Read on to know how ERM is the eyes and the ears of an organization...
Enterprise Risk Management (ERM) is a strategic mechanism to look at risks holistically and evaluate the same at an entity level, with the perspective of identifying material risks and putting in place robust mitigation plans.
The fundamental aim of ERM is to add value to all stakeholder functions in the organization by identifying and treating existing and potential risks, so as to ensure the attainment of business objectives and strategic plans.
The core aspect to be appreciated is that ERM is neither a compliance nor an audit activity. It is a business partner in the growth story of an organization and focuses on ensuring that the business navigates smoothly even in rough waters.
In the world of VUCA (Volatility, Uncertainty, Complexity, and Ambiguity), if there is one thing which would ensure that the company balance sheet is protected and the entity continues to maintain its position built over years of perseverance, innovation, and commitment to stakeholders, it is ENTERPRISE RISK MANAGEMENT.
Integrating ERM into the strategy and day-to-day workflow is of utmost importance for the long-term viability and sustainability of an organization.
If there is one function which plays the role of THE EYES AND EARS OF THE BUSINESS, IT IS THE ERM FUNCTION.
I. The Process
The Enterprise Risk Management process is built on four steps:
i. RISK IDENTIFICATION
Risk identification is aimed at identifying existing and prospective risks for an entity. Broad strategies for identification would include conducting risk workshops, brainstorming sessions with teams, analyzing economy- and industry-specific reports, reviewing past risk-related observations, and other apt measures.
ii. RISK ASSESSMENT
Risk assessment is focused on assessing risks on the basis of the following:
a) Frequency: The likelihood/probability of a risk hitting an organization.
b) Severity: The impact an organization would suffer if the risk event was to materialize.
Whilst Velocity as a concept for risk assessment is gaining increasing prominence, a majority of organizations continue to assess risks on the basis of the two abovementioned parameters.
iii. RISK EVALUATION
Identified and assessed risks will never all sit at a uniform level.
Based on the assessed frequency and severity, risks are leveled into various grades, e.g., High, Medium, and Low Risks.
Gradation of risks influences risk prioritization and thereby, the order of treatment.
iv. RISK TREATMENT
Risk Treatment is focused on implementing a suitable plan to mitigate the evaluated risk and bring it to acceptable levels.
The governance structure in an organization plays a pivotal part in determining the success of risk management.
i. Risk Management Committee
From a governance perspective, an organization should have a Risk Management Committee, comprising a majority of non-executive independent directors, with the Chairman of the Committee also being a non-executive independent director.
The Risk Management Committee, being a Committee reporting into the Board, would be responsible for reviewing & approving risk management frameworks, policies, and other key risk management decisions.
Every critical risk management strategy adopted by an organization would have to be reviewed by the committee, prior to Board approval.
ii. Chief Risk Officer
The ERM function should be headed by a Chief Risk Officer (CRO), who either reports to the CEO or directly to the Risk Management Committee of the organization.
The CRO's broad responsibilities would include:
iii. ERM Team
The CRO would be assisted by the ERM team, which would comprise individuals having the right exposure to managing risks.
The ERM function would be expected to interact with stakeholder functions and build up a risk management culture wherein proactive management of risks is undertaken as part of day-to-day work.
The function would be expected to conduct trainings and create awareness on key risk management issues confronting the company.
The function would lead in terms of working closely with functions for identification, assessment, evaluation, and treatment of risks and drive the creation of a resilient organization.
The three lines of defense model is a structure built up to ensure good corporate governance.
There are three functions which would defend the company against risks:
a. First Line: The Business/Functional Unit
Every unit which carries out an activity day-in and day-out is in the best position to understand its risks and effectively structure its controls.
Therefore, each unit should endeavor to build strong risk management practices and integrate its decision-making with the overall risk management framework.
The above builds a robust risk management culture.
b. Second Line: The Enterprise Risk Management Function
The second line of defense is the ERM function which would look at reducing material risks and monitor the timely implementation of mitigation plans.
The ERM function is expected to proactively assist teams in risk mitigation. The ERM function should be a business partner with the objective of protecting the entity balance sheet.
c. Third Line: Internal Audit Function
The third line of defense is the Internal Audit Function which would independently assess the risks and controls as part of their Risk-Based Internal Audit Plan.
Risks can be classified into four broad categories:
a) Operational Risk
Operational Risk is the risk of loss on account of inadequate or failed people, process, system, or event.
Operational Risk, if not managed, can lead to leakages and losses and hence must be controlled through strong internal control mechanisms.
Organizations have an Operational Risk Management Committee (ORMC) comprising the Heads of Functions.
Operational Risk Management (ORM) is built on the following:
1. A Board-approved ORM Policy
2. ORM Standard Operating Procedures
3. A strong Risk & Control Self-Assessment (R & CSA) Framework
4. Key Risk Indicators (KRIs) to track movement of risk drivers
5. Stress testing of material operational risks
6. Culture building and awareness creation
Organizations can also have an Operational Risk Manager nominated from each business unit for effective accountability of risk.
b) Market Risk
Market Risk is the risk faced by a company on account of market movements. An organization is exposed to risks of foreign exchange fluctuations, interest rate movements including reinvestment risk, liquidity risks, drop in equity share prices, ALM (Asset Liability Management) Risks, and similar other risks. Organizations manage these risks through monitoring market movements, building strong norms for investment management, controlling concentration in specific asset classes, hedging contracts, stop-loss limits, assessing Value at Risk (VAR), & similar measures.
c) Strategic Risk
Strategic Risk refers to risk which can impact the organization at a strategic level.
Broad categories of these risks could be risks affecting company market share, non-attainment of a healthy bottom line, rating downgrades, and similar risks.
d) Credit Risk
Credit Risk refers to a counter-party failing to honor its obligations on timely payments.
The same would include risks related to solvency, rating downgrades of key counter-parties, concentration risk, etc.
Management of these risks is attained through benchmarking the extent of concentration limits, continually monitoring rating downgrades and similar mechanisms.
Risk Appetite refers to the extent of risk an organization is willing to accept in pursuit of its objectives.
CROs always focus on having in place clearly defined risk appetites so as to ensure that everybody in the organization has a clear roadmap in terms of understanding what is acceptable & what should be rejected/avoided.
It is essential to avoid the following pitfalls for effective risk management:
a) To reiterate, ERM is not a Compliance or Audit Activity. It is never Business/Function vs. Risk Management. Business and Risk will always be part of the same team, protecting the organization against a common foe: internal and external risks.
b) ERM should not be labeled as the exclusive responsibility of the ERM function. EVERY EMPLOYEE SHOULD PERCEIVE HIMSELF TO BE A RISK MANAGER. Successful ERM requires engagement and alignment of senior, middle, and lower management.
c) ERM is about moving out of silos. Hence, it is crucial to ensure that a holistic view of risks is undertaken and the focus is on assessing risk from an organizational perspective.
d) ERM is about being proactive. Hence, it is important to continually review existing ERM practices, keep examining changes in business conditions, economic environment, systems & processes.
An organization which adopts ERM in its true spirit is certain to withstand the test of time and evolve into a respected Company. ERM is an imperative, and organizations which have ERM as their foundation stone will continue to grow along with protecting the interest of their stakeholders.
Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.