As a risk advisory firm, we are frequently asked by clients to assess the effectiveness of their enterprise risk management (ERM) systems. Without exception, such requests are about benchmarking the adopted framework for risk identification, assessment, mitigation and reporting against the leading international frameworks. The common wisdom is that as long as the documentation follows one of these recognised frameworks and is reported to the Board, the enterprise risk management exercise for the year is closed, and the Audit Committee and Board can then opine that effective risk management is in place.

Common reasons for ineffective ERM

Many organisations still regard risk documentation as an end rather than as a means to manage risks. They therefore treat ERM as a checklist-driven, box-ticking exercise and fail to operationalise risk management in strategy setting and in mission-critical day-to-day activities. Some lack a strong Board and management monitoring structure that can take firm and timely corrective action before a threat escalates. Others have organisation and reporting structures that blur the roles and responsibilities of managing risks and monitoring risks, and consequently fail to recognise the need for separation and independence between the two. Often, risk owners are assigned incorrectly, resulting in a lack of accountability and inadequate mitigation. Effective management of risks is also seldom emphasised as a KPI in assessing management performance.

We have therefore defined and applied the following eight drivers (refer to the diagram below). Assessing the adequacy of each driver helps an organisation identify the gaps it must close to improve ERM effectiveness.

RSM’s 8 Drivers of Effective Enterprise Risk Management

Diagram showing the 8 Drivers of Effective Enterprise Risk Management which includes Risk Management Strategy, Risk Ownership, Risk Management Competency, Decision making, Day to day operations, Ongoing monitoring, Periodic monitoring and Culture and Board Oversight.

1. Risk management strategy

Before adopting leading risk management concepts for risk identification, analysis, mitigation, monitoring and reporting, the organisation should first decide on its risk management priorities, objectives, approach and risk governance structure based on its business model, size and complexity. A risk management strategy should also include an assessment of the required roles and competencies of the risk management, compliance and internal control-related functions, whether in-house or outsourced, and of their positions and reporting lines within the organisation structure.

2. Risk ownership

Risk ownership is often assigned to a person responsible for executing the risk responses. This is not an appropriate allocation of accountability. The head of the risk management function — whose role should only be to communicate, coordinate and administer the organisation’s risk management policies and activities, and ensure identification and mitigation of material risks by the appropriate risk owners — is often mistaken as the person responsible for the actual management of risks, with the rest of the management team just doing “form filling” to meet the Board’s requirements.

The right risk owner should instead be the individual ultimately accountable for ensuring that the risk is managed appropriately and for adjusting the risk response so that it stays within the risk appetite and tolerance set for his or her risk domain. Another critical point to note is that the risk owner should not be the same person responsible for monitoring the effectiveness of the risk response.

3. Risk management competency

With regard to risk management, persons within an organisation can be classified into four groups: those in charge of risk governance, those responsible for managing risk, those assigned the task of executing risk responses, and those monitoring and reporting the effectiveness of risk responses. They need to have appropriate skill sets, experience and training to understand as well as perform their roles and responsibilities effectively. The organisation should also consider where and when external professional advice may be required.

4. Decision-making

Risk management efforts tend to focus on post-decision implementation risks and overlook risks inherent in strategic choices. As many corporate failures are due to strategic missteps, risk management should be applied to the decision-making process by understanding the risks associated with each strategic choice before making the selection. Risk management personnel should therefore be consulted at the early stage of strategic planning. For the selected strategic choice, an appropriate risk appetite should be established to ensure alignment of views between the management and the Board, and to limit exposure within the organisation’s financial capability.

5. Day-to-day operations

A risk management system should include the establishment of an appropriate organisational reporting structure and processes to ensure effective and efficient execution of business plans. These should also include training and communication of policies and procedures for key processes, segregation of duties to provide checks and balances and prevent manipulation, suitable delegation of authority, the business plan and operating budget, key performance indicators, key risk indicators and key control indicators.

6. Ongoing monitoring

Depending on the business model, size and complexity of the organisation and the relevant regulatory requirements, effective second-line defence functions should be established to provide ongoing monitoring of actual performance against agreed metrics and timely reporting to risk owners and those in charge of governance. This will ensure that business operations stay within the established risk appetite and risk tolerance. Examples of second-line defence functions include Financial Controllership (also generally known as Financial Planning and Analysis or “FP&A”), Quality Assurance, Risk Management, Legal and Regulatory Compliance, Health and Safety, and Environmental Compliance.

No individual should be assigned a role to monitor performance within his or her domain of responsibility. And to ensure the integrity of the monitoring functions, the head of these functions must have direct access or a reporting line to a relevant Board member or Board Committee.

7. Periodic monitoring

An internal audit function with adequate resources and appropriate skills and experience should be established to perform periodic monitoring to ensure compliance with policies and procedures. To ensure the integrity of the internal audit function, the chief internal auditor must have direct access or a reporting line to the Audit Committee.

Collaboration between the internal audit function and risk management function is critical. The internal audit function must understand all key risk areas, not just financial exposure, and review them at regular intervals. On the other hand, the risk management function should ensure that corrective actions taken by the management are adequate to address the internal audit findings.

8. Culture and Board oversight

Finally and most importantly, effective risk management can only be achieved with an appropriate risk culture. The Board should establish policies and guidelines to build a strong control environment within the organisation and set the right tone at the top. The Board should set an appropriate risk appetite for material risks and take responsibility for risk governance by establishing an appropriate committee structure to supervise the management in the identification and mitigation of material strategic, operational, compliance and financial risks. Sufficient emphasis should be placed on effective management of risks in assessing the management’s performance. For some organisations, it may be necessary to set up specialised Board Committees to deal with certain key risks that require more specific focus, expertise and experience.

For material risks, the Board should ensure that there are robust ongoing and periodic monitoring functions in place to provide accurate and timely reporting to relevant committees and the Board. The Board should also act firmly and promptly on reported deficiencies, non-compliance and deviations.

Conclusion

Effective risk management is not about and should not stop at submission of the risk register to the Board. Organisations should review and build on the strengths of these eight drivers so that they may be well equipped to manage the various risks and remain resilient in the face of any adversity.

This article was written by Partner Dennis Lee and Senior Director Sovann Giang of RSM’s Risk Advisory division.