INFORMATION FOR QUESTION 1:
Ernst and Young. The Risk Management Checklist. Available at:
Do you have a formal risk management framework?
Have you clearly defined your risk appetite?
Do you perform an annual enterprise-wide risk assessment?
Are processes in place so that risk management is aligned to corporate strategies?
Have you evaluated the advantages and disadvantages of outsourcing or co-sourcing the functions needed to support the risk management plan?
Do your risk and compliance functions throughout the organization work together?
Do your risk functions improve your business performance?
Does your internal audit department have a clear mandate that addresses strategic, operational, financial, and compliance risk?
Have you established clear governance over risk and risk management?
Have you defined board committees with a focus on specific risk areas and considered the appropriateness of a risk committee?
Do you clearly articulate your risk assessment and risk management process to the public markets?
Walker, Paul L. and Shenkir, William G., Implementing Enterprise Risk Management. Journal of Accountancy (March 1, 2008). Available at: http://www.journalofaccountancy.com/issues/2008/mar/implementingenterpriseriskmanagement.html
Managing risk is imperative for successful leadership in today’s business world. Leaders must develop processes like enterprise risk management (ERM) to improve their ability to manage risks effectively. ERM cuts across an organization’s silos to identify and manage a spectrum of risks. Consider these ERM action items:
Resolve to proactively manage risks, rather than react to them. Implementing ERM takes total commitment by management, as well as recognition by the board of its responsibility.
Clarify the organization’s risk philosophy. As discussed in the COSO ERM framework (Enterprise Risk Management—Integrated Framework), organizations need to know their risk capacity in terms of people capability and capital. The board and management must come to an understanding, factoring in the risk appetite of all significant stakeholders.
Develop a strategy. Since risk relates to the events or actions that jeopardize achieving the organization’s objectives, effective risk management depends on an understanding of the organization’s strategy and goals. One of the benefits of ERM implementation is the revelation that those responsible for achieving the objectives have varying degrees of understanding about them. ERM helps get everyone on the same page.
Think broadly and examine carefully events that may affect the organization’s objectives. This involves taking your business and industry apart. Pore over your strategy, its key components and related objectives. Use a variety of identification techniques such as brainstorming, interviews, self-assessment, facilitated workshops, questionnaires and scenario analyses. In selecting among these techniques, consider how rigorously each business unit can implement them, and whether openness among the participants would result. Analyze how both external and internal events can change the organization’s risk landscape. This initial effort does not have to take months to accomplish. Start with a top-down approach. Begin to identify risks through workshops or interviews with executive management and by focusing on strategies and related business objectives.
Assess risks. Initially, try to reach a consensus on the impact and likelihood of each risk. Placing risks on a risk map can be a valuable focal point for further discussion. As the risk assessment process matures, consider applying more sophisticated risk measurement tools and techniques.
Develop action plans and assign responsibilities. Every risk must have an owner somewhere in the organization. Manage the biggest risks first and gain some early wins.
Maintain the flexibility to respond to new or unanticipated risks. Put a business continuity and crisis management plan into place. If your organization is in a volatile environment, you should anticipate even more unknowns.
Use metrics to monitor the effectiveness of the risk management process where possible.
Communicate the risks identified as critical. Circulate risk information throughout the organization. The board of directors and audit committee should be given regular reports on the key risks facing the organization. It is not acceptable to identify important risks and never communicate them to the appropriate people.
Embed ERM into the culture. Integrate the knowledge of risks in your internal audit planning, balanced scorecards, budgets and performance management system. Leverage your organization’s compliance with SOX section 404 to benefit ERM implementation. The focus by PCAOB Auditing Standard no. 5 and the SEC’s new management guidance on “top down” risks provides an opportunity to leverage compliance to enhance shareholder value through ERM.