
Enterprise Risk Management (ERM)

Geodita Woro Bramanti, ST, MEngSc


OUTLINE

• INTRODUCTION

• WHAT IS ENTERPRISE

• WHAT IS RISK

• DEFINE ERM

• BENEFITS OF ERM

• ERM STRUCTURE

• KEY QUALITIES OF AN EFFECTIVE ERM

• CASE STUDY
INTRODUCTION

• The financial world is not immune to systemic failure, as demonstrated by the Barings Bank collapse in 1995 and the failure of Long-Term Capital Management in 1998.

• In late August 2005 Hurricane Katrina struck, reportedly the costliest natural disaster in US history. Oil production, importation and refining were interrupted. At least 20 offshore oil platforms went missing, sank or went adrift.

• Businesses were suddenly exposed to a surge in energy prices, continuity failures and shipping disruption. Costs of production rose and sales fell.
INTRODUCTION

• Failure to properly understand and manage risk has been cited as the root cause of the global financial crisis of 2007–2010.

• There is no doubt that risk management is an important and growing area in an uncertain world.

Before defining the term “Enterprise Risk Management”, we should know the definitions of enterprise and risk.
WHAT IS ENTERPRISE?

• Enterprise = Organization

• An enterprise is a unit of economic organization or activity, especially a business organization.

• An enterprise is a group of legal vehicles, divisions, business units and so forth that make up an organization.
WHAT IS RISK?

• Risk means “uncertainty” (a distribution of outcomes and their associated probabilities).

• Risk thrives on risk drivers or causes and manifests itself in events that have consequences (or outcomes).
Risk Universe
Risk Drivers & Controls

• Factors that influence the outcome:

1. Risk drivers are factors that increase uncertainty.

2. Controls are factors that are intended to reduce uncertainty or help soften the blow of an adverse outcome.

• Their impact on the distribution of possible outcomes:

NO RISK DRIVER: a certain outcome.

THE PRESENCE OF A RISK DRIVER: a simple distribution of outcomes.

THE DISTRIBUTION OF OUTCOMES AND RISK DRIVERS: the distribution of outcomes is influenced by a different number of risk drivers.
CONTROLS

• Controls are intended to reduce uncertainty or soften the blow.

• Distributions influenced by controls should be taller and narrower than distributions not influenced by controls.

• Controls are measures that are put in place to reduce the probability or severity of an adverse outcome.
INHERENT & RESIDUAL RISK

• Inherent risk is the raw or untreated risk that produces the set of possible outcomes, without controls.

• Controls are the vehicles to mitigate inherent risk; the mitigated risk is known as “residual risk”.

• In the absence of controls, residual risk equals inherent risk.

RESIDUAL RISK

RESIDUAL RISK = INHERENT RISK - IMPACT OF CONTROLS

THE DISTRIBUTION OF OUTCOMES: CONTROLS

Distributions of outcomes including and excluding the influence of controls (inherent and residual risk).

RESIDUAL RISK

• Residual risk should be the main focus of the enterprise risk manager, as residual risk drives the distribution of possible outcomes, and it is that distribution of possible outcomes that management is aiming to understand and manage.
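The relationship between risk drivers, controls and the inherent versus residual distributions of outcomes, as an added Monte Carlo illustration (example code added here, not from the slides or the cited books). The planned profit, the three risk drivers, the controls and their effects are constructed values, and treating the “impact of controls” as the reduction in expected loss is an assumption of the example.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass
class RiskDriver:
    """A source of uncertainty: an adverse event with a probability and a loss."""
    name: str
    probability: float  # chance the event occurs in the period
    severity: float     # loss (in outcome units) when it occurs

@dataclass
class Control:
    """A measure that cuts the probability and/or severity of one driver's event."""
    driver: str
    probability_cut: float = 0.0  # fraction removed from the driver's probability
    severity_cut: float = 0.0     # fraction removed from the loss if it still occurs

def apply_controls(drivers, controls):
    """Return the drivers as they look after treatment (the residual view)."""
    treated = []
    for d in drivers:
        p, s = d.probability, d.severity
        for c in controls:
            if c.driver == d.name:
                p *= 1 - c.probability_cut
                s *= 1 - c.severity_cut
        treated.append(RiskDriver(d.name, p, s))
    return treated

def simulate_outcomes(baseline, drivers, trials=10000, seed=1):
    """Sample the distribution of outcomes: planned result minus realised losses."""
    rng = random.Random(seed)  # fixed seed: identical draws for inherent and residual runs
    outcomes = []
    for _ in range(trials):
        loss = sum(d.severity for d in drivers if rng.random() < d.probability)
        outcomes.append(baseline - loss)
    return outcomes

def summarize(outcomes):
    s = sorted(outcomes)
    return {"mean": statistics.fmean(s), "stdev": statistics.pstdev(s),
            "p05": s[len(s) // 20]}  # 5th-percentile outcome: the bad tail

def risk_profile(baseline, drivers, controls, trials=10000, seed=1):
    """Inherent vs residual view; residual risk = inherent risk - impact of controls."""
    inherent = summarize(simulate_outcomes(baseline, drivers, trials, seed))
    residual = summarize(simulate_outcomes(baseline, apply_controls(drivers, controls), trials, seed))
    inherent_risk = baseline - inherent["mean"]  # expected loss without controls
    residual_risk = baseline - residual["mean"]  # expected loss with controls
    return {"inherent": inherent, "residual": residual, "inherent_risk": inherent_risk,
            "residual_risk": residual_risk, "impact_of_controls": inherent_risk - residual_risk}

# Constructed sample: a planned profit of 100 exposed to three risk drivers.
BASELINE = 100.0
DRIVERS = [RiskDriver("supplier outage", 0.30, 40.0), RiskDriver("key staff loss", 0.10, 25.0),
           RiskDriver("regulatory fine", 0.05, 60.0)]
CONTROLS = [Control("supplier outage", probability_cut=0.5),  # dual sourcing
            Control("key staff loss", probability_cut=0.3),   # retention plan
            Control("regulatory fine", severity_cut=0.8)]     # insurance cover
```

Comparing `risk_profile(BASELINE, DRIVERS, CONTROLS)["residual"]` with the `"inherent"` entry shows the controlled distribution is narrower (smaller stdev) with a better 5th-percentile outcome, and passing an empty control list reproduces the slide's statement that residual risk then equals inherent risk.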
EVENT

1. They evidence the presence of risk.

2. Corporates can learn from them.

3. They have consequences, and these consequences are the things that corporates are trying to achieve or avoid.

4. They precede an outcome, so corporates may still have the ability to influence the outcome.

OUTCOMES

• Outcomes are the consequences of events.

• Despite the fact that they are the ultimate element in the flow of risk, they can be controlled (i.e., they can be subject to the impact of controls).
SO ENTERPRISE RISK MANAGEMENT IS…

DEFINE ERM

• ERM must satisfy a series of parameters.

• ERM must be embedded in a business’s system of internal control, while at the same time it must respect, reflect and respond to the other internal controls.

• ERM must be multifaceted, addressing all aspects of the business plan from strategic plan through to business control (strategic plan, marketing plan, operations plan, research & development, management & organisation, forecast & financial data, financing, risk management processes, business controls).
DEFINE ERM

• ERM is defined as a comprehensive and integrated framework for managing company-wide risk in order to maximise company value.

• ERM = a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
DEFINE ERM

• ERM is the capability of an organization to understand, control and articulate the nature and level of risks taken in pursuit of a risk-adjusted return.

• Risk can be categorised as credit, liquidity, strategic/business/reputation, market, operational, compliance/legal, financial and capital adequacy.
BENEFITS OF ERM

ERM enhances an organisation’s capability to:

• Increase the likelihood of a business realising its objectives.

• Build confidence in stakeholders and the investment community.

• Comply with relevant legal and regulatory requirements.

• Align risk appetite and strategy.

• Improve organisational resilience.

• Enhance corporate governance.

• Embed the risk process throughout the organisation.

• Minimise operational surprises and losses.

• Enhance risk response decisions.

• Optimise allocation of resources.

• Identify and manage cross-enterprise risks.

• Link growth, risk and return.

• Rationalise capital.

• Seize opportunities.

• Improve organisational learning.
ERM STRUCTURE

A structure for understanding ERM is composed of seven elements.

CORPORATE GOVERNANCE

• Corporate governance now forms an essential component of ERM because it provides the top-down monitoring and management of risk management.

• It places responsibility on the board for ensuring that appropriate systems and policies for risk management are in place.

• Good board practices and corporate governance are crucial for effective ERM.
INTERNAL CONTROL

• Examination of internal controls provides an understanding of what should be controlled and how.

• There is more of a focus on formal approaches. Internal controls are a subset of corporate governance.

• Risk management is a subset of internal controls.

• The aim is to accomplish this through the identification and assessment of risks facing the business and responding to them by either removing or reducing them or, where it is economic to do so, transferring them to a third party.
IMPLEMENTATION

• Implementation of risk management (forming part of a business’s internal control processes) can be resourced from within a business or be supported by external consultants.
RISK MANAGEMENT FRAMEWORK

• The purpose of the risk management framework is to assist an organisation in integrating risk management into its management processes so that it becomes a routine activity.

• The framework is aimed at ensuring that information about risk derived from the risk management process is adequately reported and is used as a basis for informed decision making.

• The framework is composed of five steps:

1. Mandate & Commitment

2. Design Framework

3. Implement Framework

4. Monitor Framework

5. Improve Framework
RISK MANAGEMENT FRAMEWORK

Mandate and Commitment

• “Risk management cannot be delivered from the bottom up within an organisation, but must come from the top down.”

• Management have to be seen to be both implementing and driving risk management, in recognition that risk management is one of the organisation’s “vital organs”.

• The risk management objectives must reflect and serve the organisation’s objectives, and performance indicators should be defined to measure the effectiveness of risk management over time.

• The relationship with internal audit should be established so that the organisation is ensuring legal and regulatory compliance.
RISK MANAGEMENT FRAMEWORK

Design Framework

• The design of the framework entails:

• understanding the organisation and its context

• establishing the risk management policy

• determining accountability for risk management

• embedding risk management in all of the organisation’s practices and processes

• allocating appropriately experienced and competent risk resources

• establishing tailored internal and external communication and allied reporting.
RISK MANAGEMENT FRAMEWORK

Implementing Framework

• The timing of the implementation of the framework should be planned.

• Introduction into the organisation should be managed, with training sessions held as required.

• Ensure as far as possible that decision making is based on the output of the risk management process.

• The delivery of the risk management process depends on where in the organisation risk management is being implemented.
RISK MANAGEMENT FRAMEWORK

Monitor Framework

• Periodically review with internal and external stakeholders whether the risk management framework, policy, plan and process require amendment as a result of changes in the organisation’s internal or external context.

RISK MANAGEMENT FRAMEWORK

Improve Framework

• Based on the results of the monitor framework step, decisions should be made on whether the risk management framework, and the policy and process which support it, should be amended with the aim of improving the effectiveness of the organisation’s risk management practices.
RISK MANAGEMENT POLICY

• Policy = why risk management will be undertaken, who within and outside the organisation will undertake it, how it will be undertaken by reference to the framework and process and internal functions, and what those who are responsible will be required to undertake.

• The policy should state its purpose, objectives, scope (where it applies within the organisation), related and supporting policies, its degree of confidentiality (any limitations on disclosure), the frequency of its review and the date it was last updated.

• The policy should address the interests of all stakeholders, including shareholders, customers, suppliers, regulators and employees.

RISK MANAGEMENT POLICY

• It should describe the relationship between risk and corporate governance and internal audit (the specific responsibilities of the board and, depending on the size of the organisation, internal audit, external audit, the risk committee, the corporate governance committee, the central risk function, employees and third-party contractors in implementing risk management).

• It should describe the policy’s relationship to the process and the framework.

• In addition, ideally any standalone policy statement prepared for display (alongside, say, the health and safety policy and the business continuity policy) should be short, concise and lucid (and is commonly more effective when confined to a single page).
Risk Management Process

• The mechanism for implementing a risk management process is to break it down into its component parts and examine what each part should contribute to the whole.

• The risk management process is broken down into seven stages: context, identification, analysis, evaluation, treatment, monitoring/review and communication/consultation.

Sources of Risk

• The sources of business risk come from two primary areas:

• from within the business itself (relating to the actions it takes)

• from the environment or context within which the business operates

• These sources are labelled “internal processes (internal business context)” and “business operating environment (external business context)”.
KEY QUALITIES OF AN EFFECTIVE ERM

INTRO

• The key qualities of an effective ERM environment are numerous and varied.

• They must be strategically aligned with the organization in order to be highly effective.

• ERM must have all of the key fundamental components.
1. HIGH-LEVEL CORPORATE SCHOLARSHIP

• One component that is essential for an effective ERM environment is for the board of directors and senior executives to take it extremely seriously; this means that support for the initiative must be consistent and unflappable.

• An essential element is the presence of a strong and highly knowledgeable Chief Risk Officer (CRO). This person must be a visionary who is not locked into the antiquated practices of the current predominant thought processes.
2. WELL-DEFINED RISK STRUCTURE FOR EVALUATING THE ENTIRE ENTERPRISE

• This must include thorough and complete mapping of the entire enterprise.

• One of the maps would include all of the operating subsets of the enterprise.

• A second map would include all of the administrative or cross-functional types of support mechanisms.

• The reason for this is that the risks of the various parts of the enterprise are quite different, and they need to be evaluated separately and distinctly from each other.
3. PROPERLY DETERMINED RISK APPETITE

• Management must determine a proper risk appetite: in other words, how much risk can we take on before it is too much?

• One thing that is tricky about determining the risk appetite is the variety of risks that have to be taken into account.

• When establishing a risk appetite on a portfolio basis we must be sure to include all types of business risks.
4. WELL-DEFINED RISK LANGUAGE USED THROUGHOUT THE ENTERPRISE

• The risk language must be developed in detail, including its terminologies and methodologies.

• The risk language should be communicated to all persons in the organization and then utilised continuously to build an understanding of its meaning and content.

• The risk terminology should be published and distributed across the enterprise.
5. CLEARLY DEFINED RISK CULTURE

• Every organization that is going to effectively employ ERM must have defined a risk culture.

• The risk culture can be highly conservative, highly aggressive, or essentially neutral.

• It can be avoided if sales and marketing act within the criteria of the risk culture that has been established. In other words, they will adhere to the established guidelines for promise dates and lead times.
6. HIGHLY AUTOMATED AND DATA-CENTRIC REPORTING CONTROL

• The effective risk management methodology that should be established must be data/fact based.

• Using data or facts will lead to rapid and accurate evaluation of risk and timeliness of reporting.
7. WELL-DEFINED INVENTORY OF KEY RISK INDICATORS

• Key Risk Indicators (KRIs) are critical to the successful implementation of any type of near-time or real-time ERM environment.

• KRIs should not be confused with Key Process Indicators (KPIs), as in most cases they are not at all alike.

Key Risk Indicator

• A measure that indicates how risky an activity is.

• Provides early warning to identify potential events that may disrupt the activity/project.

• Key components of operational risk analyses.

• KRIs differ from key performance indicators (KPIs) in that KPIs measure how well something is being done, while KRIs are indicators of the possibility of future adverse impacts.

• Example: stock price dropping. If the company’s stock price drops and continues to drop, that could indicate a loss of investor interest in the stock and the company.

• Changes in the value of this indicator could indicate that the company needs to make major changes in its operations and/or business model.
7. WELL-DEFINED INVENTORY OF KEY RISK INDICATORS

Example 2

• Objective: manage the collection of accounts receivable to reduce write-offs and financial loss.

• Risks: slowing economy; customer default; a negative impact on cash flow can affect the ability to pay the bills on time.

• Strategies: issue payment reminders 5 days before the due date; call the customer 5 days after the due date if not paid; escalate to the CFO after 15 days overdue.

• KRI: accounts receivable turnover/month; payment trend for the top 25 customers.

• KPI: bad debts written off < 5% of the provision for doubtful debts/month.
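The Example 2 collection strategy and its KRI/KPI, as an added illustration in code (not from the slides). The thresholds (5 days before the due date, 5 and 15 days after it, the 5% write-off limit) follow the slide; the invoice ledger, the `payment_trend` definition of the KRI and the reading of the KPI as write-offs divided by the provision are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Invoice:
    customer: str
    amount: float
    due: date
    paid_on: Optional[date] = None  # None: the invoice is still open
# Thresholds taken from the slide's collection strategy and KPI.
REMINDER_DAYS_BEFORE_DUE = 5
CALL_DAYS_AFTER_DUE = 5
ESCALATE_DAYS_AFTER_DUE = 15
BAD_DEBT_KPI_LIMIT = 0.05  # write-offs must stay below 5% of the provision

def collection_action(inv: Invoice, as_of: date) -> str:
    """Which step of the collection strategy applies to this invoice on a given day."""
    if inv.paid_on is not None and inv.paid_on <= as_of:
        return "none"
    days_past_due = (as_of - inv.due).days  # negative while not yet due
    if days_past_due >= ESCALATE_DAYS_AFTER_DUE:
        return "escalate to CFO"
    if days_past_due >= CALL_DAYS_AFTER_DUE:
        return "call customer"
    if days_past_due >= -REMINDER_DAYS_BEFORE_DUE:
        return "send reminder"
    return "none"

def payment_trend(invoices, customer: str) -> float:
    """KRI (assumed definition): change in the customer's average days-to-pay between
    the older and the newer half of its settled invoices; positive = paying slower."""
    settled = sorted((i for i in invoices if i.customer == customer and i.paid_on),
                     key=lambda i: i.due)
    lag = [(i.paid_on - i.due).days for i in settled]
    if len(lag) < 2:
        return 0.0
    half = len(lag) // 2
    return sum(lag[half:]) / (len(lag) - half) - sum(lag[:half]) / half

def bad_debt_kpi(written_off: float, provision: float):
    """KPI: bad debts written off in the month as a share of the doubtful-debt provision
    (assumed reading of the slide), and whether it meets the < 5% target."""
    ratio = written_off / provision if provision else 0.0
    return ratio, ratio < BAD_DEBT_KPI_LIMIT

# Constructed ledger for one customer whose payments are slipping further past due.
INVOICES = [
    Invoice("Acme", 1200.0, date(2024, 1, 31), date(2024, 2, 2)),   # 2 days late
    Invoice("Acme", 800.0, date(2024, 2, 29), date(2024, 3, 6)),    # 6 days late
    Invoice("Acme", 950.0, date(2024, 3, 31), date(2024, 4, 14)),   # 14 days late
    Invoice("Acme", 1100.0, date(2024, 4, 30), date(2024, 5, 20)),  # 20 days late
    Invoice("Acme", 700.0, date(2024, 5, 31)),                      # still open
]

if __name__ == "__main__":
    print("days-to-pay trend:", payment_trend(INVOICES, "Acme"))  # 13.0: early warning
    print("open invoice on 2024-06-15:", collection_action(INVOICES[4], date(2024, 6, 15)))
    print("bad debt KPI:", bad_debt_kpi(400.0, 10000.0))
```

The rising days-to-pay trend is the KRI's early warning of a possible default before any write-off shows up in the KPI, which is the distinction the slides draw between the two kinds of indicator.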


8. STRAIGHTFORWARD AND HIGHLY USABLE SYSTEM OF ANALYTICS

• When employing data, it is imperative to use an effective set of analytics, because data is only as good as your ability to use and interpret it.

• The best practice is of course the old KIS theory, Keep It Simple: a number of straightforward, highly functional analytics that anyone can understand and interpret quickly and easily.
9. EFFECTIVE BUT UNCOMPLICATED CATEGORISATION OF RISK SCHEME

• The categorization of risk is extremely helpful, but when utilizing risk categories it is helpful to keep in mind a couple of fundamental concepts and facts:

1. Risk cannot be neatly categorised.

2. More is not necessarily better: a much more complicated scheme with numerous subclassification schemes is contained in the COSO/ERM model. When the scheme is too complex, it tends to drive the discussion into a debate instead of focusing on the risk and how it is going to be managed day to day.

• Remember, it is the risk and the management of it that is the object of the exercise, not a perfect categorisation scheme.
10. STRATEGIC PLAN FOR CONSTANTLY IMPROVING THE RISK MANAGEMENT SYSTEM

• Risk is a dynamic process and never ceases to change.

• All ERM environments should have a strategic plan for constant migration of the risk management system to the highest plateau of performance.

• The strategic plan should constantly be re-evaluated to ensure that it is keeping pace with the movement of the business, the market, the technology, and the world.

• The strategic plan for every ERM environment should be synchronised directly with the IT strategic plan of the organization.
11. ABILITY TO EVENTUALLY MIGRATE THE METHODOLOGY TO FACILITATE PREDICTING THE FUTURE

• The ultimate objective of any ERM environment is the ability to see the future before the future arrives and undermines the organization.

• The organization needs somebody to look into the future and start to take an inventory of those types of undesirable events. At the same time, executives should be trying to identify opportunities that may be present so that the organization may avail itself of these positive events.

• Example: the significant impact on the newspaper industry of the Internet and its diversion of advertising dollars and loss of readership. Recognising earlier that there was an imminent shift in the technological savvy of the consumer, the tastes of the consumer, and the form of consumption would have boded well for the organizations still running the printing presses.
BARINGS BANK COLLAPSE

• Barings Bank, founded in 1762, was one of the world’s oldest merchant banks, renowned for having facilitated the Louisiana Purchase. The bank declared bankruptcy in 1995 after losing £827 million (approximately $1.3 billion) due to unauthorized trading activities by one of its employees, Nick Leeson.