THISDAY

ERM and Corporate Governance

This article addresses some of the pressing enquiries received from readers.

Question. Is there a distinction between risk management and enterprise risk management? The answer is “yes”. Both point in the same direction, but take on a different interpretation when the word “enterprise” is introduced. Refer to my earlier article, “Why risk management” (https://www.thisdaylive.com/index.php/2016/11/28/why-risk-management/).

A classic definition of risk is the “effect of uncertainty on objectives”. An objective, here used as a noun, means a thing aimed at or sought, a goal, intention, purpose or target. Objectives can be personal goals, or can have commercial or social motivations such as business objectives, and government objectives.

Risk management for organisations is often used interchangeably with enterprise risk management (ERM). Risk management, as its name implies, means the management and control of risks. This concept is practiced in most organisations, albeit in stand-alone circumstances, commonly referred to as silos. By introducing the word “enterprise”, which is the focus of my writings, risk management takes on a more strategic meaning and purpose, whereby we move away from the separate management of individual risks to a broader, more integrated and structured method. This is the fundamental idea behind the ERM approach. ERM in any organisation (business or government: ministries, departments and agencies) is a system of dealing with all the risks faced, across all the operations, departments and units, in a structured and holistic manner. It is concerned with the management of the risks that can impact the objectives, or key dependencies. ERM is delivered within a framework which is part of the overall risk governance arrangements. This framework is the architecture, strategy and protocols which support the risk management process. The risk architecture defines how information on risk is communicated. The risk strategy defines the overall objectives, and the risk protocols are the systems, standards and procedures put in place. An ERM specialist is imbued with the skills to design frameworks, implement them and advise, no matter the industry or sector.

ERM is like a holy grail. Many executives say they do it, and yet they can’t agree on what it is. The reality is that companies think they are implementing ERM, but they really aren’t. What obtains in practice often demonstrates a very limiting view of ERM, from maintaining a list of risks (“enterprise list management”) to summarizing risk responses, leaving many corporate leaders underwhelmed with its value contribution.

The overwhelming evidence points to a positive relationship between ERM and company performance. There is also evidence that improved corporate governance leads to better ERM. One can conclude that ERM, properly designed and implemented, has a significant effect on performance and profitability. In its immature state, ERM adds limited value because it often leaves management with a list of risks and very little insight as to what to do next. In its various forms, ERM may increase risk awareness with management, the board of directors and others, but it will not be effective in driving decisions because it typically isn’t integrated with the enterprise’s decision-making processes. As a result, it is often an afterthought to strategy and an appendage to performance management.

Different standards have their own interpretations of ERM. The Committee of Sponsoring Organizations standard (COSO) points out that ERM, among other things:

• Is an ongoing process.

• Is applied across the enterprise.

• Is designed to identify potential events that could affect the entity, and to manage risk within its risk appetite.

• Provides reasonable assurance.

Another standard, ISO 31000, states that ERM should be an integral part of organizational processes as well as a part of decision making.

While these and other standards provide valuable insight in defining ERM, I prefer a version of ERM summed up as follows:

“ERM is the discipline, culture and control structure an organization has in place to continuously improve its risk management capabilities in a changing business environment”.

Why is ERM important? Events over recent years have pointed to five realities that every CEO and board face:

1. The time may come – sooner than we may expect – when the fundamentals of the business are about to change. Risk management at enterprise level is about securing “early mover” positioning in the marketplace.

2. It is not what we know that matters; it is what we don’t know that makes the difference.

3. Most businesses are boundary-less.

4. Sooner or later, there will be a crisis that will test your company. Even the most effective risk management cannot prevent this exposure.

5. Management and directors are struggling with delineating between risk management and risk oversight.

ERM and corporate governance are therefore intricately interwoven, in the sense that one requires the other to work. The failure of companies is mostly attributed to a failure of managing their risks.

There has been much more interest in corporate governance across the globe due to high-profile corporate scandals. In Nigeria, the CBN issued in 2006 a mandatory corporate governance code for Nigerian banks, which addressed the following risk management requirements:

• There should be, as a minimum, the following board committees – Risk Management Committee, Audit Committee, and the Credit Committee.

• Banks should put in place a risk management framework including a risk management unit that should be headed by a Senior Executive.

The insurance and pension regulators soon followed suit with corporate governance codes for their respective industries. The Code of Governance for Public Companies was issued in 2008. The current code has the following requirements regarding the Risk Management Committee:

• The Board may establish a Risk Management Committee to assist it in its oversight of the risk profile, risk management framework and the risk-reward strategy determined by the Board.

In summary, the discipline of ERM has become established, and is here to stay. It has proven able to deliver significant and measurable financial benefits, in the form of increased profit in private sector organisations, and can produce enhanced efficiency and/or value-for-money delivery of services in the public sector.

Robert Mbonu
