Enterprise Risk Management (Preview)

Chapter 1 – Risk Management Awareness

Leadership is needed for the implementation of ERM. Most organizations have a distinct ERM function that provides leadership, advice, coordination and oversight services for risk management. The function is responsible for maintaining the risk management framework, process and information. It is also responsible for specific deliverables such as training sessions, the facilitation of risk identification and assessment work sessions, risk information reports, and presentations to senior executives and board members. Although ERM functions may be responsible for managing some risks, their main responsibility is to ensure that risk management gets done.

Responsibilities for managing specific risks are normally assigned to risk owners who are the executives or managers best suited for managing specific individual risks in accordance with the directions set by the board of directors and senior executives. Risk owners reside within the different management functions and business units across the organization. The assignment of risk ownership is essential for effective risk management.

Approximately thirty percent of organizations, and more than fifty percent of large organizations, have a chief risk officer leading their ERM function.[46] Chief risk officers normally report to the chief executive officer or to a committee of the board such as the audit committee or a risk committee. In other cases, organizations have a senior risk management professional leading their risk management function and reporting to a senior executive such as the chief operating officer or chief financial officer.

In addition, many organizations create a risk management committee that supports the coordination of risk management across the organization, and provides a forum to resolve issues. Risk management committees are normally chaired by a chief risk officer, or by another executive acting as champion for risk management and advocate for the risk management function. Risk management committees support the integration of risk management with other corporate functions such as strategic planning, decision making, performance management and external reporting. In addition, they provide assistance for the integration of risk management efforts with other internal control functions, namely information technology security, ethics and compliance, internal audit, etc.

Challenges Encountered

ERM needs to be well understood and to add value. Otherwise, it cannot succeed. Organizations are making progress to improve their risk management practices and implement enterprise-wide approaches to risk management. However, experts believe that risk management approaches are largely unproven and still emerging.[47] Many challenges are encountered by organizations trying to implement ERM. Being aware of these challenges is the first step to resolving them.

• Executive support – Executives cannot support initiatives that they do not understand, or that are not perceived to be adding much value. Risk management professionals need to articulate the value proposition of ERM and deliver on its promise. Otherwise, they can expect ERM funding to be reallocated.

• Cultural issues – ERM requires an organizational culture that is transparent. The culture must encourage open discussions about risk, and support the reporting, escalation and resolution of risk issues. If the communication of risk information is discouraged or restrained, the benefits of ERM will be equally limited.
