Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

94 Risk strategy

Chief risk ofﬁ cer

As champion of the ERM process, the CRO plays a key part in bringing together

disparate risk management processes to ensure that limited company resources are

applied effectively. The COSO ERM Framework deﬁ nes the role of the CRO as

working with other managers to establish effective risk management, monitoring

progress, and assisting other managers in reporting relevant risk information up, down

and across the organization.

Internal auditors should work with the CRO as part of their risk management duties.

In this role, internal auditors are responsible for evaluating the accuracy of ERM

reporting and providing independent and value-added recommendations to

management about its ERM approach. The IIA International Standards specify that the

scope of internal auditing should include evaluating the reliability of reporting

effectiveness, efﬁ ciency of operations and compliance with laws and regulations.

Risk architecture and structure

Risk architecture

Table 8.1 (page 80) shows the risk architecture for a typical large corporate entity that is subject

to the requirements of the Sarbanes–Oxley Act. This risk architecture should be set out in the

risk management policy for the organization. Terms of reference of the various committees

and a schedule of the activities should also be established, either in the risk management policy

or in a calendar of risk management activities. This schedule of activities should be aligned

with the other corporate activities in the organization.

For a large organization with non-executive directors, the audit committee should also be

shown in the risk management architecture. The role of the audit committee and the role of

the head of internal audit are important in fulﬁ lling the risk management strategy of the

organization.

For organizations subject to the requirements of the Sarbanes–Oxley Act, there will also be a

requirement to ensure that all information disclosed by the company is accurate. In many

large organizations, this requirement has resulted in the establishment of a disclosures com-

mittee. The role of the disclosures committee is to check the source and correctness of all

information that is disclosed by the organization. Sarbanes-Oxley requires that ﬁ nancial infor-

mation is evaluated to a higher level of scrutiny.

The risk architecture of an organization sets out the hierarchy of committees and responsi-

bilities related to risk management and internal control. In the structure shown in Figure 10.1,

the corporate risk management committee focuses on executive risk management activities.

Risk management responsibilities for activities at divisional or unit level should be allocated to

divisional management. Divisional management is responsible for co-ordinating the identiﬁ -

cation of signiﬁ cant risks at divisional level, compiling the risk register for the division and

ensuring that adequate controls are identiﬁ ed and implemented.

96 Risk strategy

The board

• Overall responsibility

for risk management

Executive committee

• Ensure risk management is

embedded into all processes

• Review group risk prole

Group

risk management (RM) committee

• Formulation of strategy and policy

• Compile group risk register

• Receive reports from divisions

• Track RM activity in the divisions

Disclosures committee

• Review and evaluate disclosure

controls and procedures

• Consider materiality of information

disclosed to external parties

Audit committee

• Receive routine reports from Group RM

Committee

• Set audit programme

• Monitor progress with audit recommendations

Divisional management

• Prepare and keep up to date the divisional risk register

• Set risk priorities for division

• Monitor projects and risk improvements

• Prepare reports and group RM committee

• Manage self-certication activities

Inform and monitor

actions

Reports for evaluation

Figure 10.1 RM architecture for a large corporation

Divisional management should be provided with guidance from the group risk management

committee. If there is a divisional committee, it should be required to send reports to the

group risk management committee, so that the corporate or group overview of risk manage-

ment priorities can be established.

For a public sector or charity organization, the risk architecture will be somewhat different.

Figure 10.2 sets out a typical risk architecture for a charity. In this case, risk management activ-

ities are focused on the governance and risk committee. The ﬂ ow of information and the

control of risk management activities are illustrated by the arrows in Figure 10.2.

Risk architecture and structure 97

Trustee board

• Overall responsibility

for risk management

Executive committee

Fund-raising committee

Governance and risk committee

• Provide assurance to the board that risks to achieving excellence in governance are

being effectively understood, managed and mitigated

• Identify signicant risks that the board needs to consider in detail

• Identify that the risk management strategy and policy is implemented consistently

across the charity

• Monitor and ensure the effectiveness of risk management governance systems

• Ensure that the risk register is t for purpose and meets requirements sufcient for the

board to discharge statutory functions

Audit committee

• Establish internal audit plan

• Receive reports from committees

• Review annual report to Charity

Commission

Finance committee

Events committee

Inform and monitor actions

Reports on RM activities

Figure 10.2 RM architecture for a charity

Corporate structure

There are many ways for risk management reporting lines to be established. The reporting

structure should be proportionate to the level of risk and the complexity of the organization.

For high-risk organizations, such as those in the ﬁ nance sector, the risk committee is likely to

be a direct sub-committee of the board. In these circumstances, it is likely that the risk com-

mittee will be chaired by the group ﬁ nance director and it will have other senior representa-

tion from the board.

In general, the risk management committee should be an executive committee made up

entirely of executive directors with no non-executive director membership. This is because the

management of risk is an executive function and non-executive directors are primarily respon-

sible for audit and risk assurance. Typically, the risk management committee will send reports

to the audit committee, and that will be the opportunity for non-executive directors to evalu-

ate risk performance and obtain risk assurance.

98 Risk strategy

For organizations that are not operating in such a high-risk environment, it may not be neces-

sary for the risk committee to be a direct report to the main board. In these circumstances, the

risk committee may be a sub-committee of the executive committee or the operations com-

mittee. In all cases, the corporate structure for the management of risk should be proportion-

ate to the level of risk within the organization and the size, complexity, nature and risk exposure

of the organization.

However, there are no speciﬁ ed correct structures for the risk architecture of an organization.

Provided that the risk committee delivers the required outputs, the membership and terms of

reference will be for the organization to decide. Nevertheless, the general point remains that

management of risk is an executive function, whereas audit activities should be led by non-

executive directors.

Risk committees

Table 10.1 sets out typical responsibilities for a risk management committee (RMC). Most

large organizations will already have an audit committee, chaired by a senior non-executive

director. An option considered by many organizations is to extend the role of the audit com-

mittee to include all aspects of risk management or to establish a separate risk management

group chaired by an executive director.

There is a strong justiﬁ cation for the RMC to be an executive group, rather than part of any

existing non-executive audit committee. This is necessary because risks need to be managed in

a proactive manner as an executive responsibility. The existing audit committee is likely to

treat the management of risk as a non-executive (reactive) auditing of compliance. Separation

of executive responsibility for the management of risk from non-executive responsibility for

auditing and review of compliance will also be consistent with good corporate governance

principles.

Some organizations have established the RMC as a sub-committee of the audit committee. If

this is the case, actions need to be taken to ensure that risk is managed as an executive respon-

sibility, rather than audited as a compliance/assurance issue. In fact, establishing RMC as a

sub-committee of the audit committee could impair the work of RMC because of increased

bureaucracy and an unhelpful emphasis on auditing and compliance, rather than proactive

management of risks.

Membership of the RMC is another question that needs to be addressed. The fundamental

decision to be taken in large organizations is whether the risk management committee should

be a small senior executive group setting strategy and policy or whether it should be a knowl-

edge-sharing group with representation from each of the units or departments within the

organization. The answer will depend on the structure of the organization and the intended

role of the committee.

Risk architecture and structure 99

Table 10.1 Responsibilities of the RM committee

To advise the board on risk management and to foster a culture that emphasizes and

demonstrates the beneﬁ ts of a risk-based approach to risk management

To make appropriate recommendations to the board on all signiﬁ cant matters relating

to the risk strategy and policies of the company

To monitor the performance of the risk management systems and review reports

prepared by relevant parties

To keep under review the effectiveness of the risk management infrastructure of the

company, including:

assessment of risk management procedures in accordance with changes in the

•

operating environment

consideration of risk audit reports on the key business areas to assess the level of

•

business risk exposure

consideration of any major ﬁ ndings of any risk management reviews and the

•

response of management

assessment of the risks of new ventures and other strategic, project and

•

operational initiatives

To review the risk exposure of the company in relation to the risk appetite of the board

and the risk capacity of the company

To consider the development of risk management and make appropriate

recommendations to the board

To consider whether disclosure of information regarding risk management policies

and key risk exposures is in accordance with ﬁ nancial reporting standards

The overall aim is to achieve a prioritized, validated and audited improvement in risk manage-

ment standards in the organization. The RMC and the audit committee should, therefore,

operate in a way that provides mutual support. However, combining the two committees into

a single group, or placing one committee as superior to the other will not be the best way

forward for most organizations.

100 Risk strategy

Risk communications

Accurate communication on risk issues is vitally important. Internal communication within

the organization will be undertaken through the risk architecture. This is the formal risk com-

munication structure related to risk control activities and the collecting of information for

external risk reporting purposes. For example, a road haulage company may wish to bring

focus to the efﬁ cient operation of the organization and ensure that risk management receives

appropriate attention.

In these circumstances, the company might decide to introduce a number of measurable loss-

control programmes. The board of the company has requested a report at every board meeting

on the number of road accidents, frequency of vehicle breakdowns, level of fuel consumption

and reported incidents during deliveries. These reports will enable the board to benchmark

the performance of the company, in comparison both with competitors and also with histori-

cal data for the company itself. In this case, the board is monitoring performance, whereas the

management of the improved risk performance remains an executive responsibility to be

delivered by line management.

Within some organizations, risk communication may also be more informal. Communication

will take place during risk assessment workshops and at risk training courses. Communication

arrangements are part of the risk culture and this is considered in more detail in a later Part of

this book. External risk communications should be considered as having two components.

Communication will need to take place with external stakeholders, including the media, the

general public and pressure groups.

For example, if a road haulage company wishes to extend the vehicle storage depot, there will

be a need to communicate with stakeholders, as well as local authority planning departments.

The company will need to prepare arguments that provide an evaluation of any risks to the

community that may increase when the depot is extended. The public perception of what is

proposed and the impact on the vicinity may not be fully accurate. Accordingly, the company

will need to prepare honest, open and detailed arguments that assure all interested parties that

adequate risk control arrangements are in place.

The box below provides an example of risk communication in relation to nuclear and chemi-

cal industries in the United States. The lesson here is that the public perception of risk may not

be aligned with the scientiﬁ c evidence. The information presented by an organization needs to

do more than present intellectual information. The communication should also address emo-

tional concerns.

Risk architecture and structure 101

Risk communication

The formal development of risk communication as a subject began in the late 1970s

with efforts by the nuclear and chemical industries in the United States to counteract

widespread public concern about those technologies. It was believed that clear,

understandable information was all that was needed to make people see that the risks

were lower than many feared.

For decades this approach has failed, and most risk communication experts say it is

inadequate. Perceptions of risk, and the behaviours that result, are a matter not only of

the facts but also of our feelings, instincts and personal life circumstances.

Communication that offers the facts but fails to account for the affective side of our

risk perceptions is simply incomplete.

Risk communication is also commonly thought of as what to say under crisis

circumstances, but this is inadequate. While it is certainly true that communication in

times of crises is important in managing the public response, countless examples have

taught that a great deal of the effectiveness of risk communication during a crisis is

based on what was done beforehand.

Risk maturity

Table 10.2 sets out a system for determining the level of risk maturity within an organization

with regard to risk management processes. This table sets out four levels of risk maturity,

described as naive, novice, normalized and natural (4Ns). The characteristics of each of these

levels are described in the table. Clearly, it is better for an organization to seek a higher level of

risk maturity. However, the approach to achieving risk maturity in the organization should be

proportionate to the level of risk that the organization faces.

The level of risk maturity within an organization will help deﬁ ne the level of sophistication

that the organization has in its risk management activities. Figure 4.2 (page 44) discusses the

level of sophistication of the contribution that risk management can make to company activi-

ties. The greater the level of risk management sophistication achieved by an organization, the

greater the beneﬁ ts. Achieving an improved level of maturity in relation to risk management

processes does not necessarily guarantee that a greater level of sophistication will be achieved,

or that a higher level of beneﬁ ts will be obtained.

Nevertheless, achieving an improved level of risk maturity may be one of the strategic aims for

risk management within the organization. If that is the case, an established framework for

measuring risk maturity is required. It is important that the organization uses a risk maturity

102 Risk strategy

Table 10.2 Four levels of risk maturity

Level 1 – Naive

Level 1 organizations are unaware of the need for the management of risk or do not

recognize the value of structured approaches to dealing with uncertainty. Management

processes are repetitive or reactive, with insufﬁ cient attempt to learn from the past or to

prepare for future threats or uncertainties.

Level 2 – Novice

Level 2 organizations are aware of the potential beneﬁ

ts of managing risk, but have not

implemented risk processes effectively and are not gaining the full beneﬁ ts.

The

organization is either experimenting with the application of risk management or is

operating a risk management process that has fundamental weaknesses.

Level 3 – Normalized

Level 3 organizations have built the management of risk into routine business processes

and implement risk management throughout the organization. Generic risk management

processes are formalized and the beneﬁ ts are understood at all levels of the organization,

although they may not be consistently achieved.

Level 4 – Natural

Level 4 organizations have a risk-aware culture with a proactive approach to risk

management in all activities. As a result, the consideration of risk is inherent to routine

processes. Risk information is actively used and communicated to improve processes and

gain competitive advantage.

model that aligns with its own ambitions in relation to risk management maturity and pro-

vides a practical approach that can be embedded within the organization.

Several types of risk maturity approaches are in existence, including the Criteria of Control

(CoCo) framework. The approach adopted by the Criteria of Control (CoCo) framework

focuses very heavily on the importance of risk maturity. The approach of this internal control

framework is that if the risk culture and the risk architecture, strategy and protocols are correct

then good levels of risk management and internal control will be achieved. Another risk matu-

rity model that is frequently used is the European Foundation for Quality Management

(EFQM) model.

Risk architecture and structure 103

Alignment of activities

Risk management activities and the risk architecture, strategy and protocols should be aligned

with the business processes within the organization. Risk information ﬂ ows around the risk

management framework and (if successful) this will produce various outputs. These outputs

have already been described as compliance, assurance, decisions and efﬁ ciency/effectiveness/

efﬁ cacy (CADE3).

Most risk management standards make reference to the upside of risk or discuss the manage-

ment of opportunity risks. Project risk management, or the management of control risks, has

become a separate discipline within risk management, and project risk management has

become well developed, with separate guidance material.

When considering the contribution that risk management can make to the organization, it is

important to decide whether the contribution will relate to strategy, projects and/or opera-

tions. This decision will enable the risk management activities within the organization to be

aligned with the other business operations, processes and imperatives.

It is important that risk management activities are aligned with other operations, so that the

risk management procedures can be fully embedded into the existing management procedures

and activities within the organization. This will also ensure that risk management activities are

undertaken in an efﬁ cient and embedded manner and are not seen as a separate activity

detached from management of the organization.