Marc Aboud outlines how enterprise risk management frameworks can help organisations move beyond risk mitigation and ultimately create value.
Many organisations focus their risk management activity on risk mitigation as opposed to utilising the positive side of risk, where untapped value may reside. This article will explore how an enterprise risk management (ERM) framework aligned to international best practice can help your organisation identify value-creating opportunities. It will also help auditors think strategically and add value to the organisation.
The future of risk management
The focus of risk management is no longer a static view of risks and controls documented within an organisation. The challenge for accountants and other risk practitioners is to pivot to a more proactive risk management approach. This will enable an organisation not only to preserve value, but also to create and realise value.
Moving to ERM
The complexity of risk has changed, new risks have emerged, and boards have enhanced their awareness and oversight of ERM while asking for improved risk reporting. The drivers include regulation, technology, big data and the macro environment.
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) recently published an ERM framework for public comment. The framework sets out core definitions and outlines five components and underlying principles. It also provides direction for all levels of management involved in designing, implementing and conducting ERM practices. It reads: “Well-designed ERM practices provide management and the board of directors with a reasonable expectation that they can achieve the overall strategy and business objectives of the entity”.
The key changes from the original 2014 COSO ERM Framework include:
- Greater insight into the role of ERM when setting and executing strategy;
- Enhanced alignment between performance and ERM;
- Expanded reporting for greater stakeholder transparency; and
- Inclusion of evolving technologies and growth of data analytics.
The five components
The updated framework consists of five components, as outlined below, supported by 23 principles.
- Risk governance and culture: risk governance and culture together form a basis for all other components of ERM. Risk governance sets the entity’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviours and understanding of risk in the entity. Culture is reflected in decision-making;
- Risk, strategy and objective-setting: ERM is integrated into the entity’s strategic plan through the process of setting strategy and business objectives. With an understanding of business context, the organisation can gain insight into internal and external factors and their impact on risk. An organisation sets its risk appetite in conjunction with strategy-setting. The business objectives allow strategy to be put into practice and shape the entity’s day-to-day operations and priorities;
- Risk in execution: an organisation identifies and assesses risks that may affect its ability to achieve its strategy and business objectives. It prioritises risks according to their severity and the entity’s risk appetite. The organisation then selects risk responses and monitors performance for change. In this way, it develops a portfolio view of the amount of risk the entity has assumed in pursuit of its strategy and business objectives;
- Risk information, communication and reporting: communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant and quality information from both internal and external sources to support ERM. The organisation leverages information systems to capture, process and manage data and information. By using information that applies to all components, the organisation reports on risk, culture, and performance; and
- Monitoring ERM performance: by monitoring ERM performance, an organisation can consider how well the ERM components are functioning over time and in light of substantial changes.
The supporting principles represent fundamental concepts of each component and what you would expect to see in place with respect to the component.
A dynamic framework
The draft framework includes useful appendices on roles and responsibilities, and risk profile illustrations. It outlines the approaches an organisation can take for assigning roles and responsibilities for ERM and provides guidance on the roles and responsibilities of the board of directors, chief executive officer, chief risk officer, management and the internal auditor.
Audit considerations
Audit practitioners can utilise the new framework to add value to an organisation rather than focusing exclusively on whether procedures, policies and controls are documented, in place and operating effectively.
Deloitte’s 2016 Global Chief Audit Executive Survey highlighted that organisations need internal audit to inform them about the future rather than only report on the past. They require insights and advice as well as assurance. They require reviews of not only financial and operational controls, but also of strategic planning and risk management processes. In addition, the report concluded that:
- Internal audit currently lacks the impact and influence it wants and needs within the organisation;
- Key gaps in certain skills, including analytics, IT, and communications, must be addressed to increase impact and influence; and
- Stakeholders expect more forward-looking reports as well as insights regarding risks, strategic planning, IT and business performance.
The updated ERM framework can help internal audit think differently about risk management, adapt with the business, and add value in both planning and executing the annual audit plan. To assess the framework, the internal audit function may consider whether:
- The components and principles relating to ERM are present and functioning;
- The components relating to ERM are operating together in an integrated manner; and
- The necessary controls are present and functioning.
External audit perspectives do not traditionally focus on ERM. Depending on the jurisdiction, however, external audit may comment on the internal control environment. An effective ERM framework will help provide assurance in this scenario.
The proposed timeframe
COSO's ERM framework was first released in 2004. The proposed update links ERM to strategy and explores the ways in which ERM can help create and realise value within an organisation and help execute and influence an organisation's strategy.
COSO defines ERM as the “culture, capabilities and practices integrated with strategy-setting and its execution that organisations rely on to manage risk in creating, preserving, and realising value”. This definition and the proposed framework are intended to apply to all entities, regardless of legal structure, size, industry or geography.
In June 2016, COSO released the updated ERM framework for public comment. The public comment period came to an end in December 2016 and COSO is now considering and addressing the input received. The final version of the framework is expected to be released later this year and the public exposure document is available at www.coso.org.
Implementation considerations
In theory, frameworks such as the draft ERM are very useful guidelines when implementing an ERM framework or changing an existing one. However, the relevance of the concepts may vary depending on an organisation's size and complexity.
If your organisation is updating its existing risk framework or is considering doing so in the near future, here are some points to consider:
- Culture: there may be a poor risk and control culture, which may hinder implementation. An effective training plan and communication strategy will be required to bring the powers that be on the journey;
- Buy-in: achieving buy-in with the business may be a challenge due to conflicting priorities and a history of past failures. Examples include previous risk projects that failed or are not fully embedded;
- Project governance: project objectives, scope and the team need to be agreed early with clear roles and responsibilities. Deliverables, timeline, management and communication strategies also need to be set out and agreed;
- Stakeholder management: managing expectations of multiple stakeholders including business representatives, human resources, IT, head of vendor management, internal audit, external auditor and representatives from the second line of defence;
- Resourcing and capability: having the resources and appropriate skillset on the ground to facilitate workshops, draft documentation, implement feedback and manage the project;
- IT considerations and linkage to other risk frameworks: should the ERM be Excel-based or should the organisation procure a governance risk and compliance solution? What are the advantages and disadvantages to each? How will they integrate with existing risk processes, frameworks and systems?
- Deployment to embedding: once the processes have been developed and deployed, how do you move to embed the processes into business as usual?
Marc Aboud is a Manager in Deloitte's Risk Advisory department.