ERMM1 Unit 1 Back Up Book for Printing
Site: The Institute of Risk Management
Printed by: jotham muchina
Course: Principles of Risk and Risk Management ERM - Module One
Date: Thursday, 9 May 2024, 1:44 PM
Book: ERMM1 Unit 1 Back Up Book for Printing

Description
The back up book allows you to print this unit's course content. This can be done by clicking on More and then clicking ‘Print Book’.

Table of contents
1.1 - Introducing Enterprise Risk Management (ERM)
1.2 - Evolution of Enterprise Risk Management
1.3 - Importance of Enterprise Risk Management for organisations
1.4 - Different approaches to Enterprise Risk Management
1.5 - Enterprise Risk Management standards and frameworks

1.1 - Introducing Enterprise Risk Management (ERM)
Section 1.1 considers what Enterprise Risk Management (ERM) is and enables you to distinguish between risk and risk management using a range of different recognised approaches. After studying this unit, you should be able to appraise the nature and requirements of risk and risk management, and the purpose of managing risk, in line with recognised international standards.
You should make sure you have access to the following resources before starting this unit:
- Hopkin and Thompson (2021), Fundamentals of Risk Management, chapters 1-4
- UK HM Government - The Orange Book (2020) - https://resources.aferm.org/resource/orange-book-2020/
- IRM (2018) - Standard deviations - A risk practitioner’s guide to ISO 31000: 2018 - https://www.theirm.org/media/6907/irm-report-iso-31000-2018-v2.pdf
- IRM (2018) - From the cube to the rainbow double helix: a risk practitioner’s guide to the COSO ERM Frameworks - https://www.theirm.org/media/6885/irm-report-review-of-the-coso-erm-frameworks-v2.pdf
- COSO (2017) Enterprise Risk Management – Integrating with Strategy and Performance - www.coso.org/_files/ugd/3059fc_61ea5985b03c4293960642fdce408eaa.pdf
- ISO 31000:2018 Risk Management Guidelines - PRETESH BISWAS

How you choose to approach and organise your reading time is an individual choice. We will prompt you throughout this Unit Guide with specific readings associated with the Guide and the activities. This unit should take you approximately 30 hours, including the readings and the activities.

Introduction
You may wish to approach the unit by reading in advance, or by using the Essential Reading alert prompts to pause, read, and attempt activities before continuing.

In this unit you will be introduced to risk management concepts. You will also be introduced to the importance of risk management across enterprises as well as internationally accepted standards and frameworks that support the effective implementation of risk management. There are many terms and definitions regarding risk and risk management, which are often misunderstood and inconsistently used by organisations. It is important to be aware of the appropriate language and methodology to be implemented, the reasons for their use, and to understand the value that risk management can and should bring to an organisation.
In this unit you will gain an insight into what risk and risk management are and look at the positive and negative impacts that risk may have on organisations. You will also be introduced to key features of risk and risk management before moving on to explore the history of risk management. You will further examine the importance of risk management and its value for different stakeholders and finally distinguish between the different risk management standards.

This unit introduces the concept of Enterprise Risk Management (ERM). Once introduced, the terms risk management and ERM will represent the same concept, unless noted otherwise.

Unit 1 is divided into five parts. After studying this unit, you will be able to deliver what is specified in each section.
Section 1.1 Distinguish between risk and risk management using a range of different recognised approaches.
Section 1.2 Explain the key developments in the evolution of risk management.
Section 1.3 Evaluate the importance of Enterprise Risk Management (ERM) for organisations from different perspectives.
Section 1.4 Compare the approaches and the integration of the different risk management specialisms.
Section 1.5 Compare different international risk management standards including ISO 31000; COSO and the Orange Book - Management of Risk: Principles and Concepts.

During this Unit Guide and within the lessons of the online course, you will be prompted with readings and activities. You should complete Unit 1 of the online course entirely before moving on to Unit 2. When/if you leave this Unit Guide to read or do an activity, you will be prompted to view the last unseen page when you return.

1.1.1.1 - Approaches to defining risk
There have been many attempts over the years to define risk.
The more widely used definition of risk comes from the International Organization for Standardization (ISO 31000, 2018), which states that risk is ‘the effect of uncertainty on objectives.’ David Hillson simply describes risks as ‘uncertainties that matter’ (Hillson, 2016:3). This means that there are many uncertainties in the world, but they only become risks to an individual, group, or an organisation if they affect their objectives – if they matter to what needs to be achieved. See the further reading section at the end of unit 1.

ISO 31000 (2018) also notes that ‘An effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats.’

The IRM considered risks to have both an upside and a downside in their Risk Management Standard in 2002, which states that: ‘Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.’

Many organisations still consider the term ‘risk’ to relate to threats only. Some organisations only look at these (downside) risks, whereas others have the (downside) risks and consider opportunities separately.

Following the ISO 31000 definition, Hopkin sub-divided risks into four categories, where:
1. Compliance – mandatory risks
2. Hazard risks – negative risks
3. Control risks – uncertainty
4. Opportunity risks – positive risk

The attempts to sub-divide risks or to split ‘risks’ from ‘uncertainties’ can cause confusion. For use in this Certificate, risks are considered simply as uncertainties that matter, or, using a more standardised approach, the term risk is used to denote the effect of uncertainty on objectives, considering both sides of the risk ‘coin’ - threats and opportunities. As such, any reference to compliance, hazard or control risks in Hopkin will be regarded as threats (negative risks).
1.1.2.1 - Approaches to defining Enterprise Risk Management (ERM) – Part 1
If risks are uncertainties that matter, risk management is doing something about them. As such, the overriding purpose of risk management is to empower organisations to identify, understand and manage their risks in relation to the context in which they are operating and the objectives they are trying to achieve.

ISO 31000 defines risk management as ‘Coordinated activities to direct and control an organisation with regard to risk.’

As stated by the IRM, ‘organisations of all types face a variety of factors and influences that make it uncertain whether and when they will achieve their objectives. The effect of this uncertainty is termed risk. Effective risk management helps organisations to identify, understand and manage the risks, thereby maximising the likelihood of achieving their objectives.’ And this is the first and overriding purpose of risk management.

Risk management is a core management discipline. Like general management or project/change management, risk management is a discipline that supports all organisational activities. The risks that organisations face change all the time, so the art of good risk management is to combine planning for what we already know has happened and might occur, with preparation for unknown situations.

1.1.2.2 - Approaches to defining Enterprise Risk Management (ERM) – Part 2
To support all organisational activities, risk management has evolved to encompass the entire organisation and in doing so is commonly termed Enterprise Risk Management. James Lam (2003), chief risk officer at GE Capital, described ERM as ‘the integrated management of business risk, financial risk, operational risk and risk transfer to maximise a firm's shareholder value’. His meaning was that ERM makes a company more successful by creating a single view of all risks and managing those risks in a consistent way up, down and across the enterprise.
KPMG (2006) summarised the move away from traditional forms of risk management to an ERM approach as shown in Table 1.1.1 - Comparing traditional risk management with ERM.

Table 1.1.1 – Comparing traditional risk management with ERM

In contrast with the traditional approach, ERM recognises that risks in one part of the organisation can relate to risks occurring elsewhere, and these links and relationships need to be managed just as much as individual risks in isolation.

The COSO Enterprise Risk Management Framework (2017) defines enterprise risk management as ‘The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value’. This definition recognises that risk management processes, policies, procedures, and other supporting information are of no use on their own. It is the culture, capabilities and practices within an organisation that are integrated to ensure action is taken to change the risks that bring value.

Every organisation that wants to practise risk management should produce its own clear, shared definition of what it means by the terms ‘risk’ and ‘risk management’ / ‘enterprise risk management’. For examination purposes, it is vital to have in your mind one general definition each of risk and risk management, such as the ISO one.

1.1.2.3 - Approaches to defining Enterprise Risk Management (ERM) – Part 3
ERM considers risks against the need to meet an organisation’s objectives, from its strategic mission, vision, and core values, to enhanced value in achieving its objectives, which is illustrated in the strategic value chain in the COSO (2017) ERM Framework. ERM implies that risk management should be ‘embedded’ from the top of the organisation (entity level) downwards through the business.
For ERM to work effectively, it requires a high investment in risk management across the enterprise, a high level of risk maturity and a strong framework for risk assurance, because the board needs to know that the framework it has invested in works effectively and consistently across the enterprise.

ERM stresses the need to consider the interdependency between risks. By taking account of risk interrelationships and the interdependency of risks across the enterprise, ERM will enable organisations to assess the effect of their risks more accurately both individually and in total (this total assessment is sometimes called the ‘risk exposure’). More information on these important aspects of ERM is given in Unit 4.

Section 1.1.1 Reading + Activity Alert
Read the following, which cover definitions of risk and risk management, and then consider the concept of enterprise risk management:
- Hopkin and Thompson, first section and case studies of chapter 1, which consider the importance of risk management with some definitions of key terms
- Hopkin and Thompson, Chapter 2, which explains four different types of risk, where compliance, hazard and control risks are considered the downside of risk (threats) and opportunities the upside of risk
- Hopkin and Thompson, pages 45 and 46, which provide definitions of risk management
- Hopkin and Thompson, pages 83 – 86, which consider and define ERM
- Orange Book (2021) - Annex 5, which defines key terms
- ISO 31000 (2018), Section 3, which defines key terms

Then complete the associated Activities on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The following activities comprise three questions which require a short sentence or two in response.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

From your reading of this unit so far, how would you define the word “risk”?
Activity 1.1.1 Answer Revealed
From your reading of this unit so far, how would you define the word “risk”?

There are many definitions for the word risk. The majority of definitions include three concepts:
- A risk has to be something that is uncertain. It is common therefore to find words such as uncertain, potential, likelihood used in definitions.
- A risk can be both positive and negative. It is common therefore to find words such as opportunities and threats, pros and cons, positives and negatives being used.
- A risk needs to be something that, if it happens, will impact on what we are trying to achieve. This might be your team, your organisation or broader society.

Remember that you should always consider not just the impact of the world on you, but also your impact on the world (as it will likely cycle

1.1: Risk in the real world
EY (2019) published a paper on ‘Why risk-informed decision matters’, which included the results from a survey of over 1,200 business executives across multiple industries. From the survey, 90% of respondents expected risk management to be more directly involved in business decision making, while at the same time 70% of respondents evaluated their risk profile annually, which limited their ability to adjust their business strategy. The paper stated that the explicit integration of ERM into strategic and business planning and management routines would engage cross-functional leadership teams. It would also develop more resilient organisations, which recognise how the business environment was, and will continue, to evolve at a dramatic rate, and which establish more dynamic, risk-informed business decision making.

1.2 - Evolution of Enterprise Risk Management

1.2.1.1 Evolution of risk management – Part 1
Understanding of the history of risk management can be useful for several reasons: The scope of risk management has changed to such a degree in recent years that conventional views of risk have had to be altered.
Historically, risk management has focused on the mathematics of hazard-based or financial risks. It tended to focus on specific risks and neglected an enterprise-wide approach. You need to understand the history to explain where we are now in risk management and where this may lead in the future. You will see that our changing world has produced new risks that do not easily fit into historical frames of reference, and history tells us that new risks come, and old risks disappear – we can learn lessons on how people reacted to new, emerging risks. Risk management frameworks have developed only since 1995.

A historical timeline in risk management history might include the following:
- 1500: Religious belief, fate and superstition – evolutionary theory.
- 1500 – 1900: A decline of the above by educational enlightenment in risk.
- 1900 – 1970: Development of specialist risk professions.
- 1970 – 95: Risk management specialism moves towards generalism.
- 1995 – date: The maturing risk profession.
- 1995 – 2004: The introduction of risk management standards.
- 2004 – 2018: International frameworks and standards developed and updated, such as COSO ERM Frameworks and ISO 31000.
- 2010 - date: Prominence of climate change and ESG rises – CSR, sustainability and resilience become core risk management conversations.

This timeline has been developed graphically below, in Figure 1.2.1 - Evolution of risk management:

Figure 1.2.1 – Evolution of risk management

Click HERE to watch the video on Risk in Modern Society (5 mins) - https://www.youtube.com/watch?v=96_I4wEoTjM

1.2.2.1 Evolution of risk management – Part 2
Over the last few hundred years there has been another significant trend towards: More knowledge of causes and effects (as people experienced and better understood their environment – initially from the passing down of stories and then from first written records).
Turning mystery and superstition into unknown uncertainty and then into known uncertainty (the time of the Enlightenment), which moved on into people being able to measure risk for the first time through the development of statistics.

There is great value in looking at the past. Not only can it provide insight into the developmental dynamic of the field, but it also provides important guidance in understanding why the modern world appears as it does, particularly with some of the inherited superstitions and irrationalities.

‘A brief history of risk management’ (Kloman, 2010) gives a history of risk management from 1914 until 2008 and includes something on the development of risk specialisms, such as insurance, actuarial science, and health and safety. Though the material skims the surface of a very detailed subject, it serves a useful role in orienting you towards key events in the history of the field. See the further reading section at the end of unit 1.

Since 2008, the world has seen significant changes and shifts in emphasis for risk management. The focus on the financial aspects has moved towards the environment and society and the need to hold people and organisations to account for their actions. Where the amalgamation of governance, risk and compliance (GRC) was coming to the forefront, particularly in the financial services sector, the spotlight has been brightening on environment, social and governance (ESG) for most organisations and sectors around the world. This has led to increasing regulation, with laws in the UK such as the Modern Human Slavery Act (2015) and the introduction of mandatory requirements for over 1,300 of the largest UK-registered companies and financial institutions to disclose climate-related financial information, using guidelines from the Task Force on Climate-related Financial Disclosures (TCFD) from April 2022, and the wider requirements set against Environmental, Social and Governance (ESG) criteria.
There is more information on this in Unit 8.

Section 1.2.1: Reading + Activity Alert
Read the first section of Chapter 3 of Hopkin and Thompson, which looks at the origins of risk management. If you wish to pause now, you can return to this page after you've completed your reading.

The Activity is comprised of 2 individual questions which require a short sentence or two in response.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

As a modern risk manager, why is it useful to understand something of the history of risk management?

Activity 1.2.1 Answer Revealed
As a modern risk manager, why is it useful to understand something of the history of risk management?

The scope of risk management has changed to such a degree in recent years that conventional views of risk have had to be altered. Historically, risk management has focused on the mathematics of hazard-based risks or on financial risks. It tended to focus on specific risks. You need to understand the history of risk and risk management to explain where we are now and where things may go in the future. You will see that our changing world has produced new risks that do not easily fit into historical frames of reference. So in summary, the history helps to explain where we are today and might give us some guide of the directions to where risk management is going in the years to come.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

By talking to some of the longer serving members of your organisation, try to discover something of the history of risk management in your organisation.

Activity 1.2.2 Answer Revealed
By talking to some of the longer serving members of your organisation, try to discover something of the history of risk management in your organisation.

Your colleagues may be able to talk about some of the major crises or major periods of change that the business faced and how the organisation got through those changes intact. In addition, they may be able to talk about whether and how the risk management process has changed to reflect these changes, either from a need to comply with requirements or as a wish to be more risk aware and resilient as an organisation.

1.3 - Importance of Enterprise Risk Management for organisations
Section 1.3 enables you to determine the importance and value of risk management from several perspectives, including organisational strategy, governance, and resilience.

1.3.1.1 Importance of risk management for organisations
We noted in Section 1 that risk could be simply defined as an uncertainty that matters because it could affect the objectives we are trying to achieve. As such, the management of those risks that could have negative or positive effects on objectives is very important for any organisation.
Risk management can provide both ‘soft’ people benefits, such as improving working relationships, and ‘hard’ benefits, such as a higher return on investment. Further benefits are highlighted in Figure 1.3.1 – Purpose of risk management.

Figure 1.3.1 – Purpose of risk management

Click HERE to watch the video on ‘Why is risk management important’ – (Risk Doctor video) https://www.youtube.com/watch?v=o_X6Mg6Fz8c (9 mins)

We explore further reasons why risk management is important through three core lenses: organisational strategy, governance, and resilience. We will consider these three lenses in more detail in later units.

1.3.1.2 Organisational strategy
Risk management has become increasingly important over the last 15 years. As noted in Section 1, risk management considers the interdependency between risks across an enterprise, and by taking account of risk interrelationships and the interdependency of risks across the enterprise, it enables organisations to understand their risk exposure.

Chapman (2011: Chapter 1) provides a list of benefits in his book Simple Tools and Techniques for Enterprise Risk Management, which can be categorised into four areas: Strategy; Governance; Organisational performance; and People, illustrated in Table 1.3.1 - Benefits of risk management.

Table 1.3.1 – Benefits of Risk Management (Source: Chapman: 2011 - Ch 1)

The EY (2019) paper on “Why risk-informed decision-making matters” states that a risk-informed strategy should be a Board priority, with the C-suite expecting ERM (Enterprise Risk Management) to play an increasing role in setting and implementing an organisation’s strategy. The EY (2019) paper further highlights that, where there has been a disconnect between the ERM programme and strategic planning, ERM is not able to add value to an organisation as it is not informing business decision making, or ensuring limited resources are allocated to the principal risks.
1.3.2.1 Governance
The UK’s Corporate Governance Institute (CGI) defines governance as the system of rules, practices, and processes by which a company is directed and controlled. Corporate governance also refers to how companies are governed and why, identifying who has power and accountability within the organisation, and who makes decisions. In addition, corporate governance ensures that practices and procedures are in place to make sure an organisation achieves its objectives, and that stakeholders have assurance and confidence that their trust in its governance is well founded.

Despite this, the EY ‘Board priorities 2022’ report considers that boards should start to focus their attention more on the fast-evolving business environment, and at the same time keep an eye on emerging risks rather than limiting their and their audit committee’s focus to financial reporting. They suggest that a way to deliver effective leadership and achieve objectives, while addressing uncertainty, requires a governance, risk, and compliance (GRC) approach, where there should be an integrated approach to compliance, risk management, internal controls, and internal audit. In addition, EY recognise that boards often delegate ERM oversight to their audit committees and that their responsibility now also relates to other matters, such as ESG and other emerging risks, such as geopolitical tensions, market trends, skill shortages and supply chain disruption.

As such, ERM is more important than ever to inform decision-makers and to provide assurance that risks are being managed and that internal controls and the risk management process are operating effectively. More detail on corporate governance will be given in Unit 6.
1.3.3.1 Resilience
In recent years we have experienced a number of major risk events, such as the Covid 19 pandemic, the war in Ukraine, the migration by millions of people affected by civil wars, the impact on organisations (including charities) of improper behaviour by senior officials, political uncertainties such as the election of radical world leaders and the vote for the UK to leave the European Union (Brexit), and increasingly common and more severe natural events, such as floods and hurricanes. These events have been and are stretching the resilience of companies, industries, health sectors and countries, in many cases to breaking point. All these events impact on our role in the risk profession.

Risk management is about safeguarding organisations and making them more resilient in the face of disruptions of any size. While being ambitious, it is also important to protect the value of the organisation. Managing so-called ‘downside risk’ – events whose potential outcome is negative or undesirable – can help the organisation apply controls and achieve its objectives. At the same time, most of the exciting and worthwhile achievements humanity would like to make are complex and not without their potential pitfalls. Risk management can help organisations achieve what otherwise might be too risky or uncertain. Good risk management is about being able to take risk. Good risk management is about ‘reaching for the stars.’

Increasingly, organisations are required by law, regulation, or stakeholder expectations to build risk management competencies and provide reports that show that those competencies are effective. This focus has sharpened due to Covid 19 and the increased focus on, and effects of, climate change. The pressure for organisations to prove their anticipatory and resilience controls, and to show their sustainability, corporate social responsibility (CSR) and environment, social and governance (ESG) credentials, is increasing.
It is expected that these reports will be audited in ways similar to the way financial reports are audited today. More detail on resilience and sustainability will be given in Module 2, Units 8 and 9.

Section 1.3.1: Reading + Activity Alert
Read pages 22 and 23 of Hopkin and Thompson on why risk is important; pages 47 and 48, which consider specialist areas of risk management; pages 54 to 58, which explore benefits of implementing effective risk management; 86 to 87, where benefits of ERM are considered; and pages 246 to 251, where the value of ERM is studied further. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two in response.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

List five benefits of good risk management according to Hopkin.

Activity 1.3.1 Answer Revealed
List five benefits of good risk management.

Your solution can be found in Hopkin and Thompson, Chapters 1 and 3. You can also help yourself by remembering the definition of risk, which implies that good risk management will help achieve your organisation’s objectives. There are other benefits to good risk management that you can find from many other sources, or your own experiences.

1.4 - Different approaches to Enterprise Risk Management
Section 1.4 enables you to distinguish how different parties perceive the purpose and value of risk management, including specialists such as finance, health and safety and project risk management.

1.4.1.1 Consistency in approach and integration – Part 1
Hillson quotes a colleague who states that ‘risk management is risk management is risk management’ (Hillson, 2016:5).
That means that all risk management processes, regardless of the activity, discipline, organisation, industry, sector, or country in which they are implemented, are trying to answer the same question – considering the risks being faced, can the objectives be achieved?

This can be explained using a simple four-step process shown here in Figure 1.4.1 - Risk management: four easy steps. This four-step model was developed by risk management and sustainability consultants, Satarla, and pulls together the most important aspects from all of the main international standards. (SATARLA 2022 - reproduced with permission)

Figure 1.4.1 - Risk Management - four easy steps
1. Define context and objectives - Understand your internal and external context and how it is changing. Within this context and scope, articulate your objectives.
2. Assess the risks - Identify both the potential threats and opportunities (risks), understand them using the most appropriate techniques, and ask yourself: “so what? Do we need to do anything about these risks?”.
3. Manage the risks - Where possible take charge of the risks, or aspects of them, through implementing controls. Note – a control is an act, object or system that modifies a risk. If the activity does not actually change the risk, it is not a control.
4. Monitor, Review and Report - Tell people what you are doing and what they need to know (and perhaps do) regarding the status of the risks and how effectively they are being managed.

This enables us to ask and answer that key question: “Given the context in which we are working, and the risks (be they opportunities or threats) that are faced, and the extent to which they are managed (or manageable), is it possible to achieve the stated objectives?” If the answer is “yes” – the system is deemed to be in balance and nothing more needs to be changed.
If the answer is “no”, there are two options:

a) To apply more effort and resources to managing the risks (implement more controls); or, if that cannot be done or is not desired,
b) To change the objectives (if possible), because what is currently set is either too difficult or too easy to achieve for an optimised balance.

1.4.1.2 Consistency in approach and integration – Part 2

The simple risk management process is applicable at all levels of an organisation and can link risk management in all facets of an organisation. It can help answer the key question at board level all the way through to frontline operational activities. The process remains the same, but its application can be tailored to suit the situation in which that question is being asked. This can be seen in Figure 1.4.2, where Satarla’s simple four-step process is being used to different degrees at all levels of an organisation. (SATARLA 2022, reproduced with permission)

Figure 1.4.2 – Risk management at all levels

The simple process also links to any other risk management process being implemented, whether it is financial, project, health and safety, reputation, environmental, etc. It can pull in risk information that enables integrated risk management to be undertaken and risk-based decisions to be made across any enterprise, as can be seen in Figure 1.4.3, where Satarla’s four-step process is used as the core process. (SATARLA 2022, reproduced with permission)

Figure 1.4.3 – Integrated Enterprise Risk Management

The need for consistency in approach and integration of ERM (Enterprise Risk Management) with other organisational activities can be seen in the EY paper on “Why risk-informed decision-making matters”, as highlighted in Unit 1, Section 3. It is also one of the key principles of the International Standard on Risk Management, ISO 31000:2018, which is explored further in Unit 2.
Watch the video on the simple four-step risk management process, how it integrates with other organisational activities and how it can be used in the decision-making process (Satarla video – 14 mins): https://www.youtube.com/watch?v=UWzI_kFhQXg&list=PLKpDlFYMnr9KpLiJJ_BJuT0ucbxM9QEjc&index=3

1.4.1.3 Consistency in approach and integration – Part 3

Hillson, in The Risk Management Handbook, asks the question of what it is that risk professionals and risk practitioners do, and the conversation goes like this:

‘So, what do you do?’
‘I’m a risk practitioner.’
‘Oh, you’re in insurance.’
‘No, I’m not.’
‘Then I guess you must be a health and safety person, preventing slips and trips?’
‘Actually no, I’m not that either.’
‘So, what do you actually do?’
‘Well…’
(Hillson, 2016)

As has been seen in Sections 2 and 3 and previously in this Section, risk management has many different facets, and is carried out in many different parts of an organisation for many different reasons. The need for consistency in approach and integration of ERM with other organisational activities can be seen in the EY (2019) paper on “Why risk-informed decision-making matters”, as highlighted in Unit 1, Section 3. It is also one of the key principles of the International Standard on Risk Management, ISO 31000:2018, which is explored further in Unit 2.

When considering risk management in various parts of an organisation, some risk management activities will be more obvious than others, such as finance, health and safety and project management, which we will consider next.

Section 1.4.1 Reading

Read Section B of the Orange Book:2020. This describes how risk management should be an integral part of all organisational activities to support decision-making in achieving objectives. If you wish to pause now, you can return to this page after you have completed your reading.
1.4.2.1 Risk management ‘specialisms’ - finance

Financial activities and the financial sector are heavily regulated and have a key focus on managing risks that can have a financial impact on an organisation. These range from basic accounting and tax regulations for smaller organisations, to corporate governance and annual reporting, including the ability of larger organisations to operate as going concerns with statements on their longer-term viability. In addition, there are stringent laws and regulations that may affect an organisation further depending on its geography and industry. For example, in the US (United States) the Sarbanes-Oxley law mandates certain practices in financial record keeping and reporting for corporations. From a financial services perspective, regulations include the international Basel accord (banking sector) and the European Union Solvency II regulations (insurance sector). There is also a requirement for those in the banking sector to implement operational risk management, where the Basel Committee on Banking Supervision (2021) defines operational risk as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”, as can be seen in Basel’s revisions to the ‘Principles for the sound management of operational risk’.

1.4.2.2 Risk management ‘specialisms’ – health and safety

Health and safety is one of the most well-established areas of risk management. In the UK, the first health and safety legislation was enacted in the 1800s, with the Factories Act of 1833 being a pivotal moment in protecting the child workforce in textile mills. This then led to legislation in other industries, such as mining and agriculture, culminating with the Health and Safety at Work etc. Act in 1974.
This is an umbrella act, which has been expanded to cover many different activities, industries and hazards, such as construction, working at height, the reporting of injuries, diseases and dangerous occurrences regulations (RIDDOR), the control of asbestos and lead, and the control of substances hazardous to health regulations (COSHH). Health and safety regulations can be found globally, with each country regulating work-based health and safety to a more or less stringent degree than the UK, such as the Occupational Safety and Health Act (1970) in the US, the Labour Code in France, the Industrial Safety and Health Law (1972) in Japan, and so on, as can be found in the HSE’s ‘International comparison of health and safety responsibilities of company directors’.

1.4.2.3 Risk management ‘specialisms’ – project risk management

Projects have been carried out throughout history, from the construction of the Great Pyramid of Giza in 2570 BC to the millions of projects going on today in every country, sector and industry. Formal project management is considered to have gained prominence in the mid-1950s, with professional project associations being created soon after: for example, the International Project Management Association (IPMA) was founded in 1965, the Project Management Institute (PMI) in the US in 1969, and the Association for Project Management (APM) in the UK in 1972. Projects are defined by the APM as “unique, transient endeavours, undertaken to achieve planned objectives, which could be defined in terms of outputs, outcomes, or benefits. A project is usually deemed to be a success if it achieves the objectives according to their acceptance criteria, within an agreed timescale and budget.”
Some common themes of projects are that they:

- Have elements of uniqueness
- Are temporary – they have a beginning and an end
- Are focussed – on a deliverable that brings change
- Have elements of complexity
- Are reliant on third parties
- Are based on assumptions

All these themes bring a great deal of uncertainty, and therefore risk, to projects. Recognition of project risk management as a discipline began in the late 1970s, with formal guidance being developed by the recognised project associations, such as the APM with their Project Risk Analysis and Management (PRAM) Guide and the PMI with their standard for risk management.

1.4.3.4 Risk management ‘specialisms’

Although three specialist areas have been considered in this unit, risk management activities are undertaken in all areas of an organisation, some with more and some with less structure to the risk management approach used. Further information on finance, health and safety and project risk management is included in Unit 10.

The integration of these risk management activities can be illustrated by referring again to Figures 1.4.1 and 1.4.2. When undertaking any activity, taking account of the context and objectives, the risks being faced and our ability to manage them, the question should be asked whether the objectives can be achieved. If not, then this should be reported to the management level above to request support for additional resource to manage the risks further, or for changes to the objectives to be made. This request can be escalated to the appropriate level of management and, once a decision has been made, the actions can be cascaded back down to the relevant activity. As such, ERM can integrate with the different organisational activities, regardless of their risk management requirements. ERM provides the consistent approach that allows risk to be managed and reported on across an organisation with a common risk language.
This allows managers and senior leaders to understand the profile of risks being faced across the organisation and supports decisions being made in the management of those risks in order to achieve objectives.

Section 1.4.2 Reading + Activity Alert

Read pages 88 to 92 of Hopkin and Thompson, where integrating strategy and performance is explored, along with the further integration of ERM with other organisational activities, and pages 252 to 253, where ERM is considered as becoming more strategic. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you've completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two in response.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

How is risk management integrated with other activities within your organisation?

Activity 4.1 Answer Revealed

How is risk management integrated with other activities within your organisation?

Risk management is often considered as a ‘bolt-on’ activity, which is not aligned to or integrated with other processes or management activities carried out in organisations. Enterprise risk management means that the process is applicable across an organisation and has a relationship with other operational activities. It does not mean that ERM supersedes processes, such as Health and Safety or Financial risk management, which have regulatory or even legal requirements. It means that ERM can be used as a vehicle to take different risk information, collected in different ways, and deliver it to managers at different levels in a consistent manner that helps them make effective decisions. Where risk management information is treated in silos it can lead to inconsistencies, gaps and overlaps, which can make effective decision-making difficult.
1.5 - Enterprise Risk Management standards and frameworks

1.5.1.1 General risk management and standards – Part 1

This section considers the main features of key general risk management standards and frameworks, including the most generally accepted ISO 31000 standard (ISO, 2018), as well as considering the importance of a range of risk-related guidance. It then looks briefly at some specialist risk management standards.

All risk management standards and frameworks are relatively recent; indeed, the first ever risk management standard, AS/NZS 4360, was only released in 1995 (Standards New Zealand, 2013). If anything, that fact demonstrates the relatively youthful state of our profession and why even now risk managers debate fundamental issues such as the definition of risk.

Your organisation may use the characteristics of one of these standards or frameworks to implement a risk management process to manage its risks; it may combine them and use elements from each; or it may even have its own bespoke standard. As your career in risk management develops you will need to know well at least one such risk management standard or framework and how to apply it in your organisation.

1.5.1.2 General risk management and standards – Part 2

As noted in earlier Sections in this unit, risk management has developed over time and across many regions of the world and many industry sectors, as well as within discrete professions, to meet diverse needs. Risk management standards, within a clear framework, can support a more consistent risk management process, and this can help to ensure that risk is managed effectively, efficiently and coherently across an organisation. In chapter 4 of Hopkin and Thompson we consider some general risk management standards:

- ISO 31000:2018, Risk Management – Guidelines
- COSO:2004, Enterprise Risk Management - Integrated Framework
- COSO:2017, Enterprise Risk Management – Integrating with Strategy and Performance.
1.5.1.3 ISO 31000 (2018)

ISO 31000 (2018), Risk Management - Guidelines, is the international standard on risk management, which considers:

- what good risk management looks like – the Principles
- what is needed to implement effective risk management – the Framework
- what the steps are in risk management – the Process.

The ISO 31000 standard, first produced in 2009 and revised in 2018, is probably the most straightforward and certainly the most internationally accepted risk management standard. For this reason, you should feel comfortable about its content and purpose and especially be aware of its process. ISO 31000 states that managing risk is based on the principles, framework and process described in the guidelines. These three key components are illustrated in Figure 3 of IRM (Institute of Risk Management): A Risk Practitioner’s Guide to ISO 31000:2018. These three components are covered in more detail in Units 2, 3 and 4.

It should be noted that ISO 31000 cannot be used for certification purposes (unlike, for example, the quality standard ISO 9001). However, it does provide guidance for organisations and internal and external audit programmes, as it can be used to compare risk management practice with an internationally recognised benchmark, looking at principles for effective management and assurance / corporate governance.

In order to provide an explanation for the content of the risk management framework, the acronym RASP, or ‘Risk Architecture, risk Strategy and risk Protocols’, has been developed. RASP is a supportive structure for the risk management process – it is what helps to determine how the process works. RASP is in fact an introduction to a substantial area of study which you will undertake in Unit 2.

Section 5.1.1: Reading + Activity Alert

Read the first part of chapter 4 in Hopkin, ‘Risk management standards’, which introduces the ISO 31000 risk management process.
Look briefly as well at the short sections on ‘Risk management process’ and ‘Context’. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you've completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two in response.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

In the light of your reading, write a one-sentence definition of each of these key terms:
a) Risk management standard
b) Risk management framework
c) Risk management process

Activity 1.5.1 Answer Revealed

In the light of your reading, write a one-sentence definition of each of these key terms:
a) Risk management standard
b) Risk management framework
c) Risk management process

Your definitions should be along the following lines (however, it is acknowledged that every organisation will likely have its own nomenclature regarding the hierarchy of these sorts of documents):

a) Risk standard – A published guide for managing risk, usually comprising a risk framework and (especially) a risk process.
b) Risk framework – Also known as the risk management context. This comprises the risk strategy, risk architecture and risk protocols and forms the risk context which helps to drive the risk process.
c) Risk process – The stages in the process of managing risk, which is driven mainly by how you set up the framework (but also affected by the internal and external environment).

1.5.1.4 COSO (2004)

The COSO (2004) Enterprise Risk Management - Integrated Framework (known as the COSO ERM Cube) was developed in the US (United States) by COSO (the Committee of Sponsoring Organizations of the Treadway Commission).
The concept of “enterprise risk management” (ERM), which was first developed around 2000, received a real boost in world-wide popularity during the autumn of 2004, when COSO launched the first ERM Framework. In line with COSO’s first standard on Internal Control, it was written to combat fraudulent financial reporting: not only to control fraud and regulatory risks, but also to identify and assess the risks that needed controls. Its need was brought into focus by the Enron and similar corporate scandals.

The COSO ERM framework is displayed as a cube, as in Hopkin and Thompson Figure 4.3 and Figure 3 of IRM: A Risk Practitioner’s Guide to COSO ERM Frameworks, where:

- The front face is the risk management process, consisting of eight items.
- The top face of the cube describes the four categories of organisational objectives.
- Finally, the side face of the cube shows the implementation process of the standard. It indicates that ERM begins at entity level and is then cascaded downwards and across the organisation.

In that sense, the fully implemented version of ERM must be embedded in all roles, operations and activities of the enterprise. In 2017 the COSO ERM framework was updated. Despite this, the COSO ERM cube remains important and influential because it provides a framework against which risk management and internal control systems can be assessed and improved, and as such it is still an appropriate framework for risk management.

Section 1.5.2 Reading

Read the part of Hopkin chapter 4 covering the ‘COSO ERM Framework’ and pages 8-11 of the IRM’s ‘From the Cube to the rainbow double helix’ review. If you wish to pause now, you can return to this page after you've completed your reading.

1.5.1.5 COSO (2017)

The COSO (2017) Enterprise Risk Management – Integrating with Strategy and Performance (known as the COSO ERM rainbow double helix) is an update to the COSO ERM Cube, to reflect the changing complexity of risks and the evolving business environment.
In particular, the new ERM framework emphasises that organisations that integrate enterprise risk management throughout the entity can realise many more benefits. However, the update was needed to provide greater insight into the links between strategy, risk and performance, and to highlight the interconnectedness of risks and the effect that risk culture has on the effective implementation of risk management.

The COSO (2017) ERM Framework recognises that ERM is not just about managing risks to objectives, but also about understanding the implications of the strategy and the possibility that the strategy does not align. As such, the core of the framework considers enhancing performance in line with an organisation’s mission, vision and core values. Embedded in this strategic planning are five interrelated components supported by 20 (twenty) principles. There is a reasonable expectation that adherence to these manageable principles will ensure organisations understand and strive to manage risks related to their strategy and business objectives. These five key components and 20 principles are illustrated in Figure 4 of IRM: A Risk Practitioner’s Guide to COSO ERM Frameworks. Further information on the COSO (2017) ERM framework can be found in the COSO ERM Integrating with Strategy and Performance Executive Summary.

Section 1.5.3 Reading + Activity Alert

Read the part of Hopkin chapter 4 covering the ‘COSO ERM double helix’ and pages 12-13 and Appendix B of the IRM’s ‘From the Cube to the rainbow double helix’ review. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The following activity comprises one question which requires a short sentence or two in response.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.
Explain why the COSO ERM framework puts so much emphasis on embedding risk management from the top of the organisation.

Activity 1.5.3 Answer Revealed

Explain why the COSO ERM framework puts so much emphasis on embedding risk management from the top of the organisation.

This goes to the heart of ERM, in that risk management starts at the top of the organisation with the management of entity-wide risks, and then the same methodology spreads from there down and across the enterprise. These entity-wide risks might well be the strategic types of risk that, if they occur, will impact upon the whole of the organisation. Look back to the COSO (2017) reading and you will see how important this is.

1.5.2.1 Alternative approaches

We have mentioned three core standards / frameworks for risk management and conclude this section with a review of some other approaches. In recent years there has been a trend to complement generic risk management standards of the sort we have reviewed in this reading with industry-specific ones. Hopkin refers to one specialist standard called COBIT, which provides guidance regarding information technology risk management, on page 48. In fact, there are standards for many of the specialist functions, some of which we mentioned in Section 4 of this unit, for example:

- Banking – Basel III
- Insurance – Solvency II
- Health and safety – ISO 45000 family – Occupational health and safety
- Legal – ISO 31022 – Risk Management: Guidelines for the management of legal risk
- Business Continuity – ISO 22301 – Business Continuity
- Projects – Association for Project Management – PRAM (Project Risk Analysis and Management) Guide.

We will consider these further in Unit 10 – ‘Different approaches to risk management’.

Hopkin notes that there are three distinct approaches followed in standards:

- the ‘risk management’ approach, followed by ISO 31000
- the ‘internal control’ approach, developed by the COSO Internal Control Framework and by the FRC risk guidance
- the ‘risk-aware culture’ approach, developed by the Canadian Institute of Chartered Accountants, known as the CoCo framework.

We will consider the ‘internal control’ and ‘risk-aware culture’ approaches further in Unit 6 – ‘Corporate governance and assurance’. The formal requirement to provide assurance is part of corporate governance, which usually applies to organisations that are publicly listed on a stock exchange.

Another sector-specific standard exists for the UK charity sector, and we include a reference to it as a further reading item at the end of the unit, if you are interested in finding out more. Hopkin also mentions the UK Charity Commission, on pages 421 and 422, highlighting the requirement to report on risk management within this ‘third’ sector.

Finally, we will also introduce a framework that aims to embed risk management in the public sector. This demonstrates that risk management is applicable to any activity in any organisation and to any sector (private, public or the third sector) within which an organisation operates.

1.5.2.2 Orange Book: 2020

The Orange Book 2020 was designed for government / the public sector. However, the concepts and principles provide a valuable insight into risk management in general. The Orange Book looks at the main principles to adopt rather than detailed processes and procedures. It is the "what" and the "why" but not the "how". This provides a conceptual framework alternative that could be adopted by other industries. Look at the risk framework on page 6 of the Orange Book and compare this with those that are included in Hopkin (see Hopkin Chapter 4).

The rest of the Orange Book explores 5 main principles of Risk Management:

1. Governance and Leadership
2. Integration
3. Collaboration and Best Information
4. Risk Management Processes
5. Continual Improvement.

Section 1.5.4 Reading + Activity Alert

Read the Orange Book 2020, Introductory Section, pages 1 to 4.
The Orange Book sets out the main and supporting principles for risk management, primarily in government. It considers the effectiveness of Risk Management, makes a link to Corporate Governance Codes and introduces the Comply or Explain principle. These principles will be discussed in Unit 2. You should also read pages 5 to 6 of The Orange Book 2020, which summarise The Orange Book’s risk management framework and give a process diagram. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The following activities comprise two questions, each of which requires a short sentence or two in response.

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

From your work on this unit, do you think opportunity (as opposed to threat only) is adequately addressed by the risk management processes outlined in this unit?

Activity 1.5.4 Answer Revealed

From your work on this unit, do you think opportunity (as opposed to threat only) is adequately addressed by the risk management processes outlined in this unit?

From the range of processes that we have looked at, we can see from the underlying definitions of risk that most are meant for dealing with both opportunities and risks. But perhaps they could be criticised in that the process for managing opportunities does not appear to be distinguished in any way from managing downside risk. Perhaps you could answer this question by considering your own organisation: does your organisation manage opportunities in the same way that it manages downside risk? If the answer to the question is yes, why make the distinction between opportunities and risk in the first place?

In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.
Which of the standards and models that we introduced in this unit best fits the way your organisation manages its risks?

Activity 1.5.5 Answer Revealed

Which of the standards and models that we introduced in this unit best fits the way your organisation manages its risks?

This activity should help you to compare and contrast your process of risk management with the established standards to find out which of them it most closely mirrors. Look at the terminology that people use to see which standard you most closely resemble. We will look at each of the stages of the process in much more detail in Unit 2.

ERMM1 Unit 2 Back Up Book for Printing
Site: The Institute of Risk Management
Printed by: jotham muchina
Course: Principles of Risk and Risk Management ERM - Module One
Date: Saturday, 18 May 2024, 10:36 AM
Book: ERMM1 Unit 2 Back Up Book for Printing

Table of contents
2.1 - Principles and attributes of risk management
2.2 - Strategic Planning for Enterprise Risk Management (RASP) – Risk Architecture
2.3 - RASP - Strategy
2.4 - RASP - Protocols
2.5 - Risk management processes

2.1 - Principles and attributes of risk management

Section 2.1 considers what Enterprise Risk Management (ERM) is and enables you to distinguish between risk and risk management using a range of different recognised approaches.

Learning Outcomes

After studying this unit, you should be able to determine the most appropriate risk management principles, framework and process for an organisation.
You should make sure you have access to the following resources before starting this unit:

- Hopkin and Thompson (2021), Fundamentals of Risk Management, chapters 3, 4, 5, 7, 23, 24, 26 and 27
- IRM (2011) Risk Appetite and Tolerance - Executive Summary - https://www.theirm.org/media/8633/irm-risk-appetite-exec-summary-web.pdf
- IRM (2018) - Standard deviations - A risk practitioner’s guide to ISO 31000: 2018 - https://www.theirm.org/media/6907/irm-report-iso-31000-2018-v2.pdf
- IRM (2018) - From the cube to the rainbow double helix: a risk practitioner’s guide to the COSO ERM Frameworks - https://www.theirm.org/media/6885/irm-report-review-of-the-coso-erm-frameworks-v2.pdf
- ISO 31000:2018 Risk Management Guidelines - PRETESH BISWAS - https://preteshbiswas.com/2022/06/27/iso-310002018-risk-management-guidelines/#:~:text=According%20to%20ISO%2031000%202018%2C%20you%20can%20reduce%20your%20uncertainty,probability%20with%20its%20pot
- UK HM Government - The Orange Book 2020 – AFERM Resource Library

How you choose to approach and organise your reading time is an individual choice. We will prompt you throughout this Unit Guide with specific readings associated with the Guide and the activities. This unit should take you approximately 30 hours, including the readings and the activities.

Introduction

You may wish to approach the unit by reading in advance, or by using the Essential Reading alert prompts to pause, read and attempt activities before continuing. In this unit you will formulate an appropriate risk management strategy for an organisation, considering risk principles, frameworks and processes. The principles of risk management focus on the premise that it delivers value to the organisation by applying practices designed to achieve the best possible outcome, therefore reducing volatility or uncertainty.
In this unit you will also learn about strategic planning for the implementation of effective risk management, including the framework (RASP) that provides organisations with a structure to work within. You will investigate or formulate a risk management framework for an organisation of your choice. This will comprise the Risk Architecture, including roles and responsibilities; the Risk Strategy, including the risk management policy; and the Risk Protocols, including the risk management information system (RMIS). You will assess the principles of risk management from a variety of perspectives, and finally you will learn about different risk management processes and their similarities.

Unit 2 is divided into five parts; at the end of each section you will be able to:

Section 2.1 - Evaluate the effectiveness of risk management based on the established principles as defined by international standards.
Section 2.2 - Establish an appropriate risk management architecture for an organisation's operational model and governance structure.
Section 2.3 - Establish an appropriate risk management strategy for an organisation.
Section 2.4 - Recommend appropriate protocols for successful organisational risk management, clearly justifying how each contributes to its success.
Section 2.5 - Establish an appropriate risk management process for an organisation.

During this Unit Guide and within the lessons of the online course, you will be prompted with readings and activities. You should complete Unit 2 of the online course entirely before moving on to Unit 3. When/if you leave this Unit Guide to read or do an activity, you will be prompted to view the last unseen page when you return.

2.1.1.1 - Principles from international standards

We established in Unit 1 that risk management is important to all organisations and has many benefits.
In order to provide these benefits, the majority of recognised standards include a section on principles (for example ISO 31000, COSO and the Orange Book). ISO 31000 establishes eight principles around the central purpose of risk management, which is the creation and protection of value. COSO incorporates 20 principles, and the Orange Book has five. The principles of risk management focus on the premise that it delivers value to the organisation by applying practices designed to achieve the best possible outcome, reducing volatility or uncertainty (Hopkin and Thompson, page 52). Hopkin and Thompson also combine the eight ISO 31000 principles into five attributes of effective risk management, with a description of what each attribute should deliver.

2.1.1.2 - ISO 31000 Principles

ISO 31000 sets out eight principles under the heading 'Principles - Value Creation and Protection'. The Standard emphasises the integrated and structured nature of the recommended approach to risk management and also recognises the importance of human and cultural factors. ISO 31000 defines the purpose of risk management as 'the creation and protection of value'. It goes on to set out the eight principles, which Hopkin and Thompson summarise as:

1. Framework and processes should be customised and proportionate.
2. Appropriate and timely involvement of stakeholders is necessary.
3. A structured and comprehensive approach is required.
4. Risk management is an integral part of all organisational activities.
5. Risk management anticipates, detects, acknowledges and responds to changes.
6. Risk management explicitly considers any limitations of available information.
7. Human and cultural factors influence all aspects of risk management.
8. Risk management is continually improved through learning and experience.
Section 2.1.1 Reading

Read Section 5 of IRM (2018), A Risk Practitioner's Guide to ISO 31000; page 63 of Hopkin and Thompson; and the section 'ISO 31000 Principles of Risk Management' of the Pretesh Biswas ISO 31000 Guidelines article. These sources describe the principles set out in the international risk management standard ISO 31000. If you wish to pause now, you can return to this page after you've completed your reading.

2.1.1.3 - COSO (2017) Principles

As noted in Unit 1, the COSO (2017) ERM Framework comprises five components incorporating 20 principles, which describe practices that allow enterprise risk management to be implemented in different ways for different organisations regardless of size, type or sector. The components and principles of the COSO (2017) ERM Framework are:

Governance and culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals

Strategy and objective-setting
6. Analyses Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives

Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View

Review and revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management

Information, communication and reporting
18. Leverages Information Systems
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance

Section 2.1.2 Reading + Activity Alert

Read the IRM paper From the cube to the rainbow double helix, Section 6 and Appendix 4. These provide further information on the five components of the rainbow double helix and the corresponding principles of ERM. Then complete the associated Activity on the next page.
If you wish to pause now, you can return to this page after you've completed your reading. The Activity consists of one question which requires a short sentence or two in response. When you have submitted your answer, you can check it against ours.

Activity 2.1: Which of the principles of the COSO rainbow double helix are clearly part of the simple risk management process? (From Unit 1: Figure 1.4.1 - Risk Management - four easy steps; SATARLA 2022, reproduced with permission)

Activity 2.1 Answer Revealed

There are five components of the COSO ERM Framework and 20 principles. Of those, some principles clearly relate to the four simple process steps for risk management:

1. Define context and objectives = 6) Analyses Business Context + 8) Evaluates Alternative Strategies + 9) Formulates Business Objectives.
2. Assess risks = 10) Identifies Risk + 11) Assesses Severity of Risk + 12) Prioritises Risks.
3. Manage risks = 13) Implements Risk Responses.
4. Monitor, review, report = 15) Assesses Substantial Change + 16) Reviews Risk and Performance + 19) Communicates Risk Information + 20) Reports on Risk, Culture, and Performance.

The other principles are equally important in the implementation of effective enterprise risk management, but it is clear that the process needs to be embedded to achieve successful integration of ERM with strategy and performance.

2.1.1.4 - Orange Book: 2020 Principles

As noted in Unit 1, the Orange Book sets out the main principles relating to the effective implementation of risk management in all UK government departments and arm's length public bodies.
The main principles should help each government organisation determine how it is to operate in accordance with the UK Corporate Governance Code. There are five main principles that are designed to provide the 'what' and the 'why', but not the 'how', for the design, operation and maintenance of an effective risk management framework:

A) Governance and Leadership
B) Integration
C) Collaboration and Best Information
D) Risk Management Processes
E) Continual Improvement

Section 2.1.3 Reading Alert

Read page 6 of the Orange Book: 2020. This provides an overview of the five principles for effective risk management. These principles are explored further in Sections A to E of the Orange Book. You can read these sections now, but we will be coming back to them later in your learning. If you wish to pause now, you can return to this page after you've completed your reading.

2.1.2.1 - Attributes of effective risk management

The principles of risk management can be combined into five attributes of effective enterprise risk management. These attributes are captured in the acronym PACED:

Proportionate - a structured process is customised and tailored to suit the organisation and the activity being undertaken: 'one size does not fit all'. At the same time there is consistency in the overall process and the language used, so that there is a common understanding of the risk management process, the risks, and the controls and actions to manage them.

Aligned - the process is integrated with other organisational activities, so that business can continue as usual with ERM as a touchpoint into those activities and an escalation and cascade mechanism to allow effective management of risks and risk reporting.

Comprehensive - the process encourages consistency in the risk management process, and consideration of risks and controls across the organisation and outside of it.
This allows effective oversight and understanding of the overall risk profile, and improves the understanding of existing, new and emerging risks from both the internal and external context of the organisation, so considering what is going on in the world around it.

Embedded - the ERM framework and process encourages a change in risk attitudes, behaviour and culture, to help progress risk management maturity and awareness of its value to the organisation.

Dynamic - the process does not finish with the completion of the risk register. Although it is important to collate the risk information, this on its own is only 'risk register writing'; it is not risk management. The energy needs to keep flowing through the process, and effort needs to be invested in keeping the process alive for the organisation so that it can continue to support decision making and add value.

Section 2.1.4 Reading + Activity Alert

Read pages 52 to 54 of Hopkin and Thompson on the principles and aims of risk management. Pay particular attention to the acronyms PACED and MADE2, as these will be recurring themes throughout Module 1. On page 57, Hopkin and Thompson use a car's brakes, clutch and accelerator as an analogy to explain the benefits of the three levels or types of risk (operational, tactical and strategic). Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you've completed your reading. The Activity consists of one question which requires a short sentence or two in response. When you have submitted your answer, you can check it against ours.

Activity 2.1.4: List and explain the five objectives of good risk management.

Activity 2.1.4 Answer Revealed

Your solution can be found in Hopkin and Thompson, pages 53 and 54.
The MADE2 acronym is set out in Hopkin and Thompson's Table 3.4, Risk management objectives. You can also help yourself by remembering the definition of risk, which implies that good risk management will help achieve your organisation's objectives.

2.2 Strategic Planning for Enterprise Risk Management (RASP) - Risk Architecture

Section 2.2 enables you to determine the key roles, responsibilities and structure for risk management appropriate to an organisation's operational model and governance structure.

2.2.1.1 Organisational / governance structure - Part 1

We noted in Unit 1 that a risk management framework is often referred to in terms of the Risk Architecture, Risk Strategy and Risk Protocols, which gives us the acronym RASP, as highlighted in Hopkin and Thompson's Figure 23.1. Risk architecture is described in Hopkin and Thompson as the risk management organisation and arrangements of the organisation. As such, we could consider risk architecture to be the structure of the risk management process, aligned to the structure of the organisation. Figure 23.1 also lists the components of Risk Architecture:

- Committee structure and terms of reference.
- Roles and responsibilities.
- Internal reporting requirements.
- External reporting controls.
- Risk management assurance arrangements.
- Budget and agreement on resources.

2.2.1.2 Organisational / governance structure - Part 2

Organisations largely structure their risk management activities according to the prevailing management style and structure within the wider organisation. This structure is based on the important relationships and the delegation of tasks in an organisation in the context of conflicting interests between the parties, which is founded in 'Agency Theory'. The Corporate Finance Institute defines Agency Theory as “the concept used to explain the important relationships between principals and their relative agent.
In the most basic sense, the principal is someone who heavily relies on an agent to execute specific financial decisions and transactions that can result in fluctuating outcomes”. In businesses, these relationships will be between the likes of the shareholders, members or trustees and the executives; the board of directors and the CEO; and so on. Some CEOs prefer a centralised approach to their corporate structure, with strategy and operations directed by a head office or other central team. The obvious alternative is the decentralised approach, where management responsibility is delegated to unit or divisional managers with little direction from the centre. Many organisations adopt a hybrid approach to the general operating structure, where discretion in the design and operation of the subsidiary entities is allowed in certain areas but in others (such as brand management, health and safety, and banking arrangements) the corporate approach must be adopted. It is important to understand the organisational structure so that the ERM process can align with the roles, responsibilities and reporting requirements of the organisation. Although we cover some of the roles and responsibilities in this section, we focus on the responsibilities of the board, internal audit and the chief risk officer in Unit 6, regarding corporate governance and assurance. No matter what the structure of the organisation, risk management still needs to take place. The structure of the risk management team and activities may differ depending on whether the organisation itself is centralised, decentralised or hybrid.

Section 2.2.1: Reading + Activity Alert

Read the first part of Chapter 23 of Hopkin and Thompson. Pay particular attention to page 263, which describes the Risk Architecture. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.
The Activity consists of one question which requires a short sentence or two in response. When you have submitted your answer, you can check it against ours.

Activity 2.2.1: Ensure you are clear on the type of organisation for which you are working: centralised, decentralised or hybrid? Examine the reporting lines and consider how risk management fits into the organisational structure and activities.

Activity 2.2.1 Answer Revealed

You can examine the structural emphasis of your organisation (or one you are familiar with) by looking at the nature of the head office. Is it comparatively large with numerous functional divisions, as is common with a centralised management approach, or small, with only oversight and direction held at the centre, as is the case with decentralised organisations? Sometimes certain functions, such as HR activities, are delegated to operating subsidiaries while financial management is retained at the centre. This would indicate a hybrid organisation.

Section 2.2 Risk in the real world

In the Balfour Beatty plc annual report (Balfour Beatty, 2021), the international construction and engineering company notes that:

“The Board accepts overall responsibility for risk management and has established procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its longer-term strategic objectives. Members of the ERSG [Executive Risk Steering Group] act as executive sponsors for risk management and provide valuable input to Group risk themes based on profiles within their respective businesses and functions.
Risk management across all operations is critical to informing the Group’s risk profile.”

This is a good example of a hybrid approach to structuring risk management in a diverse and internationally spread business, as can be seen in Balfour Beatty's Annual Report 2021, page 102.

Prudential plc, the UK life, pensions and investment firm, notes in its Annual Report 2021:

“The Group Governance Manual (GGM) sets out the general principles by which we conduct our business and ourselves and defines our Group-wide approach to Governance, Risk Management and Internal Control. The Board is responsible for ensuring that an appropriate and effective system of risk management and internal control is in place across the Group. A key component of the GGM is the Group Risk Framework, which requires all businesses to establish processes for 1. identifying, 2. measuring and assessing, 3. managing and controlling, and 4. monitoring and reporting the risks facing the business. The Board determines the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The Board has delegated authority to the Risk Committee to assist it in providing leadership, direction and oversight of the Group’s overall risk appetite, risk tolerance and strategy; overseeing and advising on the current and potential future risk exposures of the Group; reviewing and approving the Group’s risk management framework, including changes to risk limits within the overall Board approved risk appetite and monitoring the effectiveness of the risk management framework and adherence to the various risk policies.”

Clearly Prudential has a strong central risk management function, but with accountability for managing risks and for upward reporting placed at unit level, as can be seen in the Prudential Annual Report 2021, page 167.

2.2.2.1 Roles and responsibilities - Part 1

There are many different roles and responsibilities relating to risk management within an organisation.
To ensure that risk management becomes effectively embedded, those roles and responsibilities should be considered carefully. Simply bringing more risk management people into an organisation does not mean the process is embedded. It could, in fact, have the opposite effect of disempowering people or providing them with an excuse not to implement risk management: 'I don't need to bother because there is a risk manager or risk champion who does that job.' The roles and responsibilities of key staff, and indeed of all individual employees, are a key feature of risk architecture. Chapter 24 of Hopkin and Thompson considers some key risk management roles and their responsibilities, and Figures 24.1 and 24.2 illustrate how assignments of risk responsibilities are woven into the risk architecture. Risk responsibilities will also be allocated to subject matter experts in the organisation who manage particular aspects of risk. Depending on the nature of the activity within the organisation, these roles may include some of the following:

- Head of legal.
- Business continuity manager.
- Head of internal audit.
- Head of clinical safety.
- Compliance officer.
- Money laundering reporting officer.
- Head of credit risk.
- Head of security.
- Corporate insurance manager.
- Head of human resources.

Each jobholder will have a job specification (or terms of reference) describing the role. The activities of these specialists form part of the risk architecture of the organisation. You should consider the roles that exist in your own organisation that contribute to the overall risk management process. For projects, roles and responsibilities are commonly depicted in a RACI chart. This is a simple responsibility assignment matrix which lists the relevant stakeholders and their level of involvement in the project, denoted by the letters RACI: Responsible, Accountable, Consulted, Informed.
Section 2.2.2: Reading + Activity Alert

Read Chapter 24 of Hopkin and Thompson, which considers some key risk management roles and responsibilities. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading. The Activity consists of one question which requires a short sentence or two in response. When you have submitted your answer, you can check it against ours.

Activity 2.2.2: What risk management roles and responsibilities exist within your organisation?

Activity 2.2.2 Answer Revealed

Each organisation will have its own risk architecture, and therefore its own set of roles and responsibilities. It is useful to understand those roles and responsibilities, as they will support the effective management of risks within your organisation. If possible, try to ascertain whether risk management responsibilities and appropriate tasks are a formal component of key individuals' role descriptions.

2.2.3.1 Planning for risk management

When planning to implement ERM for the first time, bear in mind the following:

Firstly, organisations will often employ a risk manager or a risk management function to oversee the implementation and running of the ERM framework. In some business sectors, such as banking and finance, and in some countries, the employment of a Chief Risk Officer is becoming a regulatory requirement.

Secondly, the PACED principles of risk management are essential factors to consider as part of the implementation of the ERM framework in order to achieve the maximum benefits.

Thirdly, an organisation can assess the benefits of a fully implemented and effective ERM framework by way of the FIRM risk scorecard (financial, infrastructure, reputational and marketplace benefits).
You could also assess ERM benefits by using the MADE2 model. In many ways, ERM implementation in an organisation is not really a type of risk management; it is more a measure of the maturity of risk management within the organisation. All things being equal, if you have ERM you are more mature in risk management than if you do not. Hopkin and Thompson suggest a process for implementing successful risk management using a four-step structure: planning, implementing, measuring and learning, or PIML. This approach is similar to the plan-do-check-act cycle used in developing many management standards. As such, you will recognise the PIML approach in other IRM Thought Leadership papers, such as 'A Risk Practitioner's Guide to ISO 31000: 2018' (Section 2) and 'From the cube to the rainbow double helix: a risk practitioner's guide to the COSO ERM Frameworks' (Section 2).

2.2.3.2 Implementation timescales for ERM

The implementation of a fully functioning ERM programme is a major undertaking that will involve the whole enterprise. The time required to implement a full ERM programme successfully depends on a number of factors, which include:

- The start position: what is already in place that the enterprise can build on?
- The commitment from the top: the greater the commitment and involvement of the C-suite, the more quickly the programme will be implemented and embedded.
- The size and complexity of the enterprise.
- The extent to which the enterprise is a global actor.
- The resources available to support implementation.

What is certain is that it will not be a short-term venture. Shortreed suggests that in a large financial services organisation, successful implementation can take 3-5 years (Shortreed, J. 2010. ERM Frameworks. In Fraser, J. & Simkins, B. (eds), Enterprise Risk Management. John Wiley & Sons, Inc., USA).
Similarly, AFERM (the Association for Federal Enterprise Risk Management) suggests that a fully compliant ERM programme can be established in 1-2 years, instituting an Enterprise Risk Board, a governance structure, a risk appetite statement, an updated Statement of Assurance, a risk profile and so on. It is not as easy to build an ERM programme that is mature, fully functioning, integrated and outcome oriented. In a smaller, less complex agency with leadership buy-in, this could take 5-7 years; in a larger, complex, decentralised agency, it could take 5-10+ years. It is important that agencies are not discouraged by those projections: effective ERM is meant to be a long-term, evolving endeavour. When considering how long it will take, think about what is involved. The following are some of the key themes that need to be taken into account:

- The governance structure, including assurance.
- Risk appetite statements.
- The risk profile.
- The culture of the enterprise: how open is it to change, for example; how many countries does the enterprise operate in; and so on.

In essence, an ERM programme is a long-term (most likely over 3 years) investment designed to deliver substantial benefits to the enterprise. There are many guides and readings providing advice about the implementation of ERM. In most cases, the overriding conclusion of these guides is that the method of implementation will be contingent upon the risk characteristics of the organisation concerned, along with its internal and external environment. In other words, it is contingent on the 'organisational context', a term we explore further in Unit 3.

Section 2.2.3 Reading

Read Chapter 7 of Hopkin and Thompson on 'implementing enterprise risk management'. If you wish to pause now, you can return to this page after you have completed your reading.
2.2.3.3 The 'cadence' of risk management

An important part of the risk architecture, and of planning for risk management, is how to embed it in the governance and reporting cycle or structure of an organisation. This means that risk management should reflect the cadence or lifecycle of meetings that are already in place. Ideally, it is in these meetings that the appropriate risks and risk management should be discussed, reviewed or reported. A generic example of this schedule of regular reporting is illustrated in Figure 2.2.1 - Cadence of reporting (SATARLA, reproduced with permission).

Figure 2.2.1 - Cadence of reporting

1. Illustrates the cadence of reporting where discussions take place and decisions are made as part of business-as-usual which do not need to be reported to the management level above.
2. Depicts an example of the regular team meetings, for example every two weeks, where information is shared, decisions made and feedback given to support those operational activities as part of business-as-usual.
3. Outlines relevant information then being gathered from those regular team meetings and shared with more senior managers at, for example, their monthly management meetings.
4. Suggests that every quarter, for example, relevant information collected from management is shared with the Board.

What is often missing, but is very important, is the feedback loop from the Board back down to the units, the teams and the operations on the relevant outcomes of the discussions and decisions made (E in the figure). This is only an illustration of a meeting and reporting lifecycle for an organisation. To be embedded effectively, risk management should link into and match that lifecycle. We will consider governance, reporting and embedding risk management further in later units.

2.3 - RASP - Strategy

Section 2.3 enables you to establish a risk management strategy and define the purpose of risk management as appropriate for your organisation.
2.3.1.1 Tone from the top

Hopkin and Thompson note that it is important for an organisation to have a clearly established strategy for risk management. In Hopkin and Thompson's Figure 23.1 - Risk management framework, the components of the Risk Strategy are listed as:

- Risk management philosophy
- Arrangements for embedding risk management
- Risk appetite and attitude to risk
- Benchmark tests for significance
- Specific statements / policies
- Risk assessment techniques
- Risk priorities

These components all indicate that Risk Strategy is about the tone from the top and what the purpose of risk management is for the organisation. Is it just ticking boxes and doing enough to meet the minimum stakeholder requirements, or is it to establish a process that adds true value to the organisation, supporting decision-making and creating and protecting value? The Risk Strategy should therefore be in line with the agreed principles for managing risk within the organisation.

2.3.2.1 Risk management policy

One would expect to see the risk management strategy outlined in a risk policy adopted by the board and applied across all parts of the organisation. Where the organisation has an otherwise decentralised management structure, a hybrid risk management framework may dictate a set policy established by the centre, with accountability for the operation and delivery of the framework assigned to unit or divisional managers. It is typical for organisations to have a short (maximum two pages) ERM Policy that outlines the philosophy of risk management for the organisation, states who is responsible for it and commits to providing the resources necessary to manage risks to an acceptable level. The Policy is typically approved and owned by the Board or a Risk Committee of the Board.
Hopkin and Thompson provide an example risk management policy for a council, and there are many more examples of policies available through simple internet searches, which vary in quality. Any example should always be tailored to suit the organisation, its culture and its approach to risk management.

Section 2.3.1: Reading + Activity Alert

Read pages 263 to 264 of Hopkin and Thompson, which provide an overview of risk management strategy. Then read pages 261 to 262, which provide an example risk management policy from the Constitution of the Royal Borough of Kensington and Chelsea. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading. The Activity consists of one question which requires a short sentence or two in response. When you have submitted your answer, you can check it against ours.

Activity 2.3.1: Review the risk management policy used by your organisation or an organisation of your choice.

Activity 2.3.1 Answer Revealed

You might find your organisation's risk management policy in the annual report and accounts, or in such documents as shareholder prospectuses, regulatory returns and promotional material. Your organisation may also make its risk management policy public. Some organisations will have a short risk management policy, whereas others will have a large document called the risk management policy which is more of a manual on risk management. Some organisations have a manual with a policy statement at the beginning. This depends on the document control systems in place within the organisation.
However, there should be a clear statement of what risk management is for the organisation and why it is needed, whether as a standalone document or at the start of any lengthier manual.

2.3.3.1 Introduction to risk appetite - Part 1

The basis on which an organisation decides whether or not to respond to the risks it faces is its 'risk appetite', which the IRM defines as: 'The amount of risk that an organisation is willing to seek or accept in the pursuit of long-term objectives.' There are of course other definitions of risk appetite that you will come across in the course of your reading. Risk appetite is typically referred to in the risk strategy; however, guidance on how to set risk appetite and how to embed it in the organisation is more often included in the risk manual and / or supporting protocols. If an organisation is to achieve a consistent approach to risk management across the enterprise (ERM), those who manage risk clearly need to know the trigger point above which they should respond. If staff do not know when to respond to a risk and when to tolerate it, the overall risk exposure of the business will increase because of the inconsistencies that arise: staff will respond to risks of equal severity based on their own attitude to risk rather than the consistent attitude to risk that the organisation wishes. The most common criterion that organisations use to help staff make a consistent decision on whether or not to respond to the risks they face is therefore the risk appetite, and, not surprisingly, it is the board which has the responsibility to decide on that risk appetite.
Fundamentally, the key terms mean:

- Risk appetite - the acceptable level for the risk, where no further action is required other than monitoring and reviewing for changes in the context, risk and controls.
- Risk tolerance - the level of risk that you can accept for a short period of time, and which you will be actively managing to bring back to an acceptable level.
- Risk capacity - the level of risk that is unacceptable. This is the tipping point that the organisation cannot or does not wish to go over.

2.3.3.2 Introduction to risk appetite - Part 2

Risk appetite varies from organisation to organisation: some are generally more risk taking (or risk aggressive) and others are more risk averse. Even within the same organisation, the appetite for risk taking will vary between different functions. An ERM approach requires organisations to understand their overall appetite for risk and then apply a consistent approach across the organisation. The organisation can then make consistent decisions about how to respond to a particular risk. Risk appetite has to be identified within the context of the organisation's overall business strategy, tactics, operations and its need to comply with relevant legislation and regulation. However, boards are primarily concerned with business drivers and strategic imperatives, leading to