November 2007 — PRINT EDITION    
 

A critical function

By Yves Nadeau

While companies have always managed risks, today there’s a more formally structured approach

The concept of risk is inherent to business. Everyone knows that no risk equals no return. But considering the wide range and complexity of risks to which companies are exposed, it is not surprising that business people are seeking appropriate infrastructure and useful tools to effectively manage these risks. They may find the task made even more difficult by the numerous daily challenges they face, which can often be complicated by the marketing of new products, a reorganization, the implementation of a new computer system or additional compliance requirements imposed by the audit committee or regulatory authorities.

What is ERM?
The US-based Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management (ERM) as a “process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” In other words, with ERM, strategies, human resources, processes, technology and knowledge are aligned to manage company-wide risks.

Why use ERM?
ERM offers CEOs a solution based on a continuous process and the implementation of proven management tools. Applying ERM keeps them well informed of all enterprise risks and of their impact, making it possible to set priorities for action. ERM allows companies to:

  • reduce unacceptable performance gaps by establishing a risk impact and probability assessment process and proposing solutions;
  • eliminate compartmentalization (the silo mentality) if present within the organization and provide its leaders with a global vision of risk;
  • react appropriately to changes in the business environment by promoting a proactive attitude required to identify, understand and adapt to emerging risks;
  • properly align all its resources to manage risks, control costs and ensure compliance;
  • take risks and manage them effectively, which gives the company a competitive advantage and better prepares it to take advantage of opportunities; and
  • strengthen corporate governance and increase stakeholder and regulator confidence.

ERM today
Companies have always managed their risks, but for the past 10 years, ERM has offered a more formally structured approach to this critical function. The proliferation of corporate fraud scandals, the increase in terrorist acts and the requirement for companies to comply with Sarbanes-Oxley or its Canadian equivalent help explain the heightened level of interest in this discipline. The Conference Board of Canada conducted a survey of 81 Canadian entities and five US entities consisting of government agencies (25%), public companies (23%), Crown corporations (21%) and others (31%). The board found that while 87% of the entities surveyed had an ERM framework and 61% a risk management group, only 54% of these entities had set aside an annual budget for this purpose. More alarmingly, only 38% considered themselves effective in identifying and managing risk.

There is no single solution for applying an ERM framework (please see chart on page 60). Half the entities surveyed use a customized or hybrid ERM framework. Many (37%) use recognized models such as COSO’s, Australian Standard 4360 or other formal frameworks. The policies, processes, skill set, reports, methodologies and systems that make up the solution may differ from one entity to the next, as the objectives, strategies, structure, culture, risk appetite and financial position of each company are different. Nevertheless, the most effective ERM approaches seem to be those that focus on senior management’s active involvement, the establishment of an ERM infrastructure, thorough risk analysis and continuous process improvement.

ERM implementation
Implementing the process described in the diagram above, “Implementing ERM,” may take three to five years. This four-stage process consists of assessing risk, analyzing the current situation, determining the desired state and developing an action plan. To be successful, the process must be implemented across the enterprise at every level and in each operational unit. This requires a comprehensive view of all risks, and senior management will often choose to assign the role of risk management coordinator to the CFO while awaiting infrastructure rollout.

Risk assessment
Companies should first identify and prioritize the risks that will have an impact if they materialize. They need to determine whether these risks represent opportunities or can adversely affect their ability to implement their strategy and meet their objectives.

Many different techniques can be used to identify risks. These include discussions with employee groups, facilitated workshops, questionnaires and surveys, as well as process flow analysis. A number of commercially available software programs may also be useful in identifying and calibrating risk.

Priority will of course be given to the risks that are most severe and most likely to occur. The risk map on page 62 illustrates the impact level of the main risks faced by companies and their likelihood of occurring. This is the most commonly used tool for identifying and prioritizing risks.

Experience shows that the most significant risks are those pertaining to customer satisfaction, computer security, competition, the regulatory environment and employee turnover.

During a recent seminar on enterprise risk management, Jean-Marc Eustache, president and CEO of Transat AT Inc. and a leader in ERM, told participants that Transat had identified about 100 structural and cyclical risks grouped into several categories, namely strategic, operational, financial and compliance risks. To identify priority issues, Transat mapped out all these risks and awarded points to each based on the severity of potential consequences and their probability of occurring. Eustache said from a strategic point of view, one of the greatest risks for any tour operator is not being able to adapt to market changes: “International tourism functioned according to a fairly predictable model. Twenty years ago, most travellers were North American, British or German. There were no Russians, Chinese or anyone from the Eastern bloc. That’s something that changed quickly.” In short, Transat was able to adjust to industry shifts.
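The scoring-and-mapping step described above, as an added worked example (not code from the article, from Transat or from COSO): a small risk register with constructed entries is scored by impact times likelihood, placed on a 5-by-5 risk map, ranked, and compared with an assumed risk appetite threshold. The register entries, the 1-to-5 scales, the zone thresholds and the appetite value are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample risk register (assumption, not data from the article):
# (name, category, impact 1..5, likelihood 1..5)
RISK_REGISTER = [
    ("Customer dissatisfaction", "strategic", 4, 4),
    ("Data breach of customer records", "operational", 5, 2),
    ("New competitor enters market", "strategic", 3, 3),
    ("Regulatory non-compliance", "compliance", 4, 2),
    ("Key employee turnover", "operational", 3, 4),
    ("Currency fluctuation", "financial", 2, 5),
    ("Office supply price increase", "financial", 1, 3),
]

# Assumed risk appetite: any risk scoring above this needs an action plan.
RISK_APPETITE = 9


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    impact: int      # 1 = negligible .. 5 = catastrophic (assumed scale)
    likelihood: int  # 1 = rare .. 5 = almost certain (assumed scale)

    @property
    def score(self) -> int:
        """Points awarded = severity of consequences x probability of occurring."""
        return self.impact * self.likelihood


def load_register(rows: List[Tuple[str, str, int, int]]) -> List[Risk]:
    """Validate the register so an out-of-scale entry cannot distort the ranking."""
    risks = []
    for name, category, impact, likelihood in rows:
        if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
            raise ValueError(f"{name}: impact and likelihood must be in 1..5")
        risks.append(Risk(name, category, impact, likelihood))
    return risks


def zone(risk: Risk) -> str:
    """Colour zone on the risk map. Thresholds are assumptions for illustration;
    a catastrophic impact is treated as high regardless of likelihood."""
    if risk.score >= 12 or risk.impact == 5:
        return "high"
    if risk.score >= 6:
        return "medium"
    return "low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank by score, breaking ties in favour of the more severe consequence."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def beyond_appetite(risks: List[Risk], appetite: int = RISK_APPETITE) -> List[Risk]:
    """Risks that exceed the stated appetite and therefore need a response."""
    return [r for r in prioritize(risks) if r.score > appetite]


def risk_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by (impact, likelihood) cell of the 5x5 map."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        grid.setdefault((r.impact, r.likelihood), []).append(r.name)
    return grid


def render_risk_map(risks: List[Risk]) -> str:
    """ASCII heat map: rows are impact (5 at top), columns likelihood (1..5);
    each cell shows how many risks sit there."""
    grid = risk_map(risks)
    lines = ["impact \\ likelihood  1  2  3  4  5"]
    for impact in range(5, 0, -1):
        cells = [str(len(grid.get((impact, lk), []))).rjust(2) for lk in range(1, 6)]
        lines.append(f"        {impact}           " + " ".join(cells))
    return "\n".join(lines)


def by_category(risks: List[Risk]) -> Dict[str, List[Tuple[str, int]]]:
    """Cross-silo view: every category's risks with their scores, highest first."""
    out: Dict[str, List[Tuple[str, int]]] = {}
    for r in prioritize(risks):
        out.setdefault(r.category, []).append((r.name, r.score))
    return out


if __name__ == "__main__":
    register = load_register(RISK_REGISTER)
    print(render_risk_map(register))
    for r in prioritize(register):
        print(f"{r.score:>2}  {zone(r):<6}  {r.category:<11}  {r.name}")
    print("Beyond appetite:", [r.name for r in beyond_appetite(register)])
```

The cross-category view is the point of the silo argument made earlier in the article: a financial risk and an operational risk end up on the same scale, so senior management can compare them rather than seeing each unit's list in isolation.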

Other implementation steps
Once the risks have been identified and prioritized, the company’s current situation needs to be evaluated to determine its ability to manage the most serious risks. The company’s future situation should then be addressed, which means determining risk management goals. An analysis of the differences between the current and future situation will enable the company to develop an action plan targeting the selected priority risks. The following should also be considered:

  • The greater the difference between the current and future situation, the stronger the ERM infrastructure will need to be;
  • It is better to begin by addressing only one or two priority risks.

The company’s ERM vision, the goals and objectives of each business unit and of the organization as a whole, as well as monitoring and reporting measures, should be defined concurrently.

Typical weaknesses
There are a number of weaknesses in ERM strategies:

  • It can be difficult to gain management acceptance and support.
  • Risks are often managed in silos, resulting in decisions that are not always adequately coordinated.
  • The duties and responsibilities assigned to individuals in charge of managing specific risks are sometimes unclear.
  • Potential risks may be identified and managed as they arise, which has the potential to result in a reactive approach and short-term solutions.
  • There is often little awareness of risks because of limited communication between levels of management and among functional groups.
  • Risk management sometimes focuses only on material losses or compliance with regulatory requirements.
  • Risk management activities may not be prioritized or related to the company’s strategy or sources of value.

The secret of success
Many of today’s top companies have succeeded in creating and promoting a risk management culture. Successful ERM implementation depends on a top-down approach. To remain competitive and take better advantage of opportunities, senior management must set the tone in terms of risk management and promote a risk management culture within the organization. Individual functional groups, on the other hand, must take responsibility and be held accountable for identifying and managing risks in their own spheres of activity.

As a first step, the CFO could take on the role of risk management coordinator and work closely with all functional groups to provide senior management with an accurate assessment of risks. Once the ERM infrastructure has been established, a separate risk management coordinator function may be created, which could become a key function for many enterprises.


Yves Nadeau, CA, is a partner, assurance and risk management group, with RSM Richter LLP in Montreal, and CAmagazine’s Technical editor for Assurance