Effective Enterprise Risk Management (ERM) is essential to an organizations ongoing success nowadays, given how significantly regular every-day events can impact value. Value can be created, preserved, or eroded by any one of the daily decisions executed by an organization (either intentionally or erroneously).
In this context, risk refers to the possibility of an event affecting overall value, and the subsequent achievement of operational objectives.
ERM should be proactive, and applied in the form of ‘best practice guidelines’ with the aim of creating a proactive, risk-aware culture, capable of identifying potential risk events before they occur. Doing so will enable management to develop ways to control future adversities – which generate uncertainty.
Unlike ‘reactive’ responses to events (which often only slows spread of loss at best); proactive responses are more effective at halting (and event preventing) the spread of loss as they are enacted in a timelier/automated manner that is free of panic and poor judgment.
In addition to the bottom-line benefits that come with integrating risk control systems with business operations; positive by-products associated with culture and quality also result. By integrating Risk Management strategies into the daily management systems, people within the organization become empowered to achieve quality.
Imbedding risk control frameworks within the operational frameworks can, over time, promote risk-aware behaviors and attitudes – inherently, as core company values. Successful cultural improvements aid corporate independence and sustainability – which is key to surviving transitional phases when organizations are most vulnerable.
Cultural change via improved risk awareness also discourages corporate dependency on ‘quality professionals’ (i.e. Auditors and Accountants) who often guard their intellectual territory to maintain a power base – thus limiting transparency.
In this regard auditing shouldn’t be relied upon to drive operational quality, as practices would eventually deviate from an ideal perspective of ‘continuous improvement’, to a ‘checking up’ system that only serves to highlight defects on an ad-hoc basis. If left untreated all prior intentions for continuous improvement stagnates.
This situation is preventable by providing training, facilities, equipment, procedures, and communication to individuals on how to function effectively, and in accordance with risk management objectives. At the enterprise level, integrating a risk control framework into the organizations management systems ensures each activity will be planned, implemented and reviewed with regard to its potential to cause financial loss.
A good framework will be logical, coherent, all-encompassing, credible, comprehensive and adaptable, and it needs to be implemented and run by competent/ credible personnel with the following organizational support:
- Commitment of management.
- Clearly defined objectives, methods and reporting systems.
- Prompt implementation – if changes are revealed as necessary by audits.
AS/NZS ISO 31000:2009, Risk management – Principles and guidelines
AS/NZS ISO 31000:2009 is a legislative document intended as a reference for all organizations at all levels – national, regional and local.
The basis of AS/NZS ISO 31000:2009 is about establishing the context, from which risks are identified, analyzed, evaluated, treated, communicated and monitored. However whilst the standard specifies elements of the risk management process, it does not enforce the application of risk management systems.
The above standard is a guide to assist organizations with implementing:
- A structured process for decision making and planning.
- Tools to identify opportunities and threats.
- Conversion from a reactive management attitude, to a proactive attitude.
- Effective and efficient utilization of resources.
- Reduced insurance premiums.
- Stakeholder confidence and trust.
- A guide towards compliance with legislation.
- Better corporate governance.
The design and implementation of the AS/NZS ISO 31000:2009 program is dependent upon the organizations requirements, objectives, products, services and processes – for which it can be tailored/ scaled to suit.
Establish the context & setting objectives
This component acknowledges the likely risk occurrences (both expected and unexpected) that exist due to operational gaps, created by a poor risk climate/ culture. Ideally, this process would begin by studying the business financial statements to determine what business activities, processes and events commercially affect the businesses financial standing.
AS/NZS ISO 31000:2009’ as a function of ERM acknowledges the ‘internal environment’, but in varied terms. By identifying the ‘Internal/organizational and external context’, a basis is formed from which the purpose of a risk management plan is determined.
Similarly, review of financial statements generated from business activities via would help determine the risk management structure.
With regards to ‘establishing the context’ however, AS/NZS ISO 31000:2009 urges consultation/ communication via a team – based approach to establish the internal and external context. In doing so determines the objectives for risks to be analysed and evaluated against later.
This practice draws on numerous areas of expertise so all relevant enterprise components are considered – including;
- Perceptions and values of external stakeholders.
- Externally generated threats.
- Externally generated opportunities.
- Resource capacity.
This facilitates effective risk evaluation conducted in later steps, ensuring the best, most relevant treatment is implemented.
Further, a team based structure promotes values such as ‘ownership’ by management – which ultimately influences an enterprises culture on risk awareness, whilst also engaging stakeholders – improving the lines of communication.
Risk management objectives are developed in accordance to a business’ operational objectives.
Management and the board set about determining how much risk is acceptable – distinguishing the organizations ‘risk appetite’. Establishing ‘risk appetite’ further defines an organization’s risk tolerance levels, which indicates how much risk variation is allowable before the likelihood and potential loss from a risk event becomes undesirable.
Business activities identified as poignant to financial standing, should define what risk management objectives and internal controls require implementation into the ERM framework, as well as how much funding is commercially worthwhile.
Judgment and discretion needs to be exercised on part of the board/ CEO as to how deep and comprehensive internal controls are implemented, as well as the depth and scope of results required and measurements attained.
The integration of internal risk control framework into overall management systems means each activity will be planned, implemented and reviewed with regard to its potential to cause loss (e.g. financial, moral, reputational).
Identifying natural offsets that result from positive risk events and increased hazard exposure from negative risk events – distinguishes ‘opportunities’ from ‘risks’.
From there analysis is conducted to understand what independent or, interacting activities impact upon risk likelihood and potential loss. At an enterprise level, this would mean determining which risks deviates strategy and stagnates achievement of objectives.
Where financially focused risk models (i.e. COSO) emphasize the CEO’s ownership of risks as they affect financial statements; AS/NZS ISO 31000:2009 prompts consideration of a wider range of sources, including:
- Local and overseas experience, expert judgment, past experience.
- Structured interviews focus group discussion, surveys, questionnaires and checklists.
- Strategic and business plans, process and supply chains.
- Insurance claims reports, past audit reports, historical records.
- Site inspections and visits.
Risk Assessment/ Analyze Risks
The assessment or analysis of risks provides the information necessary for decision making to determine if and how a risk needs to be treated, and the most efficient and cost effective means to do so.
By analyzing the risk, we come to acknowledge different perspective of risks – which are often termed ‘likelihood and impact’, or ‘probability and consequence’. These are represented as measures and are used to distinguish:
a) The potential extent of loss resulting from a risk occurrence; and
b) The likelihood of the risk event actually occurring.
By combining the two, we produce a level of risk, which can further identify strengths and weaknesses within the existing controls (processes, devices or practices).
In this regard, risk data needs to be collated and reproduced for comparative studies against internal control measures, in a format that is relevant and consistent.
By appointing quantitative and qualitative values to each risk according to the level(s) of ‘likelihood and potential’, a tangible means of measurement can be utilized for further comparative study.
When applying quantitative/ qualitative measures during risk analysis, different combinations (of qualitative, quantitative or semi-quantitative) can be used depending on each circumstance.
Quantitative analysis is usually conducted first and should draw from factual information and data, to gain a general understanding of potential risks and outcome magnitude.
Quantitative analysis would then investigate risks in more specific terms, usually with numeric values representing consequence and likelihood.
Measuring risks with numerical values enables you to deal in absolutes (unlike descriptive values of qualitative analysis), preventing variation, miss- interpretation or uncertainty of data – as well as determining the parameters for ‘performance indicators’.
Via brief analysis, the ‘low-impact’ risks are excluded from the more comprehensive study conducted during the risk response/ risk evaluation phase outlined further on.
By determining the ‘low-impact’ risks for exclusion, we not only improve the efficiency of the risk management plan, but also assess the effectiveness of existing controls and strategies.
Risk Response/ Evaluate Risks
This involves the identification of ‘possible responses’ to a risk, then, selects and initiates the most beneficial and commercially worthwhile ‘response’. This specific response can be referred to as the treatment and is prioritised according to the quantitative/ qualitative data produced.
AS/NZS ISO 31000:2009 does not instigate risk avoidance, sharing or acceptance until the treatment options have been prioritised. AS/NZS ISO 31000:2009 insists that these treatment priorities fall within the parameters of the organizations ‘risk appetite’ and in line with the ‘risk context’ – determined in the initial stages (being the organizations objectives and the extend of opportunity that could result). If the quantitative/ qualitative data produced prioritises risks that don’t fall in line with the risk context, a repeat analysis should be conducted.
Control Activities/ Treat Risk Steps
AS/NZS ISO 31000:2009 involves the implementation of practical steps to address the specific risk in both the immediate term (mitigating), and the long term (contingent), without relying on uncontrollable factors such as personnel application.
Risk avoidance, transference, retainment/ acceptance and/ or reduction can be applied immediately with results generated immediately also.
Whilst auditing as a control measure is not an essential part of management, it does serve as a protective system capable of detecting failure in management systems initiated to control risk. On a more general scale, it also serves as a deterrent for carelessness and slapdash practices.
Communicate and Consult
This aspect of AS/NZS ISO 31000:2009 promotes candid communication between stakeholders, and the regular reporting of progress for each phase of a project/objective. Doing so not only secures stakeholder confidence, but enables all parties to keep abreast of potential deviations.
For risk management purposes, the following information would be communicated to the appropriate department for further consultation:
- Audit results.
- Identification of operational traits/ defects/ ineffectiveness.
- Operational improvements/ increased efficiency.
- Positive quantitative and qualitative measurements.
- Incidents of non-compliance.
An example of this would be the outcome of a financial audit produced by an external auditing agency, showing a reduction in operational gaps from the prior year’s assessment, improved accuracy with financial reporting, and (appropriately accounted) financial profit via reduced outgoings.
Monitor and Review
This section of the risk management model aims to prompt organizations to monitor the effectiveness of their control systems, by collating and documenting the results in a quantitative manner. Conducting separate evaluations on an ongoing consistent basis, provides the structure essential to maintain and promote the effective application of each ERM system component. As previously discussed, the quantitative and qualitative data is collated and analyzed to evaluate and compare the performance of the implemented control measures. Without this, management would be unequipped to measure the effectiveness of the implemented control system.
In this regard, the performance of the internal control systems can be measured in line with the context established at the frameworks commencement or, by monitoring and measuring performance according to specified objectives. Quality assurance audits of the internal risk reporting system, is one way personnel and management can both be measures for adherence to expected risk behaviors.
Reviews of the internal financial auditing system is another way organizations can measure the performance of internal risk control measures – which are aimed at ensuring accurate financial reporting, and compliant business operations. Acurate and consistent financial reporting is imperative nowadays due to tightening economic conditions.
In this regard it should be noted that internal controls aimed at maintaining and improving the accuracy and consistency of documentation is equally as important for small-to-medium enterprises; given the higher vulnerability to financial ruin through risks such as misappropriation of funds or taxation breach.