Enterprise risk management: A holistic approach

Faced with a climate of diminished public confidence — and the desire to avoid earnings surprises — more companies are recognizing deficiencies in the traditional approach of managing risk. To better prepare for emerging challenges and uncertainties, they are increasingly turning toward enterprise risk management (ERM) solutions.

ERM refers to a management framework that effectively deals with uncertainty and associated risk and opportunity — enhancing an organization’s ability to build value for its stakeholders. Generally, midsized companies approach ERM based on standards created by "COSO," the Committee of Sponsoring Organizations of the Treadway Commission, a not-for-profit organization that created a model for evaluating the effectiveness of internal controls in the 1990s. COSO took on establishing a standard ERM framework in 2001.

This is the idea behind ERM: Management can maximize value when it sets strategy and objectives that strike an optimal balance between growth and return goals and related risks. Then management efficiently and effectively deploys resources in pursuit of those objectives. Comprehensive ERM plans address everything from aligning risk appetite and strategy, enhancing risk response decisions, and reducing operational surprises and losses, to identifying and managing multiple and cross-enterprise risks, seizing opportunities, and improving capital deployment.

Objectives of an ERM program

ERM focuses on identifying, measuring and monitoring risks that affect the entire company. The goal is to build bridges across the organization so leaders can more quickly identify, communicate and manage risks — thereby reducing the number of risk-related incidents.

Individual responsibility for risk management is assigned to the appropriate parts of the company that can properly monitor it, while management and the board of directors stay informed. The company then develops more-formal risk management practices around third-party relationships.

A company builds its ERM framework to achieve objectives in four categories:

Strategy. Within the context of its mission, the company establishes high-level goals.

Operations. The company strives for effective and efficient use of its resources.

Reporting. In providing information about its condition, the company ensures reliable reporting.

Compliance. The company takes actions to comply with applicable laws and regulations.

Components of an ERM program

A direct relationship exists between objectives — what a company is trying to achieve — and ERM components, which are essentially the tools and processes through which the company manages risk. The eight interrelated program components reflect, and are aligned with, the company’s management process. These include:

Internal environment. The board of directors and senior executives set the "tone at the top." Environmental factors taken into account include risk management philosophy, risk appetite, ethical values and human resource standards.

Objective setting. Management clearly states objectives and aligns them with the organization’s mission and risk appetite.

Event identification. Management identifies internal and external events — both opportunities and risks — that could affect the achievement of the company’s objectives.

Risk assessment. COSO provides eight "risk assessment factors." Risks in each of these categories are analyzed and prioritized to determine how they should be managed.

Risk response. Management implements corrective actions (avoid, reduce, transfer or accept).

Control activities. Policies and procedures ensure the organization effectively implements risk responses.

Information and communication. Management identifies, captures and communicates relevant information.

Monitoring. Internal auditors routinely assess the ERM process.

The implementation process

A company’s size, complexity, industry, culture, management style and other attributes will affect how it applies ERM concepts and principles. Following are some common techniques midsized companies can use to effectively implement an ERM program:

Core team preparedness. Establish a core team with representation from all business units and key support functions. This team should become familiar with the ERM program’s components, concepts and principles.

Executive sponsorship. Gain executive support early and solidify it as implementation progresses.

Implementation plan development. Develop and document a plan with next steps, key project phases, defined work streams, milestones, resources, timing and responsibilities.

Current-state assessment. Analyze how the organization is embracing ERM program components, concepts and principles, including existing capabilities.

Vision. Define how the organization will use ERM to achieve its objectives.

Capability development. Identify the ERM people, technology and process capabilities the organization will need to add.

Change management and deployment. Develop training and other change management programs to implement and sustain the ERM vision.

Monitoring. Continually review and strengthen risk management capabilities as part of management’s ongoing responsibilities.

Risk assessment factors

Every ERM program includes a risk assessment component. This should provide feedback on the effectiveness of control design and highlight any weaknesses within the context of specific business objectives. Internal and external risk areas to consider include:

External and market reputation. Exposure to losses in market value and value of company assets.

Finance. Inaccurate, incomplete or untimely financial reporting.

Operations. The lack of timely, accurate, authorized and complete processing activities to support delivery of the organization’s services or products to customers.

Legal and regulatory compliance. Failure to comply with a variety of federal, state and local laws, regulations and directives.

Strategy. Business strategies that are poorly defined and communicated or the inability of the organization to execute strategies.

Technology and systems. Failure to consider the level of use, sophistication and complexity of business systems.

People and culture. Inconsistent encouragement and enforcement of cultural principles such as ethical behavior.

Fraud. Failure to structure business activities and transaction processing to control their susceptibility to internal and external fraud.

Management should evaluate control weaknesses for the risk response that best aligns with the company’s risk appetite and objectives. An organization can respond to risk in four ways: by reducing it, avoiding it, accepting it or transferring it. To reduce a risk, implement controls that bring it down to an acceptable level. To avoid a risk, reject the activity that creates it. To accept a risk, treat it as a cost of doing business. And to transfer a risk, establish an agreement, securitization or some sort of insurance that shifts it to a third party.

Benefits of an ERM program

Under the discipline and structure of an ERM program, you can minimize surprises and maximize opportunities at your growing midsized company. By identifying risks and implementing controls, you can enjoy greater management of unanticipated costs. With the discipline of ERM, you’ll gain more quantifiable measures of risk exposures, helping you make better pricing and capital allocation decisions. And you’ll have greater confidence in your ability to understand and deal with events that can create uncertainty in your company’s operational and financial performance.

RSM McGladrey Inc. and McGladrey & Pullen LLP have an alternative practice structure. Though separate and independent legal entities, the two firms work together to serve clients’ business needs. RSM McGladrey is not a licensed CPA firm.

RSM McGladrey Inc. is a member of RSM International - an affiliation of separate and independent legal entities.

2007 RSM McGladrey Inc. All Rights Reserved. Contact us toll-free at 800.274.3978