Enterprising Views of Risk Management: Businesses Can Use ERM to Manage a Wide Variety of Risks
EXECUTIVE SUMMARY

* ENTERPRISE RISK MANAGEMENT (ERM) IS A STRATEGY organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront. ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers.

* ERM HAS GIVEN RISE TO A QUESTION: Who should head the risk management process--internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with.

* USING ERM ENABLES AN ENTITY TO ASSESS risk across the enterprise instead of looking at it on a per-project basis. It also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and allocate resources appropriately.

* TO EXTRACT RISK DATA, MANY ORGANIZATIONS use business intelligence software. Many packages feature "traffic-light" systems that show a red light if risk exceeds acceptable levels. The chief risk officer then can "drill down" to see the reasons and make more informed decisions.

* OVERALL RESPONSIBILITY FOR ENTERPRISE RISK is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization's risk management and control systems.

Industry insiders tout enterprise risk management (ERM) as the most effective strategy an organization can use to manage a plethora of risks, running the gamut from strategic, market, credit, operational and financial exposure to the daunting array of man-made and natural disasters. New ERM committees led by chief risk officers identify, quantify and monitor these risks via a holistic, portfolio-based management system.
However, new internal audit standards from the Institute of Internal Auditors (IIA) (www.theiia.org) may change the paradigm; they require internal auditors to assume responsibility for monitoring enterprise risk, creating tension in some organizations over who is in charge. CPAs with internal audit or risk management responsibilities can use this article to determine whether ERM is a strategy that will benefit their organizations and who should be responsible for overseeing risk management.

ERM BASICS

The difference between ERM and more traditional ways of managing risk (see the exhibit on page 68 for more details) is that ERM calls for high-level oversight of a company's entire risk portfolio rather than for many different overseers managing specific risks--the so-called silo or stovepipe approach. ERM, in effect, centralizes management under a chief risk officer or ERM committee who manages the individual overseers to help identify overall how much risk the entity can tolerate, assess mitigation tactics and otherwise take advantage of risk opportunities.

The idea of viewing risk as an opportunity may surprise some CPAs. ERM adherents explain that absorbing, hedging or transferring risk requires capital--dollars a business might otherwise direct to other, more productive and profitable endeavors. "Since entities must hold capital to absorb the risk of loss, there is less to invest in other profit-producing activities," explains Peter Nakada, executive vice-president of ERisk, a New York-based ERM consulting firm and software provider. "ERM helps determine the right amount of capital companies should direct toward risk."

How does ERM help a company arrive at this figure? It's done by gathering or otherwise polling risk overseers to determine the threats to the organization, the financial impact and the effectiveness of risk mitigation options. "The goal of the process is to determine the appropriate amount of capital you need. …