Myths and Q and A’s
Top 10 Enterprise Risk Management Myths
David Letterman is not likely any time soon to titillate broadcast viewers with a top 10 list detailing the most common misunderstandings about enterprise risk management (ERM). But that doesn’t mean there’s no audience for a rundown on the Top 10 Myths about ERM.

Few companies can grow without taking risks. But poor risk management leads to surprises in business operations that can impact shareholder confidence, regulatory oversight and the bottom line. An unprecedented wave of regulatory oversight in recent years has convinced many organizations how inadequate their risk management policies and procedures really are.

Many of the world’s largest companies have responded to external and internal pressures by embarking on a journey to unify governance, risk and compliance (GRC) management across the enterprise. Yet many organizations that don’t have a historical foundation in risk management are still struggling to come to grips with this new discipline and how to embed risk management into the business. So with that in mind, let’s take a Letterman-like look at the top 10 myths regarding ERM and how they can impact your business.
Myth Number 10: IT Risk Management = Information Security

Most information security programs place far too much emphasis on the how and what, and far too little on the why. Information risk management, on the other hand, is inherently focused on the why.

Unfortunately, there’s always far too much for IT staffs to do. There are too many vulnerabilities to remediate and too many controls to implement, so some critical deficiencies will go unmanaged. True risk management requires a business perspective on these deficiencies to better manage and prioritize the issues that threaten the organization. A checklist approach to information security ignores business impact and criticality.
Myth Number Nine: CIOs Embraced Enterprise GRC

To address Sarbanes-Oxley (SOX) compliance, many companies put in place technology platforms that now support a variety of risk and compliance initiatives. SOX solutions were generally purchased with the tacit approval of IT, but few IT organizations standardized on a strategy for managing risk and compliance data; as a result, different parts of the problem are addressed by a wide and disparate range of solutions, including spreadsheets, and both custom and commercial applications.

In numerous buying decisions, IT is too often at the table in a support role, rather than as a strategic thinker focused on the long-term strategic benefits of a common GRC platform. Scattered risk and compliance data marts will cause an immense amount of pain for risk managers trying to get a clear picture of risk throughout the business.
Myth Number Eight: A Rigid, Standardized Approach is Best

ERM, similar to most business processes, is not a “one-size-fits-all” solution. It has to be customized and tailored for each firm. As Mark Olson of the Federal Reserve notes, “An effective enterprise-wide compliance-risk management program is flexible to respond to change and it is tailored to an organization's corporate strategies, business activities and external environment.” (April 10, 2006)

Companies that try to implement an out-of-the-box methodology will likely fail. ERM methodologies and taxonomies must be adapted to a company’s legal, regulatory, economic and competitive environment, all of which can vary dramatically by industry. Further, the risk framework must be able to adapt to change over time to avoid losing competitive advantage.
Myth Number Seven: You Can Only Manage Risk from the Center

No one is likely to argue that strong, central risk management is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it’s too difficult to federate, and they don’t know how to push risk management to lower levels of responsibility in the organization. It’s a classic issue of consistency vs. quality of information.

But accurate information lies at the business line level. Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to reliably and cost-effectively do that is to invest in automated technology solutions.
Myth Number Six: You Can Manage Risk and Compliance with Spreadsheets

Spreadsheet wizards have carved out a significant role in managing financial and operational data in many companies. The problem is that this approach is a) manually intensive and b) highly reliant on the individuals that manage and operate these spreadsheets. Further, the processes for linking, updating and archiving data in spreadsheets are mostly ad hoc, leading to significant risks associated with this data.

Freddie Mac, for example, in its 2005 annual report noted that reliance on “end user computing systems” (read: spreadsheets) posed a significant risk to its ability to report accurately on financial data. Using spreadsheets and file shares for risk and compliance data is a dead end; risk managers have trouble getting visibility into the data because of poor reporting capabilities, and will rightly question the accuracy of the data itself.
Myth Number Five: Traditional Audit Planning is Good Enough

A traditional model for planning the audit process typically examines 10-20 risk factors for each element of the audit universe, and funnels each auditable entity into a risk category, which will drive its audit frequency. But the known risk universe gets bigger by the day, and investing in a massive risk evaluation for each entity may not be the best use of resources: Is it worth tying up valuable stakeholders in management and on the audit committee to assess the risk inherent in the coffee procurement process for a remote sales office?

Progressive organizations are turning towards a more agile, top-down approach to risk assessment to drive audit scheduling. This will lead to more efficient resource allocations, ensuring that auditors are focused on the truly risky areas.
Myth Number Four: Enterprise Risk Management is Dead!

David Martin and Michael Power assert in “The End of Enterprise Risk Management” that ERM frameworks are outmoded because they embody an unrealistic and outdated theory of organizations – hierarchical, “bird’s eye views” from the top that are progressively detached from the reality of modern financial organizations. Truth be told, the current regulatory climate has resulted in control-based ERM frameworks that have a bias for analysis versus action, and in some instances the production of evidence for regulators and auditors has become more important than managing real risks. But that doesn’t mean we should abandon ERM.

ERM needs to be deployed bottom up so that business managers are the first-line managers of risk, embedding enterprise risk management within the day-to-day business processes of the firm. They must understand the risk/reward trade-offs involved in their own decision-making. Risk management should create a bias for action, surfacing problems as they arise and empowering the entire organization to be risk managers.
Myth Number Three: It Just Takes Common Sense

“There are really no cook-book solutions. One has to use creativity and a lot of common sense.” – May 16, 2000, email response from ENRON risk expert Vince Kaminski when asked by a colleague to recommend a good book on operational risk.

As ENRON proved, creativity is a no-no and common sense just doesn’t hack it when it comes to risk management. As business activities have become more complex, so too has risk management. The sheer magnitude of the regulations to comply with leaves many firms struggling to put in place processes and infrastructure that are able to identify and control the compliance risks they face.

Risk management covers a wide variety of risk disciplines including operational, compliance, financial controls, legal, liquidity, business strategy and technology, each of which has its own nuances and specialized models for assessing risk. It may not be rocket science, but it does require application of sophisticated models and analytics, aided with accompanying software tools.
Myth Number Two: TJX – It Can’t Happen Here

The TJX data breach, perhaps one of the biggest business stories of 2007, is only one of many that were publicly reported. Attrition.org maintains a list of public, high profile data breaches that is staggeringly long, going back to the year 2000. When you consider that companies have a vested interest in not making such events public, and the many more breaches that undoubtedly go undiscovered, only the tip of the iceberg is visible to us.

But shouldn’t we be getting safer? Preventative technology and knowledge get better and better every day. Unfortunately, the villains also get better and better every day, so the gap persists. Your organization is susceptible and it’s critical you do everything you can to keep the gap as narrow as possible to minimize your risk.
And (drumroll…) the Number One Myth about ERM: You Can’t Plan For the Unknown

You may not be able to predict events that lie outside the realm of regular expectations, but risk managers have to plan for their occurrence. No one could predict or even imagine the series of events that occurred on 9/11, but some firms did plan for the possibility of a long-term disruption of their business operations due to a catastrophic event taking place in Manhattan, and were up and running from alternate operational centers within hours of the fatal events of 9/11.

Key risk exposures, whether they are operational, market or credit risks, do not always follow a normal distribution or bell curve. Some risks have fat tails, and it is the events that lie at the lower and upper ends of the distribution curve that are most important to consider and plan for. You have to fight the natural tendency to focus on the known, the tangible and the repeated, and devise strategies to cope with the unknown – your company’s viability may depend on it.
- Source: Gordon Burnes, SVP Sales and Marketing, OpenPages
Risk Management Q and A’s
Exactly what is "Risk Management"?

Businesses face risk every day. In fact, without risk a business or organization would not grow and thrive. Risk Management is the process that aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of their success and reducing the likelihood of failure. Risk management attempts to identify and then manage threats that could severely impact or bring down the organization. Generally, this involves reviewing operations of the organization, identifying potential threats to the organization and the likelihood of their occurrence, and then taking appropriate actions to address the most likely threats.

Traditionally, risk management was thought of as mostly a matter of getting the right insurance. Insurance coverage usually came in rather standard packages, so people tended not to take risk management seriously. However, this impression of risk management has changed dramatically. With the recent increase in such areas as rules and regulations, employee-related lawsuits and reliance on key resources, risk management is becoming a management practice that is every bit as important as financial or facilities management.

There are several basic activities a nonprofit organization, for instance, can conduct to dramatically reduce its chances of experiencing a catastrophic event that ruins or severely impairs the organization.

Risk management gives comfort to stakeholders (shareholders, customers, employees and so on) that the business is being effectively managed, and helps the organization confirm its compliance with corporate governance requirements.

Risk Management is relevant to all organizations, whether they are in the public or private sector, and whether they are large or small. It should form part of the culture of the organization, with an effective policy and program led by top management, with clear responsibilities laid down for every manager and employee to be involved in the management of risk. It supports accountability, performance measurement and reward, thus promoting efficiency at all levels.
Just what is a Risk Management Assessment?

Risk assessment is a step in a risk management process. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculating two components of the risk R: the magnitude of the potential loss L, and the probability p that the loss will occur.

Organizations should regularly undertake a comprehensive, focused assessment of potential risks to the organization. This focused assessment should occur at least twice a year, conducted by a team of staff members representing all the major functions of the organization. The assessment should be carefully planned, documented and methodically carried out.

Comprehensive checklists of common risks help a great deal to quickly review a wide range of organizational aspects. Other aspects require more careful review.
Some Best Protection Recommendations: Good Management, Personnel Policies and Insurance

Good Management

Efforts undertaken to manage an organization well also contribute to sound risk management. For example, a fully attentive board with a wide range of skills may be the most important guard against major threats to an organization.

Careful strategic planning and effective supervision help ensure that organizational resources are closely aligned to accomplishing the organization's mission, and that staff and volunteers are treated fairly and comply with rules and regulations.
Up-to-date, Reviewed Personnel Policies

Every organization must have up-to-date policies that guide the relationships between staff and management. There has been a noticeable increase in lawsuits regarding wrongful termination, harassment and discrimination, disagreements about promotions or salary actions, etc. Parties to lawsuits include the organization, management and/or board members. Therefore, personnel policies must be reviewed at least once a year by an outside advisor who is an expert about all of the employee-related laws and regulations.

Be sure that management is well versed about the policies. Typically, courts will interpret actions by organizational personnel as representative of the organization's preferred course of action and superseding related, documented policies.
Well-designed Insurance Coverage

You might first review insurance information and then invite an insurance agent (or better yet, an insurance broker) to visit your organization to provide you an overview of the types of insurance typically sold to nonprofits. Note that many insurance professionals might not understand the nature of nonprofits. Therefore, you might first ask a few people from fellow non-profits for references.

As bad as it may sound, you must schedule two hours sometime during the year to close your door and study your insurance policies. Note any questions and pose them to your insurance professional. Ask him or her to provide you a written, clear description regarding any ambiguities, and to do so on company letterhead with his or her signature.

Note that Directors and Officers Insurance (D & O, and covered in the above "Insurance Against Liabilities" section) is increasingly considered because of the increasing number of lawsuits. In addition, D & O insurance helps attract highly experienced board members. Be sure your D & O insurance covers "insured vs. insured" claims, which include employee-related lawsuits, and also covers ongoing costs to address a lawsuit (rather than paying only when the outcome of a lawsuit has been decided).