Goals and Challenges of Establishing an ERM Programme
Risk management is the use of processes, methods and tools to manage risks and uncertainties. It focuses on identifying what could go wrong, evaluating which risks should be dealt with and implementing strategies to deal with them.
A standard definition of ERM is applying the discipline of risk management to all the risks a firm faces to understand and manage them, not only individually but also in how they relate to each other.
ERM is also known as integrated risk management or firm-wide risk management.
COSO’s definition of enterprise risk management has changed since the 2004 publication. COSO provides the following 2017 definition for enterprise risk management (ERM) in Enterprise Risk Management—Integrating with Strategy and Performance: Enterprise risk management is the culture, capabilities, and practices that organisations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realising value.
The goals of an ERM programme will include:
- designing and implementing the methods for collating firm-wide information on all risk types, asset types and business lines
- enabling decision-making through aggregated risk reporting
- allowing comparison of the firm’s risk profile to the available risk capital
- setting clear accountability and incentives across the firm to control risk exposures and concentrations in accordance with the stated risk appetite.
There are many challenges to implementing an ERM programme, both technical and cultural, and these will be discussed under the headings below:
1. Cultural Aspects of Implementing and Establishing an ERM Programme
An effective ERM programme requires the active involvement of several different firm areas, including credit risk, market risk, operational risk, compliance, finance and others. This means that identifying the right executive sponsor for the programme is extremely important. The sponsor will need to be senior enough to ensure that the right resources are available – while still being able to grasp the detail of what the programme is attempting to achieve. The sponsor will also play a vital part in ensuring acceptance throughout the firm for this new way of reporting all risk types.
Because the different risk departments use similar, but not identical, vocabulary, there is often scope for misunderstanding when these departments are required to work together. Establishing a common risk language or glossary across the firm is essential to enable this collaborative work – and will also help to embed the approach within the firm.
Firms have experienced challenges in combining their ‘financial’ (credit and market) risk teams with their operational risk teams to form a single unit. The main challenge has been the different cultures and skill types required to perform these very different roles. The leadership of these combined teams requires more than simply an understanding of multiple risk types; high-quality people management skills are also needed.
2. Exception-Based Escalation Challenges
Managing the different risks to which a financial services firm is subject is key to the firm’s success, and for this reason, the following types of risk information are reported up the chain of command:
- periodic reporting of risk and control information
- immediate escalation of risks as they materialise, and controls as they fail
An ERM framework encompasses so much information which could potentially be escalated and actioned that, without an exception-based approach, it may not be clear to the senior teams which actions should be prioritised. Thresholds and limits should be established across the firm for individual risk types, and these should then be used to build an ERM ‘escalation matrix’. An escalation matrix is a table showing potential incident types and who should be alerted at different severity points.
Interconnectedness within the firm also means that major incidents often require input from several departments for their resolution. Even with an ERM framework in place, it remains a challenge to ensure that incidents are not escalated in a piecemeal fashion by the different involved departments. A piecemeal approach makes it more difficult for senior managers to properly prioritise and coordinate their actions when the information they receive comes from several disparate sources.
3. Data Aggregation Challenges
Grouping risk data into comprehensive yet manageable reports is a vital goal of an ERM programme, but it presents challenges. These fall into three inter-related categories:
- measurement – the need to ensure that comparisons can be made between the various measurement techniques used across different risk types
- timescales – linked to the measurement challenge, different risk types are typically considered over very different timescales
- combining the data – having established a common approach to measurement and timescales, the data needs to be combined and summarised to enable succinct reports that can be readily understood and acted upon.
A visible ERM programme should increase accountability in three main ways:
1. Where departments or named individuals are included as risk or control owners in the ERM reports seen by senior managers, those departments and individuals often become very keen to ensure that they carry out their role effectively.
2. If a risk materialises, senior executives know which specific department or individual has responsibility for ensuring its resolution.
3. As specific accountability becomes more visible, other staff members know they do not need to try to resolve particular issues ‘just in case’ and can become more productive in the areas they are accountable for.
Despite these challenges, it is imperative to implement an ERM programme for the organisation, given its many advantages, as follows:
- The organisation’s range of opportunities is increased. By considering all possibilities, both the positive and the negative aspects of risk, management can identify new opportunities and the unique challenges associated with current options.
- Risks are identified and managed across the enterprise. Management can identify and manage multiple and entity-wide risks to sustain and improve performance.
- Positive outcomes are increased while negative surprises are reduced. Enterprise risk management enables entities to improve their ability to identify risks and establish appropriate responses, thereby reducing surprises and related costs or losses, and to act on opportunities that present themselves, thus profiting from advantageous developments.
- Performance variability can be reduced. Even positive performance variability can cause challenges: performing ahead of schedule can cause as much concern as performing short of schedule. Enterprise risk management enables organisations to anticipate the risks that would affect performance and minimise disruption and maximise opportunity.
- Resource deployment—capital and company resources—is improved. Every risk can be considered a request for resources. Good information on risks allows management to assess overall resource needs, prioritise resource deployment, and enhance resource allocation.
- Enterprise resilience is enhanced. An organisation’s medium- and long-term viability is dependent on its ability to anticipate and respond to change. Effective enterprise risk management can improve the firm’s resilience and ability to anticipate and respond to change.
- Management will better understand how the explicit consideration of risk may impact the choice of strategy. As a result, the firm’s corporate strategy will be better aligned with its risk appetite.
- Enterprise risk management adds perspective to the strengths and weaknesses as conditions change and to how well the strategy fits with the organisation’s mission and vision.
- Management can feel more confident that it has examined alternative strategies and considered input from those in the organisation who will be charged with implementing the selected strategy.
- Once the strategy is set, enterprise risk management provides an effective way for management to fulfil its role, knowing the organisation is attuned to risks that can impact the strategy and manages them well.
- Applying enterprise risk management helps create trust and instils confidence in stakeholders.
- Enterprise risk management helps organisations identify factors that represent change as well as risk, and how that change could impact performance and necessitate a change in strategy.