Recent events such as the massive trading losses at Societe Generale, the subprime lending crisis and product recalls associated with Mattel's international toy manufacturing operations continue to shock financial markets and negatively impact shareholder value.
These events have also fostered rising expectations for boards of directors to exert greater oversight of their organizations' risk management processes, leading in turn to the growth of enterprise risk management (ERM) as a strategic planning tool.
Not only are key stakeholders pressuring boards to get a better handle on management's process for identifying, assessing and responding to specific risks, but stakeholders are also expecting boards to more effectively anticipate far-horizon risk exposures and to continually monitor those risks to ensure that strategic and operational decisions remain aligned with the organization's risk appetite. In response, more companies are turning to ERM.
BOARD'S ROLE IN RISK OVERSIGHT
Deloitte's Global Risk Management Survey (5th edition) reports that 70% of financial institutions participating in the survey place oversight responsibility for risk management with the board of directors, up from 59% in 2004 and 57% in 2002. This increase was due in part to emerging regulations, such as the New York Stock Exchange's 2004 Final Corporate Governance Rules that require audit committees to discuss and monitor risk management processes and Standard & Poor's 2007 proposed scoring of ERM quality as part of the rating agency's credit evaluations (see description in Exhibit 1).
Boards are also beginning to embrace their responsibility for oversight of various enterprise risks. In the process, many are finding that better risk intelligence is a significant aid to their strategic planning responsibilities. The Conference Board's 2006 report, The Role of U.S. Corporate Boards in Enterprise Risk Management, found that a majority of boards believe strategic risks pose the greatest threat to the company and that more risk intelligence would be helpful to them when considering risk/return trade-offs as they evaluate various strategic alternatives.
DELEGATION TO AUDIT COMMITTEES
In many companies, boards are assigning the additional task of risk oversight to the audit committee, despite the audit committee's already lengthy list of responsibilities related to financial reporting and the internal/external audit function. Not only are audit committees being charged with overseeing management's risk policies and guidelines, they are also being asked to discuss with management the enterprise's key risk exposures - including those beyond financial reporting related risks. The Conference Board's recent analysis of Fortune 100 audit committee charters found that 66% place risk responsibility on the audit committee, in manners similar to the examples illustrated in Exhibit 2 for Reynolds American, MasterCard Incorporated and Harley-Davidson.
Audit committees (or other board committees) charged with risk oversight are placing demands on management for more information about risk management processes and for up-to-date information about management's assessment of key risk exposures. Chief financial or accounting officers are often taking the lead in risk management efforts internally. The Conference Board's 2006 report, based on interviews of board members of U.S. public companies, found that the CFO was the executive most frequently cited by directors as being responsible for informing the board on risk issues - with more than 70% reporting this relationship. However, in growing numbers, organizations are creating chief risk officer (CRO) positions to serve as the risk leader or "champion," while others are creating executive-level risk committees composed of the CFO, CRO, general counsel, executives in charge of strategy and internal audit, or other key business unit leaders.
FORMALIZING RISK MANAGEMENT PROCESSES
The volume and complexities of risks affecting the enterprise continue to expand, and boards and senior executives are increasingly feeling the pressure to respond. In fact, Ernst & Young's 2006 report, Board Members on Risk, finds that 72% of board members surveyed believe that the overall level of risk that companies face has increased in the past two to three years, with 41% indicating that the overall level of risk has increased significantly. Executives and their boards are realizing that the days of managing risks informally or on an ad hoc basis are no longer acceptable and that their current controls are inadequate in today's rapidly evolving business world. This is consistent with IBM's Global CFO Study 2008, which reported that 62% of enterprises with revenues over $5 billion have encountered a major risk event that substantially affected operations or results in the last three years, and nearly half (42%) stated that they were not adequately prepared.
In response, many boards have adopted ERM as a process to develop a more robust and holistic top-down view of key risks facing the organization. To help boards and management understand the critical elements of an enterprise-wide approach to risk management, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued in 2004 its Enterprise Risk Management - Integrated Framework that outlines eight critical components of effective enterprise risk management (see exhibits 3 and 4).
While the embrace of ERM is largely in response to emerging expectations for greater risk oversight, recent data from the IBM study find that entities that outperform their peers are more likely to have developed a more formal risk management process. Proponents of ERM stress that the goal of effective ERM is not to lower risk. Rather, ERM is designed to more effectively manage risks on an enterprise-wide basis so that stakeholder value is not only preserved, but enhanced. ERM allows the board and management team to make more holistic "risk-intelligent" strategic decisions.
As boards and executives focus on the ERM process, they are thinking more about risks affecting the company as a whole. This is different from traditional approaches to risk management where management typically assigns risk oversight responsibilities to individual functions or business units (often referred to as "silos"). The result of a silo approach is that risks are often managed inconsistently or according to each manager's personal tolerance for risk. More importantly, while risks may be managed within an individual business unit to acceptable levels, those risk responses may unknowingly increase or create risks for other units within the organization. In the end, when risks are managed in silos, the result is often an increase (rather than reduction) in net risk for the enterprise.
SENIOR EXECUTIVE LEADERSHIP IN RISK MANAGEMENT
Because an ERM approach to risk management involves a top-down view of risks, leadership from senior executives is a critical component to an effective ERM process. Those who have started down the ERM path can attest to the reality that the embrace of a holistic view of risks, where risk information is shared transparently across silos within the organization, requires a significant change in culture or mind-set of leaders within the enterprise. As employees throughout the organization are held accountable for the ownership of risks within their areas of responsibility, senior executives need to reinforce the importance of embracing this new mind-set toward a more transparent, enterprise-wide view of risk management.
The CFO is uniquely positioned to lead the overall enterprise risk management effort. CFOs are intricately involved in providing an overall view of the enterprise from a financial perspective, which gives them an enterprise-wide understanding of key activities driving both financial and operational performance. Furthermore, they have an established relationship with the audit committee. Thus, as audit committees turn to management to strengthen the enterprise's approach to risk management, they are naturally turning to CFOs to jump-start the process.
CFOs are responding to these new challenges by first designing basic structures for identifying and assessing risks across the enterprise. For many, this begins by defining risk terminology or developing common definitions of key risk concepts so that risk management approaches are implemented consistently across the enterprise. Providing clear definitions of risk terms (including discussion of whether "risk" represents both risk opportunities and risk threats) is often the required first step.
Second, once risk is defined, senior management can then look across the organization to identify potential risk drivers and risk events through surveys, interviews, risk workshops and external risk scanning to generate an inventory of risks affecting the enterprise.
Third, when risks are identified, leaders need to ensure that risks are assessed consistently across the organization. Risk champions at the senior executive level need to develop procedures to govern how risks are to be assessed, not only from a likelihood or probability perspective, but also from an impact perspective in order to prioritize those risks most important for senior executive and board oversight.
Finally, based on risk rankings reflecting probability and impact assessments, management is now in a position to identify those risks with the greatest need for development of an appropriate risk response. Senior executives may then develop key risk indicators that they can include in management information reports to allow for proactive management of these risks on an ongoing basis. Exhibit 5 provides an example of how an entity might define guidelines for probability and impact assessments.
While providing an abbreviated overview of the core elements of an ERM approach, the above discussion illustrates the nature of risk management leadership the audit committee or board is expecting from senior executives. To assist them in developing these procedures, many executives are turning to COSO's Enterprise Risk Management—Integrated Framework to understand in more depth the critical elements of an effective approach to ERM. In addition to the COSO framework, many have found useful the ERM frameworks illustrated in the Australian/New Zealand Standard 4360, Risk Management, and the United Kingdom's Turnbull report, Financial Reporting Council Internal Control: Revised Guidance for Directors on the Combined Code.
INTERNAL AUDIT'S SEAT AT THE TABLE
While the CFO or other senior executives are formally leading ERM efforts, internal audit plays a major role in supporting the process. In many cases, general audit executives who lead the internal audit function have been the first to take the lead in the launch of ERM. In fact, a 2005 study reported in Internal Auditor (conducted by one of the authors of this article) found in a survey of general audit executives that most have informally served as the chief risk officer when the organization had not formally designated an individual to serve in that role. When the entity has a CRO, the study found a great deal of interaction between the general auditor and the CRO, with 77% indicating their interactions range from regular to very close.
While internal audit is naturally involved in risk management activities, an Institute of Internal Audit position paper, The Role of Internal Auditing in Enterprisewide Risk Management, indicates that there are specific roles the internal audit function should and should not assume throughout the ERM process. According to the position paper, internal audit should provide core roles in giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.
But internal audit should not be involved in developing the risk management process for board approval, imposing risk management processes, making decisions on risk responses, managing identified risks, or setting the enterprise's risk appetite. Most argue that internal audit's role should be to monitor the effectiveness of ERM processes designed and implemented by senior management. Direct reporting of the internal audit function's monitoring activities puts audit committees in a position to be more objectively informed about the effectiveness of management's risk management processes, including the accuracy and completeness of risk information they receive directly from senior management.
EXTERNAL AUDIT AS AN INDEPENDENT SOURCE OF KEY RISK IDENTIFICATION
Audit committees are also exerting pressure on their external auditors to share risk information they glean from audits of financial statements and the audit of internal controls over financial reporting for publicly traded entities.
Also, for private companies and not-for-profit organizations, the external auditors are likely to identify key business risks affecting the enterprise in the process of understanding the entity and its environment now required by the Risk Assessment SASs (Statement on Auditing Standards nos. 104-111).
Auditors of publicly traded companies may also identify deficiencies in risk responses as they assess the effectiveness of internal controls surrounding core business processes that affect financial reporting. Proactive audit committees are recognizing the external auditor as a vital source of risk information that can assist them in challenging the completeness of risks identified by management. External auditors are recognizing this need and are responding with greater dialog about key risks when participating in executive sessions with the audit committee.
ERM TAKES TIME—SETTING REALISTIC EXPECTATIONS
While boards and senior executives are rapidly ramping up their risk oversight processes, few entities can claim that they have fully developed ERM processes in place. Most recognize that implementing ERM is an evolutionary process, whereby risk oversight improves over time. In fact, a 2007 Conference Board survey notes that it is fair to think of ERM as being in the "adolescent stage." Most ERM proponents believe there is no "one-size-fits-all" approach. As boards and senior management strive to make real progress toward developing ERM processes into more mature business operating models, they will need to be patient. Immediate success is rare - ERM must be viewed as a long-term cultural change, and realistic expectations must be established for its implementation.
AICPA RESOURCES
Audit Committee Effectiveness Center, www.aicpa.org/audcommctr
Management Accounting Guidelines
Integrating Social and Political Risk into Business Decision Making
The Reporting of Organizational Risks for Internal and External Decision Making
Identifying, Measuring and Managing Organizational Risks
All Management Accounting Guidelines may be downloaded for free at http://fmcenter.aicpa.org/Resources/Management+Accounting+Guidelines/Available+Management+Accounting+Guidelines.htm.
ERM Initiative at North Carolina State University's College of Management, www.erm.ncsu.edu.
- More companies are placing oversight responsibility for risk management with the board of directors. While embracing this responsibility, boards are also finding that better risk intelligence is a significant aid to their strategic planning responsibilities.
- In many companies, boards are assigning the additional task of risk oversight to the audit committee. Audit committees (or other board committees) charged with risk oversight are placing demands on management for more information about risk management processes and for up-to-date information about management's assessment of key risk exposures.
- The volume and complexities of risks affecting the enterprise continue to expand. In response, many boards have adopted ERM as a process to develop a more robust and holistic top-down view of key risks facing the organization.
- Because an ERM approach to risk management involves a top-down view of risks, leadership from senior executives is a critical component to an effective ERM process. The CFO is uniquely positioned to lead the overall enterprise risk management effort.
- Most experts argue that internal audit's role should be to monitor the effectiveness of ERM processes designed and implemented by senior management.
- Audit committees are also exerting pressure on their external auditors to share risk information they glean from audits of financial statements, and the audit of internal controls over financial reporting for publicly traded entities.
- Implementing ERM is an evolutionary process, whereby risk oversight improves over time.
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and director of the ERM Initiative at North Carolina State University's College of Management. Bruce C. Branson, Ph.D., is the associate director of N.C. State's ERM Initiative and teaches undergraduate and graduate courses on topics related to financial risk management. Bonnie V. Hancock is the executive director of N.C. State's ERM Initiative. Their e-mail addresses are firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org, respectively.