Enterprise Risk Management Frameworks Flashcards

1
Q

What is enterprise risk management (ERM)?

A

the underlying premise is that every entity exists to provide value for stakeholders and that all entities face risk when implementing strategies to achieve this objective

risk - the possibility that events will occur and affect the achievement of strategy and business objectives

enterprise risk management - the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value

2
Q

Understanding the concept of value

A

management and those charged with governance, such as an entity’s board of directors, are responsible for making decisions that support the creation of value and prevent its decline

management decisions will affect the development of value, including its creation, preservation, erosion, and realization

value is created when the benefits delivered exceed the cost of the resources used; resources may include people, financial capital, technology, process, and brand (market presence)

value is preserved when ongoing operations efficiently and effectively sustain created benefits; high customer satisfaction with profitable product lines is evidence of value preservation

value is eroded when faulty strategy and inefficient/ineffective operations cause value to decline

value is realized when benefits created by the organization are received by stakeholders in either monetary or nonmonetary form

organizations encounter risks of failing to provide or optimize value to stakeholders; ERM provides a framework to manage risks to provide a reasonable expectation of achieving value objectives

3
Q

ERM and strategy

A

mission represents the core purpose of the entity, including why it exists and what it hopes to accomplish

vision represents the aspirations of the entity and what it hopes to achieve over time

core values represent an organization’s beliefs and ideals about what is good or bad, and acceptable or unacceptable; they influence the behavior of the organization

core values correlate with culture

mission and vision correlate with strategy and business objectives

4
Q

What is risk appetite?

A

it represents the types and amounts of risk, on a broad level, that an organization is willing to accept in pursuit of value; risk appetite is a range rather than a specific limit and provides guidance on the practices an organization is encouraged to pursue or not pursue

risk appetite is expressed first in mission and vision; it also varies between products, business units, or over time in line with changing capabilities for managing risk and must be flexible enough to adapt to changing business conditions

managing risk within risk appetite enhances an organization’s ability to create, preserve, and realize value; ERM seeks to align anticipated value creation with risk appetite and capabilities for managing risk over time

5
Q

T/F: ERM is defined by 5 interrelated components and is supported by 20 risk management principles

A

True; the components somewhat resemble the COSO cube for internal control but address the broader issues of risk as it impacts an entity

6
Q

Component 1: governance and culture

A

governance and culture together form a base for all other components of ERM (tone at the top); culture is reflected in decision making

the ability of an organization to successfully achieve its strategy and business objectives is impeded when the behaviors and decisions of the organization (culture) do not align with its core values and risk appetite; strategy must be compatible with culture

principle 1: defines desired culture - culture influences how the organization identifies risk, what types of risk it accepts, and how it manages risk (risk-averse, risk-neutral, and risk-aggressive)

principle 2: exercises board oversight - the board provides oversight for an entity’s strategy and carries out governance responsibilities to support management in achieving strategy and business objectives

principle 3: demonstrates commitment to core values - without support from the top, risk awareness can be undermined and risk-inspired decisions may be inconsistent with those values

principle 4: attracts, develops, and retains capable employees - this all starts with the board and its selection of executive leadership; the selection of team members is typically delegated to appropriate levels of management (HR may assist)

principle 5: establishes operating structure - this describes how an entity organizes and carries out its day-to-day operations and contributes to the alignment of risk management practices with core values

7
Q

Component 2: strategy and objective-setting

A

this considers both internal and external factors and their effect on risk framed by business context

an organization sets its risk appetite in conjunction with strategy-setting; the business objectives allow strategy to be put into practice and shape the entity’s day-to-day operations and priorities

principle 6: evaluates alternative strategies - strategy is evaluated from two perspectives: (1) the possibility that the strategy does not align with the mission, vision, and core values of the entity, and (2) the implications of the chosen strategy; misaligned strategies may impede achievement of the entity’s mission, so mission, risk appetite, and strategy must be aligned; understanding the implications of each strategy includes understanding its risks and opportunities; the identified risks collectively form a risk profile and serve as the basis for developing and evaluating alternative strategies

principle 7: formulates business objectives - these are the measurable steps that an organization makes to achieve its strategy; the alignment of business objectives to strategy supports the entity in achieving its mission and vision; business objectives should align with the entity’s risk appetite

principle 8: analyzes business context - COSO defines business context as the trends, events, relationships, and other factors that may influence, clarify, or change an entity’s current and future strategy and business objectives

principle 9: defines risk appetite - the organization defines risk appetite in the context of creating, preserving, and realizing value; ultimately, risk appetite is expressed in the context of objectives

8
Q

Component 3: performance

A

identification and assessment of risks that may affect an entity’s ability to achieve its strategy and business objectives represent the performance component

principle 10: develops portfolio view - this is a composite view of risk the entity faces that positions management and the board to consider the types, severity, and interdependencies of risk and how they may affect the entity’s performance relative to its strategy and business objectives

principle 11: assesses severity of risk - the severity of a risk is evaluated after it has been identified; severity is assessed at multiple levels (across divisions, functions, and operating units), so risks deemed severe at the operating level may be less of a concern at the division or entity level; severity measures relate to impact (the result or effect of the risk) and likelihood (the possibility of the risk occurring); likelihood may be expressed qualitatively or quantitatively; risk assessment includes the concepts of inherent risk, target residual risk, and actual residual risk

principle 12: prioritizes risk - prioritization of risk as a basis for determining risk response is a principle underlying the performance component; factors such as risk severity, importance of the related business objective, and risk appetite are considered when prioritizing risks

principle 13: identifies risks - a risk inventory is a listing of the risks faced by an entity; new and emerging risks are identified, and currently assessed risks are reevaluated using various techniques

principle 14: implements risk responses - risk responses are generally classified as: accept (no action is taken to change the severity of the risk), avoid (action is taken to remove the risk), pursue (action is taken that accepts increased risk to achieve improved performance), reduce (action is taken to reduce the severity of the risk), and share (action is taken to reduce the severity of the risk by sharing it with another party, e.g., through insurance or outsourcing); risk responses may trigger a review of strategy and business objectives

9
Q

Component 4: review and revision

A

entities must continuously evaluate their strategies and business objectives as business context may shift and change over time

principle 15: assesses substantial change - assessments may include identifying internal and external environmental changes related to the business context as well as changes in culture

principle 16: pursues improvement in ERM - opportunities to revisit and improve efficiency and usefulness may occur in any area

principle 17: reviews risk and performance - organizations should evaluate the entity’s performance in the context of the achievement of targets, considering whether relevant risks were identified and considered, whether any new risks are emerging, and whether any changes to the overall risk appetite or to risk responses are necessary

10
Q

Component 5: information, communication, and ongoing reporting

A

communication is the continual, iterative process of obtaining information and sharing it throughout the entity

principle 18: leverages information and technology - relevant information helps the organization be more agile in its decision making and provides a competitive advantage; data management is integral to risk-aware decisions; an entity can group the information it captures using a set of common risk categories; organizing and aggregating risk information may help an entity assess concentrations of risk and amend risk responses

principle 19: communicates risk information - communications are made to internal and external stakeholders and with the board of directors; communication techniques vary widely; communication methods must be evaluated for effectiveness

principle 20: reports on risk, culture, and performance - risk reporting may include reporting information such as portfolio risk (entity-wide), profile risk (focused on a specific risk profile of a division or level), new or emerging risks, and trends related to risk; reporting on culture seeks to measure and provide feedback on behavior and attitudes; the frequency of reporting should be commensurate with the severity and priority of risk

11
Q

What are ESG-related risks?

A

environmental, social, and governance (ESG) related risks are becoming more relevant to the ability of entities to exist and thrive

ESG issues are generally defined as follows:

environmental issues - pollution, deforestation, climate change

social issues - legal and social matters such as health and safety, customer relations, employee relations, and human rights

governance issues - proactive board membership and succession planning, promoting fair compensation, promoting diversity and inclusion, establishing strong data security, preventing bribery and fraud, preventing culturally and politically insensitive remarks, and preventing discrimination
