While the idea of enterprise risk management (ERM) has been around for a long time, it wasn’t until the 2008 financial crisis that it became widely recognized as an important component of a company’s overall business strategy. But, despite the increased emphasis on enterprise risk management, many in the industry have difficulty providing a precise definition. As a result, the RMA ERM Council set out to develop highly practical guides for implementing a rigorous enterprise risk management system that will assist organizations of all sizes in managing risk holistically.
Enterprise Risk Management Definition
ERM is described by the council as “the capacity of management to handle all business risks in the pursuit of appropriate returns.”
With that concept as a starting point, the council developed a policy to assist management and boards of directors in answering pertinent business questions about an institution’s risk appetite, business strategy and risk coverage, governance and policies, risk data and infrastructure, assessment and evaluation, control environment, response, and stress testing.
Moving beyond definitions, the rest of this article walks through the enterprise risk management framework, including a strategy you can start following immediately.
Framework for Enterprise Risk Management
Culture is at the heart of the enterprise risk management framework model. Basically, none of the other elements would matter if an organization lacked the right culture and good leadership at the top. In other words, companies that understand and implement ERM as a way of thinking outperform those that do not.
At the end of the day, an enterprise risk management framework will address three key business questions:
- Should we do it (in accordance with our business policy, risk appetite, history, principles, and ethics)?
- Can we do it (in terms of individuals, procedures, structure, and technology)?
- Did we succeed (evaluation of planned outcomes, ongoing learning, and a rigorous system of checks and balances)?
Regardless of the size of the institution or how it chooses to categorize its risks, the enterprise risk management framework’s structure applies. The framework’s circular representation is deliberate: individual components (such as coverage or risk appetite) should flow in both directions rather than in a sequential order. Culture is depicted as the model’s center, heart, and foundation, because the other components are largely meaningless without the right culture.
What an Enterprise Risk Management Framework Covers
The ERM framework was created to assist management and boards of directors in addressing the following important business issues:
- What are all of the risks (coverage) to our market plan and operations?
- What is our risk appetite (how much risk are we able to take)?
- How do we collect the data (risk data and infrastructure) we need to handle these risks?
- What are the culture, governance, and policies that regulate risk-taking?
- How do we keep the risks under control (control environment)?
- What are the worst-case situations that could damage us (stress testing)?
- How do we determine the magnitude of different threats (measurement and assessment)?
- What are our plans for dealing with these dangers (response)?
- What is the relationship between different threats (stress testing)?
The RMA ERM Council used a set of highly realistic workbooks for risk management practitioners to establish this ERM framework and related ERM competencies. The following are the workbooks:
- Risk Appetite Workbook
- Governance and Policies Workbook
- Measurement and Evaluation of Risk Data and Infrastructure (addressed as part of the Governance and Policies Workbook)
- A Basic Guide to Scenario Analysis and Stress Testing for Community Banks
The following are descriptions of key elements in a successful enterprise risk management strategy:
#1. Business Strategy and Coverage
Risk management must operate within the framework of business strategy and address the fundamental question: “What is our business strategy, and what risks accompany it?”
Prior to articulating its risk appetite, an organization must first define its priorities and objectives, or business plan. The institution must identify its goals in terms of markets, geographies, divisions, products, profits, and so on. The organization then assesses the risk associated with that plan and decides how much risk it is prepared to take in carrying it out. At the same time, an enterprise is exposed to the following threats, regardless of its business strategy:
- Capital adequacy
#2. Risk Appetite
The Risk Appetite Workbook from RMA explains in great detail what a risk appetite is and how an organization can develop one. It defines risk appetite as “the amount of risk (volatility of expected results) an entity is willing to tolerate in pursuit of a desired financial output (returns).”
It is vital to note that while people often use the terms “risk appetite” and “risk tolerance” interchangeably, they have distinct meanings. Risk appetite refers to how much uncertainty an organization is able to accept in order to carry out its business plan. Risk tolerance refers to a company’s day-to-day operating limits that are set within the context of its stated risk appetite (for example, concentration limits).
The vital ties between policy, business strategies, and risk must be understood by management and the board of directors. One resource that promotes this link is a risk appetite statement. In this context, risk management is an important component of the institution’s overall strategy and basic business goals, as well as its performance, returns, and value development.
#3. Culture, Governance, and Policy
Culture can be described as “what people do when no one is looking.” As previously said, the most critical element of any successful ERM competency is culture. RMA’s Governance Workbook addresses governance and policies, and presents numerous examples of board- and management-level governance committees that oversee risk-taking activities.
To the general public, policies express the company’s risk appetite. They tell all stakeholders what the organization is willing to do and what it is not willing to do. Policies (what to do) and procedures (how to do it) are used to carry out the risk appetite statement.
Simply put, an institution’s history, governance, and policies work together to help it handle its risk-taking activities.
#4. Risk Data and Infrastructure
Risk management is accomplished by boards of directors and management having a thorough understanding of the company’s risk profile. How information is gathered, integrated, processed, and converted into a coherent narrative is referred to as risk data and infrastructure.
This is most likely the most difficult part of ERM. Some businesses invest $200 million to $300 million without seeing a return on their investment.
A highly reliable management information system is therefore essential when building an effective risk management framework, and the ERM Council intends to devote an entire workbook to this subject because of its significance.
#5. Control Environment
One of the most critical tools in the management toolbox for risk management is the internal control environment. Internal controls help lower inherent risk to a level that management can accept. The internal controls framework includes culture, governance, policies, preventive and detective controls, and scenario planning.
Furthermore, internal controls help the management keep residual risk at a minimal level.
#6. Measurement and Evaluation
Boards of directors and management must handle a portfolio of risks at any given time. This ranges from asset quality, liquidity, interest rate, to business continuity, information security, privacy, etc.
In ERM, measurement is the science and art of determining which risks are important and which are not, and of deciding where to spend time, resources, and effort.
For example, an organization may use a simple color-coding model (green, yellow, and red), a highly sophisticated risk-adjusted return on capital (RAROC), or a middle-of-the-road failure mode and effects analysis (FMEA) model to achieve the objective of measurement and evaluation.
Regardless of the process used, measurement and assessment help boards and management answer the question: “So what?” The assessment and evaluation process must include the system of internal controls, as well as a determination of how well the risks can be handled.
#7. Scenario Planning & Stress Testing
The art of ERM is the ability to answer the question, “What can go wrong and therefore cause deviation from planned outcomes?” To achieve this, management must address documented, knowable, and unknown threats.
Scenario planning and stress testing are methods that concentrate on the risks that are known and, in some cases, unknown. From a capital planning standpoint, a strong scenario planning and stress testing discipline is therefore important.