ERM Governance

This is Part 7 of my blog series: The Art & Science of Risk Management

In this post, I explained that there two sides to implementing enterprise risk management (ERM): the hard side and the soft side. In the context of the governance of an organization, the hard side is concerned with appointing risk champions and setting up risk committees so that risk information may smoothly flow up to the Board. In the same context, the soft side is concerned with ensuring Board level commitment, training risk champions in risk-based decision making, and ensuring communication flows smoothly through standardization of reporting. It is important to note here that ERM governance is key to the success of ERM in any business and implementation of ERM usually requires a top-down approach.

A business that is well governed will have a board of directors (BoD) to provide a more-or-less independent oversight of the management of the business. The BoD will usually meet on a quarterly basis to review the undertakings of the business and its management. In large businesses, due to the vast quantity of work to review, the BoD will often delegate specific review responsibilities to a committee. These committees will review the work for a given business unit or function, summarize it and report to the BoD. Using the governance structure at my company as an example, we have an audit & risk committee (ARC), a strategic advisory committee, a treasury committee, an environmental and social action committee, among others. Regarding ERM governance, the top-level committees need to be set up first. In my company we have the (ARC), but this committee also has a truck load of work to review. So, we’ve set up a subcommittee called the risk oversight committee (ROC) to vet, summarize and report to the ARC. The ROC comprises the appointed risk champions and the head of risk who gather risk information (such as a risk assessment from the employees (risk owners). What I’ve just described I have also depicted:

To add to this post, ERM can be broken down into seven components, the first of which relates to governance. The governance aspect ensure that the BoD and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company. This in fact mandated by governments in most countries.

The mandate by government clearly states the responsibilities of the BoD and senior management and should take effect at the outset of any ERM framework – the top down approach is therefore recommended. That is, it forms part of the first component of ERM implementation for a reason. These responsibilities normally include:

• Defining the organization's risk appetite in terms of risk policies, loss tolerance, risk-to-capital leverage, and target debt rating.
• Ensuring that the organization has the risk management skills and risk absorption capability to support its business strategy.
• Establishing the organizational structure of the ERM framework and defining the roles and responsibilities for risk management, including the role of chief risk officer.
• Implementing an integrated risk measurement and management framework for strategic, business, operational, financial, and compliance risks.
• Establishing risk assessment and audit processes, as well as benchmarking company practices against industry best practices.
• Shaping the organization's risk culture by setting the tone from the top not only through words but also through actions, and reinforcing that commitment through incentives.
• Providing appropriate opportunities for organizational learning, including lessons learned from previous problems, as well as ongoing training and development.

ERM governance begins with a risk policy – a statement of the corporation’s overall approach to risk management including risk philosophy and principles, roles and responsibilities, governance structure, risk tolerance levels, and reporting and monitoring processes. The risk policy must document the risk appetite of the organization. The risk appetite is a mutual understanding between the executive management and the BoD about what risk levels are acceptable, taking into consideration the organization’s strategy in maximizing value. Beyond these risk levels, the company may take preventative or corrective action and if these actions cannot apply, it should at least be flagged for BoD review. The BoD may even decide to amend the risk appetite if needs be. It is important to note that the risk appetite set at the corporate level (e.g. limits and tolerances on cashflow-at-risk, capital-at-risk, earnings-at-risk, target debt rating, etc) must line up with the risk appetite at the business and operational level (e.g. limits and tolerances on KPIs, foreign exchange, etc).

The benefits of corporate governance are clear – it provides independent top-down monitoring of the company to ensure that it stays in line with maximizing value to all stakeholders. I feel though I should spell out the benefits of embedding ERM into the governance of the organization:

• To build ERM into the organization requires time and effort, which the employees may be reluctant to provide. ERM governance ensures that the tone is set from the top and filtered down into the people and processes of the organization.
• ERM governance alleviates some the responsibilities given to the BoD and even perhaps to the ARC. This is because responsibilities are delegated to subcommittees such as the ROC and to the chief risk officer (more on this in the next post).
• A proper ERM governance in place ensures that timely, complete, relevant, accurate and accessible risk information is delivered to the BoD. This in turn enhances value through more informed decision making by the BoD.
• ERM governance ensures proper monitoring of ERM, the people and processes involved. This becomes especially useful where the ERM function at an organization is large.

I must point out that ERM cannot exist without governance because it is the governance that lays the foundation for ERM to grow.

Next up – Roles & Responsibilities of the CRO
Your Risk Connoisseur
J-MLN