Creating Effective ERM Program
- By: Staff Editor
- Date: March 02, 2016
- Source: ComplianceOnline
Enterprise Risk Management: 5 Best Practices to Establish an Effective ERM Program
The variety and complexity of risks facing today's organizations are increasing due to emerging technologies, globalization, and increased compliance obligations. The financial market breakdown of 2007/08 has emphasized the importance of risk management in creating and protecting stakeholder value. As the economy continues to struggle, the focus of stakeholders has shifted from simple risk management to overall Governance, Risk and Compliance (GRC). The Dodd-Frank Act and the focus on FCPA, along with whistleblower rules, are examples of why firms should focus on more holistic approaches to their GRC and Enterprise Risk Management (ERM) programs.
What is ERM?
ERM is an ongoing process designed to identify and assess potential events affecting the entity and manage risk within its risk appetite. ERM offers a more holistic approach uniting every level and unit within an organization to anticipate and manage risk better.
Why Do We Need ERM?
Traditional risk management strategies from a decade ago focused entirely on segmenting and compartmentalizing risk to fit into its own nook. This approach is no longer appropriate, particularly due to the interdependence of functionalities that are spread across multiple regions and business divisions. What is needed today is an integrated, enterprise-wide approach to risk management, with systems and processes that are geared to continuously assess, monitor and report on highly regulated, business-critical programs.
ERM moves away from an ad hoc approach to risk management and towards a more structured enterprise-wide view of risks. It helps an organization manage risk well within its risk appetite, and provides reasonable assurance regarding the achievement of organizational objectives.
How to Establish an Effective ERM Program?
ERM is now the hallmark of a good compliance program. Consequently, it is important to know how to create an effective ERM program. The following are the recommended best practices for establishing an effective ERM program:
1. Conduct an enterprise risk assessment: The first step in building an effective program is to conduct an enterprise risk assessment including all stakeholders. Risk assessment requires qualitative and quantitative techniques prioritizing the significance, likelihood, and timing of risk events so that the various risks can be rolled up effectively.
Here are a few benefits of conducting risk assessments:
- Identify business objectives which may not be achieved due to current level of risk exposure
- Recognize top risks which may need management attention
- Identify changes in level of risk exposure
- Ascertain strengths and weaknesses within the current control environment
- Identify new/emerging risks which may need further risk treatments
- Recognize risk treatments (e.g. controls) which may no longer be required
2. Articulate risk management vision: It is important to understand the goals, plans and strategies of the company and to manage the risk that affects those plans and strategies. Hence it is essential to identify risk management capabilities. Organizations should have a holistic risk management plan, and it has to include risk policies, processes, oversight and reporting.
3. Identify key risks and address them: Identify the key risks including credit, market, operational, strategic etc. that need to be addressed. Once the risks are picked:
- Create the control and ensure the proper program is in place for these risks
- Test the program using internal auditors or external auditors to ensure that it works
- Finally evaluate the program for success and make appropriate changes if required.
4. Expand the program for other risks in order of priority: The next step is to implement the program in order of priority of the risk. The key components of a risk management program are:
- Internal controls
- Process for monitoring, testing and auditing the program
- Involvement of risk managers
- Senior management control
- Board oversight independent of management
5. Develop risk monitoring and reporting process: The key risks that were identified and prioritized must be monitored and reported periodically to executive management and the board of directors to keep track of the ongoing risk management process.
The best practices described above help establish a successful ERM program to drive business performance and build the confidence of the investment community and stakeholders.