Why Today’s Organisations Need Enterprise Risk Management
If one reviewed the archives and compared the business world then to where we are now, there is no doubt that the seismic fallout of the 2008 global financial crisis (GFC) left an indelible mark on how financial institutions and intermediaries operate under the new, unfamiliar and unforgiving market and regulatory environment.
Enterprise risk management (ERM), which percolates across all parts of an institution, is often cited as the operational framework or mechanism to ensure that an institution fundamentally remains a going concern, despite any changes to its internal or external environment. The Committee of Sponsoring Organizations of the Treadway Commission – aka COSO – is the industry body at the forefront in defining and articulating what an effective ERM framework should look like.
Back in 2004 COSO defined ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Much has changed since then. COSO is now in the process of updating its ERM framework and will take into account a detailed industry survey carried out last year. Published in November ‘COSO Enterprise Risk Management – Integrated Framework Update Project – Frequently Asked Questions (FAQ)’ noted: “Indeed the business and operating environments have changed, becoming more complex, technologically driven, and global in scale”.
It is also worth noting that in 2013 COSO refreshed its 1992 ‘Internal Control Integrated Framework’, which is considered a critical element of the ERM framework. COSO retained the three core objective categories of operations, reporting and compliance, and the five key elements associated with internal controls, but supplemented the 2013 framework with 17 new principles alongside 75 observations or points of focus that are geared to financial reporting.
Breaking Down the Silos
So what impact will the new COSO ERM and controls framework have on the industry? Will it lead to greater success in how ERM programmes are viewed and implemented? From the standpoint of managing financial risks, it is not surprising that institutions still face hurdles in obtaining a coherent, detailed, complete and timely view of what risks they face on a daily basis.
Often this weakness is borne out of the multiple risk and data silos that permeate across many organisations, making it incredibly difficult to put in place a robust governance framework. This siloing creates a disjoint between how the business model is managed on an operational basis versus the best practices outlined in a set of policies and procedures. So what improvements can be made to get a more holistic picture of how an institution views and manages its risks?
Apart from embracing the best practices advocated by COSO’s ERM and internal control – integrated frameworks, there needs to be a concerted effort to promote the virtue that a well-designed, transparent and engaging ERM framework will add incremental value to the bottom line – rather than as a process to limit or mitigate the amount of risk taken. A greater in-depth view of risk can exploit opportunities rather than mask them, which may become apparent during a stress scenario where typically the business view becomes so conservative that there is a reluctance to take on any incremental exposure to help derive a few additional basis points.
Under Basel III, treasury has become a focal point not just for the regulators but also for the board of directors. Both parties have a vested interest in how treasury performs its duties to ensure the institution remains solvent and liquidity at all times, while still delivering shareholder value. Today, given the benign interest rate environment and uncertain economic outlook, institutions are looking towards their treasury to seek out profitable opportunities – however small – that help offset the slowdown in income from more traditional asset and liability activities.
Maximising such opportunities will mean institutions have to seriously re-consider moving their treasury models away from a centralised service centre to a more decentralised set-up, which gives greater autonomy (with appropriate governance and controls) on the level of risk the balance sheet is exposed to.
Reputation at Risk
The demand for granular financial and risk data and analysis has exploded since the crisis, not only due to the new regulations, but also to help senior management work out where and how future profitable opportunities will arise in this challenging environment. These dual requirements places a tremendous amount of pressure on both chief risk officers (CROs) and chief financial officers (CFOs), along with treasurers, all of who are critical members of the asset-liability committee (ALCO) on how reporting is generated out of the many disparate systems that proliferate across an institution.
One only has to review the updated COSO internal control – integrated framework to see the significance of why a stronger governance framework around financial reporting is vital to supporting the institution’s business model.
The regulatory tone, going forward, will not just be about producing and submitting the final financial and risk ratios and ticking the compliance box, but evaluating the veracity of the process or processes that produced that analysis. With so many variables in play that need to be actively governed across the institution, the reputational damage of having to restate a critical regulatory submission will be viewed dimly. Not only will the supervisory authority at home and elsewhere pass judgement but also the market, where the natural reaction would be to pull back how much exposure and support it is willing to extend.
In order to derive the benefits of an ERM framework to deliver superior finance and risk management, an institution needs to have in place a clear and scalable solution; an infrastructure that evolves with the business and accommodates and embraces the internal and external dynamics of is operating model, thus providing a long-term environment in which to manage all finance and risk activities. Above all, it should offer complete visibility and control of finance and risk data, irrespective of where this data is sourced from. This point cannot be overstated.
For institutions, data is the key to effective compliance, financial and risk management. Those organisations that can easily access, accurate and complete data at the right time as part of their ERM framework are the ones that will be able to able to better compete and realise their strategic objectives.