Successful Enterprise Risk Management (ERM) Programs 

ERM is a management technique designed to identify, quantify, manage and mitigate risk.
ERM programs are uniquely customized to fit each company.
A company must have three principles working together to successfully implement an ERM program. See the chart below for ERM Principles for Success.

Our Enterprise Risk Management Group helps identify and monitor your company's business and market risks.


The Review - Fall 2009 - The Building Blocks of a Successful Enterprise Risk Management (ERM) Program

October 01, 2009

Kevin Sullivan CPA, MBA
Senior Manager, ERM Group


Jerry Ravi CPA, CISA
Senior Manager, ERM Group

This is the first article of a six-part series focusing on the concept of ERM and how companies are addressing the issue of risk assessment in their overall strategy.

ERM is a management technique / program designed to identify, quantify, manage and mitigate risk per the company's risk appetite / tolerance. ERM programs are uniquely customized to fit each company – there is no band-aid ERM solution or software package that will instantly transform a company without an ERM program into one with an effective ERM program in the short term. Initiating, developing, implementing and monitoring an ERM program as part of a company's strategic plan is remarkably difficult. As the diagram below shows, a company must have three principles working together to successfully implement an ERM program. These principles are talented people, effective processes, and the willingness to share and transfer knowledge throughout the organization.

There are numerous stories regarding the recent financial crisis that illustrate that ERM programs, both effective and ineffective, have been in place for several years at banks, insurance companies, and other financial institutions with varying degrees of success. Now, with rating agencies (S&P, Moody's, and AM Best) on the verge of considering a company's ERM program in determining a company's rating and stability, more and more non-financial services companies are considering ERM and how best to initiate an ERM program.

The tendency of human nature is to be enamored with fancy trends and buzzwords such as Crocs, Hushpuppies, mortgage–backed securities and credit default swaps, and buy into these concepts without fully understanding their implications or effects. The same can be said of ERM; senior executives should be proactive in determining the need for ERM but should not instantly react by insisting on the implementation of an ERM program without giving careful thought as to what risk assessment procedures are already in place.

Setting the Foundation
Before even considering implementing an ERM program, the concept of ERM needs to be understood, embraced and initiated by a company's Board of Directors ("BD") and senior executives. While management is responsible for establishing an entity-level risk appetite, the BD and senior executives need to be aware of and concur with the entity's risk appetite. They need to be apprised of the most significant risks, and whether management is taking appropriate responses.

Company BDs are responsible for establishing the values and governance structure of the company along with ensuring that the company is compliant in regard to laws and regulations imposed by government and industry. Companies that have an effective ERM program in place most certainly comply with other regulatory requirements, such as the Sarbanes-Oxley Act ("SOX").

A frequent saying in the risk management field is "tone at the top," meaning that the BDs and senior executives set the tone for how a company will operate and what it determines to be its core values. To state the obvious for a brief moment, all companies care about risk management. However, some choose to express that care in different ways. In order for ERM to be considered it needs to be made a priority by the people directing the culture and strategy of the organization. The saying, "You are only as strong as the weakest link," most certainly applies here. Companies with poor corporate governance and directors who lack a strong corporate governance track record will not be taken seriously by stakeholders when the topic of ERM is discussed.

In the future it is certain that BDs will become more involved in the risk management aspect of the company they were elected to oversee. Indeed, stakeholders will demand that management produce performance reports and metrics that substantiate the ability of the company to exist in the long term. According to KPMG's 4th Annual Public Company Audit Committee Member Survey, 54% of Audit Committee Members (out of 280 Audit Committee Members surveyed) stated that "the lack of clear delineation of responsibilities of the full board and its standing committees for oversight of significant business risks is a concern."1 

Thinking Ahead
Executives and directors need to take action and evaluate the need for an ERM program. The understanding of ERM and how it can be effectively utilized is paramount to its success. Other factors, such as the incentive structure, the amount of funds available for ERM allocation (if necessary) and organizational challenges also need to be considered throughout the ERM evaluation process and will be addressed in future articles.

EisnerAmper has developed key strategic alliances within the ERM universe to ensure that risk is considered when determining an organization's strategic direction, performance appraisals and compliance with applicable laws / regulations.

EisnerAmper has expertise in continuous controls monitoring that can be used to ensure your understanding of the risk drivers remains current. EisnerAmper can also help you evaluate whether you measured the risk correctly and assigned it an appropriate strategy.

1 "The Audit Committee Journey: Recalibrating for the 'New Normal' – 2009 Public Company Audit Committee Member Survey," KPMG's Audit Committee Institute and National Association of Corporate Directors, 2009.
