Peer_Review

2013-11-13 Source: Category: More sample essays

ERM & Internal Controls

Using the New COSO Risk-Management Guidance

By Richard M. Steinberg, Compliance Week Columnist

The Committee of Sponsoring Organizations recently issued guidance designed to assist companies with implementing an enterprise risk management process. Let’s take a closer look at the reports to get a sense of what they’re about and the value they bring.

The first report, “Embracing Enterprise Risk Management: Practice Approaches for Getting Started,” issued in January, suggests ways in which companies, especially smaller ones, can begin a risk-management initiative with the ultimate objective of moving to an ERM process. The paper describes how an organization can start to move from informal risk management to ERM with suggested “specific, tangible actions that organizations can use to get started.” It has three sections: Keys to success; initial action steps; and continuing ERM implementation.

Beginning with the paper’s “keys to success” we find seven themes. They are:

1. Gain support from the top of the organization;
2. Build on incremental steps and implement key practices to gain immediate and tangible results;
3. Focus on a small number of top risks;
4. Leverage existing resources by using the capabilities of the chief audit executive, chief financial officer, or other executives as a catalyst to begin the initiative;
5. Build on existing risk-management activities already being performed, for example, by internal audit, insurance, compliance functions, fraud protection and detection units, or credit and treasury functions;
6. Embed risk management into the fabric of the business; and
7. Continue to update and educate senior management and the board on evolving ERM practices.

The paper continues with initial action steps, which are intended to support development of an ERM initiative:

» Seek board and top management leadership, involvement and oversight;
» Select a strong leader for the ERM initiative;
» Establish a risk committee or working group;
» Conduct an enterprise-wide risk assessment and develop a related action plan;
» Create an inventory of existing risk-management practices;
» Develop a communication and reporting process; and
» Plan the next phase of action and communication.

The report seeks to break down barriers and reduce resistance to building an ERM process. And experience shows that taking small incremental steps can prove useful to companies looking to strengthen their risk management. The idea of focusing attention on a small number of “top risks,” inventorying existing risk-management practices and building on them, and conducting a risk assessment, along with the other identified approaches can be helpful in focusing attention on how risks are identified, analyzed, and responded to within a company.

Remember, however, to recognize this guidance not only for what it is, but also for what it isn’t. The report does not provide guidance on how to design an ERM process, or how to implement one effectively throughout an organization. Yes, some of the prescribed steps are a start—but my concern is that despite the warnings, companies will go down this path mistakenly believing that they are “installing ERM” in their organizations. The reality is that there is more work to do to implement an ERM process.

The guidance offers two important points about risk analysis. One is the concept of risk velocity: the speed at which a risk event can come at a company, or more precisely, the time between occurrence of a risk event and its impact. The other factor is the company’s readiness to respond to a risk event when it does occur. Velocity in particular has gained attention in recent years and can be a particularly useful addition.

A company that wants to initiate a risk-management process will want to review the COSO guidance as an initial step to embarking on an enterprise risk-management process.

“A company that wants to initiate a risk-management process should definitely review the COSO guidance as an initial step to embarking on a full enterprise risk-management process.”

Key Risk Indicators

The second report, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management—How Key Risk Indicators Can Sharpen Focus on Emerging Risk,” was issued this past December. It provides valuable guidance to develop and use “KRIs.” The earlier COSO ERM report’s Volume 3, Application Techniques, published in 2008, touches on this topic, but use of KRIs has continued to evolve. In recent years, to complement the use of key performance indicators, which focus primarily on past performance, more organizations have adopted forward-looking key risk indicators to further enhance risk management effectiveness.

This new guidance describes KRIs and explains how they can benefit an organization. Several examples of forward-looking key risk indicators are included in the report:

» Common key performance indicators for customer credit may include data about customer delinquencies and write-offs. But KRIs, developed to help anticipate future collection issues, might focus on analyzing the reported financial results of a company’s 25 largest customers, or on general collection challenges throughout the industry to see what trends might be emerging among customers. Either of those KRIs could signal potential challenges to collection efforts going forward.
» A second example involves a chain of family-style restaurants where management sought to avoid the lower profits that could arise with unexpected market conditions. Recognizing that restaurant traffic is directly affected by customers’ discretionary income (when discretionary income falls, customers are less likely to dine out), management established average gasoline prices people pay at the pump as a KRI. This is based on the premise that when gasoline prices rise, discretionary income falls, and customer traffic begins to drop.

KRIs enable management to deal with risk events more quickly. In the latter example, management is positioned to adjust marketing and promotion events to reduce the impact of the risk. The COSO guidance points out that KRIs are most effective when they are closest to the root cause of the risk event; that gives management more time to take action. Multiple KRIs can provide still more relevant information. A close relationship between the KRI and the risk and the accuracy of information used are both critical. Another benefit is the ability to track trend lines with dashboards or exception reports, which can quickly and easily communicate where action may be needed.

With KRIs gaining recognition as important elements of enterprise risk management, this COSO report provides usable information and is definitely worth the read. While both COSO papers are useful, the guidance on practical approaches for getting started gets the silver; the report on key risk indicators clearly wins the gold. ■

Rick Steinberg is founder and principal of Steinberg Governance Advisors in Westport, Conn., where he advises directors and executives on board responsibilities, governance best practices, and compliance and risk issues. He was previously a senior partner at PwC, where he served as corporate governance practice leader. The author of numerous governance reports, including Corporate Governance and the Board—What Works Best, Steinberg served as the lead project partner in developing the Committee of Sponsoring Organizations’ (COSO) Internal Control—Integrated Framework, now recognized as the standard of internal controls. Steinberg can be reached by e-mail at rms@complianceweek.com, or at (203) 222-9330.

RECENT STEINBERG COLUMNS

Below are some recent columns by Compliance Week Columnist Richard M. Steinberg. To read more from Steinberg, please go to www.complianceweek.com and select “Columnists” from the Compliance Week toolbar.

Governance Challenges of Performance Measurement
Choosing the right performance measures is never easy, but add increased shareholder scrutiny and new performance-related disclosure requirements and the task becomes much more difficult. Inside, Columnist Richard Steinberg discusses the governance challenges of choosing the right performance
Published online 01/25/11

What 2011 Holds for Governance, Risk, and Compliance
2010 was a busy year for compliance officers—and so far at least, 2011 is looking like it could be even busier, with the SEC’s whistleblower program and possible proxy access on the way. Inside, Columnist Richard Steinberg makes some predictions about what to expect in the coming year.
Published online 12/21/10

Where Were the Banks’ Internal Controls?
After suffering through one of the worst crises in financial history, the big banks that survived the collapse in 2008 now find themselves dealing with another crisis: the foreclosure fiasco. First, banks lost billions on bad home mortgages and now they’re finding they often don’t have proper paperwork showing ownership of the properties on which they’re trying to foreclose.
Published online 11/16/10

Shareholders, Be Careful What You Wish For
There’s no doubt shareholders have made great strides in gaining more information and power. They’ve won more disclosure on a series of points, including the experience and skills of director candidates, what the board does to oversee risk management, the role of compensation consultants, and the structure of board leadership, just to name a few. Yes, shareholders have worked long and hard to obtain relevant information, and to wield greater influence on what happens in the boardroom.
Published online 10/19/10

MARCH 2011 WWW.COMPLIANCEWEEK.COM » 888.519.9200

Copyright of Compliance Week is the property of Haymarket Media, Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.