Enterprise Risk Management & Corporate Governance

1.0 Introduction

It was the US military, during the 1991 Iraq war, that popularized the term VUCA in its description of the extreme conditions of the Afghanistan and Iraq terrains. VUCA has become an acronym for volatility, uncertainty, complexity and ambiguity, which are characteristics of today's external environment not only in West Africa but throughout the world. Leading an enterprise for sustainable growth in the VUCA business world is challenging and extremely daunting. It reflects the increasingly unstable and rapidly changing business environment, in which organizations that thrive today could be extinct by the dawn of a new day.

Crisis is often the common denominator of this critical environment in the financial sector. Many companies have problems and have had to deal with many unexpected difficulties, ranging from decline in product demand, decline in commodity prices, high receivables, intolerable credit defaults, wild swings in currency exchange rates, broad liquidity crunch, failure of management, wide skills gaps, harsh regulations and natural disasters. How then does an enterprise respond to these unexpected difficulties in the wake of a VUCA environment, such that it is not taken unawares and is also able to control the impact of such occurrences?

The financial services industry in West Africa has changed considerably over the years, with significant new ideas, new products, new processes and new ways of doing business creating great expansion and a meteoric rise for several banks, insurance companies, mortgage institutions and finance companies, to the extent that rising revenue and profitability were mistaken for well-run companies. Amidst this development, many of the companies have been careless and poorly governed, to the extent that some of the once supposedly strong companies are no more today.

Some of the reasons for the failures include poor capital management, poor liquidity position, rapid regulatory changes, inadequate human capital, lack of innovation, huge receivables, poor loan recovery and outdated processes. Regardless of the reasons, it was evident that there were unmitigated exposures arising from the VUCA business environment which were poorly managed and had a huge impact on the financial system, creating a contagious and damaging effect throughout the market.

The necessary response to this development has been an increasing focus on enterprise risk management and effective corporate governance. This paper discusses the concepts of enterprise risk management and corporate governance and how to embed them in the management of financial sector companies.


2.0 Traditional Risk Management

It is evident that organizations have always managed their risks, and business leaders have done so for decades. This is why they have remained in business. However, these organizations managed their risks in silos. For instance, in the past, each head of a functional department was responsible for the risks emerging from that department, without regard to the linkages such risks may have with other departments or the entire enterprise. While assigning functional heads the responsibility for managing risks related to their business unit makes good sense, this traditional approach to risk management has limitations, which have sometimes meant that significant risks on the horizon went undetected. Thus, enterprise risk management has great benefits for the company over the traditional risk management approach. This is illustrated in the Table below.

3.0 Enterprise Risk Management

"Risks" are simply defined as future issues that can be avoided or mitigated. Risk is assessed as a function of three variables: the probability that there is a threat, the probability that there are vulnerabilities, and the potential impact these could have on the business or the organization. The fact that these variables, when present in the activities of an enterprise, could indicate risky exposures with dire consequences has necessitated the introduction of enterprise risk management, which is a comprehensive and systematic approach to more proactive and holistic risk management. ERM is an enterprise-wide, process-based solution to managing risks, and it usually involves everyone in the organization, from the Board to the most junior staff in the enterprise.

Thus, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined Enterprise Risk Management (ERM) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

3.1 Importance of Enterprise Risk Management

Despite the apparent significance of ERM, many organizations are yet to embrace it. While every institution is exposed to various levels of risk, no matter how small, insignificant risks on their own have the potential to become big risks through their interaction with other events, causing great havoc and extreme financial losses. Enterprise Risk Management therefore helps to reduce earnings volatility, improve operational processes, enhance competitive advantage and increase Management's confidence in the decision-making process.

It is apparent that enterprise risk management is not just about avoiding losses, failures and disasters, but is also about taking advantage of emerging opportunities in order to protect and enhance the value of all stakeholders.

Fig 1: Importance of ERM

Source: Paul Esther Consulting Limited, 2017


3.2 Expressions of Enterprise Risk Management

Risks have been shown to manifest in different ways even though they may be caused by similar events. For instance, the outbreak of the Ebola disease in Liberia not only spread through Guinea, Sierra Leone, and Nigeria but eventually extended to Europe and America. While it had a primary cause in Liberia, its contagious effect wreaked havoc in all the other places. This has implications for risk management strategy. Similarly, on the 14th of August, 2017, there was a mudslide that killed hundreds of people on the outskirts of Freetown, the capital of Sierra Leone. The mudslide, which is typically considered a natural disaster, was triggered by torrential floods, while the uprooting of trees for construction on the hillside was found to have made the soil unstable and more vulnerable to collapse. However, people believed that the illegal construction on the overcrowded hillsides should have been tackled before the disaster happened, since storms and torrential downpours are known to be common in August and September in Sierra Leone. As a result of the disaster, the citizens were exposed to the risk of waterborne diseases such as cholera and typhoid, while many lives and homes were lost. This is an indication that there can be correlations between risks.

In the financial sector, the regulators have had to intervene in a number of companies due to inadequate capital and poor liquidity positions. Sometimes the inability of a company to raise new capital when required, the depletion of its capital through huge loan defaults or significant receivables, or the erosion of its capital through poor governance has been responsible for the failure of several institutions. The same problem often manifests in different forms and presents different types and levels of risk.


3.3 Designing Enterprise Risk Management Framework

An effective ERM program is rooted in two primary goals:

  • The need to identify, evaluate and measure risks, and their correlations and dependencies, from all sources across an enterprise
  • The need to effectively implement risk treatment strategies that are informed by a clear understanding of the enterprise's risks, in order to achieve appropriate risk and return trade-offs in line with the values and goals of the institution

This shows that enterprise risk management is a process-based solution for the effective management of business risks. It therefore requires a holistic examination of the enterprise in order to develop an appropriate framework to guide the implementation of its risk management strategies. Some of the concepts that financial organizations need to engage in building an effective ERM Framework include what we term the "8 Ps", which are Purpose, Plan, Process, Picture, Pattern, Performance and Practices.


3.4 Enterprise Risk Management Process

According to COSO, the ERM process is designed to:

  • Identify potential events that may affect the organization
  • Manage risks to be within the organization's risk appetite
  • Provide reasonable assurance regarding the achievement of the organization's objectives

To assist in the implementation of the ERM process, COSO developed the ERM integrated framework known as the COSO Cube 2004.

Fig 2: COSO Cube 2004

(Figure: a holistic approach to managing all the risks inherent within the enterprise)

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO)

This framework was updated in 2017 to include five interrelated components and 23 relevant principles arrayed among the components, to emphasize the changing focus of ERM from simply helping to protect stakeholders' value to helping organizations grow and enhance their value.

Fig 3: COSO Cube 2017


This forces management to accommodate uncertainties that present both risk and opportunity, with the potential to erode or enhance stakeholders' value. It is assumed that stakeholders' value is maximized when management strikes an optimal balance between growth, return goals and the related risks. The process of achieving this is ingrained in the business and based on close cooperation between operational management and all functions working with the different parts of the risk management process. This must be clearly laid out; a typical ERM process is therefore as follows:

Fig 4: The Enterprise Risk Management Process


3.5 Risk Governance

The risk governance structure emphasises and balances strong central oversight and control of risks with clear accountability for, and ownership of, risks within each business unit.


Fig 5: Risk Governance Structure



3.6 Corporate Governance

Corporate failures in banks, insurance companies and mortgage institutions, together with Board and top-management scandals, have diminished investors' and creditors' confidence in the governance and financial reporting of financial institutions. This has renewed the call for effective corporate governance from Regulators, Boards of Directors, Management, Auditors, and other Stakeholders. Corporate governance is the process through which the Board provides direction, authority, and oversight of management on behalf of the company's stakeholders.


3.6.1 The 5 pillars of corporate governance

The term corporate governance should be understood to mean much more than the rules, regulations, accountabilities, structures and frameworks by which an entity, state or corporation is governed. Rather, it is largely about the institutional and individual attitudes, leadership, values and behaviours of those who wield authority and exercise power within the system.

We can identify five integrated elements that underpin a firm’s ability to engage in effective corporate governance, manage its risks, and implement new regulatory changes. They are Culture, Leadership, Alignment, Systems, and Structure (CLASS).

Boards and senior executives can review each CLASS element to build and fortify risk management and governance capabilities. Each element positively reinforces the others and strengthens strategic risk management.

I) Culture

Culture is the set of shared values, beliefs and attitudes that characterize a company and guide its practices. It is rooted in an organization's goals, strategies, structure, and approaches to its workforce, customers, investors, and the greater community. Aspects of culture that can work against good governance and risk management include:

  • Unethical behavior
  • Excessive internal rivalry
  • Intolerance of failure
  • Propensity for risk-taking
  • Secretiveness
  • Persecution of people who speak up (whistle-blowers)

II) Leadership

It is often said that an organization rises or falls on its leadership. Thus, it is tempting to blame organizational failures solely on top management, but leadership requires a conducive environment, cooperative stakeholders and committed, consenting followers to succeed.

Boards of Directors can improve leadership and its effects on governance and risk management in a variety of ways, which include:

  • Making timely formal appointments to roles such as the role of the chief risk officer
  • Centralizing key risk management activities in a corporate department
  • Planning a balance of competencies and experience in executive teams

III) Alignment

Alignment is the process of bringing the actions of an enterprise's functional departments and workforce in line with the organization's long-term goals and objectives. The ability of the enterprise to achieve its strategic goals is enhanced by ensuring that its employees and functional departments work closely together and that decision making is progressive.

IV) Systems

Systems play a critical role in the effective functioning of an enterprise. They play a reinforcing role in shaping behaviour and culture. They also provide the Board of Directors with the information necessary to determine whether the organization is managing risk appropriately.

V) Structure

Implementing a structure requires identifying appropriate systems to ensure communication across the organization, and creating systems that enable the structure to function. Structure affects culture by reinforcing individual organizational roles.

3.6.2 Elements of Corporate Governance

To make for effective risk governance, the entire corporate governance system of the enterprise must be designed to achieve the following:

  • Accountability
  • Integrity
  • Efficiency and Effectiveness
  • Reliability and predictability
  • Openness and Transparency


3.7 Integrating Enterprise Risk Management and Corporate Governance

It is evident that ERM and corporate governance serve one and the same purpose. They are merely two sides of the same coin, so there is no argument about which of them is bigger. Strong corporate governance will enable ERM, while the effective implementation of ERM will thrive within an efficient corporate governance system.

3.8 Conclusion

It would appear that the resilience and robustness of the risk-based capital system employed in the United States in the 1990s for the regulation of financial institutions encouraged Europe and the rest of the world to also embrace the provisions of Basel II (banking sector) and Solvency II (insurance sector) for the success of their financial institutions. In West Africa, the three pillars of Solvency II (capital, governance and disclosures) have become the catalyst for the implementation and enforcement of ERM and corporate governance.



Paul Esther Consulting Limited


Email: helpdesk@peconsults.com

Phone number: 09019209764, 08022901011

Twitter: @peconsults

Instagram: peconsulting_ng

Facebook: Paul Esther Consulting Limited

LinkedIn: Paul Esther Consulting Limited

References

  1. Aljazeera (2017). Sierra Leone mudslide: What, where and why. https://www.aljazeera.com/indepth/features/2017/08/sierra-leone-mudslide-170816053741558.html
  2. Argyrou, M. (2015). Adopting enterprise risk management (ERM) in a high-growth insurance market: The Trust Re experience. Trust Re Perspectives. trustre.com
  3. Beasley, M. (2016). What is enterprise risk management? Enterprise Risk Management Initiative, Poole College of Management. www.erm.ncsu.edu
  4. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004). Enterprise risk management: Integrated framework. Executive summary.
  5. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004). Enterprise risk management: Integrated framework. Application techniques, pp. 1-105.
  6. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2017). Enterprise risk management: Integrating with strategy and performance. Executive summary, pp. 1-10.
  7. Drew, S.A., Kelley, P.C. and Kendrick, T. (2006). CLASS: Five elements of corporate governance to manage strategic risk. Business Horizons, 49, pp. 127-138.
  8. ERM Committee of the American Academy of Actuaries (2013). Insurance enterprise risk management practices. A public policy practice note. American Academy of Actuaries: Washington DC.
  9. Isa, A. (2014). Risk management in the financial service industry. Central Bank of Nigeria: Understanding Monetary Policy Series, no. 40, pp. 1-25.
  10. Jeroen De Flander (2015). Strategy execution in the 21st. Washington DC.
  11. Monetary Authority of Singapore (2013). Enterprise risk management for insurers. Singapore.
  12. Pierre Veyrat (2017). What is enterprise risk management? Risk is inevitable and sometimes desirable. https://www.heflo.com/blog/risk-management/enterprise-risk-management/
  13. PWC (2015). Enterprise risk management in the public sector.
  14. Securitas Annual Report (2017). Four-step process for managing enterprise risk.
  15. Sobel, P.J. and Reding, K.F. (2004). Aligning corporate governance with enterprise risk management. Management Accounting Quarterly, Winter 2004, vol. 4(2), pp. 29-37.
  16. Grojean, M.W., Resick, C.J., Dickson, M.W. and Smith, D.B. (2004). Leaders, values, and organizational climate: Examining leadership strategies for establishing an organizational climate regarding ethics. Journal of Business Ethics, 55(3), pp. 223-241.