By Michael D. Cohn
Risk management used to be a “trial by fire” method of operation: you waited for something to happen and cleaned up the mess when it did. Today’s world of on-demand information, market fluctuations, and constantly evolving computer vulnerabilities requires a much more proactive approach. Enterprise risk management (ERM) helps business leaders control risk and make decisions swiftly. The challenges for any risk management system stem from the complexity of maintaining and coordinating it. Each new regulatory mandate adds a new project initiative, and these initiatives are usually integrated and maintained with little synchronization between them. By instituting an ERM program, you set the framework for evaluating uncertainties, thereby managing threats and providing the opportunity to build value for your institution. A structured ERM program provides a holistic view of the institution’s business opportunities and risk profile, with the goal of minimizing operational losses while maximizing returns on new business ventures.
Understanding the risk management lifecycle
To better understand the process of ERM, consider the Risk Management Lifecycle. Composed of three separate parts (assessment, audit, and remediation), the lifecycle will help you link previously unconnected activities. First, you assess the likelihood of adverse effects that may result from exposure to vulnerabilities. Following the assessment, the audit examines and validates the controls and records your performance against internal policies and procedures. Lastly, the institution remediates control deficiencies and develops response plans. Having a strong risk management lifecycle in place provides protection against unforeseen business or regulatory changes and is the base process necessary for an effective ERM program.
Two paths for successful ERM
There are two approaches you can take when creating an ERM program, but both take into account the same four elements within the institution: strategy, reporting, compliance, and operations. Which one will work best is best determined by looking at how your institution views its world: operationally or strategically.
If your institution has a business model where the strategic objectives come first, the top-down method will work most effectively. First, you take into account the strategic objectives of the institution. Next, you identify the positive and negative events that affect the institution and whether they come from an internal or external source. Third, you distinguish the factors that influence those events, such as whether they are related to swings in the economy or dependent on technology. Lastly, event identification recognizes the impact each event will have throughout the organization if it occurs.
A bottom-up approach works best when an institution is operations-oriented. Beginning with each business operation, you must create an inventory of the people, business processes, and technologies used therein. Next, you adopt a common language for assessing risk. This common language means measuring the quantity of (or inherent) risk against the quality of risk management and controls. Once residual risk has been measured, it is time to integrate the individual risk management assessments (technological, vendor, transactional, etc.), each of which focuses on different threats. Lastly, you must communicate with directors and executive managers so that they can evaluate risks and controls according to the products and services offered.
Key success factors for an effective ERM program
An ERM program can only be as successful as the sum of its parts. Defining a risk management methodology with measures that are consistent throughout the institution and aligned with the institution’s strategy will produce a workable program. Remember that simplicity is fundamental in order to make the ERM program explainable to each person in the institution. Additionally, the roles and responsibilities within the program should be understood by everyone. The institution’s board of directors and audit committee must provide guidance and oversight, with support for the program articulated and enforced at the executive level. Finally, the program must be viewed as a living thing: as regulatory and economic factors change, you integrate new risk management tools into daily activities and operations.
A structured ERM program can increase operational efficiency at your institution by providing the insight needed to minimize operational losses while maximizing returns on new business ventures. The institution can begin to address risk strategically, whether by first aligning with business objectives or by working across operational units and business lines. Whichever approach is chosen, the program needs to be adopted across the organization, practiced by all employees, and supported by management and the board at every turn.