Module 9 - Thinking Through a Risk Management Lens Flashcards
Define “enterprise risk management.”
“Enterprise risk management” is defined as the culture, capabilities and practices, integrated with strategy setting and its execution, that entities rely on to manage risk in creating, preserving and realizing value for stakeholders. A more in-depth look at the definition of enterprise risk management emphasizes its focus on managing risk through:
(a) Recognizing culture and capabilities
(b) Applying practices
(c) Integrating with strategy setting and its execution
(d) Managing risk to strategy and business objectives
(e) Linking to creating, preserving and realizing value.
Define “culture,” “capabilities” and “practices” in the context of enterprise risk management.
Culture is developed and shaped by the people at all levels of an entity by what they say and do. It is people who establish the entity’s mission, strategy and business objectives and put enterprise risk management practices in place. Risk “culture” is defined as the attitudes, behaviours and understanding about risk, both positive and negative, that influence decisions and reflect the mission, vision and core values of the entity.
Enterprise risk management “capabilities” are the skills and capacity an entity develops, through its risk management practices, to pursue competitive advantage and create value. Enterprise risk management helps the entity build the skills needed to execute its mission and vision and to anticipate the challenges that may impede success. It enhances the entity’s capacity to adapt to change and increases its resilience and ability to evolve in the face of marketplace and resource constraints.
Risk “practices” are the methods and approaches deployed within an entity related to managing risk. Practices used in enterprise risk management are applied from the highest levels of an entity and flow down through divisions, business units and functions—applied to the entire scope of activities as well as to special projects and new initiatives. It is part of decision making at all levels of the entity. Practices are intended to help people within the entity better understand its strategy, what business objectives have been set, what risks exist, what the acceptable amount of risk is, how risk impacts performance and how to manage risk. In turn, this understanding supports decision making at all levels and helps to reduce entity bias.
Outline the premises that underpin the benefits of taking an enterprisewide approach to risk management.
An enterprisewide approach to risk management is based on the premise that every entity—whether for-profit, not-for-profit or government—exists to provide “value” for its stakeholders. A related premise is that all entities face uncertainty, generally understood to be something not completely known or the condition of not being sure of something, in the pursuit of value. Effective enterprise risk management allows decision makers to balance exposure against opportunity, with the goal of enhancing the entity’s capabilities to create, preserve and ultimately realize value for stakeholders.
Define “stakeholders,” and differentiate between internal and external stakeholders. Provide examples of stakeholders in group benefit plans or employer-sponsored pension plans who stand to benefit from effective risk management practices.
“Stakeholders” are parties that have genuine or vested interest in an entity. Internal stakeholders are parties working within the entity such as employees, management and the board. External stakeholders are any parties not directly engaged in the entity’s operations but who are impacted by it, directly influenced by its environment, or influence its reputation, brand and trust. Key stakeholders in a group benefits plan or an employer-sponsored pension plan can include the employer (plan sponsor), employees (plan members), beneficiaries of the plan members, plan service providers and any relevant regulatory bodies such as the Canada Revenue Agency (CRA) or the pension regulator for the province or territory in which the plan sponsor operates.
Explain how the value of an entity is influenced by management decisions.
Management decisions, from overall strategy decisions to day-to-day decisions, can determine whether value is created, preserved, realized or eroded.
(a) Value is created when the value of deployed resources (such as people, financial capital, technology and processes) is less than the benefits derived from that deployment.
(b) Value is preserved when the value of resources deployed in day-to-day operations sustains created benefits. For example, value is preserved with the delivery of superior products and services, which results in satisfied customers and stakeholders.
(c) Value is realized when stakeholders derive benefits created by the entity. Benefits may be monetary or nonmonetary.
(d) Value is eroded when management implements strategies that do not yield expected outcomes or fails to execute day-to-day tasks.
Explain how enterprise risk management interfaces with strategy.
“Strategy” refers to an entity’s plan to achieve its mission and vision and to apply its core values. A well-defined strategy provides a road map for establishing business objectives and drives the efficient allocation of resources and effective decision making.
Enterprise risk management does not create the entity’s strategy, but it influences its development. It informs the entity on risks associated with alternative strategies considered and, ultimately, with the adopted strategy. It evaluates potential risks that may arise from strategy, including how the chosen strategy could affect the entity’s risk profile (specifically the types and amount of risk the entity is potentially exposed to). It also evaluates the critical assumptions underlying the chosen strategy by looking at how sensitive strategy alternatives are to changes in the assumptions (i.e., whether they would have minimal or significant effect on achieving the strategy).
Explain how enterprise risk management can influence an entity’s ability to adapt, survive and prosper.
Every entity sets out to achieve its strategy and business objectives in an environment of change. Market globalization, technological breakthroughs, mergers and acquisitions, fluctuating capital markets, competition, political instability, workforce capabilities, and regulation, among other things, make it difficult to know all possible risks to a business strategy and business objectives. Risk is always present and always changing. While it may not be possible for entities to manage all potential outcomes of risk, they can improve how they adapt to changing circumstances. This is sometimes referred to as “organizational sustainability.” Enterprise risk management focuses on managing risks to reduce the likelihood that an event will occur, managing the impact when one does occur and adapting as circumstances dictate.
Outline benefits of integrating enterprise risk management with strategy setting and performance management processes.
The benefits of integrating enterprise risk management with an entity’s strategy setting and performance management processes vary by entity. However, implementing enterprise risk management may increase the entity’s ability to:
(a) Expand the range of opportunities for creating value
(b) Identify and manage entitywide risks
(c) Reduce surprises and losses
(d) Reduce performance variability
(e) Improve resource deployment
Explain how events, uncertainty and severity impact risk.
In the context of enterprise risk management, an “event” is an occurrence or set of occurrences. “Uncertainty” is the state of not knowing how potential events may or may not manifest. “Severity” is a measurement of considerations such as the likelihood and impacts of events or the time it takes to recover from events. Some risks have minimal impact on an entity, and others have a larger impact.
In the context of risk, events are more than routine transactions; they are broader factors that affect the entity, such as changes in the governance and operating model, geopolitical and social influences, and contract negotiations. Some events are readily discernible—a change in interest rates, a competitor launching a new product that affects financial viability, or a cyberattack. Other events are less evident, particularly when multiple small events combine to create a trend or condition. For instance, it may be difficult to identify specific events related to global warming, yet that condition is generally accepted as occurring. In some cases, entities may not even know or be able to identify what events may occur. The possibility of an event occurring (or not occurring) is what creates uncertainty.
Explain why an event with a positive outcome can also pose a risk.
Commonly, the focus is on those risks that may result in a negative outcome, such as damage from a fire, losing a key customer, or a new competitor emerging. However, events can also have positive outcomes, and these must also be considered. Events that are beneficial to the achievement of one objective may at the same time pose a challenge to the achievement of other objectives. For example, if a company’s product launch has higher-than-forecast demand, it introduces a risk to supply chain management, which may result in unsatisfied customers if the product cannot be supplied.
Outline the benefits of integrating enterprise risk management with strategy setting and strategy execution processes.
When enterprise risk management, strategy setting and strategy execution processes are integrated, an entity is better positioned to understand:
(a) How mission, vision and core values form the initial expression of acceptable types and amount of risk when setting strategy
(b) Possibility of strategies and business objectives not aligning with the mission, vision and core values
(c) Types and amount of risk the entity potentially exposes itself to from the strategy that has been chosen
(d) Types and amount of risk to executing its strategy and achieving business objectives.
Define “mission,” “vision” and “core values,” and explain how they relate to an entity’s purpose.
“Mission” is the entity’s core purpose, which establishes what it wants to accomplish and why it exists. “Vision” is the entity’s aspirations for its future state or what the entity aims to achieve over time. “Core values” are the entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behaviour of the entity and how it wants to conduct business. Together, these elements communicate to stakeholders the entity’s purpose. For most entities, mission, vision and core values remain stable over time, and during strategy planning they are typically reaffirmed. Yet the mission, vision and core values may evolve as the expectations of stakeholders change.
Explain the significance of alignment among strategy, mission, vision and values to enterprise risk management.
Mission and vision help to establish boundaries for strategy and bring focus to understanding how decisions may affect strategy. Mission, vision and core value statements guide in determining the types and amount of risk an entity is likely to encounter and accept. If an entity’s strategy is not aligned with its mission, vision and core values, its ability to realize mission and vision may be significantly reduced. This can happen even if the (mis)aligned strategy is successfully executed.
Describe the focus of enterprise risk management in the context of strategy execution. Provide an example.
The focus of risk management in the context of strategy execution is on understanding the strategy as it is set out and what risks there are to its relevance and viability. There is always risk to executing strategy; a variety of techniques can be used to assess it.
For example, assume a health care provider sets a business objective of providing high-quality patient care. To assess risks associated with its execution, the provider considers risks relating to factors such as employee capability, medical care and treatment options, health care legislation requirements and health record management requirements. If these execution risks become significant enough, the health care provider may revisit its strategy and objectives and consider revisions or select other alternatives that have a more suitable risk profile.
Explain the roles of the governance and operating models in enterprise risk management.
An entity’s governance model defines and establishes authority, responsibility and accountability. It aligns the roles and responsibilities to the operating model at all levels—from the board of directors to management, divisions, operating units and functions.
An entity’s operating model describes how management organizes and executes its day-to-day operations. It is typically aligned with the legal structure and management structure. Through the operating model, employees are responsible for developing and implementing practices to manage risk and stay aligned with the core values of the entity.
Both models influence the ability to identify, assess and respond to risks to the achievement of strategy.
Explain the significance of an entity’s legal structure in risk management.
How an entity is structured legally influences how it operates. A variety of factors, including size of the entity and any relevant regulatory, taxation or shareholder structures influence the suitability of different legal structures. A small entity may operate as a single legal entity, and risks can be aggregated across the entity. For large entities consisting of several distinct legal entities, risks may be segregated.
Explain the relationship between performance targets and level of uncertainty.
“Performance” describes how actions are carried out as measured against a preset target. There is always risk associated with a performance target. The level of uncertainty varies with the level of performance desired. For example, airlines have a certain amount of uncertainty about their ability to operate 100% of the flights on their schedule. They may be less uncertain that they can operate 90% or even 80% of their scheduled flights. There is a different amount of uncertainty associated with each level of performance.
Explain the concept of risk profile in the context of enterprise risk management.
A risk profile provides a composite view of the risks for an entity as a whole or as a division, a project or an initiative. A composite view of risk allows decision makers to consider the type, severity and interdependencies of risks and how they may affect performance relative to the strategy and business objectives set.
To develop a risk profile requires an understanding of:
(a) Strategy or relevant business objective
(b) Performance target and acceptable variations in performance
(c) Capacity and appetite for risk
(d) Severity of the risk to the achievement of the strategy and business objective.
Interpret the following risk profiles. (Sample Risk Profile A: a risk curve trending upward. Sample Risk Profile B: a series of bars in a bar chart trending upward.)
There are several methods for depicting a risk profile. Every entity’s risk profile is different, depending on its unique strategy and business objectives. These samples plot performance on the x-axis and risk on the y-axis.
Sample Risk Profile A graphically illustrates the composite or aggregate amount of risk associated with different levels of an entity’s performance. In this risk curve, there is an upward trend; as performance increases, so does the risk level.
Sample Risk Profile B provides another illustration of a similar risk curve. This graph considers risk as a continuum of potential outcomes. Each bar represents the risk profile for a certain level of performance. The target level of performance illustrates the point at which the entity can balance the amount of risk to its desired performance.
Explain the concept of “risk appetite” and its relationship to strategy setting.
“Risk appetite” means the type and amount of risk an entity is willing to accept in its pursuit of value. Knowing the risk appetite is essential to enterprise risk management.
There is no universal risk appetite that applies to all entities. The first expression of risk appetite boundaries is found in an entity’s mission and vision statements. Developing a risk appetite statement is an exercise in finding a balance between risks and opportunities. Risk appetite is not static; it may change over time in line with an entity’s changing capabilities for managing risk. The process of selecting strategy and developing risk appetite is not linear, with one always preceding the other. Many entities develop strategy and risk appetite in parallel, refining each throughout the strategy-setting process.
Compare “risk capacity” to “risk appetite.”
“Risk capacity” is the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives. “Risk capacity” can be plotted on any depiction of risk profile. Risk capacity must be considered when setting risk appetite, since generally an entity strives to hold risk appetite within its capacity. It is not typical for an entity to set risk appetite above its risk capacity, but in rare situations an entity may accept the threat of insolvency and failure on a given strategic direction, with the understanding that success can create considerable value.
Compare “acceptable variation in performance,” “risk appetite,” and “risk capacity” using the following risk profile.
This sample plots performance on the x-axis and risk on the y-axis. “Acceptable variation in performance” (sometimes referred to as “risk tolerance”) means the boundaries of acceptable outcomes relating to achieving business objectives. Acceptable variation in performance is depicted by the broken lines to the right and left of the target level of performance. It is more focused than risk appetite, illustrating both the boundary of exceeding the target level of performance and the boundary of trailing the target level of performance. Generally an entity strives to hold risk appetite within its risk capacity.
Explain the premise of the COSO Framework.
The premise of the COSO Framework is that the entity’s mission, vision and core values drive the development of strategy and objectives, which in turn impact the entity’s performance. Enterprise risk management is integrated into strategy planning and day-to-day decision making in an iterative way. The COSO Framework consists of five interrelated components:
(1) Risk Governance and Culture
(2) Risk, Strategy and Objective Setting
(3) Risk in Execution
(4) Risk Information, Communication and Reporting
(5) Monitoring Enterprise Risk Management Performance.
Within these five components are a series of principles that represent the fundamental concepts and activities associated with each component. While these principles are universal and form part of any effective enterprise risk management practice, management must use judgment in applying them.
Outline the five components of enterprise risk management.
(1) Risk Governance and Culture
(2) Risk, Strategy and Objective Setting
(3) Risk in Execution
(4) Risk Information, Communication and Reporting
(5) Monitoring Enterprise Risk Management Performance