
Column: Code of Good Governance (14)

Hubert Rampersad

Following up on my previous article:

Enterprise Risk Management

There is an ever-increasing expectation from the board of directors to provide assurance to the shareholders on the adequacy and effectiveness of a company’s system of internal controls. This has led to an evolution in the way today’s boards perceive the importance of risk management oversight. Boards can be guided by the internal controls guidelines published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) while reviewing the organization’s risk management framework.

COSO defines enterprise risk management as: ‘Enterprise risk management is a process, effected by the entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.’

There are numerous benefits from adopting a formal and structured enterprise risk management mechanism. The Institute of Internal Auditors advocates that enterprise risk management enhances an organization’s ability to:

• Align risk appetite and strategy.

• Link growth, risk, and return.

• Enhance risk response decisions.

• Minimize operational surprises and losses.

• Identify and manage cross-enterprise risks.

• Provide integrated responses to multiple risks.

• Seize opportunities.

• Rationalize capital.

• Deal effectively with potential future events that create uncertainty.

• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

The board also has the responsibility to oversee the implementation of the enterprise risk management (ERM) framework of the company.

COSO identifies the following four aspects of board oversight with reference to ERM, see Figure:

• Understand Risk Philosophy and Appetite: Boards need to understand the overall risk philosophy of the organization. Risk appetite is the amount of risk, at a high level, which an organization is willing to accept in pursuit of stakeholder value. Since boards are responsible for protecting stakeholders’ interests, boards should get involved in creating the organization’s risk philosophy and identifying the acceptable level of risks. This is needed to prevent an organization from becoming a victim of excessive controls, which would lead to low risk-taking and ultimately result in lower returns. It is to be remembered that organizations do need to assume risks in the normal course of doing business with the objective of maximizing shareholder value.

• Supervise ERM Implementation: Boards should keep themselves aware of the extent to which effective enterprise risk management is established in an organization. This should include a review of the existing risk management process by way of challenging management to demonstrate the effectiveness of risk management processes and providing guidance and leadership to improve the entire process.

• Review Inherent Risk Portfolio: The board needs to review the organization’s risk portfolio as compared to risk appetite. Effective board oversight of risks is dependent on the board’s ability to understand and assess an organization’s strategies with risk exposures. Thus, board meeting papers should include both the strategic initiatives and the enterprise-wide risk exposures. The board should then ensure that risk exposures are consistent with risk appetite for each strategic initiative.

• Monitor Significant Risks and Controls: Identifying, assessing, and managing the organization’s significant enterprise-wide risk exposures is management’s responsibility. However, boards should be kept updated on the most significant risks and the controls being implemented to mitigate them. Regular updates from management to the board on key risk indicators are critical to effective board oversight of key risk exposures for preservation and enhancement of stakeholder value.

The board may decide to delegate this task to the Audit Committee, which can seek assistance from the organization’s internal audit department. Internal Audit can provide useful insight into the overall process of enterprise risk management. However, similar to strategic management, the board remains ultimately responsible for performing the risk management oversight function.

This article will be continued in the next part of this column.

Hubert Rampersad

Hubert Rampersad is president at Business School of the Americas. This column is drawn from his new book “Authentic Governance: Aligning Personal Governance with Corporate Governance” (Hubert Rampersad & Saleh Hussain, Springer USA, New York, 2013). He can be reached at h.rampersad@tps-international.com; www.tps-international.com | His other books: http://bit.ly/TZhAxq | His interviews in BusinessWeek & Fortune Magazine: http://bit.ly/V8EcSW | His YouTube video: http://youtu.be/tLeY5SWxqj8

