A Deep Dive Into ERM Framework
Enterprise Risk Management (ERM) was introduced in 2004 when the Committee of Sponsoring Organizations (COSO) issued its Enterprise Risk Management – Integrated Framework (www.coso.org). COSO defined ERM as a process performed by the Board, management and other personnel, and applied in strategy setting and across the firm. It is intended to identify potential risks that could impact the firm. ERM allows the firm to manage risk within its accepted risk appetite and provides reasonable assurance regarding the achievement of firm objectives.
The Integrated Framework organizes firm objectives into four categories:
Strategic objectives are one of these categories; COSO defines them as high-level goals that are aligned with and support the goals of the organization. Strategic objectives are core to the overall strategy of the firm, and strategic risk management is therefore a critical part of a firm’s overall ERM program.
Even though ERM was introduced in 2004, many firms have been slow to adopt it because of the various challenges that need to be overcome. Historically, risk has been managed in silos, and while firms have been migrating to a more integrated, enterprise-wide approach, progress has been slow. Some of the challenges for ERM teams include:
• Data Management Skills: Risk management teams need not just analysts but also people with technology backgrounds, especially in data science. Data drives risk management, and it is the ability to harness that data that produces the information needed for impactful analysis.
• Risk Taxonomy: There should be a consistent definition of risk throughout the firm so everybody is speaking the same language.
• Consistent Analysis: Analysis is a disciplined, formal process, and associates need to be trained in it to reach the required base level of skill.
• Portfolio Reporting: Information resides in pockets throughout the firm, and it is critical for ERM to link these pockets and provide horizontal and vertical integration of information across the firm.
Just as strategy requires a plan for execution, ERM must include the underlying market, credit, and operational risk disciplines to be effective. Otherwise ERM risks being isolated from the running of the business and becoming an ivory tower.
What ERM Means For Risk Managers
ERM is a process in which each risk discipline continuously gathers internal and external data that feeds its own risk systems; these separate data streams are then aggregated, taking intra-risk relationships into account. The output of this exercise is management information that can be used at the appropriate level, so that each management level has sufficient information to deal with uncertainty and to support decision-making.
ERM represents a portfolio view of risk: it provides a holistic view of the organization and seeks to understand how all risks, internal and external, faced by the organization can ultimately impact it. The objective for the risk disciplines is to understand how the various pieces of risk management fit together within an accepted framework, and to determine how this framework can best support strategic and tactical decision-making in support of firm strategy.