COVID-19 has triggered the biggest crisis in a generation, causing not only a global pandemic but also unprecedented disruption to businesses and economies worldwide.
While we have seen how the awareness of risk management and its scope evolved with previous crises, the COVID-19 pandemic is unique. As organisations rethink their risk management practices, the opportunities presented to the accountancy profession are profound. Yet above anything else, the pandemic has shown the business benefits of addressing risk from an enterprise-wide perspective. We have found that organisations with established ERM frameworks were able to respond to the pandemic with more speed and suppleness. We have also seen how ERM has enabled these companies to leverage the opportunities that the crisis presents. An established ERM framework encompasses all risks, including business resilience, so even if a global pandemic was not identified as a specific risk, the possibility that the company's operations could be interrupted would be considered and the structure for responding to the crisis defined. This is crucial because, if additional finance is needed, the framework serves as a neutral basis to help senior management decide which risks should take priority for scarce resources.
Risk Governance Structure
A successful ERM framework allows an organisation to detect future risks and opportunities. By using the right KPIs and KRIs, organisations not only optimise the decisions they make about risk appetite and future strategy, but also measure the effectiveness of ERM itself.
ERM Culture: the single greatest hurdle to successful ERM is articulating and integrating risk management into the organization's culture. In one sense risk management is part of the culture no matter what is articulated in policy: an organization can have a cavalier approach to risk taking, a structured approach to risk taking with oversight of it, or anything in between. The organization needs to clearly spell out how it approaches risk taking, ownership, management, and ongoing monitoring of risk.
Risk Governance & Policies: how good you are at overseeing risk taking. A risk governance structure is critical for organizations to establish the right governance for risk management, and specifically to define how it is aligned with strategic planning and objective/performance management. This is a big area of failure for most ERM programs: it is often the case that risk management operates as an island, with very little to no interaction with the board and executives or with the organization's strategy and objectives. A solid ERM policy will identify how the board and its committees, as well as senior executives, interact with ERM.
Roles & Responsibilities: Once the governance structure is in place, the policy should get into specific roles and responsibilities for ERM. This includes a clear understanding of the roles of a Chief Risk Officer, executive management, business operations, risk owners across the business, risk management staff, and the role of audit in the assurance oversight of risk management.
Risk Strategy: Following on the heels of risk culture, the ERM policy should next deal with how ERM aligns and integrates with corporate performance, objective, and strategy management.
Risk Tolerance & Appetite: how much risk are we willing to take? The next logical step in the ERM policy is to establish the boundaries of risk taking. In articulating the organization's approach to risk tolerance and appetite, the policy should discuss what is acceptable and unacceptable risk.
Risk Ownership: you cannot hold anyone accountable for risk unless clear ownership of risk is defined. While specific ownership of individual risks is found in supporting risk management policies (e.g., vendor risk policy, privacy policy, credit risk policy, information risk policy), the ERM policy should state the ownership of risk at the level of the high-level categories. It should also be clear on the point that the risk management function does not own risk; the business and process owners are the ones who own risk. The ERM process is there to communicate and to provide the infrastructure to manage and monitor risk in support of the risk owners across the business.
Risk Assessment Process: the ERM policy is to authorize the formation of risk assessment processes in the organization. The policy itself should outline the expectations for required periodic assessments, such as an annual ERM assessment process, and should authorize the establishment of the more specific risk assessments that are set out in supporting risk management policies. This section of the policy should identify the approval needed to establish a risk assessment, what structure is provided, and how the assessment gets communicated and integrated into the ERM structure.
Mitigation & Response: the ERM policy should articulate the proper response plans to risk, such as risk transfer, risk acceptance, risk mitigation, and risk avoidance, while much of the detail will be worked out in supporting risk policies.
Key Risk Indicators: ongoing monitoring for risk is critical to a successful ERM program. This involves the authorization and establishment of a process to gather metrics on Key Risk Indicators that are further defined in supporting policies. The ERM policy should provide guidance on how KRI information is collected and how often, and should establish that KRIs are to be relevant to the business and mapped to the Key Performance Indicators of the business.
Risk Documentation & Communication: documentation of risk, risk taking, risk acceptance and ownership, as well as of the assessment, management, and monitoring activities for risk, is critical to a successful ERM program. An organization cannot hold individuals accountable for risk taking if there is no clear documentation of the risk.
Operational Resilience
The operational challenges brought on by the COVID-19 crisis have forced companies to rethink what it means to be resilient. It is imperative that organisations address emerging risks that can hinder the business from fulfilling its commitments to customers and other stakeholders. Accountants are trained to understand how business models work, so they should make sure the necessary measures are in place and the right questions asked.
Operational risks depend on the organisation’s activities but require constant assessment, analysis and adaptation if the organisation is to be able to address the unique challenges of every type of disruption. Operational resiliency is another risk journey that must be defined from the top, by the board, and include the engagement of all business units and people working within them. The lesson learned is that operational resilience demands long-term investment of resources and time. By focusing on critical activities and testing their processes, controls and documentation, organisations can start laying valuable foundations for a more resilient future. Accountants can help their organisations with this by creating specific metrics for the tolerable levels of operational disruption.
A governance, resilience, risk and control process ensures effective and appropriate governance, allowing the evaluation, monitoring and implementation of appropriate risk identification procedures, supported by the design and implementation of effective internal audit and control systems.
To learn more about ERM, please contact us.