoring responsibilities

Business Unit Personnel along with CEO/CFO
• Follows organization’s risk policy
• Identifies and reports all risk exposures to CRO and CEO
• Assures risk information is reported to CRO and CEO

Internal Audit
• Assures the Board and Audit Committee that each business unit’s activities effectively manage risk according to the organization’s risk tolerance
• In some organizations, assists in leading the implementation of an enterprise-wide management risk assessment process
© Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton International Ltd
About Grant Thornton’s Advisory Services Practice

Today you need advisors who focus on insightful and innovative solutions for your complex issues, such as complying with changing legislation, managing risk, containing costs, streamlining business processes and identifying strategic transaction opportunities. Grant Thornton’s Advisory Services professionals can deliver value by providing independent advice to public, private and not-for-profit organizations. Our specialists combine insight and innovation from multiple disciplines with a wide range of business and industry knowledge. To learn more, visit www.GrantThornton.com/advisory.