Yannick Taptue is a Finance Risks Controller at Schlumberger Technologies. He published this article in the IIA Group last month, giving his view on implementing a successful Risk Management function. It offers a simple explanation of this complex issue, capturing many of the key considerations in an accessible format.
Why do we need to manage risk and pursue opportunity in a single coordinated program?
A few quick answers:
The scope of ERM is broad. Therefore, it is important to simplify risk and to get it right in a complex world.
Now we move into new territory, identifying the seven contributions of ERM. More than that, we develop a paradigm for enterprise risk management. We get close to the operational level where risk comes alive and managers deal with it on a day-to-day basis.
There are seven contributions that point the way to designing an effective ERM program.
As already explained, the first contribution of ERM occurs when “risk opportunity” is incorporated into the definition of “risk”. This acknowledges the interaction among risks because an exposure does not occur in isolation.
The second contribution of ERM is to assign a risk owner for every category of risk. In an ERM structure, the “owner” has the knowledge, experience, and ability to manage the exposure and thus be accountable for it. Of course, some risks cannot be addressed with a single risk owner.
A third contribution of ERM recognizes the importance of matching responsibility and accountability for risk management with the business model of the enterprise. This produces the least disruption of current successful practices while adding a new perspective on and capacity to understand business risk. Alignment occurs when risks are grouped together so that they can be managed by a single owner.
A business model includes several items. The first is a value to be created for customers or clients. Second is the architecture of the organization, which creates a hierarchy, partnerships, and other structures to deliver the value. Next is the network of employees, partnerships, and other relationships that create and deliver value. Finally, resources aligned with the structure provide the capital, assets, and people needed to generate sustainable profits and cash flows.
ERM can be fitted to the various units and levels of the business model. ERM is enhanced when key risks have risk owners while internal controls take care of “all” risks. Then we can use a structure of lower-level risks to drill down risk ownership into the entity.
Who are the risk owners in a business model? Functional staff members in production, marketing, and finance support the business model. Business units, including relatively autonomous regions and operations, are obvious risk owners. Finally, and not to be omitted, are key initiatives. These major activities reflect highly visible goals, cross unit lines, provide entrepreneurial opportunities, and solve major problems.
The final step is to match risk categories with risk owners. This enhances the chance that the risk alignment will work smoothly. Each risk owner is focused on his or her important risks. This limited list of perhaps five to eight exposures should be created at each hierarchical level. Risks handled by day-to-day organizational practices and internal controls are not part of the structure and are included only as exceptions if an internal control process breaks down.
A fourth contribution of ERM is to create a central risk function. This is an individual or unit responsible for the coordination of risk discussions across the entity. It should occupy a high position in the hierarchy and have access to senior executives. Its goal should be to facilitate efforts by risk owners to manage risk.
A central risk function can identify risks that might otherwise be missed by senior executives at the top of an organization. By facilitating the sharing of risks and strategies, it can manage and vet information. By influencing risk discussions, it can reduce the tendency for silos to refuse to share information and hide negative conditions.
In some formulations of ERM, a central risk function takes on the perceived role of managing risk. It may even be responsible for insurance buying or loss control. This is not a good model because risk identification and risk sharing are fundamentally different from risk transfer or mitigation. Somebody other than the central risk function should buy insurance and ensure workplace safety. Organizations need a central activity that seeks out factors that are changing the business landscape. What is happening with markets, regulators, politics, competitors, and other sources of risk? What is happening inside the organization itself with cultural, management, leadership, human resources, and unit life cycle exposures? These are important issues. They deserve full attention.
A fifth contribution of ERM is the recommendation to create a risk management decision support system specifically designed to help understand risk. It is a tool to share identified risks and recognize the scope of each exposure. It provides a repository to show how a risk owner is evaluating each risk and allows sharing alternatives and recommendations.
Risk Clusters. Risk categories should be built so that risk relationships can be understood quickly and without clutter. A risk cluster is a grouping of related risks showing the interaction of exposures. As an example, a fire causes loss of property but also has an impact on future business, earnings, and cash flows.
Risk Mitigation Details and Activities. The individual exposures should be linked to inherent risks and managed risks. All authorized risk owners can see the activities and mitigation strategies and make suggestions for improvements or cooperation.
A sixth contribution of ERM involves the fiduciary role of the board (Tone at the Top). Its members understand the importance of complying with Sarbanes–Oxley. They usually require periodic reports from internal audit. How can a board not also have independent reporting on enterprise risk?
The seventh contribution of ERM encourages the use of a viable evaluation process to assess risk. It is essentially a problem-solving process that is used widely in planning and budgeting and that is modified to systematically approach decisions to retain, transfer, reduce, or avoid exposures. This is one version:
Yannick R. Kounga T. is an ordinary man. He is a Finance and Accounting Professional who has received a Master's degree with majors in Accounting and Finance from the University of Douala (Cameroon) and an MBA in Finance from the University of Wales (UK). He is a Fellow of several US professional associations, where he plays multiple roles. Yannick currently works as a Controller in the energy industry and is based in the Houston area, where he lives with his family. He speaks French, English and basic Spanish besides 4 other African dialects and has lived in 13 countries. Outside of work, Yannick is an avid reader/learner, community worker, volunteer, father, husband, average guest-blogger and poor but keen cook!