As we continue our organizational introspection, we cover the foundational components of enterprise risk management (ERM) and their supporting principles: Governance & Culture and Information, Communication & Reporting. In tackling the principles, let’s be guided by key questions we ought to ask ourselves.
GOVERNANCE & CULTURE: DEFINING ACCOUNTABILITIES, STRUCTURES AND HUMAN CAPITAL FOR RISK MANAGEMENT
How does the Board oversee strategy development, execution and risk management?
True to its all-encompassing nature, corporate governance comes first to establish the framework of “stewardship and control” for the organization. Leading the drive towards good corporate governance is the Board, which advocates long-term organizational sustainability to address the interests of its stakeholders. In the Framework’s context, Board refers to the organization’s governing body (e.g. board of directors, partners or owners). The Board is primarily responsible for overseeing strategy development, execution and enterprise risk, while management handles day-to-day responsibilities. Regardless of the structure adopted, there should be a clear directive allocating risk accountability and responsibility between the Board and management.
Having ultimate accountability for risk oversight, the Board should collectively have the skills, experience, and knowledge of the organization that allow it to understand the business environment, the strategy, and the attendant risk exposures. Specialist knowledge (such as emerging technologies or industry expertise) also allows Boards to guide management and ask the right questions on relevant issues. The Board should also be independent, so that it has the objectivity to “challenge” management’s decisions, performance, and responses to risk. With this wealth of business knowledge and breadth of perspective, the Board can assess and guide the organization on the suitability of ERM and on specific focus areas.
How effective are the organization’s operating structures to support strategy and achieve business objectives?
Responsibility for ERM does not reside with a single organizational group or function. It is a common misconception that in organizations with a dedicated “risk management function/unit” or a chief risk officer (CRO), that unit or officer is primarily responsible for managing risk. In fact, everyone in the organization is responsible for risk management, although in varying forms and degrees. These responsibilities should be clearly reflected in the operating structures (e.g. functional, geographical, or legal-entity segmentation) and reporting lines (e.g. direct or matrix reporting) that management implements.
How does the organization define the desired behaviors that drive the desired culture?
The organization’s attitude and perspective toward risk are largely shaped by its culture: the reflection of the core values, behaviors, and decisions of its members. Culture also results from, among other things, how the Board and management define expected behavior, the parameters for exercising judgment, and the interaction between individuals of varying personal backgrounds and organizational roles. These factors place the organization somewhere on a spectrum with “risk-averse” at one end and “risk-aggressive” at the other: that is, how much and what type of risk the organization expects its members to accept in order to achieve its strategy and business objectives.
How does the organization demonstrate commitment to the corporate core values?
We usually hear the concept of “tone at the top” used to describe how organizational leadership establishes and communicates expected behavior; it is a core component of the control environment. Similarly for ERM, “tone” relates to how corporate core values are communicated across the organization. This gives its people a consistent understanding of the core values, business drivers, and desired behavior, which in turn drives risk awareness and the consideration of risk in decision-making. Together with the core values, the concepts of management and individual accountability for managing risk are reinforced. Likewise, management should promote open communication and transparency on risk exposures and on the risk implications of actions. Last, any deviation from these expectations (usually embodied in the “code of conduct”) should be addressed in a timely manner against a clear set of considerations. This demonstrates the organization’s commitment to enforcing acceptable behavior and correcting unacceptable behavior.
How is human capital built and developed to align with strategy and business objectives?
Any organizational program’s effectiveness hinges largely on the capabilities and culture of the people implementing and managing it. The same is true of ERM. Management should define the appropriate combination of knowledge, skills, capabilities, and experience that its people need to carry out their responsibilities and contribute to achieving business objectives. With the help of the human resources function, human capital can be managed across the full cycle: recruiting the right individuals, developing their capabilities to meet performance requirements, and retaining them for continuity and succession. Specific considerations likewise include striking the right balance between rewarding performance and addressing pressure.
How does the organization leverage information and technology systems to support ERM?
In the digital age, information is growing exponentially. The challenge shifts to identifying the data relevant for decision-making and performance/risk monitoring, knowing how to source such data, and processing it into useful information. Underlying considerations also include data quality and currency. Organizations should define a framework for data identification, processing, presentation, quality, and controls in order to generate timely, accurate, and relevant information. Existing systems and processes provide the preliminary infrastructure to make this happen. However, depending on the nature and complexity of the business and its data, organizations may implement other tools. Examples include governance, risk and compliance (GRC) applications that provide dashboards and reports, and even artificial intelligence (AI) to facilitate the analysis of voluminous data and to support decisions.
How are communication channels utilized to support enterprise risk management? How is organizational risk, culture, and performance reported?
Risk reporting currently focuses on the Board and management, during the periodic Board or committee meetings. Risk reports try to answer the questions “What are my risk exposures?” and “What should I think or worry about?” The level of detail likewise varies from “information overload” to too little. To balance these requirements and this variability, organizations should define the responsibilities for disseminating risk information (who needs to know what), the amount of information each recipient requires, and the channels to be used (e.g. formal meetings, town halls, third-party materials). Addressing these considerations aligns the information requirements of the various stakeholders (whether internal or external) with the corresponding actions they need to take with regard to risk.
TAKING STOCK AND MOVING FORWARD
Considering the renewed focus on culture (environment and expectations) and capabilities (knowledge and skills) in implementing practices, organizations at varying levels of ERM maturity should leverage the new COSO ERM Framework for different purposes:
• For organizations with existing ERM: look into the supporting principles as the foundation. They may already be in place as part of previous ERM efforts, but are they sufficient? Are they fit for the organization’s purpose? Are they integrated, with the components working together?
• For organizations with disparate or no established ERM: review the strategic direction and use the organizational vision, mission, and values as guides in assessing the applicability and implementation of an ERM framework. Surely there are bits and pieces in place, but they need to be integrated into a coherent framework.
ERM is not a totally new idea, but it warrants a refreshed look at our organizations. We may need to adjust the lens we use to see a different side of things. Understanding our organization and finding our core jumpstarts the journey to achieving objectives and enhancing value.
The content is for general information purposes only, and should not be used as a substitute for specific advice.
Alvin Dave M. Pusing is a senior manager with the Risk Consulting practice of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd., a Philippine member firm of the PwC network.