Enterprise Risk Management
This article examines the development of Enterprise Risk Management (ERM) processes and systems. The types of risks addressed by ERM are explained along with how enterprise risk analysis can assist boards of directors, corporate managers, investors, and industry analysts. The Integrated Framework for ERM of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is also reviewed. The processes and challenges of implementing ERM and information systems to support ERM are examined along with steps that stakeholders can take to address technical and cultural issues. Past experiences in developing and implementing large-scale systems that drive organizational change are also reviewed.
Keywords: Data Analysis; Decision Support Systems; Enterprise Resource Planning (ERP); Executive Information Systems (EIS); External Risk; Information System Development Life Cycle (ISDLC); Manufactured Risk; Organization Change; Public Company Accounting Oversight Board (PCAOB); Risk Analysis; Risk Mitigation; Sarbanes-Oxley Act; Technological Risk
Enterprise Risk Management (ERM) is a data-intensive process that measures all of a company's risks. It gives managers an understanding of the full array of a company's risks, including financial risks, investment-oriented risks, operations-based risks, and market risks, as well as legal and regulatory risks for all of the locations in which a company operates or invests (Peterson, 2006). Risk can also result from political or social conditions in locations where a company has operations, suppliers, or customers (Woodard, 2005). Risk to a company's reputation is also an important element of ERM (Ruquet, 2007).
In each of the risk areas there are two primary types of risks that companies face:
- External Risk
- Manufactured Risk
External risk is the risk of events that may strike organizations or individuals unexpectedly (from the outside) but that happen regularly enough and often enough to be generally predictable. Manufactured risk results from the technologies or business practices that an organization chooses to adopt. Technological risk is caused or created by the technologies themselves; examples include trains wrecking, bridges falling, and planes crashing (Giddens, 1999). Business practice risk is caused or created by the actions a company takes, which can include investing, purchasing, selling, or financing customer purchases.
ERM analytical models should encompass both external and manufactured risks, which can be identified through historical analysis as well as reviews of current operations and exposures ("Expect the Unexpected," 2009). Once identified, risks can be validated through discussions with corporate executives, operations managers, production managers, and business unit executives. In addition to giving a better understanding of the risks, these discussions can also provide insight into the existing mitigation practices that have been designed to reduce specific risks (Muzzy, 2008).
The data intensity of ERM requires risk managers to obtain data from numerous sources, test the integrity and accuracy of that data, and ensure that the data is being properly applied and interpreted. Assumptions about the models or analytical approaches behind an ERM analysis must also be carefully examined and tested (Cotton, 2009; Vlasenko & Kozlov, 2009). The internal audit department can help validate some of the financial data used in ERM models as well as provide other potentially relevant financial information (Gramling & Myers, 2006).
The 2008 economic downturn caught many corporate executives working with analytical models that assumed that the housing market would not decline so drastically or on such a widespread basis (Korolov, 2009). Clearly the assumptions and the analytical model had not undergone stringent enough testing. However, most risk managers had also not previously seen the convergence of negative economic trends occur so quickly and across so many sectors simultaneously (Morgan, 2009).
Putting ERM to Work
The ERM process is designed to enable corporate executives as well as investors to quantify and compare risks and to gauge the overall health of a company (Coccia, 2006; Panning, 2006). Investment advisors, institutional investors, and credit rating agencies are adding to the pressure for companies to develop ERM systems and disclose their risks (Karlin, 2007). ERM enables top managers of a company to aggregate, prioritize, and effectively manage risks while enabling business-unit managers to improve decision making in operations and product management (Kocourek & Newfrock, 2006). In managing risks there are several options that corporate executives can take including accepting, preventing, mitigating, transferring, sharing, or avoiding the risks (Woodard, 2005).
The ERM process can also support strategic planning activities as well as provide insight into alternative business practices and goals (Millage, 2005). One of the biggest challenges in implementing ERM strategies is to make sure that selected analytical methods are appropriate for the type and size of organization to which they are being applied (Milligan, 2009). ERM strategies and models as well as the utilization of ERM analyses will vary with corporate culture, business goals, and risk management objectives. This means that a one-size-fits-all approach towards ERM is not likely to be successful (Lenckus, 2006).
The Push for ERM
Although many companies have used ERM over the last decade, the economic downturn of 2008 showed that some companies had not done well when it came to managing their risks (Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that corporate executives were not taking newly developed models of risk analysis as seriously as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the ERM concept is changing as more and more companies attempt to recover from the downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy base for using ERM to help manage companies through all phases of business cycles (Van der Stede, 2009).
In addition to pressure from the investment community, corporations also face new legal requirements that have increased the interest in ERM. After Enron, WorldCom, Tyco, and other large businesses failed, the United States Congress passed the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley addressed risks related to financial reporting. Sections 302 and 404 of the act have spurred considerable interest in ERM. Section 302 mandates disclosure controls and procedures so that companies can disclose developments and risks of the business, and section 404 requires an assessment of the effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009).
The United States Securities and Exchange Commission (SEC) has also implemented requirements for publicly traded companies to disclose risk factors in section 1A of their 10-Ks. The SEC and the Public Company Accounting Oversight Board (PCAOB) also developed Section 404 guidance that supports a top-down risk assessment and holds boards of directors more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir & Walker, 2009).
In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Integrated Framework for ERM. The framework identifies four types of objectives for ERM:
- Reporting, and
In addition, organizations are charged with examining eight components for each of the four objectives:
- Internal environment,
- Objective setting,
- Event identification,
- Risk assessment,
- Risk response,
- Control activities,
- Information and communication, and
- Monitoring (Bowling & Rieger, 2005a, p. 31; Wheeler, 2009).
A summary as well as detailed information about the COSO framework is available at www.coso.org.
Thus, the stage is set and the pressure is on for organizations to use ERM to gain greater insight into company-wide risk. But it may not all be that easy. Even after ERM systems are in place the analysis they render must then be applied to the business decision making process. Even at that point, it will require an added dose of knowledge, wisdom, and experience to develop a competitive strategy and support that strategy with rational day-to-day business management skills before ERM becomes an integral part of a company's success formula.
As companies begin to implement ERM processes and systems, the most important decisions they face are who will be in charge of the ERM processes and systems and where in the organizational structure the ERM function will be placed. Many companies have opted to create a position of chief risk officer (Wheeler, 2009). This trend has created new career paths for those interested in risk management, especially those who are interested in working at the highest levels of organization management (Branham, 2006).
Establishing an effective risk management organizational structure also requires that the risk management department or director be provided an adequate degree of independence similar to that of an internal auditor. This includes the ability and the resources to build an ERM information system that can support data collection, information-gathering, modeling, and risk analysis (Shan, Xin, Xiaoyan & Junwen, 2009).
ERM staff also need to develop a broad knowledge of the company in which they work and cultivate relationships with key players in all parts of the company in order to promote risk management (Loghry & Veach, 2009). Once relationships are established they must be maintained through continuous, meaningful, and understandable communications regarding the company's risks. ERM staff may also need to develop new skills and will always need to keep their skills and knowledge base updated through continuing education and training in the risk analysis and risk management fields (Zaccanti, 2009).
Corporate executives who are responsible for directing risk analysis need to have enough influence in their organization to gain the attention and respect of other executives (Baker, 2008). The quality of risk analysis and the sophistication of risk inventories and projections may help to persuade corporate executives that there is value in the ERM processes, systems, and staff (Johnson & Swanson, 2007).
ERM staff also need tools to help them crunch through the vast amounts of data that can be used to support risk analyses. The marketplace for ERM application software is only beginning to emerge, and ERM staff are faced with selecting from tools that may have had little actual real-world use (Lenckus, 2006; Ramamoorti & Weidenmier, 2006). Tools and people cost money, and if ERM programs are not adequately funded, results are likely to be anemic at best (Panning, 2006).
Back to Basics in Information Management
The fundamental principle behind ERM is that it is designed to take a broad and comprehensive view of risks and focus on the basic causes and effects that can keep companies from achieving their strategic business goals (Loghry & Veach, 2009). Some analysts view this as a departure from the past when risk management was depicted as a fragmented, silo-ridden function in most organizations (Bowling & Rieger, 2005). However, ERM systems of this scope are largely based in information creation and analysis and thus the basic rules and processes of information management apply to ERM systems just as they do to any other information system.
There are four basic steps to business data management:
- Data creation,
- Data storage,
- Data processing, and
- Data analysis.
A considerable amount of data is created through everyday business processes such as production of items, consumption of supplies or resources, sales of goods or services, and customer service activities. The primary tool for processing and managing such large amounts of data is database software. Database software is used in virtually all industries, especially those that are transaction focused and need to track large quantities of items or activities. Enterprise storage systems are capable of storing vast amounts of data, and modern storage management tools have eased many of the problems associated with this task.
Complex data analysis, beyond what database software provides, has become essential to managing large organizations and may be even more essential in ERM. This type of data analysis can be performed with a variety of data mining, statistical analysis, and decision support software packages. This software helps managers and analysts compile or create statistics on millions of business transactions. These statistics can support business forecasting and planning efforts as well as ERM analysis.
Data analysis software has evolved over the last 60 years. For decades most such software was rather cumbersome and required custom programming. In the 1970s decision support systems (DSS) were introduced that provided assistance for specific decision-making tasks. While DSSs can be developed for and used by personnel throughout the organization, they are most commonly employed by line staff, middle level managers, and functional area specialists. Among the latest developments are expert systems, which capture the expertise of highly trained, experienced professionals in specific problem domains.
In the 1990s executive information systems (EIS) or executive support systems (ESS) were being developed in large organizations. At first these systems were cumbersome, and most were stand-alone systems requiring time-consuming data entry processes. As expected, the technology for EIS has evolved rapidly, and new systems are more integrated with other applications such as DSS or Enterprise Resource Planning (ERP) systems (Watson, Rainer & Koh, 1991).
Information System Development Life Cycle (ISDLC)
Regardless of whether the ERM team is going to use off-the-shelf products such as a DSS or an EIS or develop its own in-house applications, it still needs to apply the Information System Development Life Cycle (ISDLC) model to the implementation. The traditional and well-established approach to the ISDLC is that a development project undergoes a series of phases, where the completion of each phase is a prerequisite to the commencement of the next and where each phase consists of a related group of steps. The general scheme for the ISDLC is similar almost everywhere. It typically contains four major phases consisting of several steps each:
- Definition Phase: consisting of preliminary analysis, feasibility study, information analysis, and system design.
- Construction Phase: consisting of programming, development of procedures, unit testing, quality control, and documentation.
- Implementation Phase: consisting of user training, conversion of old systems to new systems, thorough field testing, and then a move to full operations.
- Maintenance Phase: after the system is in full operation, updates are made to assure continued operation as new equipment or upgrades to operating systems are introduced. Enhancements to the system can also be made to meet changing user requirements.
Effective management of information systems requirements analysis, and thus the design of appropriate systems, is critical to the success of an ERM systems project. Systems development methodologies must be selected and applied based on the requirements and goals stated by the staff who will ultimately use the system (Avison & Taylor, 1997). ERM practitioners can benefit from these basic information systems practices and should look to traditional development procedures and processes instead of going it alone and trying to reinvent the world of information management.
Issue: Overcoming the Hurdles
The last several years have been a rocky road for many ERM programs and many have been viewed as failures in their early stages. When ERM programs are driven by individuals, single divisions or business units, or function as silos they do not have the ability to bridge with other parts of the company and become integrated into the management process. In addition, ERM has often been viewed as a costly program that takes years to implement and years can pass before any real benefits are derived from the expenditure of time and money...