Enterprise Risk Management
by Richard Sharman and David Smith
Implemented properly, risk management can be successfully
married with wider business objectives.
Risk management has historically been a peripheral issue
for many organisations. The formal consideration of risk
was far removed from key decision making as companies focused
on the prevention of physical and financial loss at an operational
level. However, recent high profile corporate failures have
shown that failure to identify and appropriately manage
risk at a strategic level has a far greater potential impact
on organisational fortunes than insured or tightly controlled
operational risk.
According to the International Federation of Accountants
report Enterprise governance: getting the balance right,
the problem is that there has traditionally been little
appetite at board and senior management levels to overly
formularise decision making - most see it as a sure fire
way of increasing bureaucracy and hindering performance.
This is not to say that risks were never considered in relation
to strategic decisions - no business would have lasted long
if this had been the case - but it was usually an informal
and often unconscious decision.
The new agenda for risk management
Central to the requirements of enterprise governance is
a clear relationship between the management of risk and
the fulfilment of business objectives: profits and growth
are, in part, reward for successful risk taking. It is the
recognition of a performance-driven approach to risk management
- one that is wholly aligned with the spirit of good enterprise
governance - that has given rise to the concept of enterprise
risk management.
Enterprise risk management: a framework approach
Through its work with a number of organisations that take
risk management seriously, KPMG has defined a framework
approach for the key elements of risk management. The first
stage is the development of a strategy that is supported
by an appropriate structure. The delivery of the strategy
is evidenced through the processes in place to generate
a risk portfolio for the organisation. Once risks have been
identified they need to be managed, or optimised, based
on willingness or capacity to accept risk. Finally, the
measuring and monitoring of the risk portfolio involves
the establishment of measuring criteria and management reporting.
In using this best practice framework with organisations,
KPMG has identified a number of key insights into the development
of risk management.
- Introducing a risk management framework brings a number of changes to an organisation. Those that do not address this appropriately will fail to fully embed risk management into their operations. At best you get two chances at implementing risk management; at worst, just one. Organisations that are successful in managing change quickly create a consistent understanding across the organisation of what risk management entails and continually engage and energise their management and employees.
- Understand what you have and what you need. All organisations have elements of risk management already in place, some that work well, others that don't. In recognising your position, you can identify barriers to implementation as well as prevent your organisation from reinventing the wheel. Current behaviour, culture, level of buy-in and practical support for risk management are key in this analysis.
- Business strategy and risk strategy need to be aligned. For many organisations, risk management has generally been established to manage the meeting of compliance requirements and, as a result, often lacks any real relevance to the performance of the business.
Risk appetite and risk management strategy
The first step for any organisation seeking to improve the
alignment of its risk management activity with its key decision-making
is the formal definition of the amount, and type, of risk
that is acceptable in the pursuit of its business objectives.
This is its risk appetite.
For the development of an appropriate performance-focused
approach for risk management at board and executive management
level, the chosen risk appetite should be formally considered
as part of the setting of business strategy, with investment
plans, acquisitions, divestments and other strategic decisions
reviewed against it as they arise.
In more decentralised organisations there will most likely
be different levels of risk appetite for different operations
or individual businesses and a portfolio view of risk and
return will be taken. Even in less diverse organisations,
certain ventures or activities are looked to for providing
future growth and are therefore likely to carry greater
associated risk, whereas other activities may be core to
the organisation's current performance, providing a platform
for growth elsewhere, and consequently there will be less
appetite for risk in these areas.
The definition of risk appetite can be as complex or as
simple as organisations want to make it. But somewhere in
the discussions of corporate objectives, and the setting
of the strategy to deliver those objectives, there should
be the formal recognition of what the pursuit of these objectives
will mean in terms of the acceptability, or otherwise, of
the risks attached. A well-defined appetite for risk will
influence the setting of overall business strategy. The
strategy documents that go to the board for approval should
include commentary on the key risks associated with the
strategy and their acceptability in line with the agreed
risk appetite.
The setting of organisational strategy constitutes how
an organisation will prioritise its focus and allocate its
resources to exploit identified opportunities. Supporting
strategies will also be developed for the allocation of
resources and investment in areas such as human resources
and IT. The allocation of risk management resources and
investment is no different in this respect.
Management and the board will usually consider the environment
in which their organisation operates, the risks inherent
to that environment and the amount of risk they are willing
to accept in that environment. However, without an articulation
of this position, decisions are unlikely to be consistent
and the ability of the board to challenge the recommendations
of management will be limited. Neither outcome is particularly
healthy, whether viewed from a conformance or performance
perspective.
In most cases, risk appetite is defined by a mixture of
quantitative and qualitative elements. Quantitative elements
are generally difficult to define with any precision and
most organisations arrive at an estimation of, for example,
the amount of capital investment they are willing to risk
in the pursuit of their objectives. Qualitative elements
relate to the more intangible measurements of the organisation's
value (for example, reputation and stakeholder relations).
Risk appetite relates to the amount an organisation is
willing to bet in the pursuit of its objectives. Risk capacity
relates to the amount an organisation is capable of losing
before it endangers its own sustainability or, as is more
often the case, market sentiment becomes irreparably damaged.
In general, a risk management strategy should contain the
following key areas:
- Statement on the value proposition for risk management - specific to the organisation and in relation to its business objectives and the risk environment in which the organisation operates;
- Definition of the agreed risk appetite of the organisation;
- Definition of the objectives for risk management based on organisational objectives and supporting business strategy;
- Statement on the required organisational culture and behavioural expectations with regards to risk taking;
- Definition of organisational ownership for the risk management strategy at all levels;
- Reference to the risk management framework or system being employed to deliver the above requirements; and
- Definition of the performance criteria employed for reviewing the effectiveness of the risk management framework in delivering the risk management objectives.
As with any element of strategy, how an
organisation targets its risk management resources to manage
risk both effectively and appropriately to deliver performance
should be reviewed and revised regularly in line with its
overall business strategy.
So what else do organisations need to do
in the practical application of risk management? First, the
board needs to spend more time on risk. For a risk management
framework to be effective, the board needs to understand the
organisation's risk management strategy and framework and
adapt them as necessary in line with the overall business
strategy, objectives and direction.
Second, the board should rely more on its
risk management resource to understand how the organisation
is performing. This means a risk specialist can assess the
organisation's performance against the agreed strategy and
supporting framework more accurately than the board would
be able to in isolation. The risk management function needs
to:
- Continue to support the embedding of risk via a coordinated
and simple approach;
- Improve the development and formalisation of the risk
management strategy and engage leadership.
Where the direction of risk management activity, collectively
termed a risk management framework, is developed to support
the delivery of organisational performance objectives, it
is more capable of providing assurance that the business is
managed responsibly.
This article is prepared by Richard Sharman and David Smith
of KPMG and it is an excerpt from ‘Enterprise Governance
– Getting the Balance Right’. This report is published
by the International Federation of Accountants and CIMA.