
Ten Steps in Enterprise-Wide Risk Management - Literature review Example

Summary
The paper "Ten Steps in Enterprise-Wide Risk Management" is an outstanding example of a management literature review. Risk management is a topical issue in today’s business world. Years back, establishments used to view risk as an extra cost (Elahi, 2013). So whenever a risk actualised, one was considered unlucky and simply bore the costs…

Extract of sample "Ten Steps in Enterprise-Wide Risk Management"

“TEN STEPS IN ENTERPRISE-WIDE RISK MANAGEMENT” by Priscilla Burnaby and Susan Hass

AN ANALYSIS

Table of Contents

Introductory Summary
Main Learning points
Step 1 Executive authority
Step 2 Enterprise-wide Risk Management Department
Step 3 Choose a Control Framework
Elements of a good Control Framework
Control environment
Risk Assessment
Control activities
Communication and Information Flow
Monitoring
Step 4 Risk Determination
Step 5 Risk Assessment
Step 6 Measuring Business Units Objectives and Performance
Step 7 Audits of Objectives and Control Summary
Step 8 Follow up Reporting
Step 9 Analysis
Step 10 Regular Monitoring
Practical Implications for UAE
Conclusion
Reference List

Introductory Summary

Risk management is a topical issue in today’s business world. Years back, establishments used to view risk as an extra cost (Elahi, 2013). So whenever a risk actualised, one was considered unlucky and simply bore the costs. Today, however, things have changed. Risk is seen as something that can actually be managed with a view to reducing the cost of risk actualisation. The use of insurance policies to mitigate financial loss is now almost a requirement for any successful business. According to Catmull (2012), risk management is a process that involves doing risky things and then being in a position to respond when things go in an unpredicted manner. Risk is a challenge that every business must face. Risk management represents a business’ preparedness for the unpredictable future. A well-established risk management practice can reduce exposure to risks (Sania, 2012). Burnaby & Hass (2009) therefore recommend enterprise-wide risk management (ERM). The essence of ERM is that it involves managing risks in an integrated manner that appreciates the interdependence of risk situations (Gatzert, 2016).
Arguably, ERM is at the core of any establishment’s strategy because it is a system that is intended as a way to manage risk and opportunities within a co-ordinated process with the aim of increasing business value. This paper is an analysis of the steps that are necessary when it comes to enterprise-wide risk management (ERM). The paper is based on Burnaby and Hass’ article titled “Ten steps to enterprise-wide risk management”.

Main Learning points

The article proposes ten steps that ought to be relied on in enterprise-wide risk management. The first step involves obtaining permission from the executive management. This is because risk management is very important in the execution of a business’ strategy, hence the importance of involving the executive in order to create situational awareness. The second step will see the formation of the ERM team with the mandate of overseeing the entire process. The third step involves deciding on which control framework to rely on to guide the entire process. The fourth step involves determination of all the risks. The fifth step involves analysing the identified risks in line with the business’ strategies and objectives. The sixth step involves review of business strategies in light of the new information. The seventh step involves the linking of objectives to a control summary. The eighth step is the process of regular reporting to the ERM team. The ninth step involves analysis by the ERM team. The tenth step is a process that involves continuous monitoring of the entire process.

Step 1 Executive authority

This is the first step when conducting ERM. According to the article, this step is important in order to ensure a formal and documented process. Before the ERM process can start, the management of the particular establishment must give authority.
Since risk management is at the core of executing any business strategy, there must be a convergence between the establishment’s strategic plans and an understanding of all organizational risks across the board (Burnaby & Hass, 2009). The authors also opine that the co-ordination of risk assessment and strategy development will ensure proper risk management by both internal and external stakeholders. The establishment of an ERM team depends on the executive. It is the executive that will weigh the pros and cons before deciding on whether or not to put in place an ERM team. It is the executive that will oversee the costs of establishing such a department and all other incidental costs. According to Decyk (2015), the reputation of an establishment is considered to be at the core of its value. The presence of executive authority also functions to maintain the reputation of the organisation. The executive is the ‘face’ of the business to the outside world. Such reputation ought to be evident in the establishment’s strategic plan and in its risk management and insurance policies. A flawed risk management system affects an establishment’s insurance strategic plan (AoN, 2012). It is on the basis of risk that an insurance cover becomes necessary. So in the event that the risk management system fails to operate as intended, it may also lead to a flawed insurance strategy.

Step 2 Enterprise-wide Risk Management Department

Once the executive has given consent and determined the necessity of ERM, the next stage involves setting up the ERM department. Burnaby and Hass (2009) propose that, for purposes of efficiency, management of the ERM department ought to be set up in what they refer to as layers of ownership. At the very top is a senior manager whose duty is to develop the department. He will also be responsible for determining the appropriate level of resources as well as time management.
Ideally, a team of managers working together should be able to assess, evaluate and develop an action plan (Rahim et al, 2015). A senior manager is in charge of creating the framework, including time schedules, within which the department will operate to meet its goals. Within the structure of the organisation, every department ought to have a representative from the ERM team. This is the level of the management team. Here a formal ERM process with specified time schedules has to be established (Mokni et al, 2014). Fianko et al (2014) propose that it is essential that all members of an organisation participate for the purpose of identifying all possible risks. Although Burnaby and Hass (2009) propose that the audit department cannot be responsible for risk management, Fianko et al (2014) disagree and front the idea that the audit department can be involved in developing and monitoring the risk management plan. Within the ERM department also, ownership refers to responsibility. Every member must be responsible for his portfolio. Those that supervise the risk management activities at the departmental level have to be responsible even for the quality of the reports they present for analysis (Kallam, 2013).

Step 3 Choose a Control Framework

Commitment to an internal control and regulation framework is what this step is all about. An efficient control framework reduces the chances of errors and other irregularities (Gatzert, 2016). Among other things, a control framework will guide on areas such as setting of objectives, assessing of risks, communication, program monitoring, control activities as well as organization. A control framework will ensure that relevant strategic, financial and operational objectives are set right from the beginning. It will ensure that a proper assessment of risk is accomplished. Through control activities, legal, regulatory and business requirements are adhered to.
A control framework also helps ensure that the risks that have been identified are mitigated or avoided as the case may be (Simangunsong et al, 2012). In addition, Simangunsong et al (2012) posit that the monitoring of compliance with business legal requirements, regular feedback to the executive and regular reviews also fall under the umbrella of control activities. Also, whenever new opportunities arise, it calls for advancement of policies that will take advantage of such. This is possible through the efficiency of control activities. Also, internal controls ought to correspond to the needs of the business (Hong Kong Institute of Certified Public Accountants, 2012). That being the case, it makes sense that such a control mechanism ought to promote sound business practice, be continuously relevant according to the times and business environment, and accord the business leverage within its line of business. Kallam et al (2013) argue that it is through a control framework that opportunities for more and new business are maximised while at the same time reducing the potential losses that are associated with unforeseen events. Another significance of a control framework is that it supports the achievement of business objectives and goals. This it does by serving as an advance alarm that sounds whenever barriers to the achievement of these goals are detected.

Elements of a good Control Framework

Control environment

This is the element upon which the framework is built. A good control framework should provide discipline and appropriate structure for use by the ERM department.

Risk Assessment

A good control framework should allow for identification and analysis of risks vis-à-vis the achievement of set objectives.

Control activities

The control framework should be flexible enough to accommodate a varied range of policies and procedures whose main aim is to ensure that directives from the executive are carried out.
Communication and Information Flow

An efficient control framework should entail an efficient system that ensures relevant information is passed along within a time frame and in a form that is easily understood and that easily allows members to carry out their duties.

Monitoring

A good control framework should be able to assess the adequacy and quality of the framework over time. Inadequacies within the framework ought to be reported to the ERM department and to the executive as soon as possible. One major undoing of a control framework, however, is that it can only reduce, but not eliminate, the occurrence of: human error caused by poor or uninformed judgement, circumvention of processes by conniving employees, overriding powers of the executive and the actualisation of unseen future occurrences (Madjdj and Husig, 2012).

Step 4 Risk Determination

This is perhaps the most crucial of all the stages. Risks can be categorized according to their intensity and effects upon an establishment: disruptive and non-disruptive (Elahi, 2013). Disruptive risks are those risks that interrupt the core engagements of a business and which may threaten even the very existence of the business itself. Non-disruptive risks are the kind of risks that the business faces on a day-to-day basis and are fairly familiar to the business (Palmer & Wiseman, 2012). Although non-disruptive risks are generally not threats to the establishment’s market or even to the business’ existence itself, the ability to handle them effectively has a bearing on the business’ leverage and competitive advantage. Another classification considers the potential benefit of risks: rewarding and non-rewarding risks. Rewarding risks are risks that are identified for expected gain to the business. Nocco et al (2013) argue that these are the risks that a business consciously takes with the hope of making gain. Examples include development of new products, exploration of a new market and many others.
Businesses occasionally rely on the taking of these risks in order to expand their business value and markets. Unrewarding risks, on the contrary, do not have any potential for adding value to the business (Nocco et al, 2013). These are usually risks that are caused by external factors that cannot be controlled by the business. Such include natural disasters, pandemics, theft, accidents and many others. Risk identification under this fourth step is therefore central to the ERM process. Burnaby and Hass (2009) propose that within the business, there must be a concerted effort to gather all known and anticipated risks. This step is very crucial because the actualisation of a risk that had been neither anticipated nor prepared for could be disastrous to the business. As such, all the employees of an organisation are responsible for identifying and relaying information about potential risks within their areas of work. It is important that each department identifies the risks that threaten the achievement of set objectives (Palmer & Wiseman, 2012). Such identification goes beyond mere risks associated with compliance, legalities and finance. Risk identification should include internal as well as external factors. Internal factors include information technology, support, documentation and processes involved within the business (Rahim et al, 2014). External factors, on the other hand, relate to governmental, environmental and economic considerations. In order to effectively identify risks, it is essential to have a common understanding of what constitutes a risk in any given business. To achieve this uniform understanding, the development of a risk dictionary is important (Sania, 2012). A risk dictionary contains the company’s definition of risk and identifies all potential risk catalysts. This helps all employees to be alert and able to identify a potential risk before it actualises.

Step 5 Risk Assessment

Once all risks have been identified and documented, the next stage involves comprehensive analysis of the threats posed by the risks. This can be done through prioritisation of risks using what Burnaby and Hass (2009) refer to as a risk mapping technique. The argument by Fianko and Chileshe (2015) is that this process needs to be done before considering mitigating the risks either through the control framework or through insurance. As such, it is important that each risk be assessed for the impact of the potential loss or consequences in the event of actualisation. In carrying out the assessment, risks are categorised as minor, damaging or catastrophic. Likewise, the likelihood of the risk is categorised as being unlikely, possible or probable. Upon completion of consultations concerning the risks, Decyk (2015) proposes that closer attention should be accorded to those risks classified as high impact and highly probable. Secondly, it is important to also consider those risks that are likely to bar the business from realising its goals and objectives. It is also at this stage that a decision has to be made on what controls are suitable in mitigating the individual risks (Kallam et al, 2014). Various decisions can be made regarding ERM at this stage. First, the business may decide to retain the risk but monitor it regularly. Second, the business could decide to reduce the risk either by dispersing it or developing controls. Third, there is the option of avoiding the risk either by divesting or eliminating the risk-causing process or by shutting down the operation completely. The fourth option involves transferring the risk by partnering through insurance, hedging, sharing or outsourcing. The last option would be to possibly engage the risk by choosing to diversify, expand, create, design, reorganise or renegotiate terms (Catmull, 2012).

Step 6 Measuring Business Units Objectives and Performance

The business objectives act as guidelines that inform the operations of any going concern or establishment. The important engagement under this step is the review of business strategy as against every single business unit in assessing the unit’s output in relation to the overall business objective (Becker and Smidt, 2016). At this step also, it is important to identify the objectives at the department level, which will in turn help satisfy the overall business strategy. Schroeder (2014) came up with the acronym “SMART”, to which all such objectives must adhere, i.e. the objectives must be:

Specific
Measurable
Achievable
Results-oriented
Timely

Step 7 Audits of Objectives and Control Summary

Processes under this step involve reporting back to the ERM department. It involves the giving back of risk analysis results to the ERM department. According to HKICPA (2012), each business unit has to deliberate and decide on which objectives, performance measures and risks are to be relayed. In their reporting, it is important that the strategic objectives of the business be combined with the risks, controls, performance measures and other important factors related to the audit.

Step 8 Follow up Reporting

In any ERM process, follow-up is as essential as the identification and assessment of risk itself. Simangunsong et al (2012) argue that merely having a risk management system in place and implementing it is not sufficient to ensure that the company is managing its risks. Rather, there must be a follow-up mechanism through which the risk management plan can be regularly monitored. Rahim et al (2015) identify issues that a good monitoring system should be able to show.
It should: define the process, define the specific risks of not attaining departmental objectives, give a summary of the risk assessment done by the department, show how often targets have been achieved, explain and evaluate any reported results, identify issues for management action plans, especially in areas with potential opportunity, and spell out an action plan for issues that have been identified by the reporting system.

Step 9 Analysis

An overall analysis by the ERM department helps keep the organisation alert to any need for corrective action. Here the ERM department draws up an analysis to be presented to the executive. In this regard, Horton (2012) argues that governance at the corporate level includes implementation of a control framework as well as continuous monitoring. This is what ERM is all about in the first place. The risk management process is there to ensure that risks and shortcomings of a control framework are deliberated upon by the executive.

Step 10 Regular Monitoring

Regular monitoring will ensure that the ERM process is working efficiently. Any shortcomings within the system can be identified early enough and dealt with. Also, this enables a continuous lookout for factors that may force the organisation to revisit its business strategies and objectives (Madjdj & Husig, 2012).

Practical Implications for UAE

The practice of ERM is very relevant for a vibrant economy such as the one experienced by the UAE. Within the UAE, the multi-sectoral development in businesses attracts unique risk situations. Some businesses within the UAE tend to focus on insurable and speculative risks separately. Businesses within the region now have an opportunity to benchmark their current risk management plans against the ERM model of risk management. The region can also rely on this system to create competitive advantage for businesses within it.
The ERM system increases situational awareness and alertness, which will give leverage and a sustainable advantage to region-based businesses.

Conclusion

The level of uncertainty faced by the company determines the need, or otherwise, for implementing risk management policies and plans. ERM basically functions to manage risk within the entire business setup in an integrated manner. It is an alternative to managing risk individually. The ERM system ensures that the possibility of a risk going unnoticed is reduced. Every firm that wants to perform well has to have a solid risk management plan in place to counter unexpected happenings. This way, all the risks within a business can be analysed together and possible solutions worked out in due course. Risk management creates an expectation of decidability as well as preparedness for any eventuality.

Reference List

AoN (2012). Monitoring reputation performance in the interdependent world. Aon Oxford Metrica Reputation Review. Available at www.oxfordmetrica.com/Site.aspx. Accessed on 19 March 2016.
Becker, K. and Smidt, M. (2016). A Risk Perspective on Human Resource Management: A Review and Directions for Future Research. Human Resource Management Review 26, 149-165.
Burnaby, P. and Hass, S. (2009). Ten steps to enterprise-wide risk management. The International journal of business in society 9(5), 539-550.
Catmull, E. (2012). How Pixar Fosters Collective Creativity. Harvard Business Review 87(1), 100-125.
Decyk, R. (2015). A board’s eye view of reputation management. Kellogg Insight.
Elahi, E. (2013). Risk Management: the next source of competitive advantage. Foresight 2, 117-131.
Fianko, A.B.Y. and Chileshe, N. (2015). An Analysis of Risk Management in Practice: the Case of Ghana’s Construction Industry. Journal of Engineering, Design and Technology 13(2), 240-259.
Gatzert, N. and Schmit, J. (2016). Supporting Strategic Success through Enterprise-wide Reputation Risk Management. The Journal of Risk Finance 17(1), 26-45.
Hong Kong Institute of Certified Public Accountants (2012). Internal Control and Risk Management - A Basic Framework. Available at app1.hkicpa.org.hk/corporate-relations. Accessed on 19 March 2016.
Horton, A. (2012). Complexity Science Approaches to the Application Foresight. Foresight 14(4), 294-303.
Kallam, W.J. and Maric, V.R. (2013). A Refined Risk Management Paradigm: Risk Management. Risk Management 6(3), 57-68.
Madjdj, F. and Husig, S. (2012). The Heterogeneity of Incumbents’ Perceptions and Response Strategies in the Face of Potential Disruptions. Foresight 13(5), 14-33.
Mokni, R.B.S., Echchabi, A., Azouzi, D. and Rachdi, H. (2014). Risk Management Tools in Islamic Banks: Evidence in MENA region. Journal of Islamic Accounting and Business Research 5(1), 77-97.
Nocco, B.W. and Stulz, R.M. (2013). Enterprise Risk Management: Theory and Practice. Journal of Applied Corporate Finance 18(4), 8-20.
Palmer, T.B. and Wiseman, R.M. (2012). Decoupling Risk Taking from Income Stream Uncertainty: A Holistic Model of Risk. Strategic Management Journal 20(11), 1037-1062.
Rahim, S.R.M., Mahat, F., Nassir, A.M. and Yahya, M.H.A.H. (2015). Re-thinking: Risk Governance? Procedia Economics and Finance 31, 689-698.
Sania, K.S.A. (2012). Risk management practices in Islamic Banks in Pakistan. The Journal of Risk Finance 13(2), 148-159.
Schroeder, H. (2014). An Art and Science Approach to Strategic Risk Management. Strategic Direction 30(4), 28-30.
Simangunsong, E., Henry, L.C. and Stevenson, M. (2012). Supply Chain Uncertainty: A Review and Theoretical Foundation for Future Research. International Journal of Production Research, 1-31.
World Economic Forum (2012). Global Risks 2010: 7th Edition. A paper presented at World Economic Forum. Available at http://reports.weforum.org/globalcrisis-2012/. Accessed on 19 March 2016.
