Enterprise-Wide Approach to Risk Management - Coursework Example

Enterprise-wide approach to risk management Name Subject Instructor Institution Date Enterprise-wide approach to risk management Introduction Enterprise risk management plays a vital role in ensuring that in each of the entities that do exist have their specific values for their given stakeholder. This is a central part in the strategic management for most of the organizations. The organizations are able to address the risks attached to its activities methodically and even build its capacity as noted by Islam and Tedford (2008, p.420). For this to be purposeful, the risk management must be proportionate to the level of the risk attached in the organization that has as well been aligned together with other corporate activities. Lam (2003) claims that, enterprise risk management (ERM) should be comprehensive in scope, dynamic and responsive to the changing situations. Its focus should be to assess significant risks and be able to provide significant solutions to them. It should achieve maximum sustainable value from all the activities in the organization. The downward and potential upward factors that can probably affect the organization are harmonized (McKay, 2011; Pohlmann and Tim, 2002). The ERM reduces the probability of failure and uncertainty level that is associated with the organizations objectives and increases the probability of success in the organization. This paper gives the evaluation of the enterprise approach towards the risk management in organizations. Firstly, there are several principles that guide the management of the enterprise risks as noted by Olson and Desheng (2008). These include: Embedding: The ERM and internal control framework have to be fully embedded in the major operational processes in the same way as strategic planning and performance measurement is done. Risk awareness; the results obtained would form the basis of the decision making process to ensure proper policies are made. Proper funding and evaluation; the required resources should be well allocated by considering the risks that may affect the achievement of the objectives which are applicable to each of the organizational units as well as, at the fund wide level. The relevant risks require to be well evaluated in the evaluation of the programs as well as, the relevant budget allocations. The ERM should have its inclusion during the preparation of the budget and when it is under the review processes. Ownership; middle and senior managers as well as, the risk owners should have a proper understanding of the risks that impact their operations and are able to identify the strategies and mechanisms that will assess, monitor and control the risks associated with it. Accountability; the owners of the risks, the middle managers as well as the senior managers are responsible for the actions of management in their responsibilities. The governing bodies give an adequate oversight, control, review and approve the strategies that have been prepared by management. Consistency: As part of its decision making process, the fund should adopt a consistent method to identify, assess, monitor, mitigate, control and be able to communicate risks associated with any of its processes so as to efficiently and effectively achieve its objectives. Authority; the middle and senior managers as well as, the risk owners should have a certain level of authority and flexibility that will determine and execute the proper action to be taken to manage the risks in their responsibility areas. Communication; the data outputs will be considered in designing the funds information systems that will need to be designed and updated so as to have proper risk assessment and monitoring. Reasons for building a business case for ERM Essentially, one of the corporations that have experienced the enterprise risk management is the New York Stock exchange. This emanates from the fact that, this corporation requires the board to discuss the risk assessment procedures in its sittings. Additionally, the General Electric Company in Fairfield, Connecticut has developed a risk management structure that conforms to the large physical assets. They have employed the risk strategy that conforms to the finance option. The risk patterns have been developed such that they are centrally formulated while they become decent rally executed as itemized by Young and Rodney (2009). This enables all the employees to understand their job jurisdiction and perform their very best. On the other hand, JP Morgan Chase in New York, which is a financial service institution, offers risk management strategies that base on, analysis, incentives culture and the structure (Fraser, Benton and James, 2001). They presume a quantitative risk management structure where they focus on the scenario analysis and the stress test. Above all, all organization perform risk management so as; Improves risk awareness The application of ERM together with related risk management activities will bring out a cultural shift that will allow the organization to have a risk smart workforce and environment. It helps the organization to be innovative and provides the tools for the same and as well becomes prudent as it protects its interests. Improved organizational efficiency The entire value chain has an improved efficiency out of having ERM as there is top down coordination that has proved to have the effect of improving the functioning of an organizational work. It allows the team to be integrated and addresses the individual risks that are facing the company as well having the risks interdependent. Enhances shareholder value The overall profitability of the firm is improved through the application of an ERM framework. The costs of application of the ERM cannot be compared to the benefits that accrue from it. It allows the organization to save both the auditors fee as well as, the internal costs. It has the effect of streamlining the risk management, as well as, enhancing the organizations credibility The risk exposures are clearly marked With the help ERM, the organization can, measure, monitor and control the inherent risks exposures of the business at all the levels of the business (Harris and Tony, 2005). Event management, risk assessments and the key risk indicators are some of the elements which have a key role in the organizations that will help the evaluate the risk controls with reference to the identified inherent risks and measure the residual risks which will remain after the controls have been implemented. Roles and responsibilities are redefined The risk management process is made easier through having roles and responsibilities clearly defined within the firm’s profile. This also helps the firms to have accountability in the work culture of the organization. The ERM enhances the corporate social responsibility [CSR] The economist intelligence unit in 2007 stated that, the most important outcomes of ERM are the way it assists the organization in protecting and enhancing the reputation of an organization. In addition, there is a regulatory compliance and the capital in conjunction with the resources that are effectively allocated. This will allow the firms to avoid losses which will increase the shareholder value and have reduced earnings volatility. ERM creates an increased sustainable value Most of the companies rely on ERM for this to produce clear and identifiable benefits like competitiveness and the sustainability. This brings about a sense of corporate goals and objectives, significant loss exposure and reductions as well as talent management. Different views have been propounded that ERM enhances the behavior of the organizations and improves their performance. This means that it assists in reducing the cost of risks and secures opportunities for growth under optimum conditions. The risk management process This can be presented as a list of well coordinated activities where there are alternative descriptions of the process. According to Murray-Webster and Graham (2010), the listed components below form part of the process where there are 7Rs and 4Ts which form part of the risk management. The 7Rs are; Recognition and risk identification Ranking or risk evaluation Response to significant risks Resourcing controls Reaction planning Reviewing the risk management Reporting and risk performance measurement The for 4Rs are; Treat Tolerate Terminate Transfer When the ranking of the risks are identified, this forms the assessment activity of the risks. The risk responses scope includes the tolerate options of the 4Ts that gives rise to the risk. These responses are applied in combination for many of the risks (Harris and Tony, 2005). For the opportunity risks, the range of the options available has in them the consideration of exploiting the risks. The planning of the reactions considers business continuity planning and the planning of the disaster recovery. Framework for managing the risk According to Lloyd (2010), the ISO 31000 describes this as a framework where the risk management is implemented but not a framework which is for supporting the risk management process. The framework is described by an organization which will be needed to support risk management where the risk architecture is the way, the strategy and the protocol of the organization (Woods, 2011). The risk architecture, protocols and strategies represent the internal arrangement for communicating on the risk issues. It also displays the roles and the responsibilities of the committees and the individuals that have their full support on the risk management process. The strategy of the risk is that it should set out the activities of the risk management that the organization is endeavoring to achieve. The procedures of the risks are described by the risk protocols which also dictate how these are to be implemented and management. Achieving ERM benefits The stages in the process are risk assessment and treatment. This is shown under the chart below Mandate and commitment Design of framework -Organization and its context -Risk management policy - Embedding risk management Implement risk Improve framework management -Implement framework -Implement RM process Monitor and review framework Risk assessment Consequently, the identification of the risk exposes the organization to uncertainty and risk which requires the involved to have a very close relationship with the organization and to have its knowledge well as well as the market in which it operates, its political aspect, social, legal and cultural aspects of its environment as well having an understanding of the operational and strategic objectives. The factors that are critical to the success of the organization are going to be highlighted to have the SWOT analysis done well which are related to the achievement of the objectives as noted by Greenhalgh (2001). This should have a methodical way of approaching it to ensure that all the value adding activities have been evaluated within the organization and have all the risks that are flowing from the activities clearly defined. These results are used to generate a risk profile that will bring a rating of significance to all the risks and will be able to therefore prioritize the efforts of risk treatment. The identified risks are going to be well ranked in order of importance. It will allow the ranks to be mapped on the area of the business which has been affected, to describe the primary controls and put them in place. They may be adjusted upwards or downwards or may remain unaltered. This activity enables the organization to have effective and efficient operation where it identifies the risks that require management attention. This is will what will assist the management to prioritize the risk control actions where it will consider the potential actions so that it can benefit the organization (Woods, 2011). The available risk response range among the 4Ts that the organization may as well decide that there will be need to improve the control environment. Treatment of risk This is an activity of selection and implementation of the appropriate control measures that will modify the risk. Risk control is the major element in it although it further extends to transfer, avoidance and financing of these risks. This treatment of the risks should provider affective and efficient internal controls. The degree of reduction or risk elimination by the proposed control measures is what is referred to as effectiveness. The cost effectiveness is the cost of implementing some controls as compared to the benefits achieved through the risk reduction. An organization has to consider the laws that are applicable and a system of controls must be implemented so as to achieve compliance to these laws. Insurance policies are part of the ways that these organizations can hedge against the risks financially but some of the elements of loss may be uninsurable like the uninsured costs and the damage of the morale of the employees or the organizations reputation. The assessment of risk will require feedback mechanisms which are to review and monitor the performance of consultation and communication (Pohlmann and Tim, 2002). This ensures that there is monitoring of the risk performance and that the organization is able to learn from its experience. Communication and consultation is part of the risk management as well as the supporting networking. Several steps are involved in the implementation of an enterprise risk management process. These are discussed as follows: Planning and designing Several factors should be considered when planning. The details of the risk architecture the strategy and the protocols are supposed to be recorded in the risk management policy for the organization (Pohlmann and Tim, 2002). A typical risk management policy should include the following in its context. Management of risk and objectives of risk control. Attitude statement of the organization to risk or the risk strategy. A description of a culture for risk awareness of the control environment. A risk appetite that is acceptable. Risk management organization and its arrangements [risk architecture]. Procedural details for recognition of risk [risk assessment]. Documentation list for analysis and report of the risks [risk response]. Risk allocation management of the roles and the responsibilities. Management of the risks, training topics and the priorities. Monitoring and benchmarking criteria of the risks. Resource allocation to risk management. Risk activities and priorities for the next year. The scope of this initiative is that, for it to be successful, the comprehensiveness of the ERM process needs to be clearly marked out as noted in (Security Architecture modeling: 2009). Otherwise, the introduction of standards of risk management that are enhanced is not something that can be instantaneously achieved but, should be a gradual progressive process as stipulated by Tonello (2007). Therefore, the organization should decide the scope of the ERM as it is in the process of development. The initiative scope will be defined by the range of benefits of the organization which will be under the influence of the expectation for the organizational stakeholders. Implementation and benchmarking The assessment of risk is a very vital process in the management of the risk. So as to achieve comprehensive risk management, there needs to be risk assessments which are suitable and sufficient. The first thing to be done is to establish risk assessment procedures. This is because the risk assessment will be part of the decision making process that will aim at exploitation of the business opportunities (Pohlmann and Tim, 2002). The risk assessments are attached to the proposed project papers so that it will have to be part of the decision making process. In addition to this, the risk Assessments are required in relation to routine operations as well as throughout the whole project. At this stage, the organization will choose on the detail level that will be required when recording will be done. It is also at this stage that the risks will be classified using the risk classification system in the organization. To undertake risk assessments, benchmarks should be developed so as to determine the significance or materiality of the risks that have been identified where these benchmarks will depend on the types of the risks. Where financial risks are involved, the benchmarks can be a sum of money. Where there are risks that can cause disruptions in the operations, the disruption duration is a very suitable test (Teece, 2000). For reputational tests, this can be benchmarked by the use of the profile that it would receive, the likely share price impact of the event or the political impact on the political as well as the financial support that is received from the key stakeholders The techniques of risk assessment are: Use of questionnaires and checklists-to identify the significant risks, structured questionnaires are used as well as check lists to collect information. Workshops and brainstorming-this involves the collection and sharing of ideas in a discussion on the events that are likely to impact on the objectives, key dependencies or stakeholder expectations. Inspection and audits- these involves the physical inspections of premises, activities and carrying out audits to ensure there is compliance with the established procedures and systems. Flowcharts and dependency analysis. This will be done to the processes and operations so as to identify critical components that will be to that success. HAZOP [Hazard and Operability studies] and FMEA [Failure Modes Effects] which will analyze the quantitative failures. SWOT and PETLE analysis which will offer structural analysis to risk recognition. With the above risk assessment procedures and having the right benchmarks in place for the different risks, it will be possible for the organization to identify the attitude or the appetite to that type of risk in conjunction with the organizations capacity to withstand the risk as noted by Slater and Eric (2001, p.1057). To wrap it up, the organization will be able to determine the overall exposure to the risk that is under consideration. Measuring and monitoring It is usually the case where the risk assessments are recorded in register of the risks. There is no standardized format which a risk register should take and an organization should have a suitable format for the document for it should not be a static record of the risks that are significant that are faced by the organization. This should be viewed as an action plan of risk that will include the details of the current controls and the actions that are further planned which should be written as auditable actions that must be completed within a certain timescale by identified individuals to enable the internal audit function to be able to monitor the controls that are existing and monitor the implementation of the necessary controls. The resources that are required so as to implement the risk management policy should be clearly established properly at each level and unit. The risk management is supposed to be embedded within the planning strategy and processes of the business as well as monitoring the existing controls. To further measure and monitor, it will require that the risk ware culture be monitored as well as the risk management framework and the alignment extent of the corporate activities. Evaluation of existing controls This will extend to the evaluation of culture preparedness and performance of the organization. The activities that will be covered by the risk evaluation will include; monitoring of risk, improvement of recommendations and the embedding of risk evaluation activities in the organization as well as, continuous monitoring of the risk performance indicators as suggested byBorgelt and Ian (2007, p.124). The monitoring of the preparedness of the organization to cope with the major disruptions forms a major part of the risk management as it extends to the development and the testing of business continuity and disaster recovery plans. So as to assure the preparedness of the organization to these risks, it will be important that the plans be kept up to date so as to cope with the identified risk (MacMinn, 2005). When the existing controls are identified, this will lead to identification of risk improvement and recommendations which, should be placed in the risk register by way of a risk action plan. More importantly, there should be adequate evaluation of the business continuity and disaster recovery planning arrangements in place. Embedding a risk aware culture The surrounding of the organizations operation should be identified and the changes thereof taken into consideration and the appropriate modifications should be made to the protocols. The assurance should be provided by the monitoring activities and the procedures should be understood and followed (Olsson, 2002). In addition to this, the internal and the external environmental changes should be identified so as to modify the existing procedures The monitoring and measuring technique should determine whether; The intended results were obtained from the measures that were taken There was efficiency in the procedures that were taken The risk assessments were taken out of having enough information Better decisions would have been obtained if improved knowledge was obtained Future assessments and controls can be done out of the lessons learnt If risk management is to be embedded, then it will involve leadership to be demonstrated through better leadership schemes from the senior management, where staff at all level are going to be involved, there will be a culture where learning will be from experience, there will be accountability for the actions taken without developing a culture for blaming automatically as well as have good communication on risk issues. Learning and reporting Reporting from performance will be in line with the learning from experience and this will complete the feedback loop. As noted by Peppers and Martha (2004), learning from experience will need review of the risk performance indicators and check what the risk performance indicators have assisted for the success of the organization and check on the appropriateness of the mechanisms that have been selected. To monitor the risk performance, the organization will need to get opinions of other stakeholders both from the organization and outside it. In cases where learning is from experience, this will need more than evaluation of the risk performance indicators. Report risk performance In addition to the organization having internal communication, it will need to have external communication that is in response of mandatory requirements that are related to risk management so as to give the external stakeholders that the risks have been already mitigated adequately as noted by McKay (2011). This will also provide information on the measures that are being taken so as to improve performance and to set out the policies and the effectiveness if the organization in achieving the objectives (Teece, 2000). Additionally, risk reporting will provide information on the historical losses and the trends. It is important to note that risk disclosure is a forward looking activity that is meant to anticipate emerging risks Conclusion The ERM policy will provide assurance to the funds ability in meeting the obligations and the commitments to achieve the goals that have been set. It has entailed the coordination, identification, assessment, mapping, monitoring, communication and risk control across the organizational funds. It requires that the risks be identified and understood from a wider perspective and the managers to develop options that will address the risks that have been identified. References Borgelt, K. and Ian, F., 2007. "The Leadership/management Conundrum: Innovation or risk management?" Leadership & organization development journal 28(2), pp.122-36. Fraser, R., Benton, G, and James, K., 2001. Commercial banking: the Management of Risk. Cincinnati: South-Western College Pub. Greenhalgh, L., 2001. Managing strategic relationships: The key to business success. New York: Free. Harris, L., and Tony, W., 2005. The Strategic managing of human resources. Harlow: Financial Times Prentice Hall. Islam, Al, and Tedford, J., 2008. "Managing Operational Risks in Small- and Medium-sized Enterprises (SMEs) Engaged in Manufacturing – an Integrated Approach." International Journal of Technology, Policy and Management 8(4), p.420. Lam, J., 2003. Enterprise risk management: From Incentives to Controls. Hoboken (N.J.): J. Wiley. Lloyd, B., 2010. Enterprise risk management. Dublin: Chartered Accountants Ireland, Management of Risk, 2007: Guidance for Practitioners. London: TSO. MacMinn, D., 2005. "On corporate risk management and insurance." Asia-Pacific journal of risk and insurance. Maeda, Y., Yoshihiko, S. and Nicos, S., 2010. "Shareholder Value: The Case of Japanese Captive Insurers." Asia-Pacific Journal of Risk and Insurance 5(1), p.47. McKay, S., 2011. Risk assessment for mid-sized companies: Tools for developing a tailored approach to risk management. New York, NY: American Institute of CPAs, 2011. Murray-Webster, R. and Graham, W., 2010. Management of risk: Guidance for practitioners. Norwich, England: Stationery Office. Olson, L., and Desheng W, 2008. New Frontiers in enterprise Risk Management. Berlin: Springer. Olsson, C., 2002. Risk management in emerging markets: How to survive and prosper. London: Financial Times Prentice Hall. Peppers, D. and Martha, R., 2004. Managing customer relationships: A strategic framework. Hoboken, NJ: John Wiley & Sons. Pohlmann, N. and Tim, C., 2002. Firewall architecture for the enterprise. New York, NY: Wiley Pub. Security Architecture modeling, 2009. A comprehensive approach to enterprise risk management. Wiley-Interscience. Slater, F., and Eric, O., 2001. "Marketing's contribution to the implementation of business Strategy: an Empirical Analysis." Strategic management journal 22(11), pp.1055-1067. Teece, J., 2000. Managing intellectual capital: Organizational, strategic, and policy dimensions. Oxford: Oxford UP. Tonello, M., 2007. Emerging governance practices in enterprise risk management. New York, NY: Conference Board. Woods, M., 2011. Risk management in organizations: An integrated case study approach. London: Routledge. Young, B. and Rodney, C., 2009. Operational risk assessment: The commercial imperative of a more forensic and transparent approach. Chichester, England: Wiley. Read More