Latest Ways to Identify and Lower Enterprise Risks
By Mark Cory, Protiviti

Implementing a successful risk management process starts with senior management setting clear and measurable strategic objectives. Organizations often use a top-down management approach to prioritize their risks and create a risk management structure for owning and measuring those risks. While the top-down approach to risk management has become a familiar term and was recommended in 2007 by both the PCAOB and the SEC for the purpose of managing financial reporting risk, measuring specific risks often requires a bottom-up approach to risk management activities. Let us discuss how organizations can benefit from an enterprise risk management (ERM) approach that relies on both a top-down structure and bottom-up information, and the synergies this powerful combination creates.
Create the Right Infrastructure
Before organizations can effectively monitor risk, they must create a common risk language. That is, they must develop a risk hierarchy with a set of risk definitions that enables everyone in the organization to speak the same language regarding the entity’s risks. This risk hierarchy, or “risk catalog,” ensures that everyone is on the same page when it comes to labeling and categorizing risks.
The purpose of the risk catalog is to provide a framework for classifying new problems, issues and sub-risks, while facilitating a logical organization and assignment of risk management responsibility. Organizations lacking such a structure often log duplicate risks resulting in a large and cumbersome database. In addition, mitigation measures tend to be incorrectly viewed as “risks,” and mitigation efforts may also be duplicated.
Confusing mitigation measures with risks is much more than an issue of semantics. If mitigation measures are viewed as risks, it becomes difficult to:
· Link the mitigation method to the actual risk (or multiple risks) it is intended to mitigate
· Measure the effectiveness of the mitigation method in terms of its effectiveness in reducing the actual risk to an acceptable level
· Measure the cost of the mitigation method for each risk it is intended to mitigate
· Keep management’s focus on the real risk, so that it does not approve a possibly wrong mitigation method when an alternative way of mitigating the real risk should have been chosen
Once a risk catalog is properly established, the organization should then examine its strategic objectives to determine which defined risks threaten progress towards achieving those objectives. When the key risks are determined, the next step is to prioritize those risks by converting them into something specific enough to be quantified. This can be accomplished by creating risk scenarios, similar to a plausible short story articulating what can happen, to place the risk in context to the organization and properly estimate its frequency and impact. Risk scenarios are tied to key risks, thus setting the stage for measuring changes in those risks.
After the risk scenarios are prioritized, they are traced through the business processes to determine high-level action plans that address those risks. At this point, risk owners, which include business unit line managers, are assigned to the risk scenarios. This assignment of responsibility is intended to cut across functional departments and prevent a silo approach to risk management. Since risk mitigation often involves multiple departments, risk owners must either be empowered to make changes to the underlying policies and processes, or the risk ownership must be assigned to a team that has the power and incentives to mitigate the risk.
Monitor Using a Combined Approach
Organizations often solely monitor strategic risks through key performance indicators (KPIs). These are high-level metrics that can be tied directly to strategic objectives. In an ERM system, senior management typically employs dashboards to monitor progress toward each strategic objective using KPIs, such as: return on investment, customer satisfaction, market share, capacity utilization, and information system availability. However, KPIs are not directly tied to a particular risk or risk scenario since a multitude of risks and activities affect a single KPI.
To ground the monitoring process at its roots, organizations should also monitor risk using a bottom-up viewpoint through key risk indicators (KRIs). These measures are detailed metrics associated with one or more risks and may be a leading or lagging indicator for a given risk or group of related risks. KRIs are established to monitor risk scenarios and can also be tied to both risk categories and strategic objectives. This represents a detailed “grass-roots” approach linked to the source where the risk is mitigated, in contrast to high-level KPI metrics.
When working with the risk owners, management should identify KRIs and the threshold levels of those risks that warrant the attention of senior management. While KRI reports typically do not reach senior management, an exceptional number of threshold breaches or poor trends could trigger a reaction in an ERM system to escalate the issue to senior management. Therefore, KRIs should reach the top when a significant problem is identified at the source.
Combining a top-down framework and a bottom-up risk monitoring approach enables organizations to link both KPIs and KRIs to strategic objectives. This linkage establishes a relationship between strategic objectives on the one hand and risk scenarios and their risk owners on the other. With the correct risks identified and proper metrics in place, organizations are then able to collect detailed information, look for trends, aggregate those trends, and set thresholds for notifying management. Information flowing from both KPIs and KRIs can also be cross-referenced for validity. This validity check helps to arm management with the right information at the right time.
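As an added example (not part of the article and not Protiviti's own code), the following Python sketch models the structure described under “Create the Right Infrastructure” and in this section: a risk catalog, risk scenarios with named owners, KRIs tied to catalog risks with threshold levels, a consistency check that refuses anything logged under an undefined risk, a bottom-up escalation rule based on breach counts and trends, and a crude cross-reference of a KRI escalation against a KPI. Every identifier, reading and threshold is constructed for illustration; the refinery and plant figures are invented, not taken from the article's examples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


# --- Risk catalog: the common risk language (constructed sample) -------------
@dataclass(frozen=True)
class Risk:
    risk_id: str        # hypothetical catalog key, e.g. "OPS-01"
    category: str       # branch of the risk hierarchy the risk sits under
    description: str


# --- KRI: a detailed metric tied to one or more catalog risks ----------------
@dataclass
class KRI:
    name: str
    risk_ids: Tuple[str, ...]   # one KRI may indicate several catalog risks
    threshold: float            # a reading above this value is a breach
    leading: bool               # True = leading indicator, False = lagging
    readings: List[float] = field(default_factory=list)

    def breach_count(self) -> int:
        return sum(1 for r in self.readings if r > self.threshold)

    def worsening_trend(self, window: int = 3) -> bool:
        # "poor trend": the last `window` readings are strictly rising
        tail = self.readings[-window:]
        return len(tail) == window and all(a < b for a, b in zip(tail, tail[1:]))


# --- Risk scenario: key risks placed in context, with an owner and its KRIs --
@dataclass
class RiskScenario:
    scenario_id: str
    risk_ids: Tuple[str, ...]
    owner: str                  # risk owner, e.g. a business unit line manager
    kris: List[KRI]


def validate_catalog(catalog: Dict[str, Risk], scenarios: List[RiskScenario]) -> List[str]:
    """Return problems: scenarios or KRIs that reference a risk missing from the
    catalog. Logging under undefined risks is how duplicates creep into the database."""
    problems = []
    for sc in scenarios:
        for rid in sc.risk_ids:
            if rid not in catalog:
                problems.append(f"{sc.scenario_id}: unknown risk {rid}")
        for kri in sc.kris:
            for rid in kri.risk_ids:
                if rid not in catalog:
                    problems.append(f"{sc.scenario_id}/{kri.name}: unknown risk {rid}")
    return problems


def escalations(scenarios: List[RiskScenario], max_breaches: int = 2) -> List[dict]:
    """Bottom-up escalation: a scenario is raised to senior management when its
    KRIs show more than `max_breaches` threshold breaches in total, or when any
    KRI is trending the wrong way. Returns one record per escalated scenario."""
    out = []
    for sc in scenarios:
        breaches = sum(k.breach_count() for k in sc.kris)
        worsening = [k.name for k in sc.kris if k.worsening_trend()]
        if breaches > max_breaches or worsening:
            out.append({"scenario": sc.scenario_id, "owner": sc.owner,
                        "breaches": breaches, "worsening": worsening})
    return out


def cross_check(kpi_readings: List[float], tolerance: float = 0.02) -> str:
    """Cross-reference a KRI escalation against the high-level KPI it should
    eventually move (e.g. capacity utilization). A KRI alarm with a flat KPI is
    either early warning from a leading indicator or a data problem; both need a look."""
    if len(kpi_readings) < 2:
        return "insufficient KPI data"
    drift = abs(kpi_readings[-1] - kpi_readings[0]) / max(abs(kpi_readings[0]), 1e-9)
    return "corroborated" if drift > tolerance else "uncorroborated"


# Constructed sample data: two catalog risks, two scenarios with owners and KRIs.
CATALOG = {
    "OPS-01": Risk("OPS-01", "Operational", "Production output diverges from inputs"),
    "HSE-02": Risk("HSE-02", "Health & Safety", "Injuries from poorly maintained equipment"),
}
SCENARIOS = [
    RiskScenario("SC-REFINERY", ("OPS-01",), "refinery-line-manager", [
        KRI("input_output_gap_pct", ("OPS-01",), threshold=3.0, leading=True,
            readings=[1.0, 2.5, 3.4, 4.1]),      # two breaches, rising
        KRI("unplanned_downtime_hrs", ("OPS-01",), threshold=8.0, leading=False,
            readings=[2.0, 4.0, 9.0]),           # one breach, rising
    ]),
    RiskScenario("SC-PLANT", ("HSE-02",), "plant-hse-lead", [
        KRI("injuries_per_month", ("HSE-02",), threshold=2.0, leading=True,
            readings=[0, 1, 1, 0]),              # no breach, no trend
    ]),
]

if __name__ == "__main__":
    print("catalog problems:", validate_catalog(CATALOG, SCENARIOS))
    for rec in escalations(SCENARIOS):
        print("escalate:", rec, "| KPI check:", cross_check([90.0, 89.0, 84.0]))
```

With the sample data, only the refinery scenario escalates: its KRIs breach three times in total and both are rising, so the record names the owner to contact, and the falling capacity-utilization KPI corroborates the bottom-up signal. The plant scenario stays with its owner's routine KRI reporting.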
Manage Across Functions and Activities
It is then up to management to decide how to address the issues identified. Mitigating and monitoring risk is most effective when management instills the proper mindset throughout the organization. Employees must understand how KPI and KRI metrics are tied to risks and how what they do impacts their department, other departments and overall company results.
Unfortunately, many companies still take a “silo” approach to risk management, keeping information and actions in one area, with little or no cooperation between other areas in the organization. This results in senior executives being inundated with data from multiple sources as opposed to being provided insights as to what is really happening. The following examples illustrate why open communication is important to effectively execute risk management across all functions and activities.
Production Risk Example – The importance of a combined top-down and bottom-up approach was recently realized too late at a major oil refinery. Workers on site knew something was going wrong because production outputs were not consistent with inputs. Line workers tried to raise the issue but could not get the attention of management. Before long, a major production outage occurred as a result of the problems identified by the line workers. If the organization had an ERM system in place that was designed to collect metrics at the grassroots level, and if thresholds for notifying management existed, the outage probably could have been avoided. Also, management would have been automatically notified of the discrepancies between inputs and outputs through clearly defined metrics.
Health and Safety Risk Example – At another company, an integrated ERM system helped management identify workplace injuries in its chemical plants as a leading indicator of mechanical breakdowns and potential plant shutdowns. This company believes that health and safety violations are key indicators of poor maintenance practices.
Financial Risk Example – A gas and power company with electric, gas pipeline and field service operations also learned from an ERM exercise that some divisions were hedging commodity price risks and others were not. These hedges conflicted with the natural hedges built into the company’s diverse lines of business, creating additional financial risk and higher costs to the organization.
Management is Vital to Success
Although many businesses are starting to embrace an organization-wide approach to managing and measuring risk, this movement has a long way to go. In reality, few organizations have identified the metrics needed to determine where and how to dynamically update the assessment of risks. However, market forces are starting to pressure businesses to do so. One source of pressure is rating agency attention. Standard & Poor’s has rolled out questions regarding nonfinancial organizations’ ERM capabilities and is incorporating an evaluation of risk management capabilities into the business risk side of their credit review. An organization’s ability to manage risks could have an impact on its credit rating.
As such, organizations that choose to mitigate some risks while managing others to their advantage create differentiating factors that can go a long way towards determining success. With a risk identification process that links KPIs, KRIs, strategic objectives and risk scenarios, an organization can better manage and monitor risks using information gathered from the grassroots level, filtered for importance and sent to senior management as needed.
Article from Protiviti KnowledgeLeader – www.knowledgleader.com.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


