<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2026775468038134933</id><updated>2012-02-16T09:54:48.328-08:00</updated><category term='erm software'/><category term='Complinace Software'/><category term='enterprise risk management'/><category term='Risk'/><category term='IT Governance'/><category term='Compliance Management'/><category term='Governance Risk and Compliance'/><title type='text'>Enterprise Risk Management Software Solution</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://enterpriseriskmanagementsoftwares.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://enterpriseriskmanagementsoftwares.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>5</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2026775468038134933.post-4266567106490500949</id><published>2009-01-30T03:15:00.000-08:00</published><updated>2009-01-30T03:19:32.170-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='erm software'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise risk management'/><title type='text'>Where Was ERM?</title><content type='html'>For the most part, I'm a true believer in enterprise risk management (ERM). Properly implemented and applied within a supportive culture and executive sponsorship, ERM creates improved organizational resiliency, identifies and helps crush risks under organizational rocks, and enables senior leadership to make better decisions in the light of a very complex and risk-filled world.&lt;br /&gt;&lt;br /&gt;&lt;p class="TemplateArticleAuthor"&gt;by &lt;a href="http://www.irmi.com/Expert/Authors/Duncan.aspx"&gt;Chris Duncan&lt;/a&gt;&lt;br /&gt;&lt;a onclick="target='_blank';" href="http://www.mccart.com/"&gt;The McCart Group&lt;/a&gt;&lt;/p&gt; &lt;p&gt;However, as a risk professional, and an occasional observer of the world around me, I'm at a loss as to where ERM was in the whole sub-prime, toxic portfolio, market meltdown, insurance downgrade, credit market debacle? Why didn't we see it coming, or did we? Did the financial meltdown train hit us because ERM failed us, like a warning gate that malfunctions at a railroad crossing, or did the bells and lights go off, but senior management ignored the warnings and drove across the tracks anyway? Is ERM itself a waste of time and management effort? If it is not a waste, what can we learn from this debacle to make ERM more effective in the future?&lt;/p&gt; &lt;h2&gt;ERM Functions and Effectiveness&lt;/h2&gt; &lt;p&gt;One of the primary functions of ERM is to help identify and predict company-killer risks and assist management in making better risk-based decisions, to avoid realizing risks that one can ill afford. And if you can't avoid them, the goal is to attempt to mitigate (or transfer) them to a level that you can manage. 
Unfortunately, there are many that can't be predicted or mitigated, and an effective ERM process is no guarantee that bad things won't happen to an organization.&lt;/p&gt; &lt;p&gt;As the famous risk philosopher, Calvin (of Calvin &amp;amp; Hobbes fame) says, "Some days even my lucky rocket ship underpants don't help." However, an effective ERM process should highlight and communicate to the most senior level of a company the risks that matter, and help allocate finite resources to address the ones you can influence.&lt;/p&gt; &lt;p&gt;Since 2005, Standard and Poor's has experimented with integration of ERM effectiveness into the credit ratings of financial institutions, such as banks and insurance companies … the very ones that have failed, or are currently failing. S&amp;amp;P recently announced that it was expanding this ERM effectiveness scoring integration into all rated companies. This is a long overdue recognition that ERM matters to a company's ability to survive and thrive, and as ERM is increasingly embraced, we will have more resilient, transparent, and profitable companies. However, we would be doing our companies, clients, and our profession a disservice if we did not ask ourselves, today and over and over again in the future, what went wrong?&lt;/p&gt; &lt;p&gt;We should do our own postmortem on the apparent failure of ERM in the financial services industry and apply these lessons. I fully expect that as time goes by, and we have a chance to research and reflect, answers to this failure will be evident in the perfection of 20/20 hindsight.&lt;/p&gt; &lt;h2&gt;The Blame Game&lt;/h2&gt; &lt;p&gt;Already financial legends such as Alan Greenspan have all but admitted that he (and therefore the Federal Reserve) missed the magnitude of the financial meltdown risk. Robert Shiller, a well-known economist, has been ringing the warning bell of the real estate bubble for years. 
Many politicians have attempted (and failed) to rein in the political power of Freddie Mac and Fannie Mae. E-mails and instant messages from those very rating analysts charged with objectively rating securitized mortgage instruments had been widely reported in the press discussing this "house of cards." Expect much more detailed analysis in the future on the risk management failures of our financial institutions once people have a chance to get out from underneath the walls that fell on them in this "house of cards."&lt;/p&gt; &lt;p&gt;Where was ERM in financial institutions, anyway? A recent survey of 316 financial services executives by SAS/Economist Intelligence Unit (published September 2008, surveyed in July 2008, before the massive crash!) reports that 70 percent of those surveyed blamed poor risk management for the current financial/credit crisis. Seventy-one percent of these financial institutions reported that they have an ERM strategy in place and &lt;span class="EmphasisItalic"&gt;in the process&lt;/span&gt; of being implemented. Fifty-nine percent said that the financial crisis has forced them to take a much closer look at their risk management programs. &lt;span class="EmphasisItalic"&gt;Only 18 percent of those surveyed reported a fully implemented, comprehensive ERM plan&lt;/span&gt;. At this limited level of ERM maturity, one could easily argue that ERM didn't have a chance to make a difference in heading off this crisis, as it simply wasn't there.&lt;/p&gt; &lt;h2&gt;ERM Failure Points&lt;/h2&gt; &lt;p&gt;One of the staples of truth in management is that work gets done through people. We bring with us into well-defined processes preconceived notions of how things work, or how we think they ought to work, and we are prone to messing up the very best of work plans. 
Here are a few of my favorite failure points in ERM.&lt;/p&gt; &lt;h3&gt;We Believe Our Beautiful Spreadsheets!&lt;/h3&gt; &lt;p&gt;Overreliance on beautifully formatted models, statistical analysis, spreadsheets, and PowerPoint presentations lulls us into a stupor of confidence in our "numbers." As Billy Crystal's famous &lt;span class="EmphasisItalic"&gt;SNL&lt;/span&gt; character Fernando would say, "Darling, and you know who you are, it's more important to look good than to be good." Spreadsheets create specific answers, point estimates that look "marvelous" but don't create a great deal of room for uncertainty, debate, and critical thinking. Often "numbers" don't do an adequate job of showcasing the impact on reputation risk or investor reactions based on loss of confidence and market emotion.&lt;/p&gt; &lt;h3&gt;Risk Is Defined Not by Facts, but by Perception of Facts&lt;/h3&gt; &lt;p&gt;Executives often miss a key point in understanding what a risk really is. Often, being factually right is not enough. Understanding the likely public (or regulator, or media) perception of these same facts may be the difference between a company meltdown and a company triumph in adverse circumstances.&lt;/p&gt; &lt;p&gt;Many ERM practitioners say that you must quantify every risk in order to manage risks. How does one "quantify" the potential of public outrage over executive compensation decisions made in good economic times when the exit pay package is paid in the bad times of layoffs that few can predict? An airline may be in technical compliance with FAA regulations on fleet maintenance, but what happens if the media discovers a track record of coziness with inspectors? There may be a one in a million chance of a product fatality, but what happens if the fatality happens to be a child? 
What is your risk if you handle a true accidental workplace fatality with all the right responses, but the CEO comes off as uncaring and callous in the media?&lt;/p&gt; &lt;p&gt;If you are a bank, your primary asset is public confidence that hard-earned savings are in good hands. What happens when that confidence is shaken because you invested in some assets that are now highly uncertain? Risk is defined by the perception of facts, not facts themselves.&lt;/p&gt; &lt;h3&gt;We Miss the Black Swans&lt;/h3&gt; &lt;p&gt;A must-read in any risk professional's bookcase is &lt;span class="PublicationOther"&gt;The Black Swan&lt;/span&gt;, by Nassim Nicholas Taleb. The basic premise of the book is that we believe we live in a "bell curve," a predictable world, and are taught such in business school and in the media. In this bell curve world, we believe we can predict the future by extrapolating from the past. The problem is that reliance on the past leaves little room for trend-busting changes that turn the predictability of the past into an irrelevant crystal ball exercise. When these events occur (i.e., "black swans"), they create massive, disruptive change in the world that we know.&lt;/p&gt; &lt;p&gt;For example, I recall having intense conversations with executives at a former employer (an airline) about the risk that oil prices might just be jumping off the historical tracks (it was $38 per barrel at the time, an unheard-of run-up from the mid-$20s) due to the expansion of the war on terror and likely perceived supply disruption, increasing evidence of "peak oil" supply, and increased demand from the emerging growth economies of Brazil, India, China, and Russia. The suggestion was that we consider contingencies to survive as a business if there was a fundamental delinking of oil price trends from the past. 
This discussion was consistently dismissed because the historical experience was that "oil is a mean reverting commodity," and sure to return to the mid-$20s because it always had.&lt;/p&gt; &lt;p&gt;A similar black swan—residential real estate prices in the United States—had also "never" had a nominal decline in 30+ years of tracking home prices either … and real estate price drops "can only happen at a localized level." The Case-Shiller home price index of 20 major metropolitan areas shows a decline of 16 percent in home prices from July 2007 to July 2008. I, along with millions of others, also missed this particular black swan residing in our neighborhoods.&lt;/p&gt; &lt;h3&gt;Sometimes It's Just Hard To Swim Upstream&lt;/h3&gt; &lt;p&gt;Thousands of companies and millions of people were making money on rising real estate prices. The "safe" money was in real estate, remember? We all enjoyed the rising housing prices, and the growth in real and paper wealth it represented. Few complained when the risk in the housing prices played in their favor. SUVs printed money for U.S. automakers year after year, and we all enjoyed the room and convenience of these gas-guzzling behemoths.&lt;/p&gt; &lt;p&gt;In insurance, the more exotic insurance and derivative products like credit default swaps made billions for powerful and aggressive risk-taking companies such as AIG. Banks worldwide enjoyed the high rate of return on assets and the portfolio effects of mortgage securitization for years. It would be a very courageous executive indeed to "cry in the wilderness" against the potential risks created from products generating handsome profits and cash flow. Imagine the poor fellow standing up to a high-powered CEO (picture Hank Greenberg!) 
and telling him   or her that their multibillion dollar enterprise should not leverage its A+   balance sheet on poorly understood exotic derivatives, credit default swaps,   and rising real estate prices when billions were to be made. That is a pretty   ugly mental picture, isn't it?&lt;/p&gt;  &lt;p&gt;Effective ERM occasionally requires a dose of contrarian views coupled with   more than a dash of moral courage, the combination of which is often negatively   equated with career advancement. For ERM to truly be effective, a company's   culture, from the very top, should encourage the appropriate questioning of   the status quo without killing the questioner. But that is a hard lesson to   learn.&lt;/p&gt;  &lt;p&gt;Warren Buffett summarized this trait of human and business behavior best   when he said:&lt;/p&gt;  &lt;blockquote&gt;   Most managers have very little incentive to make intelligent-but-with-some-chance-of-looking-like-an-idiot    decision. Their personal gain/loss ratio is all too obvious; if an unconventional    decision works out well, they get a pat on the back, and if it works out    poorly, they get a pink slip. Failing conventionally is the route to go;    as a group, lemmings may have a rotten image, but no individual lemming    has ever received bad press.&lt;/blockquote&gt;  &lt;p&gt;It is easier on your career, your marriage, and your ulcers to swim with   the prevailing current than against it. However, for ERM to be effective, occasionally   one does have to swim against the tide and run the risk of getting eaten by   the sharks.&lt;/p&gt;  &lt;h3&gt;It Takes a Global Village (of Risk Managers)&lt;/h3&gt;  &lt;p&gt;Gone are the days when one person (a risk manager, CFO, CEO) can come to   grips with all the risks of a single company. Risks in supply chain, in finance,   in the environment, and in reputation are global in scope. 
Company-killer risks exist in the ripples of events like tainted milk in China, failing banks in Iceland, residential real estate prices in the United States, and commodity price volatility from Middle East politics and the illogical acts of terrorists.&lt;/p&gt; &lt;p&gt;ERM is not a centralized function to be administered at company headquarters, but a management capability and way of thinking that must be global in its scope to be truly effective. The entire leadership of an organization must be attuned to the internal and external risks that can impact an organization across the globe, with an ability to identify and communicate these risks to decision makers without retribution. If a company is depending on one person to be the risk safety net of the organization, ERM will fail, because one person will never know enough.&lt;/p&gt; &lt;h3&gt;The Risk of Expertise&lt;/h3&gt; &lt;p&gt;Finance, science, the economy, medicine, the environment, politics—almost all areas of life, business, and governance are highly specialized, with experts having deep expertise in a particular area. More information is added in a day to the Internet than in some decades of human progress. Not only is it impossible to keep up with it all, it is increasingly hard to be a generalist in one's knowledge. We end up defaulting to the "experts" in a particular area because many times, we have neither the time, experience, nor sheer ability to figure out if they are smoking their own exhaust or not.&lt;/p&gt; &lt;p&gt;Regarding the sophisticated sub-prime collateralized mortgage bonds bought by many very smart, sophisticated banks and investors worldwide, one estimate from a prominent economist is that there are only a few hundred financial analysts or market specialists in the world that truly understand these products, where the risk truly is, and what they are worth. 
Well, we listened, we thought we understood, and we (and the experts) were wrong. Functional and expert sophistication typically overwhelms the general understanding of decision makers and critical control points.&lt;/p&gt; &lt;h2&gt;Conclusion&lt;/h2&gt; &lt;p&gt;Enterprise risk management works. It adds tremendous value to organizations large and small, public and private, U.S. and international. However, it is not the end-all, and it does not mean that all risks will be eliminated. Sometimes monsters do come out from under the bed in the middle of the night. Sometimes we create the monsters ourselves because we don't examine ourselves to understand where the process of ERM could go wrong.&lt;/p&gt; &lt;p&gt;The above is by no means a complete list of how ERM can fail, but perhaps it will prompt some thinking by all. A healthy skepticism of ERM is always a good thing, and, as with pressure testing our own designs and processes, we get better. I for one am looking forward to learning all I can from the financial chaos of the recent months—at least then perhaps something good might come of it!&lt;/p&gt;&lt;p&gt;To view the original article, &lt;a href="http://www.irmi.com/Expert/Articles/2008/Duncan11-enterprise-risk-management-erm.aspx" target="_blank"&gt;click here&lt;/a&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://enterpriseriskmanagementsoftwares.blogspot.com/feeds/4266567106490500949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2026775468038134933&amp;postID=4266567106490500949' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2026775468038134933/posts/default/4266567106490500949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/4266567106490500949'/><link rel='alternate' type='text/html' href='http://enterpriseriskmanagementsoftwares.blogspot.com/2009/01/where-was-erm.html' title='Where Was ERM?'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2026775468038134933.post-7945549890349184301</id><published>2008-06-30T03:19:00.000-07:00</published><updated>2008-06-30T03:22:08.224-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Complinace Software'/><category scheme='http://www.blogger.com/atom/ns#' term='Governance Risk and Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Risk'/><category scheme='http://www.blogger.com/atom/ns#' term='IT Governance'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance Management'/><title type='text'>IT Governance, Risk, and Compliance (ITGRC)</title><content type='html'>Businesses rely on their IT departments and resources for competitive advantages and business-to-business transactions, and cannot afford to apply to IT anything less than the same level of commitment they devote to company assets. IT offers extraordinary opportunities to transform the business; however, IT must deliver value and enable the business, and IT-related risks must be mitigated. Governance of IT, Information Security, and &lt;a href="http://erm-software-solutions.blogspot.com/"&gt;Risk Management&lt;/a&gt; encompass several initiatives for executive management. 
At a glance, they must be aware of the role and impact of IT on the enterprise, define constraints within which IT professionals should operate and measure performance, understand risk and obtain assurance.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 51, 255);"&gt;Corporate Governance:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Before discussing Information Technology and Security Governance, one must look at the broader issue of &lt;a href="http://www.favoredsolutions.net/"&gt;Corporate Governance&lt;/a&gt; in the enterprise. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals – Enron, WorldCom and Tyco – and is becoming increasingly popular today in the wake of the TJX credit card breach case. Companies' interest in corporate governance is not new, but the severity of the financial impacts of the many scandals undermined the confidence of the investment community and corporate stakeholders.&lt;br /&gt;&lt;br /&gt;Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank the company’s corporate governance on par with its financial indicators. Some investment firms are even prepared to pay large premiums for investments in companies with high governance standards.&lt;br /&gt;&lt;br /&gt;Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. 
The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;IT Governance Role:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;IT governance is the responsibility of the board of directors and executive management. It is an integral part of corporate governance and consists of the leadership and organizational structures and processes that ensure that the organization’s Information Technology sustains and extends the organization’s strategies and objectives. Also, &lt;a href="http://favoredsolutions.blogspot.com/"&gt;IT governance &lt;/a&gt;is the term used to describe how those persons responsible for governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the business will have an immense impact on whether the business will attain its vision, mission or strategic goals. In today’s economy, and with most businesses’ reliance on IT for competitive advantage, businesses simply cannot afford to apply to their Information Technology anything less than the level of commitment they apply to overall governance.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 51, 255);"&gt;Who is Responsible for IT Governance and Risk Management:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Board of Directors (BODs) and executive management have a joint responsibility to protect shareholder value. This responsibility applies just as stringently to valued information assets as it does to any other asset. BODs and management must recognize that securing information and information assets is not just an investment; it is essential for survival in all cases and for many it guarantees competitive advantage. 
Additionally, BODs and management must accept the responsibility of ensuring that:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;IT Governance is aligned with the overall Corporate Governance structure within the enterprise.&lt;/li&gt;&lt;li&gt;IT Governance includes an alignment with the &lt;a href="http://enterprise-risk-management.blogspot.com/"&gt;Enterprise Risk Management Program&lt;/a&gt;, which is a responsibility of the BODs and Management.&lt;/li&gt;&lt;li&gt;The operational and economic costs of protective measures are balanced against the gains in mission capability achieved by protecting the IT systems and data that support the enterprise’s business strategy and objectives.&lt;/li&gt;&lt;li&gt;Risks and threats are identified, categorized and mitigated to acceptable levels.&lt;/li&gt;&lt;li&gt;IT Governance obtains coordinated and integrated action from the top down.&lt;/li&gt;&lt;li&gt;IT investments are not mismanaged or misdirected.&lt;/li&gt;&lt;li&gt;IT Governance rules and priorities are established and enforced.&lt;/li&gt;&lt;li&gt;Trust is demonstrated toward trading partners while exchanging electronic transactions.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 51, 255);"&gt;In Closing:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;IT governance covers a number of activities for the board and for executive management, such as becoming informed of the role and impact of IT on the enterprise, assigning responsibilities, defining constraints within which to operate, measuring performance, managing risk and obtaining assurance.&lt;br /&gt;IT Governance focuses on two categories: (1) IT’s delivery of value to the business and (2) mitigation of IT risks. 
In order to have an effective IT and Security Governance strategy, businesses must address the following questions:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;What decisions must be made to ensure effective management and use of IT?&lt;/li&gt;&lt;li&gt;Who should make these decisions?&lt;/li&gt;&lt;li&gt;How will these decisions be made and monitored?&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Always remember that managing information security risks as part of &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCEnterpriseRiskManagement.aspx"&gt;operational risk&lt;/a&gt; involves establishing an effective IT governance and control architecture.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Thank you&lt;br /&gt;&lt;br /&gt;&lt;a href="http://jamessayles.blogspot.com/"&gt;&lt;span style="font-weight: bold;"&gt;James Sayles&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;MBA, BS, CISSP, CISA, CISM&lt;br /&gt;Vice President, Chief Risk and Compliance Officer&lt;br /&gt;&lt;a href="http://www.favoredsolutions.net/" target="_blank"&gt;Favored Solutions&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://enterpriseriskmanagementsoftwares.blogspot.com/feeds/7945549890349184301/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2026775468038134933&amp;postID=7945549890349184301' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/7945549890349184301'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/7945549890349184301'/><link rel='alternate' type='text/html' 
href='http://enterpriseriskmanagementsoftwares.blogspot.com/2008/06/it-governance-risk-and-compliance-itgrc.html' title='IT Governance, Risk, and Compliance (ITGRC)'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2026775468038134933.post-2743409588430028019</id><published>2008-06-01T23:15:00.000-07:00</published><updated>2008-06-01T23:17:10.870-07:00</updated><title type='text'>Best Practices for Performing Risk Assessments</title><content type='html'>&lt;span style="font-weight: bold; font-style: italic;"&gt;In today’s blog, we will discuss best practices for performing risk assessments.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Assessing business and information risk, in most organizations, is often challenging and performed in silos. This is why risk experts are encouraging companies to take a closer look at their risk assessment strategies and think of ways to simplify, integrate, and collaborate on their assessment tasks across the enterprise.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;Risk Assessment Frequency:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This topic is often debated; however, in my professional opinion, organizations should perform their &lt;a href="http://www.favoredsolutions.net/GRCProducts/HighPointAssessments.aspx"&gt;risk assessments&lt;/a&gt; at least annually. The most common approach is that companies assess their enterprise business risks on a calendar year. I also recommend that most organizations review their risk assessment strategies on a quarterly basis, as business processes, systems, strategies, etc., may also change during the course of the year. 
This way the annual risk assessment plan will account for those changes. I am also seeing organizations that have very inefficient &lt;a href="http://enterpriseriskassessment.blogspot.com/"&gt;risk assessment&lt;/a&gt; strategies and some without any at all. The only way to ensure that your organization is risk-intelligent is to implement an effective risk assessment strategy that covers the entire organization. Risk assessment results should be stored so that risk trending and analysis can be performed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;Tearing Down the Risk Assessment Silos:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The most challenging aspect of a successful enterprise risk assessment strategy involves “the silo approach to risk assessment”. If you search businesses today, you will find that a smaller percentage do not have a “central” &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCEnterpriseRiskManagement.aspx"&gt;ERM&lt;/a&gt; group or Chief Risk Officer that will collaborate with business process leaders to consolidate risk assessment activities. In order to give BODs oversight of business risks, organizations should seek to improve their efforts by bringing risk assessment efforts under one “umbrella” for centralized management and reporting.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;Measuring and Weighing Risks:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are many ways that an organization can measure and weigh their risks. The most common measurement of risk is likelihood and magnitude of impact. I have also worked with clients that measured their risks based on complexity, speed of onset, and/or dollar value. The key here is to choose a measurement that is right for your business and modify it over time as assessment needs change. As far as weighing or ranking risk, I prefer to use the NIST model or approach to do so. 
It is relatively simple and does not require you to be a mathematician to rank and score your risks.&lt;br /&gt;&lt;br /&gt;I would like to hear your views on the following:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;How do you measure and rate your risks?&lt;/li&gt;&lt;li&gt;Do you have a centralized risk assessment strategy?&lt;/li&gt;&lt;li&gt;Do you have a Chief Risk Officer?&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Thank you&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://jamessayles.blogspot.com/"&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;James Sayles&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);"&gt;MBA, BS, CISSP, CISA, CISM&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);"&gt;Vice President, Chief Risk and Compliance Officer&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.favoredsolutions.net/"&gt;&lt;span style="color: rgb(204, 0, 0);"&gt;Favored Solutions&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2026775468038134933-2743409588430028019?l=enterpriseriskmanagementsoftwares.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://enterpriseriskmanagementsoftwares.blogspot.com/feeds/2743409588430028019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2026775468038134933&amp;postID=2743409588430028019' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/2743409588430028019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/2743409588430028019'/><link rel='alternate' type='text/html' href='http://enterpriseriskmanagementsoftwares.blogspot.com/2008/06/best-practices-for-performing-risk.html' title='Best Practices 
for Performing Risk Assessments'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2026775468038134933.post-5347865160702479443</id><published>2008-05-26T03:36:00.000-07:00</published><updated>2008-06-01T23:51:08.248-07:00</updated><title type='text'>Understanding Enterprise Risk Management In-Depth</title><content type='html'>&lt;span style="font-weight: bold; font-style: italic;"&gt;In today’s blog, we will discuss “Understanding ERM In-Depth; Using the Right ERM Strategy as A Catalyst for Addressing Risk, While Improving Audit Outcome”.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Companies are under significant pressure to stay abreast of a wide array of &lt;a href="http://enterprise-risk-management.blogspot.com/2008/03/coso-enterprise-risk-management.html"&gt;business risks&lt;/a&gt; that may impact their organization’s success and sustainability. BODs and senior management’s risk oversight role is becoming increasingly critical to the sound running of an organization, especially for companies with significant market risk exposures. This has caused BODs and corporate officers to become more involved in strategic ERM planning at early stages, rather than just reviewing and signing off on an ERM strategy after it has been fully developed by management. Furthermore, the increasing demands and high expectations from the BOD levels have caused a major shift in how audit committees and chief audit executives approach their internal audit programs. 
Internal auditors are encouraged to incorporate a risk-based approach to internal controls auditing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;ERM Framework and Strategy:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I’ve seen many clients undergo major efforts in developing an &lt;a style="color: rgb(204, 0, 0);" href="http://www.favoredsolutions.net/GRCProducts/GRCEnterpriseRiskManagement.aspx"&gt;ERM framework&lt;/a&gt; that works for their business. Most of these frameworks, in my opinion, appear to be nothing more than an over-engineered process that could have been completed with a COSO-based or NIST-based ERM framework. Bottom line here is to take advantage of frameworks that have already been established so that you are not “re-inventing” the wheel. Your ERM framework should capture ALL key and critical business areas within your organization. Your framework should also account for both business and information risks. Key word here….ENTERPRISE!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;ERM and Internal Audit:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The role of the internal auditor and the &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCInternalAuditManagement.aspx"&gt;internal audit process&lt;/a&gt; is quickly changing. Today, internal auditors are encouraged to take a risk-based approach to their &lt;a href="http://auditmanagement.blogspot.com/"&gt;audit programs&lt;/a&gt;. I am working with a particular client where they are using risk composites to drive or “trigger” their audits. The way it works is that when both the likelihood and the MOI (magnitude of impact) of the threat are equally high, the audit department is notified to audit the control(s) that are supposed to mitigate the risks or threats. As an auditor, I strongly encourage that your audit team employ a risk-based approach to your audit strategy. 
Additionally, getting integrated with your ERM division offers great rewards in this process. This strategy will also improve your audit outcome. Know the risk….employ the effective control(s)….mitigate the risk….you get the idea!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;ERM and GRC (Governance, Risk, and Compliance):&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I had a customer ask me, “What is the most critical component of the GRC Process?” Although this is a tough question and every component of the &lt;a style="color: rgb(204, 0, 0);" href="http://www.favoredsolutions.net/"&gt;GRC process&lt;/a&gt; is important, it is my opinion that the cornerstone of GRC is risk (R). Without knowing and understanding the risks that businesses face today, it would be difficult to provide BODs with risk oversight, identify controls that need continuous monitoring, and achieve a risk-based approach to compliance management. Once your risk appetite has been determined and your business risks have been identified, you can perform risk analytics and modeling to further enhance your &lt;a href="http://erm-software-solutions.blogspot.com/2008/05/understanding-enterprise-risk.html"&gt;ERM program&lt;/a&gt; and provide BODs and corporate officers with oversight of their enterprise risks. All in all, you can see the importance and significance of ERM within a GRC or corporate governance strategy. 
I’m curious to hear other approaches to this thought.&lt;br /&gt;&lt;br /&gt;I would like to hear your views on the following:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;What is your approach to Enterprise Risk Management?&lt;/li&gt;&lt;li&gt;How do you incorporate risk into your GRC or &lt;a href="http://grcsolution.blogspot.com/"&gt;Corporate Governance&lt;/a&gt; Strategy?&lt;/li&gt;&lt;li&gt;What ERM framework works best for your organization?&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Thank you&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://jamessayles.blogspot.com/"&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;James Sayles&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;MBA, BS, CISSP, CISA, CISM&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;Vice President, Chief Risk and Compliance Officer&lt;br /&gt;&lt;/span&gt;&lt;a href="http://www.favoredsolutions.net/"&gt;Favored Solutions&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.favoredsolutions.net/"&gt;&lt;span style="color: rgb(51, 51, 255);"&gt; &lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2026775468038134933-5347865160702479443?l=enterpriseriskmanagementsoftwares.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://enterpriseriskmanagementsoftwares.blogspot.com/feeds/5347865160702479443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2026775468038134933&amp;postID=5347865160702479443' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/5347865160702479443'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2026775468038134933/posts/default/5347865160702479443'/><link rel='alternate' type='text/html' href='http://enterpriseriskmanagementsoftwares.blogspot.com/2008/05/understanding-enterprise-risk.html' title='Understanding Enterprise Risk Management In-Depth'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2026775468038134933.post-1050426794857172809</id><published>2008-05-15T02:42:00.000-07:00</published><updated>2008-06-01T23:59:59.384-07:00</updated><title type='text'>COSO Enterprise Risk Management</title><content type='html'>&lt;span style="font-weight: bold;"&gt;BUSINESS PRESCRIPTION — COSO ENTERPRISE RISK MANAGEMENT:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Organizations are looking for a structured methodology that lets them quantify risk, establish risk appetite/tolerance, identify and prioritize controls, and establish a system of record to meet a multitude of legal and compliance obligations.&lt;br /&gt;&lt;br /&gt;This is where COSO comes in. The COSO &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCInternalControlsManagement.aspx"&gt;Internal Control Framework&lt;/a&gt; was originally authored in 1994 with the aim of establishing internal controls to manage operational efficiency and effectiveness, financial reporting reliability, and compliance with laws and regulations. 
The Internal Control Framework has received a lot of attention recently, as it is the approach most organizations are taking for Sarbanes-Oxley compliance and is recommended by the SEC and Public Company Accounting Oversight Board.&lt;br /&gt;&lt;br /&gt;What has been lacking is a structured framework to build an &lt;a href="http://erm-software-solutions.blogspot.com/2008/05/understanding-enterprise-risk.html"&gt;ERM process&lt;/a&gt; upon that integrates and extends the Internal Control guidance. PricewaterhouseCoopers, working alongside a project advisory council, worked with COSO in developing this needed guidance. The result: the recent release of the COSO &lt;a href="http://enterpriseriskmanagementsoftwares.blogspot.com/2008/06/best-practices-for-performing-risk.html"&gt;ERM framework&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;COSO defines &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCERM.aspx"&gt;enterprise risk management&lt;/a&gt; as:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;“Enterprise risk management provides a framework for management to effectively deal with &lt;/span&gt;&lt;span style="font-style: italic;"&gt;uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.”&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;The COSO framework provides an answer to the challenges organizations are facing in governance, risk, and compliance. 
This framework’s goal is to build a risk management process as a foundational element of business operations.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Evolution Of Technologies And Tools In Support Of COSO ERM&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Sarbanes-Oxley (SOX) was the primary driver in providing a wake-up call within organizations for a consistent and defined structure to ERM.&lt;br /&gt;&lt;br /&gt;Facing Section 404 compliance, organizations turned to documenting accounting controls in spreadsheets or SOX-specific solutions. Organizations have now become aware that a broader approach to risk and compliance management is needed. This has resulted in a shift in the approach and tools needed to document risk, compliance, and internal controls. Neither the spreadsheet approach nor specific SOX tools are enough — organizations now need tools that can document and manage risk and compliance to the broader risk and compliance demands the organization faces.&lt;br /&gt;&lt;br /&gt;SOX vendors, such as OpenPages and Paisley Consulting, are quickly expanding their tools to become broad enterprise risk and compliance management platforms. Others, particularly Axentis, provide an &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCEnterpriseRiskManagement.aspx"&gt;enterprise risk and compliance management&lt;/a&gt; platform already — including SOX compliance — and are among the first to integrate the COSO ERM framework into their solution.&lt;br /&gt;&lt;br /&gt;Vendors in the SOX segment will face increasing demand for broader enterprise risk and compliance management capabilities — those that remain too narrowly focused are likely to falter.&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-style: italic;"&gt;(COSO is the Committee of Sponsoring Organizations of the Treadway Commission. 
It is a &lt;/span&gt;&lt;span style="font-style: italic;"&gt;cooperative effort between the American Institute of Certified Public Accountants, American &lt;/span&gt;&lt;span style="font-style: italic;"&gt;Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors, and &lt;/span&gt;&lt;span style="font-style: italic;"&gt;the Institute of Management Accountants. Further information on COSO and the Enterprise Risk &lt;/span&gt;&lt;span style="font-style: italic;"&gt;Management framework can be found at http://www.coso.org.)&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2026775468038134933-1050426794857172809?l=enterpriseriskmanagementsoftwares.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://enterpriseriskmanagementsoftwares.blogspot.com/feeds/1050426794857172809/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2026775468038134933&amp;postID=1050426794857172809' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/1050426794857172809'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2026775468038134933/posts/default/1050426794857172809'/><link rel='alternate' type='text/html' href='http://enterpriseriskmanagementsoftwares.blogspot.com/2008/05/coso-enterprise-risk-management.html' title='COSO Enterprise Risk Management'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
