Enterprise Risk Management

Marc Heneghan

BA 559 Enterprise IT Governance

Professor Michael Shaw

December 16, 2008


Introduction to Risk

Types of Risk

Risk Management Strategies

Driving Forces of ERM

ERM Software Solutions

Choosing an ERM

ERM Implementation

ERM Valuation

Credit Crisis and Financial Meltdown

Conclusion

Works Cited

Introduction to Risk

There are several types of risk that companies face as they engage in business. These risks vary both in kind and in the impact they could have on the company, and the methods used to manage them vary just as widely. Governance, strategic, and operational risks are managed in different ways depending on the nature and size of the company as well as the industry in which it competes. This paper discusses several types of risk and evaluates many of the IT-based Enterprise Risk Management (ERM) solutions available to address them. Finally, the paper discusses ERM in relation to the current credit crisis and financial meltdown.

Types of Risk

The number and types of risks a company faces vary with countless factors, ranging from its location and industry to economic conditions. Given the range of risks associated with business, classification is clearly needed. These risks, while not all-inclusive, can be broken down into the following categories:

  • Strategic – Risk that the company’s strategy is not successful.
  • Compliance – Risk of adverse legislation.
  • Financial – Risk of financial insolvency.
  • Operational – Risk of operational failure (Business Link).

Each risk must be viewed within the context of the company and even within the context of the other risks. ERM software can help identify and alleviate operational, compliance, strategic, and financial risk.

Risk Management Strategies

There are several ways to manage risk. The four main methods of risk management include:

  • Risk Mitigation – The actions taken to alleviate potential risk.
  • Risk Acceptance – Accepting the risk and potential consequences.
  • Risk Transfer – Transferring the risk to a third party such as an insurance company.
  • Risk Avoidance – Avoiding the risk in general due to the severity of the potential outcome (Measuring Risk).

Each company’s methodology for risk management differs greatly and is largely a function of its industry. For example, a high tech firm may adopt a risk acceptance strategy for new products, whereas the landlord of an office building may transfer risk in the form of insurance. Additionally, some industries, including financial services and pharmaceuticals, are forced through government compliance requirements to manage certain risks in prescribed ways. ERM software allows companies to evaluate and organize their risks based on evidence gathered both internally and externally.

Driving Forces of ERM

Many companies are forced to adopt ERM solutions in order to maintain government compliance, while other ERM solutions, often of greater scale and complexity, are adopted voluntarily. In the case of regulation, compliance may require certain business processes to reduce or mitigate risk. Generally speaking, when these processes are required by law rather than by choice, companies tend to take a low cost approach and to be reactive rather than proactive. This is an important distinction, as it is relevant to understanding the credit crisis and sub-prime mortgage meltdown discussed below.

If ERM is not being implemented for governance reasons, it is typically implemented strategically or to improve performance (operationally). Strategically, it may give a company a competitive advantage or allow it to reduce risks that competitors are unable to manage. For performance-based results, it can reduce costs through cost-saving consolidations as well as ensure a stable operating environment through financial instruments such as hedging and derivatives. It can also help to coordinate resources or reduce redundancies.

ERM Software Solutions

ERM software suites range from extremely high tech, integrated management systems to affordable SaaS options. Don Sobczak, a KPMG Manager in Advisory Services, categorized ERM software into four quadrants based on vendors' ability to execute and completeness of vision, as displayed in a chart presented during a KPMG presentation (Sobczak).

Each of the four quadrants lists different competitors that offer different solutions for the client. Don noted the large number of players in the market compared to Customer Relationship Management or Enterprise Resource Planning software. The segmented market is again due to the unique and diverse needs of different users.

The differences between the software packages are great, but the similarities may be greater. Most of the products have numerous aspects in common, and most share the COSO framework. A PricewaterhouseCoopers paper on the COSO Enterprise Risk Management – Integrated Framework defines ERM as follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Steinberg)

With the COSO framework at the core, many of the solutions become easier to compare, with the main differences between products being industry or user customization or the implementation process. The COSO framework has eight components that are consistent across most ERM software. These components are:

  1. Internal Environment
  2. Objective Setting
  3. Event Identification
  4. Risk Assessment
  5. Risk Response
  6. Control Activities
  7. Information and Communication
  8. Monitoring

In addition, the COSO framework shares the same four risk areas described under the Types of Risk section (Steinberg).

The ideal software for most companies would take elements from each of the four risk areas, identify the relevant components outlined by the COSO framework, and apply them in easy to use, customized software. While the COSO framework is not the only framework used or accepted, it is by far the most commonly accepted and applied framework.

The software should then be able to organize the information outlined in the COSO framework in a meaningful manner. The information can be collected and organized in a number of ways and will be unique to each company and industry. Clearly, input will be necessary from everyone from those involved in strategic planning to those involved in day to day production. This leads to a truly diverse view of risk and provides a 360 degree view of issues within a company. Kregg Weigand, a Partner in KPMG Advisory Services, also noted that simply compiling the risks as seen by those in, for example, a board room versus those on a factory floor will illustrate the disconnect in identifying and prioritizing risk (Weigand). A visual example of the compilation of this information is depicted in a graph presented by KPMG Advisory Services.

[Figure: KPMG Advisory Services graph compiling risk views across the organization] (Weigand)

Once this information is collected it can be used to prioritize the risks. How risks are classified will again vary from company to company. Generally, the severity and the probability (likelihood) of each risk will be identified. In addition, the impact of the risk will be evaluated in comparison to the importance of the affected business process to the company's critical success factors (Weigand). McAfee visually depicts how an ERM would highlight and illustrate a given risk based on these aspects.

[Figure: McAfee depiction of a risk plotted by severity, likelihood, and business impact] (Measuring Risk)

The resulting compilation is a risk profile of the relevant risks and how they may be related. Once this profile is developed, management must decide how to approach each risk or type of risk using the methods described above. For example, management may find it pertinent to accept some forms of risk but to transfer others in the form of insurance. This also allows management to take a proactive view of risk rather than a reactive one, and it highlights potential material weaknesses under given event circumstances. It is therefore important to highlight the key processes pertinent to each risk, how it is currently being managed, and whether any changes should be or are being made. This constant updating allows users to have an up to date profile at any point in time. As described below, this could take the form of an annual review of risks or even a daily review, depending on the company.

A small company may have one risk profile, while a larger company may have profiles for each division. These profiles create a portfolio. The portfolio view of risk is vital to the risk management of larger companies. Some companies may be so large and diverse that they can simply accept a risk because it may balance another aspect of the company. In these cases of large conglomerates, relevant and reliable data is key to allowing management to maintain an acceptable level of risk. In other scenarios, a common risk across the portfolio could present tolerable levels of risk at the project level but an intolerable aggregate.
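As an added illustration that is not part of the original paper, the following Python sketch scores a constructed risk register by severity times likelihood, maps each risk to one of the four response strategies described above, and then aggregates a risk shared across divisions to show the case where every division's exposure is tolerable but the portfolio total is not. The thresholds, scale, and register entries are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not figures from the paper.
TOLERABLE_SCORE = 12       # per-risk appetite on a 1-25 scale
PORTFOLIO_APPETITE = 30    # company-wide appetite for one aggregated risk

@dataclass
class Risk:
    division: str
    name: str
    category: str            # strategic / compliance / financial / operational
    severity: int            # 1 (minor) .. 5 (catastrophic)
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    transferable: bool = False   # can be passed to a third party, e.g. insured

    @property
    def score(self) -> int:
        # Severity x likelihood: the prioritisation described above
        return self.severity * self.likelihood

def choose_response(r: Risk) -> str:
    """Map a scored risk to one of the four strategies from the paper."""
    if r.severity == 5 and r.likelihood >= 4:
        return "avoid"                          # too severe to run at all
    if r.score > TOLERABLE_SCORE:
        return "transfer" if r.transferable else "mitigate"
    return "accept"                             # within appetite

def risk_profile(register):
    """Per-division profile: each risk with its score and chosen response."""
    return [(r.division, r.name, r.score, choose_response(r)) for r in register]

def portfolio_view(register):
    """Sum a common risk across divisions -> {name: (total, appetite breached)}."""
    totals = {}
    for r in register:
        totals[r.name] = totals.get(r.name, 0) + r.score
    return {n: (t, t > PORTFOLIO_APPETITE) for n, t in totals.items()}

# Constructed sample register (illustrative, not the paper's data). The three
# sub-prime entries each score 12 (tolerable) but sum to 36 (intolerable).
REGISTER = [
    Risk("Retail", "sub-prime exposure", "strategic", 3, 4),
    Risk("Mortgage", "sub-prime exposure", "strategic", 3, 4),
    Risk("Trading", "sub-prime exposure", "strategic", 3, 4),
    Risk("Operations", "data center outage", "operational", 4, 4, transferable=True),
    Risk("Trading", "unhedged currency position", "financial", 5, 4),
    Risk("Legal", "new privacy regulation", "compliance", 2, 3),
]
```

Calling `portfolio_view(REGISTER)` flags "sub-prime exposure" as breaching the aggregate appetite even though `risk_profile(REGISTER)` marks each division's exposure as "accept".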

Choosing an ERM

Even with all this information, choosing an ERM can be more than a headache. As illustrated above, there is no clear choice or industry leader for every circumstance. Instead, each company should evaluate its needs and consider what the software and service can offer. For example, if a company already runs Oracle and is satisfied with its performance, then the Oracle GRC platform may be an excellent fit since it can tie in the financial reporting aspect (Oracle). However, if the company falls within the financial services sector, then a vendor with financial services expertise such as Qumas may be a better fit (Financial). To take this one step further, Mike Ohata, a Manager in KPMG’s Advisory Services, described how a high tech company like Google or Microsoft faces a constantly changing risk profile compared to a company in a stable industry (Ohata). In an example like this, the company in the stable industry may benefit from a simple, inexpensive annual risk analysis, whereas the high tech company may need a complex real time risk analysis to be successful. Another aspect to consider is whether the company internally has the resources to perform and maintain the risk analysis. If it does not, consulting firms such as Protiviti can implement the risk management. In addition, some firms have also partnered with software vendors. For example, PricewaterhouseCoopers has a partnership with Cura Software Solutions (Cura). Although an industry leading team paired with a powerful solution seems a perfect fit, the company must evaluate other externalities, such as whether this impedes audit independence in any way. In addition, audit firms may not be able to offer a full line of services due to potential future independence issues. Finally, as discussed below, there is the monetary cost of the software itself. Again, this depends on both the size of the company and the number of users. What is clear is that ease of use of the system is vital for widespread success.

ERM Implementation

As with other investments in IT, successful implementation requires more than just an excellent product. Almost all of the software vendors listed above advertise their differentiation through customer service, and consulting firms specialize strictly in implementation to ensure smooth results. So much emphasis is rightfully placed on implementation because if employees cannot or choose not to use the software effectively, then the value of the solution becomes worthless. Therefore, choosing a software partner or consultant that the company can work with is nearly as important as the software itself. It is also important that management support the initiative, or else it risks getting too little funding and respect. Under this circumstance, the software will not produce the desired results regardless of how good the software is.

Valuation of ERM

As with the valuation of similar enterprise suites or internal controls, the value gained by implementing the ERM solution should be greater than its cost; thus the company should recognize a positive return on investment. Still, valuing such a system is difficult using conventional financial tools such as net present value. This difficulty arises for two primary reasons. The first is that when an ERM is necessary for compliance, the cost of not being compliant may be large fines or even termination of operations. For companies voluntarily adopting ERM, valuation becomes difficult because the true monetary value derived from risk management becomes an intangible figure. How should a company value properly identifying risks and responding in a timely manner, or avoiding projects management deems too risky for the organization? In addition, ERM can add value through opportunities identified through risk management. This is the idea that not only does ERM help manage the negative aspects of risk, but it also allows the company to identify and therefore increase the positive outcomes from risk. This adds to the difficulty in valuation and frustrates the implementation of ERM systems, as management often makes the mistake of taking a difficult to value asset and assigning it no value. What is clear, as Professor Michael Shaw of the University of Illinois states, is that companies should treat this and other forms of IT as an asset and view it as part of a portfolio (Shaw).

Credit Crisis and Financial Meltdown

Kregg Weigand described financial services as having some of the most advanced ERM solutions available. However, Mr. Weigand described many of the ERM solutions adopted by financial services firms as reactive rather than proactive (Weigand). The result may be that management in the financial services industry adopted these ERM solutions extremely well on an operational and compliance level, but failed to bridge ERM to a strategic level. The effects of financial reporting risks are still unclear, as fair market accounting valuation may have increased the rate of decline. The results of a strategic failure can be seen in consumer mortgages and loans that were both compliant and within technical requirements. These requirements were set and optimized for performance with a reliance on increasing asset valuations and inexpensive lending. The failure then lies with the strategy of lending or purchasing financial instruments whose principal rested with sub-prime debtors. A successful ERM should identify the lapse of logic in the strategy of a portfolio with heavy reliance on under-collateralized loans to sub-prime debtors and thus limit exposure to such high risk devices. Indeed, some firms did come to this realization and averted much of the sub-prime fallout. An example of this is Goldman Sachs' position relative to that of Lehman Brothers (Sub-Prime). There are many lessons to be learned here about risk management. First is the importance of viewing risk both from an individual risk perspective and with a greater scope incorporating the entirety of the risk profile. Next is the adoption and acceptance of the software within the organization. If employees fail to properly implement and accept the ERM solution, then the value of the system is lost. Finally is the mandate of ERM solutions. Regulation can effectively mandate ERM for compliance, financial reporting, and even operational risks; however, it is much more difficult conceptually and fiscally to enforce strategic risk or company-wide risk analysis.

Conclusion

It is clear that there are enormous benefits to adopting an ERM solution. These include improvements in governance, strategy, and performance. What is also clear is the difficulty of successfully implementing an ERM solution. Issues arising from valuation, selection, and implementation often hinder the effectiveness of the tool. Additionally, trained and willing employees serve as the link to a successful ERM. Clearly, ERM can be a positive investment and serve as a competitive advantage when properly executed.

Works Cited

"Cura and PricewaterhouseCoopers Announce Risk & Control Library Partnership." Cura Software Solutions. 15 Dec. 2008.

"Financial Services Solutions." Qumas.com. 15 Dec. 2008.

"Managing Risk." Business Link. 15 Dec. 2008.

"Measuring Risk to Gauge Vulnerability." McAfee. 15 Dec. 2008.

Ohata, Michael. "Risk Management Software." Champaign. 21 Dec. 2008.

"Oracle GRC." Oracle.com. 15 Dec. 2008.

Shaw, Michael. "Enterprise IT Governance." University of Illinois, Champaign. 15 Dec. 2008.

Sobczak, Don. "KPMG IT Project Management Presentation." University of Illinois, Champaign. 30 Oct. 2008.

Steinberg, Richard, Miles Everson, Frank Martens, and Lucy Nottingham. "Enterprise Risk Management – Integrated Framework." PricewaterhouseCoopers LLP (2004).

"Sub-prime sidestep boosts Goldman." News.bbc.co.uk. 18 Dec. 2007. BBC News. 15 Dec. 2008.

Weigand, Kregg. "Enterprise Risk Management – Managing the Speed of Change." University of Illinois, Champaign. 20 Oct. 2008.
