RIMS Membership Has a Say in COSO’s New ERM Framework

When Risk & Insurance Management Society (RIMS) members use the new ERM framework published Sept. 6 by the Committee of Sponsoring Organizations of theTreadway Commission (COSO), they may recognize their own ideas prominently displayed. Carol Fox, RIMS vice president of strategic initiatives announced the call for public comment on Risk Management Monitor in June 2016. She said feedback from the industry, and particularly RIMS members, is reflected in COSO’s ERM Framework: Integrating with Strategy and Performance.

“RIMS members took advantage of the unique opportunity to influence one of the industry’s major guidance documents. For several weeks, members collaborated and drafted a response, which was publicly available through the end of last year,” said Fox, who participated on the project’s advisory council. “We were very appreciative that COSO reached out to RIMS and other professional associations, whose input strengthened the content, ideas and approaches featured in Integrating with Strategy and Performance.

A summary of the public comment feedback includes:

  • More than 200 responses–double that of the internal control update
  • Over 70% of responses from individuals
  • Over 50% of participation outside of North America
  • Almost 50% had affiliations beyond COSO memberships
  • Almost 50% of respondents had 10 or more years of risk management experience
  • Positive ratings outnumbered negative ratings by 4.5 to 1

The new publication serves as an update to 2004’s Enterprise Risk Management – Integrated Framework, which is internationally regarded as the standard for applied risk management frameworks. Developed by PwC under the direction of the COSO Board, its simple, five-component structure considers various viewpoints and operating structures while highlighting the importance of enterprise risk management in strategic planning. It also emphasizes embedding ERM throughout an organization, as risk influences strategy and performance throughout the organization.

“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting,” said COSO Chair Robert B. Hirth Jr. “Our overall goal is to continue to encourage a risk-conscious culture.”

Enterprise Risk Management: Integrating with Strategy and Performance is available in printed form, e-book, on-line subscription and pdf licensing for large organizations, accounting and consulting firms. Additionally, COSO is planning for the framework to be translated into several languages, including Chinese, Japanese, Spanish and French.

Visit www.coso.org for purchase information and for a link to the framework’s executive summary.

Corporate Culture and Risk Management

According to an April New York Times article, “Uber’s core company values included making bold bets, being “obsessed” with the customer, and to “always be hustling.” The company emphasized meritocracy, setting employees up as rivals and overlooking transgressions of its high performers. At its worst, Uber maintained an “unrestrained culture” that has since resulted in several allegations of harassment. A published blog post by engineer Susan Fowler, indicated that “the culture was stoked—and even fostered—by those at the top of the company.”

Adoption of a strong risk culture
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” – a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to.—@RiskCultureBuilder on Twitter

The “tone at the top” describes the climate and overall philosophy set by the board of directors and executive team to drive the culture and behaviors of all employees. In companies ranging from Uber to small businesses, this tone permeates the enterprise in a number of ways, including executive communications and onboarding and learning programs, as well as the policies and procedures designed to empower and/or control employee decision-making. The right tone stresses a high standard of ethics and a culture of compliance, but should be balanced with a message that empowers managers to take risks—appropriately—in the pursuit of short- and long-term rewards for the business.

Translating the tone into a strong risk culture requires reinforcement to employees defining how their decisions and actions affect the broader mission of the company. Then, through change management and strong accountability, culture and risk management can be aligned to keep everyone “rowing in the same direction.”

Drivers of risk culture
Many companies today have defined a “culture statement,” put it down on paper, and socialized it to employees. This is only the first step in driving employees to make the right risk management decisions, however. Consider a few of the levers that companies can pull to drive behaviors towards a stronger risk culture:

  • Performance management and compensation – Are corporate and employee goals tied to desired risk management outcomes?
  • Corporate governance – From the board of directors down, are enough questions being asked? Is there too much reliance on historical data?
  • Management reporting – Is attention to certain metrics—often short-term in nature—driving decisions that could cannibalize long-term outcomes?
  • Investor Relations – Are reasonable expectations being set with a company’s shareholders when it comes to risk versus reward?

While company leaders can help drive the desired corporate culture, this alone will not guarantee good risk management decisions every day. All employees must be taught risk management techniques, and relevant risk management skills should be built into the company’s overarching competency model. A risk culture that positions employees as an integral part of risk management will drive more successful and predictable business outcomes.

During his keynote presentation at the 2016 TMG Executive Summit, cybersecurity expert Brian Krebs reinforced this point when referring to the risk culture needed to deal with cyber risk: “…layers of technology are not enough to stop a data breach…security is only as effective as the people managing it.” Although achieving a strong risk culture is no small undertaking, the benefits will be significant as more and more risks are mitigated before impact.

5 Strategies to Maximize Your Risk Assessments

While risk assessments enable organizations to understand their business issues and identify uncertainties, the best assessments go further. They prioritize top risks, assign risk ownership, and most critically, integrate risk management and accountability into front line business decision-making. Simply put, “checking the boxes” just isn’t enough to achieve an organization’s real objectives.

Effective risk assessments can also give organizations a true advantage. Our sixth annual Risk in Review study–comprising viewpoints from more than 1,500 corporate officers in 80 countries—finds that companies shifting risk management leadership and collaboration to the first line of defense are measurably better equipped to succeed. We call these companies “front liners.” While a majority of companies agree that front line decision-making is ideal, somewhat surprisingly, front liners represent only 13% of survey respondents.

Front liners use effective risk assessment strategies to enable revenue and profit growth, while also creating agility to bounce back from adverse events more quickly than their peers. They also outpace the pack when it comes to using risk management tools and techniques (such as a risk rating system or scenario planning).

Based on the study results, here are five strategies you can adopt to gain a front liner advantage:

  1. Put your risk assessments to use in real-time

For true impact, organizations incorporate risk assessment findings into their business decisions. Assessments should be efficient, and actions should be implemented quickly to address immediate challenges. Annual assessments are a best practice, but our study shows front liners have a robust risk culture, conducting regular assessments. Ongoing collaboration across all three lines of defense, reinforced by continuous monitoring, enables the organization to more effectively align business strategies with risk appetite.

  1. Develop actionable guidance and insights for leadership

Effective risk assessments are relevant and actionable. Be sure to interpret risk information and recommend next steps to help management incorporate the findings into their strategic decisions. Make it easy for boards and senior management to understand the key findings by providing thorough insights. Data will mean a lot more if you identify the recommendations, target outcomes and next steps. Gaining the front liner advantage is best achieved by integrating risk guidance holistically into the organization, including planning, growth strategy and investments to M&A, staffing, disaster recovery and crisis management.

  1. Speak in lay terms

Leaders outside the risk management function may perceive risk assessments as an onerous process loaded with abstract language and a heavy focus on negative outcomes. To help leaders see value in these assessments, define the risks, drivers and consequences in familiar terms using meaningful scenarios that are specific to the organization.

  1. Balance automation with the human touch

While automation enables mass data collection, organizations benefit most when risk assessment surveys are combined with facilitated discussions. Gathering important qualitative information, facilitators can bring together multiple viewpoints and encourage productive debate. Pre-reads may also be a helpful tool to level-set on the organization’s strategic objectives and overall risk landscape.

  1. Adopt a realistic view of risk management

It can sometimes be difficult for management to accept the findings of a risk assessment, especially if they believe there is a low probability such events will occur. To support strategic, risk-based decision-making, risk scenario analyses can spur productive discussions about the organization’s overall risk landscape, while dynamic, engaging tools like a risk scenario dashboard can help to draw in even the most reluctant participants.

Following these strategies can help your risk assessments to not only be relevant, but also essential to your organization’s business strategy and growth objectives.

In a Changing World, Questions For the CRO

Before the financial crisis in 2008-2009, many businesses didn’t think of risk as something to be proactively managed. After the crisis, however, that paradigm shifted. Companies began perceiving risk management as a way to protect both their reputations and their stakeholders.

Today, risk management is not just recommended, it is considered crucial to successful operations and is required by federal and state law. The SEC’s Proxy Disclosure Enhancements, enacted in 2010, mandate that organizations provide information regarding board leadership structure and the company’s risk management practices. Company leadership is required to have a direct role in risk oversight, and any risk management ineffectiveness must be disclosed.

The CRO’s role

Volatility in the current business environment—a confluence of factors including transfers of power, the world economy and individual markets—is nothing new. Political transitions have always been accompanied by new agendas and shifting regulations, economies have always experienced bull and bear markets, and the evolution of technology constantly changes our processes.

Even so, recent events like Brexit, the uncertainty of a new administration’s regulatory initiatives, and thousands of annual data breaches have contributed to an unprecedented atmosphere of fear and doubt. To navigate this environment, the chief risk officer needs to adopt a proactive risk management approach. Enterprise-wide risk assessments grant the visibility and insight needed to present an accurate picture of the company’s greatest risks. This visibility is what the board needs to safely recognize opportunity for innovation and expansion into new markets.

To grow a business safely—by innovating and adding to products/services and expanding into new markets—risk professionals should not focus on identifying risk by individual country. This approach naturally leads to a prioritization of “large-dollar” countries, which aren’t necessarily correlated with greater risk. Countries that contribute a small percentage of overall revenue can still cause major, systemic risk management failures and scandals.

A better approach is to look at risk across certain regions; how might expanding the business into Europe, for example, create new challenges for senior management? Are there sufficient controls in place to mitigate the risks that have been identified?

When regional risks are aggregated to create a holistic picture, it becomes possible for the board to make sure expansion efforts are aligned with strategic goals.

Three processes that require ERM

Risk management is an objective process, and best practices, such as pushing risk assessments down to front-line process owners who are closest to operational risk, should be adhered to regardless of the current state of the international business arena.

While today’s political climate has generated a significant amount of media strife, it’s important not to let emotion influence decision-making. By providing the host organization with a standardized framework and centralized data location, enterprise risk management enables managers to apply the same basic approach across departments and levels.

This is particularly important when an organization expands internationally, which involves compliance with new sets of regulations and staying competitive. Performing due diligence on an ad hoc basis is neither effective nor sustainable. Instead, the process should follow the same best-practice process as domestic risk management efforts:

  1. Identify and assess. Make risk assessments a standard part of every budget, project or initiative. This involves front-line risk assessments from subject matter experts, revealing key risks and processes/departments likely to be affected by those risks. For example, financial scrutiny is no longer a concern just for banks. Increased attempts to fight terrorism mean transactions of all kinds are becoming subject to more review. Anti-bribery and anti-corruption processes estimate and quantify both vulnerability and liability.
  2. Mitigate key risks. Connect mitigation activities to the resources they depend on and the processes they’re associated with. ERM creates transparency into this information, eliminating inefficiency associated with updating/tracking risks managed by another department. Control evaluation is the most expensive part of operations. Use risk management to prioritize this work and reduce expenses and liability.
  3. Monitor the effectiveness of controls with tests, metrics, and incident collection for risks and controls alike. This ensures performance standards are maintained as operations and the business environment evolve. Evidence of an effective control environment prevents penalties and lawsuits for negligence. The bar for negligence is getting lower; technology is pulling the curtain back not only internally but (through social media and news) to the public as well.

Lastly, the CRO role is increasingly accountable for failures in managing risk along with other senior leaders and boards—look no further than Wells Fargo.