The 7 Major Contributions of Enterprise Risk Management | IAC Recruit

By Yannick Rostand Kounga Taptue, MBA | 26th August 2015

Yannick Taptue is a Finance Risks Controller at Schlumberger Technologies. He published this article in the IIA group last month, giving his view on implementing a successful risk management function. It offers a simple explanation of this complex issue, capturing many of the key considerations in an accessible format.

The Need for ERM

Why do we need to manage risk and pursue opportunity in a single coordinated program?

A few quick answers:

  • We want a better chance to identify, mitigate, avoid, and treat risks that could close us down.
  • We want reliable and predictable behaviors when creating, distributing, financing, and selling products and services.
  • Fiduciary responsibility: ERM helps the board and CEO meet their shareholder, employee, community, social, and ethical responsibilities.
  • ERM helps build good relationships with other parties who expect us to observe legal and ethical behaviors in the conduct of our operations. This affects customers, employees, suppliers, creditors, and regulators.

The scope of ERM is broad. Therefore, it is important to simplify risk and to get it right in a complex world. 

Now we move into new territory, identifying the seven contributions of ERM. More than that, we develop a paradigm for enterprise risk management. We get close to the operational level where risk comes alive and managers deal with it on a day-to-day basis.

There are seven contributions that point the way to designing an effective ERM program.

Contribution 1: Recognize the Upside of Risk

The first contribution of ERM occurs when “risk opportunity” is incorporated into the definition of “risk”. Defining risk this way also acknowledges the interaction among risks, because an exposure does not occur in isolation: the same event can destroy value in one place and create it in another.

Contribution 2: Assign Risk Owners

The second contribution of ERM is to assign a risk owner for every category of risk. In an ERM structure, the “owner” has the knowledge, experience, and ability to manage the exposure and thus be accountable for it. Of course, some risks cannot be addressed with a single risk owner.

Contribution 3: Align Risk Accountability

A third contribution of ERM recognizes the importance of matching responsibility and accountability for risk management with the business model of the enterprise. This produces the least disruption of current successful practices while adding a new perspective on and capacity to understand business risk. Alignment occurs when risks are grouped together so that they can be managed by a single owner.

A business model includes several items. The first is a value to be created for customers or clients. Second is the architecture of the organization, which creates a hierarchy, partnerships, and other structures to deliver the value. Next is the network of employees, partnerships, and other relationships that create and deliver value. Finally, resources aligned with the structure provide the capital, assets, and people needed to generate sustainable profits and cash flows.

ERM can be fitted to the various units and levels of the business model. ERM is enhanced when key risks have risk owners while internal controls take care of “all” risks. Then we can use a structure of lower-level risks to drill down risk ownership into the entity.

Who are the risk owners in a business model? Functional staff members in production, marketing, and finance support the business model. Business units, including relatively autonomous regions and operations, are obvious risk owners. Finally, and not to be omitted, are key initiatives. These major activities reflect highly visible goals, cross unit lines, provide entrepreneurial opportunities, and solve major problems.

The final step is to match risk categories with risk owners. This enhances the chance that the risk alignment will work smoothly. Each risk owner is focused on his or her important risks. This limited list of perhaps five to eight exposures should be created at each hierarchical level. Risks handled by day-to-day organizational practices and internal controls are not part of the structure and are included only as exceptions if an internal control process breaks down.

Contribution 4: Create a Central Risk Function

A fourth contribution of ERM is to create a central risk function. This is an individual or unit responsible for the coordination of risk discussions across the entity. It should occupy a high position in the hierarchy and have access to senior executives. Its goal should be to facilitate efforts by risk owners to manage risk.

A central risk function can identify risks that might otherwise be missed by senior executives at the top of an organization. By facilitating the sharing of risks and strategies, it can manage and vet information. By influencing risk discussions, it can reduce the tendency for silos to refuse to share information and hide negative conditions.

In some formulations of ERM, a central risk function takes on the perceived role of managing risk. It may even be responsible for insurance buying or loss control. This is not a good model because risk identification and risk sharing are fundamentally different from risk transfer or mitigation. Somebody other than the central risk function should buy insurance and ensure workplace safety. Organizations need a central activity that seeks out factors that are changing the business landscape. What is happening with markets, regulators, politics, competitors, and other sources of risk? What is happening inside the organization itself with cultural, management, leadership, human resources, and unit life cycle exposures? These are important issues. They deserve full attention.

Contribution 5: Install a High-Tech Electronic Platform (HTEP)

A fifth contribution of ERM is the recommendation to create a risk management decision support system specifically designed to help understand risk. It is a tool to share identified risks and recognize the scope of each exposure. It provides a repository to show how a risk owner is evaluating each risk and allows sharing alternatives and recommendations. 

Risk Clusters. Risk categories should be built so that risk relationships can be understood quickly and without clutter. A risk cluster is a grouping of related risks showing the interaction of exposures. As an example, a fire causes loss of property but also has an impact on future business, earnings, and cash flows.

Risk Mitigation Details and Activities. The individual exposures should be linked to inherent risks and managed risks. All authorized risk owners can see the activities and mitigation strategies and make suggestions for improvements or cooperation.

Contribution 6: Involve the Board of Directors

A sixth contribution of ERM involves the fiduciary role of the board (Tone at the Top). Its members understand the importance of complying with Sarbanes–Oxley. They usually require periodic reports from internal audit. How can a board not also have independent reporting on enterprise risk?

Contribution 7: Employ a Standard Risk Evaluation Process

The seventh contribution of ERM encourages the use of a viable evaluation process to assess risk. It is essentially a problem-solving process that is used widely in planning and budgeting and that is modified to systematically approach decisions to retain, transfer, reduce, or avoid exposures. This is one version:

  • Identify the Risk. External risks are largely uncontrollable because they arise from the competitive environment, economic factors, acts of regulatory bodies, and other outside sources. Internal risks reflect the culture, value structure, management and leadership styles, subcultures, and relationships among employees, suppliers, customers, and others. Exposures also arise from faulty business processes, weak internal controls, and weaknesses among workers and departments.
  • Assign an Owner or Owners. Establish clear accountability by matching every important risk with a functional area, business unit, or key initiative. Delegate accountability down a chain of command to co-owners in a direct reporting line with the risk owner.
  • Assess the Impact. What is the expected frequency of each risk? Is the chance of loss remote or likely? What are the levels of damage severity under different assumptions? Support assessments with both quantitative analysis and qualitative considerations.
  • Evaluate Mitigation Options. What choices are available? Can the risk be retained, avoided, reduced, or transferred? Recognize the trade-off between the cost of mitigating the risk and the benefits gained by accepting it.
  • Implement, Monitor, and Revise. Pick an option and implement it. Monitor the results so that adjustments can be made as needed. Ensure flexibility if conditions change or new information becomes available.
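The evaluation process above, carried through in code as an added example that is not part of the original article: a small Python risk register with constructed sample figures (a plant fire, its business-interruption follow-on in the same risk cluster, and a regulatory exposure that has no owner; every number is an assumption). It checks that each important risk has an owner (Contribution 2), totals the inherent exposure of a risk cluster (Contribution 5), and ranks retain/reduce/transfer options by treatment cost plus residual expected loss, the quantitative side of steps 3 and 4.

```python
"""Added example, not from the article: a minimal risk register that applies
the standard risk evaluation process to constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Option:
    """A treatment choice (retain, reduce, transfer or avoid) and its effect."""
    name: str
    annual_cost: float          # premium, control cost, or lost contribution
    residual_frequency: float   # expected events per year after treatment
    residual_severity: float    # expected loss per event after treatment


@dataclass
class Risk:
    risk_id: str
    description: str
    cluster: str                # related exposures share a cluster (Contribution 5)
    owner: Optional[str]        # accountable owner (Contribution 2); None is a gap
    frequency: float            # inherent expected events per year
    severity: float             # inherent expected loss per event
    options: List[Option] = field(default_factory=list)


def expected_loss(frequency: float, severity: float) -> float:
    """Quantitative impact assessment: expected annual loss = frequency x severity."""
    return frequency * severity


def unowned_risks(risks: List[Risk]) -> List[str]:
    """Step 2 check: every important risk must have an accountable owner."""
    return [r.risk_id for r in risks if not r.owner]


def cluster_exposure(risks: List[Risk], cluster: str) -> float:
    """Inherent annual expected loss of a cluster, so that a fire's property
    loss and its business-interruption impact are viewed together."""
    return sum(expected_loss(r.frequency, r.severity)
               for r in risks if r.cluster == cluster)


def evaluate_options(risk: Risk) -> List[Tuple[str, float]]:
    """Step 4: total annual cost of each option = treatment cost + residual
    expected loss. Retention (do nothing) is always available at the inherent
    exposure, so it is added as the baseline. Cheapest option first."""
    retain = Option("retain", 0.0, risk.frequency, risk.severity)
    results = []
    for opt in [retain] + list(risk.options):
        residual = expected_loss(opt.residual_frequency, opt.residual_severity)
        results.append((opt.name, opt.annual_cost + residual))
    return sorted(results, key=lambda pair: pair[1])


def best_option(risk: Risk) -> str:
    """Step 5 input: the option with the lowest total annual cost."""
    return evaluate_options(risk)[0][0]


# Constructed sample register (all figures are assumptions for illustration).
SAMPLE_RISKS = [
    Risk("R1", "Fire at main plant (property loss)", "fire", "Operations",
         frequency=0.02, severity=5_000_000, options=[
             # sprinklers: same frequency, far lower loss per event
             Option("reduce", 30_000, 0.02, 1_000_000),
             # insurance: premium, residual loss is the deductible
             Option("transfer", 60_000, 0.02, 250_000),
         ]),
    Risk("R2", "Adverse regulatory change", "regulatory", None,
         frequency=0.5, severity=200_000),
    Risk("R3", "Business interruption after plant fire", "fire", "Operations",
         frequency=0.02, severity=2_000_000),
]


def report(risks: List[Risk]) -> List[str]:
    """Human-readable summary a central risk function could circulate."""
    lines = []
    for gap in unowned_risks(risks):
        lines.append(f"{gap}: NO OWNER ASSIGNED")
    for r in risks:
        ranked = ", ".join(f"{n}={c:,.0f}" for n, c in evaluate_options(r))
        lines.append(f"{r.risk_id} [{r.cluster}] inherent="
                     f"{expected_loss(r.frequency, r.severity):,.0f} -> {ranked}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RISKS)))
    print(f"fire cluster exposure: {cluster_exposure(SAMPLE_RISKS, 'fire'):,.0f}")
```

For R1 the sprinkler option wins (30,000 of control cost plus 20,000 of residual expected loss beats the 65,000 insurance total and the 100,000 inherent exposure), which is exactly the cost-versus-benefit trade-off step 4 asks for; the qualitative side (regulatory pressure, reputational impact) still has to be layered on top of these figures by the owner.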

Yannick R. Kounga T. is an ordinary man. He is a Finance and Accounting Professional who received a Master's degree with majors in Accounting and Finance from the University of Douala (Cameroon) and an MBA in Finance from the University of Wales (UK). He is a Fellow of several US professional associations, where he plays multiple roles. Yannick currently works as a Controller in the energy industry and is based in the Houston area, where he lives with his family. He speaks French, English and basic Spanish besides four other African dialects, and has lived in 13 countries. Outside of work, Yannick is an avid reader/learner, community worker, volunteer, father, husband, average guest blogger and poor but keen cook!