ERM Exchange’s approach to establishing an enterprise risk management program combines the important theories within COSO’s Enterprise Risk Management Framework, with real-life examples accumulated over years of experience and research, as well as applying ten common “risk factors” that help to transform a RISK AWARE culture in a very practical way.
Enterprise Risk Assessment Framework
Importance of an Enterprise Risk Management Framework
The Enterprise Risk Management Framework is designed to identify important risks in executing strategies and achieving enterprise goals. Successful enterprise risk management programs create more valuable enterprises by:
- lowering costs,
- enhancing processes, and
- reducing unpleasant surprises
Key Risks in an Enterprise Risk Management Framework
The ERM Framework is designed to identify important risks in executing strategies and achieving enterprise goals. Clearly, certain risks are common within industrial sectors (e.g., adequacy of loan loss reserves is an inherent risk in banking) as well as across industries (e.g., information security and cyber security). However, an enlightened understanding of risks almost always reveals that risks are unique to the organization in which they apply. Having said that, a pattern of risk types has developed over the years when instituting an ERM program, almost irrespective of the industry.
Responsiveness to Market Dynamics – If the Company does not adequately anticipate market changes and provide sufficient response to those changes, we may lose market share; evolving trends in consumer demands may be detrimental to our growth objectives.
Intensifying Competition – large competitors continue to grow through acquisition creating greater efficiencies for themselves, and smaller more nimble competitors threaten to infiltrate our customer base.
Supply Chain Disruption – a variety of circumstances can disrupt our supply chain which may result in inflationary pressure and declining revenue caused by delays in delivery, loss of retail shelf space, inability to produce some or all products, and an inability to distribute products.
Scalable Infrastructure – As the Company has experienced years of growth and continues to forecast growth, the current infrastructure may not be sufficient to support that growth; infrastructure is defined as the people, processes, systems, equipment, and relationships needed to support sales and operations.
Limited Liquidity and Cash Management – limited liquidity impacts the Company’s ability to attract new capital and grow the business; liquidity risks can materialize from customers, as well as vendors, suppliers, contractors, and sudden increases in the cost of capital including broken financial covenants.
Technology Adoption and Investment – Competitors, both large and small, are likely developing more sophisticated capabilities to manufacture or provide services, as well as transact with customers and vendors; such capabilities may be required to simply retain certain components of our customer base and supply chain.
Information Security and Cyber Security – Security breaches, ransomware attacks, loss of data may result in significant financial impact and reputational harm; security over operational, financial, and technical data is becoming more complicated and costlier to mitigate the threat; while the cost of cyber insurance increases, the coverage is narrowing.
What are the Major Components of ERM?
While COSO’s Enterprise Risk Management Framework is comprised of five “Components” and 20 underlying Principles, the most important element of a successful ERM program is the tone, behavior, and actions taken by senior leadership in support of establishing and maintaining an ERM program. When a CEO genuinely exhibits belief and commitment to enterprise risk management, their conviction cascades through the workforce – who will individually and collectively reveal greater care for the enterprise which results in added productivity, happy customers, lower cost, fewer harmful surprises…a more valuable enterprise.
Factors in the Enterprise Risk Management Framework
Operational Risk Management: a case study approach to effective planning and response, by Mark Abkowitz, Ph.D., M.S., B.S., identifies ten risk factors that have been drawn from over a dozen catastrophes that occurred over the past 40 years. The ten risk factors include:
- Design & Construction Flaws
- Deferred Maintenance
- Economic Pressures
- Scheduling Constraints
- Inadequate Training
- Not Following Procedures
- Lack of Planning and Preparedness
- Communication Failure
- Political Agendas
These risk factors can be applied to a number of the current day, high-profile corporate governance and risk management failures of larger enterprises, as well as smaller organizations including the Penn State / Sandusky Scandal, General Motors Ignition Switch Failure, Pacific Gas & Electric and the Camp Fire, the Temple University Business School false data submission for ranking in US News & World Report, as well as a small swimming club accident and a nursing home fire. While the ten risk factors can be easily applied to governance and risk lapses, they should serve as a foundation when establishing an ERM program and a culture of risk awareness.
Applying the Enterprise Risk Management Framework
Pharmaceutical Products Company
$100 million US-headquartered, privately held, domestic manufacturer of consumer products with several items representing the No. 1 product in their categories.
The CEO became increasingly concerned with the company’s ability to identify and effectively manage important risks, as a result of a few unforeseen compliance issues identified during an inspection by a US regulatory agency.
Facilitated offsite retreat with selected managers from all functions across the organization.
- Conducted selected interviews of executives and senior managers prior to the retreat.
- Anonymously surveyed all retreat participants prior to the start of the retreat regarding their understanding of ERM and perceptions of the organization’s risk posture.
- Presented research regarding ten common risk factors and the application of common factors to recent, high profile corporate governance and risk management failures of larger enterprises, as well as smaller organizations. Applied the risk factors to a recent event within the company itself.
- Established an enterprise-wide understanding of “risk appetite” from both a quantitative and qualitative perspective, as well as “risk tolerance.”
- Facilitated smaller group discussions to identify and debate the top risks faced by the organization.
- Developed a list of top 17 risks from across all groups, and collectively prioritized the most important risks.
- Facilitated separate, smaller group discussions to develop and debate more effective risk response strategies for each of the top risks.
- Facilitated the selection of “risk champions” and their underlying teams to manage, and periodically report changes to such risks, as well as emerging risks, to Senior Executive Management and the Board of Directors.
- Presented the enterprise risk assessment to all members of the Board and Executive Management. The Board requested a periodic (i.e., quarterly) ongoing update of all risks and mitigating activities identified.
FOCUS – the CEO was able to leverage this exercise to focus his team on the most important issues facing the organization.
COST REDUCTION – Reduced D&O and General Liability insurance premiums. In addition, the Quality Risk team acquired a specialty application/tool that resulted in $800,000 of reduced cost associated with an unexpected and immediate product recall by the vendor of a product’s key ingredient generating an ROI of 80:1 for the tool.
REALIGNMENT & CAPITAL ALLOCATION – a re-alignment of several risk response strategies that incorporated the collective views of the senior leadership team, and a transparent re-prioritization of capital allocation to addressing the most pressing risks faced by the organization.
CADENCE – The ERM program structure established a “play-book” for management to respond to a second, unexpected and unrelated crisis invoked by a Federal regulator within a year of the retreat.
COMPLIANCE – a report to share with the regulators demonstrating a high level of commitment in management’s response to issues identified.
MONITORING – improved focus on monitoring activities for selected risks.