Ultimate responsibility for ERM starts at the top. However, everyone who matters within an organization should participate in the ERM process.
While several executives have significant responsibilities for ERM, including the Chief Risk Officer, Chief Financial Officer, Chief Legal Officer and Chief Audit Executive, the ERM process works best when all key managers of the organization contribute. The COSO ERM framework states that managers of the organization “support the entity’s risk management philosophy, promote compliance with its risk appetite and manage risks within their [respective] spheres of responsibility consistent with risk tolerances.” Therefore, identifying leaders throughout the organization and gaining their support is critical to successful implementation of ERM.
A goal of ERM is to incorporate risk considerations into the organization’s agenda and decision-making processes. This means that ultimately, every manager is responsible, which can only happen when performance goals, including the related risk tolerances, are clearly articulated, and the appropriate individuals are held accountable for results.
The COSO framework states that the CEO “is ultimately responsible and should assume ownership” over the implementation of ERM. Because ERM, as COSO defined it, is integral to running and managing a business, the CEO’s involvement is vital to the success of ERM.
For example, an effective ERM process affects the organization’s risk culture because it establishes an environment where people can raise their hands and express concerns about a deal, transaction, project or business plan without fear of retribution. This kind of open and positive environment is not possible without the CEO’s active and visible support. The CEO sets the tone by asking the tough questions about risk and risk management and by demonstrating a commitment to raise the focus of risk management to a strategic level.
A point that is often omitted in this discussion is that it is important to the CEO that he or she be involved in the process. The CEO’s active participation keeps the focus at a strategic level. The CEO wants to know the answers to such questions as:
- What is it that we don’t know that could erode or cause irreparable harm to our reputation and brand image?
- What are the soft spots in our business plan that could result in failure to deliver the financial results we expect?
- What are the critical assumptions underlying our strategy over the planning horizon? Are we monitoring the external environment for changes that could render one or more of those assumptions invalid?
- If we were to lose a key component of the supply chain or distribution channel, would we be able to continue operations? If not, how long would it take to recover?
- Are there any unknown exposures to events that can abruptly shift the organization’s agenda to “damage control” in a heartbeat should they occur?
- If such exposures exist, what can be done cost effectively to prevent these potential future events from happening, and how will our organization respond should the events occur?
- Based on the answers to the above questions, what do we do differently going forward?
ERM can help supply the CEO with answers to these and other questions, if he or she is sufficiently involved to ensure the process is appropriately focused on the strategic and reputation risks that matter. In summary, support from the top is vital to an effectively functioning ERM process.
Opportunity-seeking behavior is invigorated if senior management possesses the confidence that they understand the related risks and have the capabilities in place to manage those risks. In a rapidly changing world, traditional risk management approaches will not be effective because they are fragmented, treating risks as disparate events and easily compartmentalized in silos. While the tight focus of traditional risk management activities on loss prevention is not a bad thing, neither is it a good enough thing because the activities are not adequately integrated with the identification, evaluation and pursuit of growth opportunities. Moreover, current risk management approaches are too firmly rooted in the command-and-control era, which means they may not effectively balance the desire for control with the need for agility, responsiveness and cross-functional cooperation. That is why executive management must own the ERM process.
An enterprise-wide approach to business risk management will help executives meet the challenges they face by improving the linkage of risk and opportunity during the strategy-setting process and positioning risk management as a differentiating skill in managing the business. The COSO framework provides insights into the question of how executive management evaluates the application of ERM within the organization. The four categories of objectives, the extent of application (across the entity and its divisions and business units) and the eight components of ERM, as defined by the COSO framework, provide the basis for that evaluation. Executive management must evaluate the appropriate ERM process and supporting infrastructure the organization needs in place to realize its chosen risk management vision, goals and objectives.
Every ERM solution is impacted by technology in various ways. Enterprise software solutions are informational tools that act as an enabler for ERM, particularly for purposes of managing non-financial risks. As companies configure risk measurement systems to work seamlessly with enterprise performance management systems, they will consolidate much more information. The most elegant solution is to leverage the existing executive reporting system as much as possible. Depending on the complexity and strategic importance of these systems and the number of internal stakeholders involved, the CIO will play a key role in this integration process.
As they focus on investment and return, on opportunity and reward and on competitive advantage and growth, CEOs and their management teams must pursue promising – though uncertain – opportunities in the face of changing market conditions. They must be in a position to confidently assure investors and other stakeholders that the organization is managing risk effectively. They must also comply with applicable laws and regulations. An effective ERM process can assist them in accomplishing these objectives.