The release of the updated Enterprise Risk Management (ERM) Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2017 formally heralded the evolution of the traditional risk management mindset, wherein risks are managed as a consequence of business operations, towards a more proactive stance for managing risks. Entitled “Enterprise Risk Management — Integrating with Strategy and Performance,” the updated Framework highlights the importance of considering risks even at the onset of strategy setting, as well as throughout the process of driving organizational performance.
RESHAPING THE ERM LANDSCAPE
It is now close to a year since the publication was released and the Framework has been gradually reshaping how business leaders talk about risk. There is greater awareness among these leaders of the relationship between risk and value — that there is more to it beyond mere value protection. In fact, risk management, when properly embedded into the organizational DNA, can potentially result in value creation.
It must also be said that there has been a renewed effort by Philippine regulators to further promote the importance of enterprise risk management as a tool for the continued sustainable growth of the Philippine business environment. Financial institutions falling under the supervision of the Bangko Sentral ng Pilipinas (BSP) would most likely think of BSP Circular 971: Guidelines on Risk Governance, which requires banks and nonbank financial institutions alike to establish their own enterprise-wide risk governance framework with the ultimate goal of ensuring that these institutions possess risk management capabilities that are commensurate with their size, complexity, risk profile and systemic importance. Publicly listed companies, on the other hand, may be more familiar with Principle 12 of the 2016 Code of Corporate Governance for Publicly-Listed Companies issued by the Securities and Exchange Commission (SEC), which similarly requires these companies to have an enterprise risk management framework to help sustain safe and sound operations as well as implement management policies to attain corporate goals.
ANTICIPATING THE FUTURE OF ERM
As the understanding of risk continues to grow deeper and the practice of risk management becomes even more widespread, we can naturally expect the future to bring along even more changes to the field of ERM.
• Business leaders, having realized the potential that comes with unlocking the value of risk and supporting this with appropriate risk management practices, will seek to maximize the value that they can reap from their business strategy by crafting carefully calibrated risk and reward objectives. To this end, they will look into employing more sophisticated tools and technology to generate accurate information in a timelier manner.
• Shareholders and investors, on the other hand, will continue to hold these leaders accountable for the protection of their investments, as well as demand a reasonable amount of return on their invested funds. To allow for more informed decision making, an increasingly educated investing public will further drive demand for quality information, thereby requiring management to provide more comprehensive disclosures on how it manages risks.
• Regulators and standard-setters are expected to follow suit with even more detailed and comprehensive guidelines on risk management to ensure and promote market stability.
• People/employees comprise one of the largest key stakeholder groups of the organization who will be greatly affected by changes in existing processes owing to the deeper integration of core risk management principles into the corporate strategy and day-to-day operations. Consequently, they will require more comprehensive and detailed guidance on how to best execute their duties and functions whilst maintaining the proper risk mindset.
Considering the link between risk management, strategy and performance, as well as looking at these anticipated developments, we can clearly see that risk management holds a very important place in the organizational agenda for 2018 and even beyond.
So now, the key question is: how should your organization go about implementing ERM?
FORGING AHEAD WITH ERM
Having helped organizations with their ERM implementation, I can say with conviction that there really is no single way to implement ERM across organizations that are all inherently unique. For ERM implementation to be successful, it needs to be tailor-fit to the specific needs and circumstances of a specific organization.
As Dennis Chesley (PwC Global Risk and Regulatory Consulting Leader) aptly put it: “Risk management is as much an art as a science — in many ways it’s the nuances that are the most critical factors in both success and risk management.” This is also precisely why, rather than creating a checklist or template that would restrict how organizations apply the various ERM principles and concepts, COSO and PwC decided to create what is called the Compendium of Examples. The Compendium contains nine illustrative case studies that show how organizations across various industries and of varying types and sizes might choose to apply the principles and concepts of ERM. Each of these examples was developed from research into real-world industry practices, as well as interviews and conversations with risk professionals, C-suites and boards on enterprise risk management.
While having a good reference on hand is especially helpful, the key to unlocking the full benefits of ERM implementation lies in people. Organizations must appoint competent people to key management positions and must be aware of how they can leverage the vast wealth of knowledge and experience held by these individuals. In addition to competence, the value of creativity and innovation should also not be discounted.
The leaders of the organization need to be able to apply the principles of the ERM Framework in a manner that best complements the strategies, business, risks and opportunities of the entity. Beyond that, I think we can all agree that there is nothing more important to any implementation initiative than the support of management. At the same time, the proper risk management mindset should be instilled into employees. The process of implementing risk management, after all, is a collaborative effort that requires both the capability and willingness of all members of any organization to be successful.
The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd. The content is for general information purposes only, and should not be used as a substitute for specific advice.
Rochelle C. Dichaves is a senior associate with the Risk & Regulations Consulting practice of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd., a Philippine member firm of the PwC network.