CSA Sentinel - The Institute Of Internal Auditors  


Volume 6 · Number 3 · October 2002

The Road to ERM

By Tim J. Leech, president and CEO of CARDdecisions Inc. in Mississauga, Ontario, Canada

Why are some organizations falling behind in adopting a holistic,
integrated system of enterprise risk management?

TRADITIONALLY, ASSURANCE SPECIALISTS such as internal auditors, environmental analysts, safety officers, insurance specialists and others assessed risks within their own specialty field, without looking at the total universe of risks to the business entity as a whole. They were trained to use their own particular terminology and store information on risk and controls in their own separate “data silos.” 

To cope with the speed of change in today’s complex, global business environment, many organizations and regulators are beginning to recognize the inefficiency of such silo-based approaches and are turning to integrated enterprise risk management (ERM), a holistic approach to managing all kinds of risks that threaten the achievement of business objectives. An integrated risk management strategy promotes the increased involvement of all work units and senior management. Most importantly, ERM calls for full integration, analysis, and reporting of all important risk status information from assurance specialists, work units, and senior managers to senior executives, boards, and oversight groups.


A large body of research supports the notion that it makes good business sense to change from the old silo-based risk-management approach to the new, holistic paradigm. “Enterprise Risk Management: Trends and Emerging Practices,” a recent study sponsored by the IIA Research Foundation in cooperation with the Conference Board of Canada, demonstrates the growing acceptance of the benefits of an integrated approach to risk. McKinsey & Company, a top global strategy consultancy firm, also published research indicating that organizations with better corporate governance systems are likely to have higher price-earnings ratios and higher share prices.

To a large extent, today’s global ERM movement is being led by financial institutions worldwide, which are experiencing massive regulatory reform and corporate reorganization. In the past, regulators have required banks to have a certain amount of reserve capital on hand that they’re not allowed to lend in case the worst happens. Under the terms of the latest draft on operational risk management from the Basel Committee, banks will be required to demonstrate that they have effective systems in place to identify, measure, mitigate, and report on a variety of risks, including traditional credit and market risks as well as nontraditional risks such as system interruptions, rogue traders, a decline in the customer base, poor customer service, regulatory irregularity, fraud, and errors processing credit card transactions. 

The Basel Committee, a sub-unit of the Bank for International Settlements in Switzerland, is composed of members from financial superpowers around the world. Charged with developing new governance solutions, the committee is expected to finalize its capital accord recommendations in late 2002. Bank regulators in countries around the globe will be expected to implement the recommendations and banks will have three years to prepare for full compliance. By 2006, banks will have to demonstrate to regulators that they have real-time, enterprise-wide, integrated risk-management systems in place. If banks aren’t able to demonstrate that they have implemented such systems, regulators may require higher levels of reserve capital and may charge greater deposit insurance premiums. Literally, trillions of dollars will be on the line. 


If the dangers of continuing with traditional, silo-based risk-management approaches are so clear, why aren’t more public-sector departments and private-sector companies moving faster to adopt ERM? It would seem that the barriers to implementing a truly integrated, enterprise approach to risk and assurance management are formidable.

1.   Fiercely defended “assurance silos.” Many organizations have specialist assurance units and functions that have developed their own assurance approaches, tools, and risk language. These groups include internal auditing, external auditing, safety, environmental, security, risk and insurance, compliance, and others. Each group records and stores risk information separately. Rarely, if ever, is all of the data known to each of these groups consolidated, synthesized, and reported to senior management and oversight groups. These specialist groups often defend their own turf aggressively, to the detriment of the organization as a whole. 

2.      Attachment to the “direct report” assurance approach. Consultants and assurance groups such as internal auditing, security personnel, and compliance officers have used the direct report approach as a primary tool for many decades. The direct approach is any approach where assurance specialists are the primary analysts/reporters. The training these specialists receive, the professional standards that govern their work, and their customers’ expectations, all serve to perpetuate a strong attachment to this approach.

3.      Reluctance to learn and apply new skills. Auditors are familiar and comfortable with the traditional direct-report assurance approach. They would have to acquire new skills if they are to play a key role in introducing ERM. Also, few public- or private-sector organizations currently expect senior managers and business-unit members to learn formal risk- and control-assessment skills and apply them to their daily work. This barrier is recognized in the new Canadian Centre for Management Development study, A Foundation for Developing Risk Management Learning Strategies in the Public Service (available online at 

4.   Limited proof that ERM is better. It is now widely accepted that the ERM movement will be led globally by the banking industry, because banks may be required to have higher levels of reserve capital and potentially pay higher deposit insurance premiums if they cannot demonstrate to regulators that they have effective risk-management systems in place. However, similar monetary incentives are lacking in other sectors,* and research efforts to provide documented, empirical proof of a correlation between good risk-management practices and higher share prices are just getting under way in the private sector. Producing irrefutable proof that ERM provides superior results will be even more challenging in the public sector. (*NOTE: The recent move by the major credit rating agencies — Standard & Poor’s, Moody’s, and Fitch — to begin calculating and reporting a corporate governance score may change this lack of tangible incentive in the very near future for all publicly listed companies.)

5.   Aversion to public disclosure of sensitive information. Effective risk management means clear articulation and disclosure of outcomes sought, visible and conscious risk-management decision processes, and an obsession with measuring results. It also means determining and publicly disclosing acceptable levels of residual risk, the risk considered acceptable given senior management and the board’s risk tolerances, budget constraints, and other priorities. In a world where the press, litigation attorneys, and opposition parties live each day hoping to second-guess risk acceptance decisions — usually with the benefit of hindsight — and a world where negligence and due diligence lawsuits are becoming increasingly common, organizations are understandably leery of documenting that they have consciously decided to accept varying levels of residual risk. 

6.   Auditor reluctance to accept new roles. For decades, auditors have used audit approaches that produce reports on mismanagement and unmitigated risks. They have called their observations audit findings, audit inquiries, and other similar terms, and they’ve frequently been expected to play extended supervisory roles and act as watchdogs or the “eyes and ears” of management. In light of this history, some audit customers may resist auditors’ efforts to take a more integrated approach by fostering increased involvement of work units in assessing and reporting on risk and control and integrating risk and assurance data. They may mistakenly assume that new integrated approaches to risk and assurance lack “teeth” and diminish audit independence.


Organizations that have decided the benefits of ERM justify the significant work necessary to overcome the barriers and want to proceed fairly quickly with ERM implementation should consider eight key strategies.

1.   Publicly report risk-fitness scores. The risk-fitness score is a composite score of the quality of risk identification measures, mitigation strategies, and reporting processes in place in each department. Guidance on how to calculate this score and report it to boards and other oversight groups is now available from The Institute of Internal Auditors in the new publication, Implementing the Professional Practices Framework, published earlier this year following the release of the new internal audit professional standards. Bank regulators and credit rating agencies are also working to develop corporate governance and risk-management scoring systems. The Canadian Federal and Ontario provincial governments are working to score risk management and modern “controllership” capacity. All of these initiatives are significant steps in the right direction. Boards of directors should insist on risk-fitness scores from their internal auditors on all key business units.

2.   Link risk-fitness scores to funding processes and risk-adjusted interest rate premiums. Given the global impact that the Basel recommendations have had on the banking sector, it would seem obvious that one of the quickest routes to widespread adoption of ERM is to link elements of the capital funding process to risk-fitness scores. For example, organizations with the best risk-fitness and governance scores should be able to access more capital at a lower cost than those with lower scores. This trend may happen fairly quickly with the launch of the new corporate-governance scores by the three main credit rating agencies. 

3.   Link risk-fitness scores to senior management remuneration. Given that ERM leads to better decision making, and senior executives should be compensated for their sound decision making, linking some portion of senior executives’ incentive pay to the quality of risk-management processes evident in their business units would appear to make good sense. Evidence emerging from the rash of major corporate-governance failures indicates senior executives’ behavior is strongly influenced by the design of their remuneration systems. Therefore, these systems need to adjust reward levels of senior executives for retained risk and the quality of the risk-management and assurance systems in place.

4.   Provide specialized public-relations training to senior executives and politicians. Training should be designed to make senior mandarins comfortable with the candid disclosure of information regarding risk status and risk-acceptance decisions. The training should focus on the most politically and legally optimal ways to disclose the current risk status and the basis for decisions related to residual-risk acceptability. 

5.   Train assurance personnel to foster and support ERM. Internal and external auditors, safety, environmental, insurance, security, and other assurance groups can play a key role in assisting their organizations in implementing ERM. The IIA now offers a professional designation, Certification in Control Self-assessment (CCSA), for assurance professionals who want to ensure their skills are up to the task. Although the CCSA designation has been around for more than two years, to date only a small percentage of auditors have qualified. As an incentive, organizations should pay a premium to employees with this designation.

6.   Employ technology. ERM and ERAM (enterprise risk and assurance management) software is now available to help organizations that want to sustain ERM over time as a core business process. These new collaborative enterprise systems enable senior management and oversight groups to see — at a glance — the status of all significant risks and the assurance levels attached to that information across their entire business universe. They can capture key result areas, track performance and key performance and risk indicators, report residual risk status, monitor corrective action plans and assurance efforts, measure the value added, and serve as an effective, real-time tool to increase an organization’s risk awareness and response capabilities. 

7.   Train all staff members. Giant strides are being made to develop user-friendly risk and control assessment training that can be deployed quickly and cost effectively to thousands of employees. In addition to traditional workshop-based training on risk and control assessment, computer-based training modules allow staff to get self-paced training via the Internet or internal networks. The Canadian Centre for Management Development has researched risk management learning strategies and published some global best practices in this area. (See Web address above.) Leading corporations are now beginning to deploy risk and control assessment training to staff in all business units and at all levels using Web-based training technology.

8.   Link risk and control assessment to performance results and strategic planning. If formal risk assessment is to be accepted as a core business activity in the public or private sectors, the value it adds must be measured and reported regularly. The newest generation of enterprise risk and assurance software is designed to integrate business planning and performance management, risk and control management, assurance management, and knowledge management as well as to measure and report the value being added by integrated risk and assurance management activities.

The momentum to implement ERM in the public and private sectors is building rapidly. Although the benefits of moving to this new approach are substantial, the barriers to its adoption are also formidable. In the end, the collective will of boards of directors, regulators, auditors, and senior management and — perhaps, most importantly — the strength of tangible business reasons to adopt ERM will determine the success or failure of the integrated risk management movement. 

TIM J. LEECH, CIA, FCA, CCSA, president and chief executive officer of CARD®decisions Inc. in Mississauga, Ontario, Canada, is a leading global authority on risk and control self-assessment, Collaborative Assurance and Risk Design (CARD), and implementation of ERM and ERAM systems. To comment on this article, e-mail the author at