Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
Business is the activity of making one's living or making money by producing or buying and selling products. Simply put, it is "any activity or enterprise entered into for profit. It does not mean it is a company, a corporation, partnership, or have any such formal organization, but it can range from a street peddler to General Motors."
Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, data protection and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.
Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
The Sarbanes-Oxley Act of 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.
The General Data Protection Regulation(EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personal data of individuals inside the EEA, and applies to an enterprise established in the EEA or—regardless of its location and the data subjects' citizenship—that is processing the personal information of data subjects inside the EEA.
According to Thomas Stanton of Johns Hopkins University, the point of enterprise risk management is not to create more bureaucracy, but to facilitate discussion on what the really big risks are.
There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.
In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders."The CAS conceptualized ERM as proceeding across the two dimensions of risk type and risk management processes. The risk types and examples include:
The Casualty Actuarial Society (CAS) is a professional society of actuaries specializing in property and casualty insurance.
The risk management process involves:
The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 (New edition COSO ERM 2017 is not Mentioned and the 2004 version is outdated) defines ERM as a "…process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to combat corporate fraud. It was established in the United States by five private sector organizations, dedicated to guide executive management and governance entities on relevant aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems. COSO is supported by five supporting organizations: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI).
Risk appetite is a concept to help guide an organization's approach to risk and risk management.
The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components - additional components highlighted - are:
The four objectives categories - additional components highlighted - are:
The RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, published in 2006, is an umbrella framework of content and methodology that detail the requirements for sustainable and effective enterprise risk management.The RMM model consists of twenty-five competency drivers for seven attributes that create ERM’s value and utility in an organization. The 7 attributes are:
The model was developed by Steven Minsky, CEO of LogicManager, and published by the Risk and Insurance Management Society in collaboration with the RIMS ERM Committee. The Risk Maturity Model is based on the Capability Maturity Model, a methodology founded by the Carnegie Mellon University Software Engineering Institute (SEI) in the 1980s.
Organizations by nature manage risks and have a variety of existing departments or functions ("risk functions") that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively.
The primary risk functions in large corporations that may participate in an ERM program typically include:
Various consulting firms offer suggestions for how to implement an ERM program.Common topics and challenges include:
|Part of a series on|
In addition to information technology audit, internal auditors play an important role in evaluating the risk-management processes of an organization and advocating their continued improvement. However, to preserve its organizational independence and objective judgment, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk-management function.
Internal auditors typically perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the upcoming year. This plan is updated at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, and SOX 404 top-down risk assessment), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying audit projects, not to identify, prioritize, and manage risks directly for the enterprise.
The risk management processes of corporations worldwide are under increasing regulatory and private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth and opportunity. Executives struggle with business pressures that may be partly or completely beyond their immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive technology change; geopolitical instabilities; and the rising price of energy.
Section 404 of the Sarbanes-Oxley Act of 2002 required U.S. publicly traded corporations to utilize a control framework in their internal control assessments. Many opted for the COSO Internal Control Framework, which includes a risk assessment element. In addition, new guidance issued by the Securities and Exchange Commission (SEC) and PCAOB in 2007 placed increasing scrutiny on top-down risk assessment and included a specific requirement to perform a fraud risk assessment.Fraud risk assessments typically involve identifying scenarios of potential (or experienced) fraud, related exposure to the organization, related controls, and any action taken as a result.
The New York Stock Exchange requires the Audit Committees of its listed companies to "discuss policies with respect to risk assessment and risk management." The related commentary continues: "While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee."
Standard & Poor's (S&P), the debt rating agency, plans to include a series of questions about risk management in its company evaluation process. This will rollout to financial companies in 2007.The results of this inquiry is one of the many factors considered in debt rating, which has a corresponding impact on the interest rates lenders charge companies for loans or bonds. On May 7, 2008, S&P also announced that it would begin including an ERM assessment in its ratings for non-financial companies starting in 2009, with initial comments in its reports during Q4 2008.
ISO 31000 is an International Standard for Risk Management which was published on 13 November 2009. An accompanying standard, ISO 31010 - Risk Assessment Techniques, soon followed publication (December 1, 2009) together with the updated Risk Management vocabulary ISO Guide 73.
IFC Performance Standardfocuses on the management of Health, Safety, Environmental and Social risks. The third edition was published on January 1, 2012 after a two-year negotiation process with the private sector, governments and civil society organisations. It has been adopted by the Equator Banks, a consortium of over 90 commercial banks in 37 countries.
Data privacy rules, such as the European Union's General Data Protection Regulation, increasingly foresee significant penalties for failure to maintain adequate protection of individuals' personal data such as names, e-mail addresses and personal financial information, or alert affected individuals when data privacy is breached. The EU regulation requires any organization--including organizations located outside the EU--to appoint a Data Protection Officer reporting to the highest management levelif they handle the personal data of anyone living in the EU.
In 2003, the Enterprise Risk Management Committee of the Casualty Actuarial Society (CAS) issued its overview of ERM.This paper laid out the evolution, rationale, definitions, and frameworks for ERM from the casualty actuarial perspective, and also included a vocabulary, conceptual and technical foundations, actual practice and applications, and case studies.
The CAS has specific stated ERM goals, including being "a leading supplier internationally of educational materials relating to Enterprise Risk Management (ERM) in the property casualty insurance arena,"and has sponsored research, development, and training of casualty actuaries in that regard. The CAS has refrained from issuing its own credential; instead, in 2007, the CAS Board decided that the CAS should participate in the initiative to develop a global ERM designation, and make a final decision at some later date.
In 2007, the Society of Actuaries developed the Chartered Enterprise Risk Analyst (CERA) credential in response to the growing field of enterprise risk management.This is the first new professional credential to be introduced by the SOA since 1949. A CERA studies to focus on how various risks, including operational, investment, strategic, and reputational combine to affect organizations. CERAs work in environments beyond insurance, reinsurance and the consulting markets, including broader financial services, energy, transportation, media, technology, manufacturing and healthcare.
It takes approximately three to four years to complete the CERA curriculum which combines basic actuarial science, ERM principles and a course on professionalism. To earn the CERA credential, candidates must take five exams, fulfill an educational experience requirement, complete one online course, and attend one in-person course on professionalism.
Initially all CERAs were members of the Society of Actuariesbut in 2009 the CERA designation became a global specialized professional credential, awarded and regulated by multiple actuarial bodies.
The Institute and Faculty of Actuaries (the merged body formed in 2010 from the Institute of Actuaries and the Faculty of Actuaries) is the professional body representing actuaries in the United Kingdom. In March 2008, Enterprise Risk Management was adopted as one of the six actuarial practice areas, reflecting the increased involvement of actuaries in the ERM field.
A regular newsletter communicates the ongoing work that the profession performs in respect of ERM.
Some of the key areas that the profession works on are summarised below (together with some of the recent outcomes in each area):
From April 2010 actuaries were able to study ERM as one of the Specialist Technical Stage exams (ST9 course information), which (with other exam passes) gives candidates the Chartered Enterprise Risk Actuary (CERA) qualification. In July 2010 the first nine actuaries to obtain the CERA qualification were announced. The CERA qualification is offered by 13participating actuarial associations, with further information available at a global or UK level.
Various events (e.g. networking evenings and webinars) are available to actuaries and other interested parties. The main event is the Risk and Investment Conference, which is often held during the summer months. There is also some regularly reviewed material available from the profession which may be of use in developing knowledge of ERM.
A committee has been established to consider research and thought leadership in the ERM field (including what the “elevator speech” on ERM issues might be, definition of the scope of ERM and demonstration of the value of ERM).
Some areas in which work has been completed include:
- ERM - A guide to Implementation
- A survey on actuaries in risk management
- A suggested common risk classification system for the actuarial profession
Research topics will be categorised and subject to a number of tests before proceeding with the research.
- enterprise-wide test (not just topic-specific / silo-based)
- risk management test (management = taking actions, not just modelling)
- director test (important enough for the Board, not just line managers)
Actuaries continue to look to demonstrate and promote the value of actuaries and the CERA qualification in the field of ERM - including through publication of articles in the Actuary
The Actuarial Profession also liaises with other professions where appropriate- e.g. the Institution of Civil Engineers on considering ERM in the context of Risk Analysis and Management for Projects (RAMP).
It is clear that companies recognize ERM as a critical management issue. This is demonstrated through the prominence assigned to ERM within organizations and the resources devoted to building ERM capabilities. In a 2008 survey by Towers Perrin,at most life insurance companies, responsibility for ERM resides within the C-suite. Most often, the chief risk officer (CRO) or the chief financial officer (CFO) is in charge of ERM, and these individuals typically report directly to the chief executive officer. From their vantage point, the CRO and CFO are able to look across the organization and develop a perspective on the risk profile of the firm and how that profile matches its risk appetite. They act as drivers to improve skills, tools and processes for evaluating risks and to weigh various actions to manage those exposures. Companies are also actively enhancing their ERM tools and capabilities. Three quarters of responding companies said they have tools for specifically monitoring and managing enterprise-wide risk. These tools are used primarily for identifying and measuring risk and for management decision making. Respondents also reported that they have made good progress in building their ERM capabilities in certain areas.
In this study, more than 80% of respondents reported that they currently have adequate or better controls in place for most major risks. In addition, about 60% currently have a coordinated process for risk governance and include risk management in decision making to optimize risk adjusted returns.
In another survey conducted in May and June 2008, against the backdrop of the developing financial crisis, six major findings came to light regarding risk and capital management among insurers worldwide:
Nedbank in South Africa approaches ERM as a strategy to help them "optimise risk versus return on a sustainable basis, and risk management is therefore approached across three integrated core dimensions: Managing risk as a THREAT...as an UNCERTAINTY and as an OPPORTUNITY".
The Reserve Bank of Australia - The Bank has established a risk appetite statement regarding its key risks, including risk appetite statements, a supporting risk management framework, and implementation guidelines.
An actuary is a business professional who deals with the measurement and management of risk and uncertainty. The name of the corresponding field is actuarial science. These risks can affect both sides of the balance sheet and require asset management, liability management, and valuation skills. Actuaries provide assessments of financial security systems, with a focus on their complexity, their mathematics, and their mechanisms.
An audit is a systematic and independent examination of books, accounts,statutory records, documents and vouchers of an organization to ascertain how far the financial statements as well as non-financial disclosures present a true and fair view of the concern. It also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditing has become such a ubiquitous phenomenon in the corporate and the public sector that academics started identifying an "Audit Society". The auditor perceives and recognises the propositions before them for examination, obtains evidence, evaluates the same and formulates an opinion on the basis of his judgement which is communicated through their auditing report.
The International Actuarial Association (IAA) is a worldwide association of local professional actuarial associations.
The Society of Actuaries (SOA) is a global professional organization for actuaries. It was founded in 1949 as the merger of two major actuarial organizations in the United States: the Actuarial Society of America and the American Institute of Actuaries. It is a full member organization of the International Actuarial Association.
Financial risk management is the practice of economic value in a firm by using financial instruments to manage exposure to risk: operational risk, credit risk and market risk, foreign exchange risk, shape risk, volatility risk, liquidity risk, inflation risk, business risk, legal risk, reputational risk, sector risk etc. Similar to general risk management, financial risk management requires identifying its sources, measuring it, and plans to address them.
In business and accounting, information technology controls are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a Chief Information Officer (CIO), who is responsible for ensuring effective information technology controls are utilized.
The chief risk officer (CRO) or chief risk management officer (CRMO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes-Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as Chief Executive officer and Chief Financial Officer.
The following outline is provided as an overview of and topical guide to actuarial science:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing is a catalyst for improving an organization's governance, risk management and management controls by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: Governance, risk management, and compliance. The first scholarly research on GRC was published in 2007 where GRC was formally defined as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." The research referred to common "keep the company on track" activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.
Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes Oxley mandated that public companies have an independent Audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes Oxley Act was attempting to proactively deter financial misrepresentation (Fraud) in order to ensure more accurate financial reporting to increase investor confidence. This same concept is applied in the discussion of fraud deterrence.
Tillinghast was the world's largest actuarial practice focused on insurance and a unit of Towers Perrin specializing in risk management and actuarial consulting. The Tillinghast business of Towers Perrin provided consulting and software solutions to insurance and financial services companies and advised other organizations on risk financing and self-insurance. In January 2010, Towers Perrin merged with Watson Wyatt Worldwide to form Towers Watson where Tillinghast became part of the risk management group.
Entity-level controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization. Generally, entity refers to the entire company.
The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high level independent corporate executive with overall responsibility for internal audit.
Risk IT provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.
The actuarial credentialing and exam process usually requires passing a rigorous series of professional examinations, most often taking several years in total, before one can become recognized as a credentialed actuary. In some countries, such as Denmark, most study takes place in a university setting. In others, such as the U.S., most study takes place during employment through a series of examinations. In the UK, and countries based on its process, there is a hybrid university-exam structure.
Certified Sarbanes-Oxley Professional (CSOXP) is a credential awarded by the governance, risk & compliance group. The CSOXP credential communicates that certified professionals have the knowledge listed below:
The whole point of enterprise risk management is not to create another layer of bureaucracy, but rather to have your chief risk officer facilitate the conversations and then the discussions about priorities – what are the really big risks we’ve got to grapple with.