With the financial crisis of 2008 still fresh, and the emergence of “newer” risks such as cyber-security and vendor risk management, businesses are trying enterprise risk management to some degree. Although rare, the black swan risk—the threat that nobody expects or foresees—is also on the mind of board directors.
No surprise, then, that boards are paying attention to ERM. Internal auditors and compliance professionals have noted that audit committees or other directors are asking them to assess the state of enterprise risk management at their businesses. CFOs also support the idea because they have served on boards elsewhere, where ERM is a focused topic.
In a related development, the Committee of Sponsoring Organizations (COSO) is revising the enterprise risk management framework it created in 2004. Much has changed in the business risk environment as well as on how management and the board view integrated ERM processes. COSO expects to publish its exposure draft for public comment in the first quarter of 2016.
Historically ERM efforts trace back to compliance with the Sarbanes-Oxley Act, with the implementation of an internal control framework that requires a regular enterprise risk assessment. As a result, it’s not surprising that internal audit departments have become crucial in driving their organization’s ERM efforts.
Does a compliance program need to shift toward a broader ERM one? Not necessarily. Remember that compliance, internal audit, and risk management remain distinct disciplines that need to work together, in a collaborative (if not integrated) fashion, to achieve corporate objectives.
The Risk Management Discipline
For chief audit executives and chief compliance officers, the ERM process reminds that the risk landscape has rapidly evolved since SOX, well beyond internal control over financial reporting. Regularly conducting a comprehensive risk assessment is recognized as one of the key elements of an effective compliance and ethics program, but compliance-related risks are only a subset of a company’s overall risk environment.
Performance of risk assessments falls under the discipline of risk management, where enhanced frameworks and techniques have emerged. Risk management comprises the identification, assessment, and prioritization of risks, followed by the coordinated and efficient use of resources to monitor, minimize, and otherwise control the probability or impact of the risks occurring. Risks can range from uncertainty in financial markets, operational failures, third-party risks and natural disasters to legal liabilities and reputational harms.
For companies that have already identified their risks and laid out mitigation plans, the next hurdle is to ensure that the lines of business actually employ those mitigation measures.
Risk management and compliance do overlap somewhat. Risk management has become even more hardwired into more rules and regulations since the 2008 financial crisis. Clearly, risk management requirements are themselves requiring the attention of chief risk officers where risk management is a separate function. Some companies in the financial services industry have gone so far as to merge risk and compliance, so that their related activities are better coordinated; many others view the disciplines as having quite different skill sets and just need to work more closely together.
As legal, compliance, and ethical risks are a significant subset of the overall risk universe any organization faces, it is worthwhile for compliance professionals and internal auditor to be aware of risk management techniques (particularly those used in your industry sector). Risk management components and the role of risk managers vary by industry, the size and structure of the organization, and the risk financing strategies employed. Similar to the field of compliance and ethics, the risk management profession has evolved along functional needs and growing regulatory mandates.
Risk assessments, when performed from a compliance and ethics perspective, do not delve into the full range of business operational risks that a company experiences. But as risk management has taken on more importance in the corporate environment, more risk assessment activities have been undertaken across organizations. The compliance and ethics professional should be cognizant of other risk assessment activities, including ERM that may be taking place.
Examples of other types of risk assessments include:
Financial risks pursuant to SOX section 404 internal controls over financial reporting.
Disclosure controls under Sarbanes-Oxley Sec. 302 to material, non-financial, and financial information required to be disclosed.
Fraud risks, including those performed as part of the external auditor’s duties under SOX and Auditing Standard 5 by the Public Company Accounting Oversight Board.
Other functional-specific risk assessments in high-impact areas depending on industry (cyber-security controls, environmental hazards, and so forth).
Because ethics and compliance risks touch so many areas of the enterprise, organizations should integrate (when possible) the compliance risk assessment into the ERM process. Compliance benchmarks have suggested that while formal risk assessments have become common, most companies do not undertake them in an integrated manner, and when they do, they don’t address compliance- and ethics-related risks adequately.
The benefits of an integrated ERM approach are many. One obvious benefit is consistency in terminology, criteria, process, and the risk information collected. When risk assessments are conducted separately by different business units, the use of different frameworks can result in the need to reconcile the information collected across the organization. Integration can lead to a better quality of risk-based information, leading to better decisions made.
Risk Management Frameworks and Resources
While the U.S. Sentencing Guidelines are clear about the role and significance of risk assessments for an effective compliance and ethics program, the guidance is conspicuously meager on how actually to perform one. Generally the Sentencing Guidelines expect an organization to scrutinize its operating circumstances, legal surroundings, and industry history to gain a practical understanding of the types of unlawful practices that may arise in future organizational activities. As such, it can be valuable to look to other frameworks and standards on how to proceed with a risk assessment and understand the risk management discipline:
The COSO enterprise risk management framework issued in 2004 for companies to evaluate the broader universe of business risks. As noted, COSO is updating this framework.
AU/NZS 4360, the Australian/New Zealand risk management standard uses a more concise definition of risk than COSO.
ISO 31000, from the International Organization for Standardization, which is based on AS/NZS 4360.
The GRC Capability Model “Red Book 3.0” by the Open Compliance and Ethics Group (OCEG) seeks to integrate principles of effective governance, risk management, compliance and integrity (GRC) into tangible business practice and provides an ERM approach.
Each of the above-referenced sources provides a framework with guidance for conducting risk assessments as part of an overall risk management program. Other resources exist from professional associations and industry groups that the organization should consider when structuring an ERM approach.
Because the ERM program (and conducting a regular risk assessment) is not a one-time event, the company should also consider forming a management-level risk steering committee to maintain continual oversight over the periodic performance of the program. (Note: Legislators have proposed requiring a standing risk committee of the board of directors for all public companies. Although board-level risk committees have become widespread in the financial services sector, it is less common for companies in other industries to have them.)
The role of the management risk committee can be merged with an existing compliance and ethics committee, or it can be a separate committee depending on the organization’s structure and culture. For instance, a company may have a company-wide risk committee as part of its ERM process where internal audit and the compliance professional can participate. The risk committee could provide oversight for managing the identified risks, such as the responsibility for reviewing and approving mitigation plans submitted by risk owners.
Remember the Three Lines of Defense
For the management of risk to be effective, ultimately it must owned and addressed by management, not by a risk office or compliance in the second line of defense, nor by internal audit in the third line. The risk practitioner along with compliance and internal audit facilitate identifying, monitoring, and mitigating risk, but management understands the organization and risks far better and will add or modify the risk with operational decisions they make.
Of course compliance risk and ERM are ever evolving, and changes are becoming more rapid in a global economy and the shift toward intangible assets (intellectual property, company data, and so forth). For companies that have already identified their risks and laid out mitigation plans, the next hurdle is to ensure that the lines of business actually employ those mitigation measures. Only when management is actively considering risk on a continuing basis—what might happen and how it might affect the achievement of objectives—will an ERM program be effective.