PricewaterhouseCoopers LLP sponsored this webcast: Corporate leaders have long recognized that the pace of change continues to increase in velocity, thus challenging management’s execution of the business’ strategic and tactical plans. Enterprise Risk Management (ERM) is a management tool that can be effective in identifying and assessing the risks that come with change and allow management to respond to their organization’s changing risk profile in a timely fashion. The speakers were all from PricewaterhouseCoopers LLP:
- Joseph C. Atkinson, Principal
- Brian Brown, Partner
- Peter Frank, Director
- Catherine Jourdan, Director
These are my notes.
Why focus on risk? Changes in the marketplace and the world economy have given the perception that the world is a riskier place. That may or may not be true. But people are more focused on risk. It seems that poor risk management had a role in the recent economic troubles. Joe advocates that risk assessment should be integrated into business processes.
Brian took over and focused on defining risk and risk management. “Risk assessment is a systematic process for identifying and evaluating the events that could affect the achievement of an organization’s objectives, both positively or negatively.”
Risk assessment can be mandatory or voluntary. Anti-Money-Laundering, Basel II, and Sarbanes-Oxley compliance all require formalized risk assessment and focus on such processes as monitoring of client accounts, operational risk management, and internal control over financial reporting. Often it is also voluntary, driven by business needs, to assess development opportunities, talent retention, operational efficiency and performance improvement.
There are three primary frameworks for risk management: COSO’s ERM requirements, Federal Sentencing Guidelines, and OCEG’s Red Book.
Peter took over and focused on the challenges to an effective risk assessment. Common business challenges include:
- Risk assessment is viewed only as an episodic initiative, a required report that needs to be updated
- An inordinate amount of effort is invested in gathering data and information, and the volume is difficult to interpret and leverage in a meaningful way for executive leadership
- The risk assessment is viewed as a conclusion of the process, rather than a starting point
- Risks are identified and risk mitigation practices are emphasized without meaningful understanding of impact, causing some risks to be over-controlled and stifling innovation
- Risk assessment is viewed as an additional function or department, not as an integrated management capability to embed in day-to-day activities
- Accountability for risk management and performance management resides in silos
- Multiple risk assessments are performed, using different definitions and measurements of risks, creating confusion and making confident action impossible
Catherine moved on to the six essential steps to performing a risk assessment.
- Identify relevant business objectives
- Identify events that could affect the achievement of objectives
- Determine risk tolerance
- Assess inherent likelihood and impact of risks
- Evaluate the portfolio of risks and determine risk responses
- Assess residual likelihood and impact of risks
Joe came back to conclude that “risk assessment discipline should be embedded in the organization’s regular business processes and yield valuable information to support decision-making to help systematically link risk, reward, and performance management.”