Organizations take, face, and respond to risks every day in pursuing of their business objectives. Elevating risk management to a strategic level in strategic and operational planning helps ensure that what is being planned, and plan execution results, are appropriately safe, sound, and compliant. To do this effectively, organizations need to establish, implement, and adhere to an Enterprise Risk Management (ERM) framework and program.
Enterprise Risk Management framework describes an organization’s structure and approach to managing risk across the organization. The objective of an ERM Framework is to ensure that the organization has the structure, governance, roles, and responsibilities as well as the culture, skills, expertise, data and technology infrastructure, and tools to manage risk. ERM can be used by organizations of any size. If an organization has a mission, a strategy, and objectives, and a need to make decisions that fully consider risks, then ERM can be applied.
An ERM Framework is structured to provide a consolidated and aggregated view of an organization’s risk and integrates inputs from all risk disciplines (e.g., compliance, operational, strategic, reputational) and activities. It is cross-functional, enlisting collaboration with the businesses, with oversight, direction, and challenge from independent risk management and compliance functions. Independent risk review and assurance functions such as internal audit validate the program design, provide ongoing independent validation, and assurance of aspects, or the entirety of program effectiveness, and provide recommendations for the advancement of the organization’s risk management practices.
- Aggregate and assess risk across the organization.
- Comply with laws, rules, and regulations.
- Protect and enhance an organization’s reputation.
- Facilitate an organization’s mission by integrating risk considerations into strategic and operational planning decisions, and by managing risk to the organization’s earning, capital, operational strength, and reputation in a manner that promotes prudent, effective decision-making, optimizes risk-reward, and instills accountability for risk in fulfilling the organization’s strategy and mission.
- Promote a strong risk culture that includes a thorough understanding of risk appetite along with clear roles, responsibilities, and accountabilities for the ownership and management of risks.
- Ensure that a strong risk infrastructure supports the effective management of risks and consistency in the management of risks.
- Maintain a risk governance structure at the board and management level that ensures identification, measurement, analysis, management, monitoring, and reporting of all material risks along with effective risk response strategies and escalation protocols.
- Ensure effective, proactive management for each of the organization’s risk categories along with anticipation and management of material risk interdependencies.
Risk and Compliance Culture
Risk culture refers to norms, attitudes, and behaviors that an organization displays in relation to risk awareness, risk taking, and risk management. These norms, attitudes, and
behaviors determine an organization’s collective ability to identify, understand, discuss, and act on existing and emerging risks.
While all employees are accountable to help manage risks and have specific role-based and general risk responsibilities, executives and managers have the responsibility and accountability to provide leadership and direction to managing the risks in their areas of responsibility and to promote a strong risk culture by setting the tone at the top. Senior leadership demonstrates the desired risk culture by word and action, and promote recognition throughout the organization that action in accordance with that risk culture is everyone’s responsibility.
A risk and compliance culture is characterized by the following principles:
- Operating in a safe and sound manner.
- Operating with integrity.
- Encouraging risk awareness, understanding and escalation, and acting on existing and emerging risks.
- Taking informed and prudent risks.
- Driving accountability for all employees.
- Complying with all applicable laws, regulations, and supervisory guidance.
- Engaging in healthy challenge.
- The following mechanisms support achievement of the desired risk culture:
- Tone at the Top – Board and senior management set a “tone at the top” emphasizing the importance of a strong risk and compliance culture.
- Accountability – Ensure clear leadership accountability for risk and compliance across the three lines of defense and emphasize the value and necessity of controls.
- Risk-Informed Decision-Making – Leadership considers all relevant risks and the views of the second and third lines of defense when evaluating risk-taking decisions and their associated processes.
- Effective Challenge – The organization’s board and senior management promote a culture in which information sharing is encouraged and rewarded, staff at all levels are comfortable raising issues of concern, risk and compliance functions are empowered to challenge business practices and decisions, and escalation channels are working as designed.
- Measure and Assess – Senior management measure, monitor, assess, and report on risk and compliance culture at least annually, using appropriate sources of quantitative and qualitative information.
- Training and Awareness – Strong processes for ongoing employee communication and training regarding risk and compliance policies and procedures as well as standards of conduct. Emphasis is placed on continuous learning
Risk management across all three lines of defense is a fundamental part of an organization’s business activity and an essential component of its integrated strategic and operational planning process.
The variety of an organization’s business portfolio requires the organization to identify, measure, manage, monitor, control, and report risks effectively, and to allocate capital among businesses appropriately. Risk is managed through a framework of policies, standards, principles, and organizational structures, as well as measurement and management processes that are integrated with the activities of the lines of business. An organization’s approach to risk management should involve a number of fundamental elements that drive processes across its lines of business.
The objective is to develop sound enterprise risk management practices that meet industry and regulatory standards. At a strategic level, risk management objectives are to:
- Comply with all laws, regulations, and standards.
- Identify the organization’s risks and ensure that business risk profiles and plans are consistent with risk appetite and limit structures.
- Optimize risk-reward by making informed decisions as close as possible to where the risk is originated (i.e., businesses and certain functional areas), while maintaining strong and independent review and challenge structures.
- Ensure that all lines of business growth plans are properly supported by effective risk infrastructure.
- Manage the aggregate risk profile of an organization and its major lines of business to ensure that specific customer and financial deliverables remain possible under a range of adverse business conditions.
- Help executives exercise ownership, control, and coordination of risk taking across the organization.
- Support the achievement of the organization’s mission and strategy by ensuring risks are appropriately identified, measured, monitored, reported, and mitigated.
- A comprehensive ERM program covers all regulatory risk categories, ensures clear accountability for the management of specific risks, and sets the requirements for control frameworks for all risk categories. Within this framework, individual control frameworks are reinforced by a robust system of review and challenge along with the governance process and broad review by lines of business, independent risk management, and internal audit.
Risk Governance Structure
Risk governance structure begins with the organization’s board and its committees, and executive management
The board serves in a governance capacity ensuring that a framework exists to ensure risks are managed in a manner that is effective. The board understands and promotes the organization’s risk philosophy and desired risk and compliance culture, approves the risk appetite, inquires about risk practices, reviews the portfolio of risks, compares the actual risks to the risk appetite and is apprised of significant risks, both actual and emerging, and determines whether management is responding appropriately to risk events. The board challenges management and ensures accountability.
The board reviews and formally approves the ERM framework. Through this approval, the board confirms their expectation that first line of defense own and are responsible and accountable for identifying and managing their risks. This approval also confirms the role of risk and compliance as the second line of defense with both the authority and independence to oversee the management of risk levels consistent with established risk appetite.
A policy is a formal statement of an organization’s strategy and position. It addresses certain subject matter and any material inherent risks, including legal and regulatory requirements and expectations, and includes who the policy applies to, when the policy applies, when the policy requires actions, and any relevant restrictions. The purpose of a policy is to (i) establish the parameters in which the business should operate based upon the organization’s risk appetite, (ii) support adherence to laws or regulations, (iii) address fundamental strategic guiding principles or long-term goals and values, and (iv) address more tactical operating principles that support long-term goals.
Policies related to risk management (i.e., risk policies) are used to define and communicate risk management requirements, expectations, roles, and responsibilities.
Practically, there are two levels of policies—
- Level 1 Policies are those policies required by a law or regulation or are associated with a material inherent risk or are of a strategic nature that requires the approval of the board, or a committee of the board.
- Level II Policies consist of content largely applicable to a specific line of business or business practice and only requires the approval of a management level committee (e.g., Asset/Liability Committee, Compliance and Operational Risk Committee).
Management Level Risk Committees
Management-level risk governance committees such as Compliance and Operational Risk Committee are formed and managed for the purpose of risk governance and decision-making. In some cases, there are regulatory requirements for committee activities, functions, and/or format reporting. While strong communication and awareness are important to effective overall governance, management-level risk governance committees should not be used solely for general and broad information sharing. Risk governance activities, such as program oversight, risk level and control adequacy monitoring decision making and policy approval, should comprise the majority of their meeting agenda items.
Three Lines of Defense
The Three Lines of Defense clarify the general roles and responsibilities and accountabilities of an organization’s business operations and management, independent risk management, and internal audit relative to the management of risk and provide a framework that supports the integrity of information escalated to risk governance committees and the board.
First Lines of Defense: Business Operations and Management
The responsibilities of business operations and management may include, but are not limited to:
- Own, identify, assess, manage, monitor, control, and mitigate risks aligned to the organization’s risk taxonomy.
- Incorporate established risk standards and parameters into business unit operating policies and procedures.
- Communicate risk appetite statement, tolerances, and limits throughout the business unit.
- Set clear expectations and accountability for risk management and compliance associated with business activities.
- Develop and execute action plans in the event of a risk trigger or appetite breach.
- Establish clear, well-defined protocols for evaluating, and where appropriate, and authorize exceptions to business level standard operating procedures.
- Conduct periodic evaluation of the types and levels of risk within the business, the effectiveness of the control environment, and the residual risk.
- Identify and monitor internal and external emerging risks, potential threats, and industry best practices.
- Aggregate risks, including by business activities or products.
- Use the risk identification and risk assessment for operational and strategic planning.
- Conduct continuous monitoring of a broad range of business performance data to ensure that established controls are working, and the business is complying with policies, standards, and procedures.
- Provide accurate, concise, and timely risk reports to executive management, the chief risk officer, internal audit, and board and management committees.
Second Line of Defense: Independent Risk Management
The responsibilities of independent risk management function (led by the Chief Risk Executive) may include, but are not limited to::
- Develop risk appetite limits by risk category in consultation with the risk-taking business units.
- Recommend risk appetite statement, limits, and metrics for board approval.
- Establish and maintain an enterprise risk management and control framework, including enterprise compliance risk management program that is aligned with the board’s risk appetite statement, the company’s business and strategic objectives, and regulatory expectations.
- Aggregate and report risk information against risk appetite, including exceedances and metrics to the board.
- Assess risk mitigation strategies, including the effectiveness of such mitigation in a range of circumstances, and recommend alternatives if concerns arise.
- Provide independent oversight, credible challenge, and monitoring of an organization’s overall control environment.
- For policies owned by independent risk management, adhere to first line of defense responsibilities.
- Identify and monitor top risks, internal and external emerging risks, thematic risks, potential threats, and industry best practices.
- Monitor business activities and reporting to identify risks, compliance deficiencies, and weaknesses in controls and provide information for periodic board and management committee updates and for adjusting testing activities.
- Develop test plan and conduct risk-based quality control and quality assurance testing of business unit activities.
- Establish a clearly defined escalation process to enable prompt escalation and remediation of material problems, including disputes between compliance and first line of defense management regarding compliance matters are resolved objectively.
- Ensure that management information systems have:
- A level of sophistication consistent with the complexity and diversity of the organization’s operations, and
- Support the responsibilities of the Board to oversee the organization’s core business lines, critical operations, and other core areas of supervisory focus.
Third Line of Defense: Internal Audit
The responsibilities of internal audit may include, but are not limited to::
- Evaluate the processes used by the organization to design and govern the risk appetite and related framework, standards, and procedures.
- Evaluate the operating effectiveness of the risk appetite framework and process, and report results to management and the board.
- Pose credible challenge to management when policies and procedures are not followed, or control weaknesses are identified.
- Provide independent assurance on the adequacy and effectiveness of the the organization’s overall control environment.
- At least annually, conduct independent risk assessments of auditable entities to determine the related risk profiles.
The core of an effective ERM framework is a risk taxonomy that names, classifies, and defines risk across the entity. Organizations establish a risk taxonomy structure to:
- Aid management in understanding the current risks faced across the entity.
- Facilitate the consistency of risk measurement and risk aggregation across the entity.
- Assign accountability and ownership for each risk area.
A risk taxonomy structure, based on an organization’s business composition, operating models, and risk exposures, may be comprised of, but may not be limited to the following principal risk areas: Price, Insurance, Credit, Market, Interest Rate, Liquidity, Compliance, Operational, Strategic, Reputation, and Legal. The principal risks are further broken down into sub-categories of risks in each risk area to provide granularity and transparency.
EXHIBIT 2 – Illustrative Risk Taxonomy
Each of the major risk categories are governed through programs, policies, procedures, and governance activities tailored for the management of the individual risk category. The ERM framework does not replace the programs for the individual risk categories but creates the framework for the holistic view and assessment of all risks, along with the understanding of potential risk interdependencies.
The following table illustrates: (a) the business units that may be accountable as risk owners for each of principal risk categories, and (b) the independent risk management unit that may be responsible for overseeing the management of each risk category.
Risk Appetite Statement (RAS)
Risk appetite describes the level of risk an organization is willing to accept and manage in pursuit of its strategic objectives. It sets the tone for effective linkage of strategy,
capital, and risk and is articulated through dedicated risk appetite statement (RAS). It communicates the organization’s fundamental approach to risk and reflects the organization’s capacity to manage inherent risks in business activities and to support safety and soundness and compliance in its operations. It establishes critical guidance for risk appetite metrics. An organization’s strategic and operational planning, tactical decisions, and all risk positions must align to its RAS and risk appetite metrics and limits. A material change in the RAS may signify a significant shift in the organization’s strategy, objectives, or external environment.
The RAS covers areas where risk is undertaken or could manifest itself. It starts with an overarching expression of risk appetite and is expanded and supported by the organization’s principal risks. It includes both quantitative and qualitative elements with implicit or explicit aggregate risk limits as appropriate. The following statement is an example of a compliance risk appetite statement: “The company will operate in material compliance with all applicable state and federal laws and regulations.”
Risk Appetite Metrics
Risk appetites are expressed through risk appetite limits and triggers (most of which are based on key risk indicators (KRIs)) that align with the RAS and balance business objectives and should be approved by the board. Limits, triggers, and other key risk indicators (KRIs) are designed to be operationalized at various levels in the organization and are used to guide and control underlying business activity. Management should manage business consistent with established risk appetite and within defined limits and triggers.
Establishing and refining risk appetite limits, triggers, and KRIs is an evolutionary process. These risk appetite metrics are formulated and evolved through a combination of “top down” and “bottom up” approaches. Through a bottom up approach, limits and triggers ranges are identified by lines of business and independent risk oversight.
Additionally, through a top down approach, management analyzes risk-taking at the business unit level to formulate KRIs, limits, and triggers. These two approaches are supplemented by qualitative and quantitative evaluations considering strategy, stress testing, scenario analysis, and direction of risk and rate of change. From these activities, management formulates risk appetite metrics that are further reviewed, refined, and escalated through the risk governance process for approval.
An organization should strive to develop and use forward looking KRIs and other risk metrics wherever possible.
Once established, risk appetite limits, triggers, and KRIs are subject to regular reporting for conformance with established limits, and exceptions are highlighted. Reporting begins with a management monitoring process and is escalated to the appropriate risk governance committee and the board.
The governance committees are responsible for ensuring that appropriate policy enhancements and approvals, reporting, accountabilities, and escalation procedures are defined and communicated for the approved limits, triggers, and KRIs for the individual risk categories.
Appetite Metric Performance Monitoring, Reporting, and Escalation
Performance relative to RAS, limits, triggers, and KRIs for each major risk category, along with the underlying limits, triggers, and KRIs that help ensure performance within the enterprise appetite should be regularly reviewed and discussed by the appropriate risk governance committee. The limits, triggers, and KRIs should be subject to analysis, reporting, and escalation as appropriate and warranted. Material issues, trends, and risk appetite metric breaches should be reported to risk governance committees and the board.
Risk appetite, when expressed as limits and triggers, defines the maximum amount of risk acceptable for a specific risk measure (“Limit”) and a level below the maximum requiring escalation and action (“Trigger”). When appetites are expressed as ranges, they define the acceptable variation around the desired level of risk for a specific risk measure.
The following illustrates one method to report performance against limits and triggers:
When performance within a trigger or limit is approaching the trigger or limit, an action plan should be considered. The action plan should be formulated and implemented to manage the activity to remain below the trigger or limit. If the trigger or limit is breached, a remediation plan should be formulated and implemented. The remediation plan should focus on risk reduction. Action items and remediation plans should be reported to, and approved by, the appropriate governance committee based on (a) the risk category and (b) the level (e.g., enterprise, line of business, function).
Where ranges are used, a consistent approach should be used for reporting. If the upper or lower limit of the range is breached, a remediation plan should be formulated and implemented. Depending on which limit is breached, the remediation plan should focus either on risk reduction or maintaining existing risk capacity.
Performance relative to risk appetite and enterprise-level limits, triggers, and KRIs should be reported and regularly discussed by enterprise-level risk governance committee. Similar reporting should be produced at least quarterly and reported to the board and board risk committee.
Strategic, Performance, Risk, and Capital Management
An effective ERM program helps management achieve performance and profitability targets and prevent losses. Through effective integration and dynamic interplay of strategic planning, risk appetite se
management, and liquidity and capital planning activities, an organization’s risk-reward opportunities are optimized.
Activities in the strategic planning process include environmental assessments (internal and external), testing assumptions (at both enterprise and line of business level), developing new strategies, managing the performance of existing strategies, and communicating strategy.
A comprehensive risk assessment of the strategic planning process is important to gauge:
- Top and/or emerging risks that may be obstacles to the achievement of objectives.
- Current risk levels, direction of risks, and effectiveness of controls.
- Estimates of projected risk levels based on proposed business strategies.
Risk executives should participate with business executives in testing assumptions, identifying opportunities and alternatives, and providing effective challenge to new strategic direction. Risk assessment standards should be designed and implemented to provide structure and guidance on risk assessment activities. Elements of the strategic plans and risk assessments should be shared with relevant support functions to ensure that risk impacts are considered across processes and activities for the enterprise. Additionally, information such as anticipated new product volumes should be shared with decision support functions for planning purposes.
Outputs of the strategic planning process include the enterprise strategy, business level strategies, projected risk levels, and direct influence on operating plans, business performance objectives, and capital plans.
The strategic plan and scenario modeling should include impacts on the organization’s capital position.
Integrated Strategic and Operational Plan
An Integrated Strategic and Operational Plan (“Integrated Plan”) ensures operational commitments support strategic goals. It is developed by the organization’s leadership with board oversight and should cover a 3-year period.
The Integrated Plan is developed consistent with the Board’s risk appetite, including risk appetite under varying stressed conditions, as well as liquidity, and capital requirements. Monitoring systems should be established to report actual outcomes, KRIs, and make certain the organization’s objectives and risks remain aligned with the risk appetite.
Risk management is integrated into strategic planning and performance management. To ensure strategic and operational outcomes are aligned, senior executives should translate strategic direction into performance objectives for executives and cascade them into business unit objectives. These objectives are then further decomposed to individual performance objectives for all employees. Finance monitors progress for the
major business units, finalizes capital allocation, ensures disciplined reporting for these groups, identifies performance trends, and recommends adjustments where appropriate.
Performance objectives are expected to include financial and market performance, risk levels (leveraging dashboard information, appetite metrics reports, etc.), and other objective measures. Additionally, incentive compensation plans would be expected to include risk measurements in determining incentive award amounts, whether formulaic or discretionary.
Risk assessments are completed, reviewed, challenged, and aggregated for a holistic view of risk. The Chief Risk Executive, through participation in various activities in the strategic planning process, provides validation that if proposed activities are executed, risk levels should either (a) remain acceptable, or (b) move toward the desired risk level as remediation plans are completed.
Capital serves many purposes and enterprise capital adequacy is an important indication of an organization’s overall financial health. An organization should maintain capital at sufficient levels to absorb unexpected losses, promote public confidence, maintain access to funding, meet obligations to creditors and counterparties, and enable continued operations in an adverse environment. An organization should define, monitor, and manage to internal capital requirements sufficient to support its strategic and business plans, and appropriate for the actual and forecasted risk profiles of those plans, including potential growth.
Capital adequacy assessment, planning, and management processes should be integrated with strategic planning, performance management, and risk management, including stress testing activities. Capital adequacy assessment processes must account for a company’s array of businesses, regardless of whether the businesses are subject to different reporting, accounting, and regulatory capital regimes (e.g., GAAP, Economic, and Statutory).
Stress testing is conducted to support management’s assessment of the ability to absorb the consequences of unexpected events financially or operationally. Stress testing programs include multiple conceptually sound stress tests with various levels of complexity including scenario analysis, sensitivity analysis, entity-wide stress testing, and reverse stress testing. The process includes integration of risk identification and controls, risk appetite measures, and should be aligned with an organization’s operational planning and strategic focus.
Strategic Oversight Activities
In an increasingly complex world, many risks can no longer be identified, measured, managed, and mitigated by merely focusing on effective management within individual risk categories. Risk management philosophy requires that risk management is approached in an integrated, enterprise-wide and anticipatory manner. Specific programs are established to ensure that all risks are managed in accordance with an
organization’s risk philosophy and within its risk appetite and metrics. The ERM Program ensures that the organization also takes an integrated and holistic view across risk categories. It directs activities that provide a more accurate and complete picture of the organization’s risk profile so that appropriate measures are taken to avoid, mitigate, and manage risks.
Strategic oversight activities ensure management of risks. These activities take an enterprise-wide view across all risks and actively challenge an organization’s risk profile, thereby provoking insights and decision support for senior management and information to allow for informed governance and challenge by the board. Strategic oversight activities also ensure that risk is managed consistently across the organization and that the interaction of various risks and the associated impact are understood and considered when strategic and tactical decisions are made. By using scenario-based, integrated, enterprise-wide overview of all risk categories across lines of business, products, asset classes and geographies, strategic oversight activities identify and anticipate risks through a variety of tools and approaches.
Risk Identification, Assessment, Measurement, and Aggregation
Risk identification is a continuous process that takes into account company and process objectives and a changing business and economic environment. The risk management process is deployed across the entire risk taxonomy and all business areas. It addresses key risks to which the business is exposed. Quantitative and qualitative techniques are leveraged to identify and evaluate risks.
Risk identification is accomplished through interviews with management and subject matter experts, risk identification brainstorming workshops, risk assessments, risk and control self-assessments (RCSAs), surveillance of the external environment, scenario analysis, stress testing, use of risk inventory tools, review of process dashboards or metrics and root cause analysis of risk or loss events.
Top and emerging risk identification is a continuous process, as the environment may change in such a way that new top and emerging risks arise or that the impact and likelihood of previously identified top and emerging risks increases or decreases. Essential to the identification of the most critical top and emerging risks is an awareness of the organization’s strategy and business objectives. This is where there may be susceptibility of new or changing threats that may change risk.
Emerging risks are defined as newly developing or changing risks, which may have a substantial impact on an organization. Key drivers of top and emerging risks include new economic, financial market, regulatory, technological, geopolitical, and economic developments. Top and emerging risks are identified through continuous top and emerging risk scanning efforts, initial analysis, on-going monitoring, communication, and escalation. All identified top and emerging risks should be aggregated and reported to senior management and BRC.
New Products and Services
A risk governance committee (e.g., new products approval committee) should evaluate and approve new, modified, and expanded products and services. Such
committee ensures that (a) new products and services are consistent with approved strategy and risk appetite, (b) risks are appropriately anticipated, evaluated and managed, and (c) approval conditions are met in a timely manner. After a new product or service is implemented, post-launch monitoring should be established and implemented to ensure the new product or service remains within established risk appetite through key risk indicators and control monitoring
Key Initiatives / Projects
Key initiatives / projects, not subject to a new product risk governance committee, are activities or decisions at an organization that could have risks associated with the organization’s risk taxonomy. These may include, but are not limited to, implementation of new systems, implementation of new regulatory changes, launch of new applications, and key outsourcing decisions. Using risk assessment methodology, key initiative’s impact on existing controls should be documented using risk assessment methodology and new controls develops, where applicable, that mitigate risk to an acceptable level within the organization’s established risk appetite.
Risk Assessment and Measurement
Risk assessments measure the inherent risk that may materially impact an organization as well as the quality of risk management activities and the controls in place to mitigate risk to desired levels. Risk assessments help determine where efforts and resources need to be allocated to manage risks as well as identify opportunities to improve business decision marking and performance. Information is proactively gathered and discussed to identify, measure, monitor, and manage risks that can affect the organization’s ability to achieve its objectives. Risk assessments by the business and functional areas should be executed against an assessment entity within a defined risk assessment universe. An assessment entity is a product or key business unit within a line of business or key functional area for which a risk assessment will be performed.
Risk assessments and risk profiles take underlying RCSAs into consideration. RCSAs identify and measure operational and compliance risks related to business processes.
The risk assessment process should be governed by standards and guidance to facilitate consistency in assessing risk throughout and across the enterprise and allow for aggregation of information from all assessment units. The consistency within this approach allows the organization to effectively compare and prioritize risks by effectively identifying and assessing risks according to a standard set of process steps, terminology, and rating standards.
Risk Assessment Scope and Process
Various methods and techniques may be used in completing a risk assessment, such as interviews, forums, models, and facilitated workshops. Techniques used to measure the significance of risks can be quantitative and/or qualitative.
Various quantitative and qualitative techniques can be leveraged in the evaluation of risks.
- Quantitative – Use facts and data to quantify the risk of discrete and specific events and stress testing to assess discrete scenarios’ impact in the organization’s key performance measures.
- Qualitative – Some organization-specific risks do not lend themselves to quantification and must be qualitatively assessed. While data may not be sufficient to model or otherwise quantify these risks, facts and projections can be used to provide a description of the key risk exposures. Risk documentation should also include any assumptions being made regarding the potential risk event that may drive either the likelihood or impact (severity) of the risk event.
Regardless of method or technique, risk assessments should be documented and retained.
Risk Monitoring and Reporting
Remediation plans should be required when insufficient and weak management and control practices are identified and/or when risks exceed risk appetite metrics or trending in that direction. Minimum standards for remediation plans should include:
- Brief description of underlying risk issue including identification of root cause
- Specific action steps needed to manage within established risk appetite limits
- Accountable parties for action steps
- Target date (specific date, not a range) to restore to “green” status and, if resolution will take longer than one quarter, quarterly target milestones
- Assumptions and interdependencies
- Other corrective actions being taken
- Identification of risk governance committee and risk executive who will oversee and monitor progress
Risk reporting is accomplished through management reporting to the various risk governance committees and ultimately the board. Risk reporting should be comprehensive, useful, accurate, and timely. It should cover current and emerging risks and adherence to risk limits and risk concentrations. To ensure effective management of risk and oversight by the board and management level risk committees, routine risk management-related reporting practices should be produced.
Risk reports should include the following:
- Aggregated overall enterprise risk profile and aggregated risks by risk category
- Aggregated overall risk profile for each business unit and aggregated business unit risks by risk category
- Calendar of all required risk assessments for the next calendar year
- Recommended changes to the risk governance framework and other risk management-related documents
- Top and emerging Risks
- Material risk issues, trends, escalated issues, and the status of corrective actions
- Audit and regulatory examination findings or regulatory concerns related to the organization’s ERM framework, or the execution thereof
- Progress against approved annual risk management plan
Risk dashboards, in conjunction with the execution of risk assessments, help to ensure that material risks are identified, measured, assessed, monitored, controlled, and reported in a timely manner. Dashboards provide synthesized and actionable summaries to executive management and the board. Risk dashboards should provide a holistic view of major risks and should include, by risk category, the following: inherent risk level, trend of risk, volatility of risk, management effectiveness, and residual risk as well as insights into any plans to improve risk management and controls. Information derived from risk assessment activities should aggregated to inform the risk dashboard.
Escalation Criteria and Process
Escalation is a critical information process in the context of an ERM framework. Business operations management makes day-to-day decisions based on applicable policies, standards, guidelines, and processes. As risks increase in significance, whether because of increased likelihood of occurrence, increased severity, or both, escalation to an appropriate level for action may be warranted.
Risk governance structures should provide criteria to guide decisions regarding escalation of risks to the appropriate risk governance committee or board. Criteria may
include any risk position that exceeds its risk appetite with a review of actions taken or risk accepted, and any risk matter that may result in one or more of the following:
- Significant negative impact to the organization’s strategic priorities
- Significant negative legislative, regulatory, or compliance impact to the organization
- Significant adverse publicity or significant adverse impact to the organization’s brand or reputation
- Significant violation of the organization’s policy
A strong risk management information system supports the identification, evaluation, remediation, and tracking of any potential or actual control deficiencies.
A control deficiency is defined as a condition, either a serious risk issue or material process breakdown that poses a perceived, potential, or real threat, exposing the organization to material loss or serious reputation impact. The three lines of defense each have a responsibility to identify and escalate any control deficiencies in a timely manner. The first two lines of defense are responsible to remediate any control deficiencies with a sense of urgency. The third line of defense has an obligation to provide assurance over remediation and is responsible for escalating remediation that is not timely or sufficiently comprehensive or sustainable.
Escalation processes include:
- Collection and analysis of exceptions and prioritization of issues, concerns, and trends warranting escalation
- Identification and notification to relevant stakeholders on critical issues or areas of concern
- Timely and accurate periodic and ad-hoc status reporting (if an issue remains open)
- Action items and/or remediation plans, including timing and accountabilities
- Aggregation of issue themes along with identification of systemic issues and an analysis of root causes
Issues represent inconsistencies with the organization’s risk appetite that arise across the enterprise and its risk taxonomy. While some issues like operational losses can be quantified, many do not lend themselves to measurement by quantitative appetite metrics. Such issues can range from instances of non-compliance with policies and procedures, control deficiencies, unacceptable residual risk levels, compliance weaknesses, adverse publicity, environmental impacts, audit and regulatory findings, and other such occurrences.
Risk aggregation and correlation provide additional insight into enterprise risk levels. During risk aggregation, aggregate risk measures (exposures, control deficiencies, residual risks, etc.) are evaluated to determine whether patterns and trends are occurring and where correlations between risks exist.
Risk Concentration, Correlation, and Interdependencies
Risk considered insignificant on its own has the potential, as it interacts with other events and conditions, to cause great damage or significant opportunity. The risk assessment process evaluates risks individually, considers their interdependencies and correlation with other risk(s), and identifies themes. Risk assessment and aggregation prompt consideration of correlations which can be across risk categories (such as operational risk affecting compliance risk or market risk affecting liquidity risk) and within a risk category (e.g., trends in one credit portfolio affecting another credit portfolio within the same business).
A system of internal controls should be implemented commensurate with an organization’s size, scope of operations, activities, risk profile, strategy, and risk appetite, and consistent with all applicable laws and regulations. Internal controls should be regularly monitored, evaluated, and tested for effectiveness. Control deficiencies should be identified and communicated in a timely manner.
Control activities help prevent and mitigate risks. Control activities can be preventive, detective, manual or automated / systematic, and can cross a range of activities. Examples of controls include:
- Policies, standards, and procedures that set expectations for and govern business activities and support functions
- Clear assignment of roles and responsibilities and appropriate separation of duties
- Physical controls for restricting access to tangible assets
- Approvals and appropriate dual authorizations for key decisions, transactions, and execution of processes
- Verifications of transaction details and periodic reconciliations, such as those comparing cash flows to account records and statements
- Access controls, change management controls, data entry, and related controls
- Escalation procedures with a system of checks and balances in situations that allow for managerial or employee discretion
- Review of operating performances
- Security of assets, general IT controls, and application controls
- Operational controls over the day-to-day execution of normal business processes
Most control activities are specific to business objectives and should be aligned to a risk category. To foster an appropriate risk-aware culture within an organization, adequate control activities should be integrated into the daily functions of all relevant personnel.
Issues management process incorporates prompt, accurate, and comprehensive identification of issues, investigation and root causes and outcomes, and appropriate remediation planning. Outputs from the issues management process should be assessed and may be inputs to understanding the organization’s risk profile.
Independent testing is a core component of a strong ERM program. As such, an organization should establish standards for risk-based, independent testing such as the frequency of testing and sampling methodologies. Risk-based independent testing activities provide insight into the operational business processes, transactions, controls, procedures, training, and other related activities to determine compliance with the policies, procedures, and applicable regulatory requirements. Material risks and/or trends identified through testing should be aggregated, analyzed, reported, and escalated, as needed.
Risk Response and Action
Once a risk is identified, assessed, and measured, a risk response must be determined, and appropriate action taken.
Risk mitigation plans and controls are developed and implemented to reduce and mitigate risk exposures within an acceptable level. Determining the appropriate mitigation strategies, controls, and triggers is the primary responsibility of the risk owner or business area, as they are usually the subject matter experts for a given risk. Risk responses integrate the identification of mitigation plans and related controls needed to help ensure the risk responses are carried out properly and in a timely manner.
Policies, standards, and procedures should describe the control activities that help ensure that the organization’s responses are carried out. Control activities occur throughout an organization, at all levels and in all functions and consider interrelationships between people, processes, and technology.
Mitigation plans document how the chosen response options are implemented. Information provided in these plans include:
- Reasons for selecting risk response options (including expected benefits to be gained)
- Individuals that are accountable for approving and implementing the plan, proposed actions, resource requirements and contingencies, performance measures and constraints, reporting and monitoring requirements, and the timing and schedule of the plan
Processes should be in place to test the design and operational effectiveness of mitigating plans and controls. Testing helps validate management’s initial residual assessment of risks and identifies changes in the overall residual risk profile. Testing may also help optimize risk responses and mitigation actions by identifying exceptions and deficiencies requiring immediate attention and additional resources.
Risk acceptance process is intended to cover risk across the entire risk Taxonomy. The process begins when an issue is identified, and the issue owner makes an informed decision that the risk is acceptable or that the costs of risk mitigation outweighs the benefit.
Once a decision has been made to accept the risk, the issue owner should provide risk acceptance documentation and supporting information to the risk owners potentially impacted by risk acceptance to allow them to opine on the issue/risk. The issue owner should then obtain proper approvals from relevant stakeholders. The severity rating of the issue/risk should guide the level of authority of the relevant stakeholder(s) accepting the risk and the governance and oversight forum that must review or be informed of a risk acceptance decision. Further, all accepted issues should be reviewed on at least an annual basis to ensure appropriateness of continued acceptance.
Risk Data and Infrastructure
Information and Reporting
Quality and timely information is critical to an effective ERM program. It raises the level and precision of reporting to management and the board and links risk and management performance to what is important and what requires focus. Also, it integrates the management of risk and the organization’s drivers of performance and provides the organization more opportunity to make informed decisions. The general objectives of quality risk information and reporting include:
- Identify, assess, and manage risks at all levels of the organization and across the three lines of defense
- Leverage information from internal and external sources to anticipate and monitor risk trends
- Ensure compliance with regulations, laws, regulatory guidance, and internal policies
- Monitor performance relative to approved risk appetite metrics
- Surveil the external environment for emerging risks and potential threats
- Surveil the internal environment for strengths and weaknesses
- Review operating and performance trends that could signal risk trends
- Produce reliable, timely, and actionable reporting for employees, managers, and executives to support decision-making
- Produce reliable, timely, and synthesized reporting for review by the Board members in their oversight responsibilities
- Improve the understanding within each line of defense of an organization’s risk profile
Data used for risk reporting must be reliable, synthesized, and presented in a format appropriate for the user such that the data becomes useful information. There are risks associated with disparate systems, manual report production, and lack of actional reporting. To ensure that the overarching risk information objectives are achieved in the long run, a Risk Management and Information System (RMIS) strategy should be implemented and managed as part of an ERM program.
Risk Management and Information Systems (RMIS)
To support the ERM Program, a RMIS strategy should be established, implemented, and periodically refreshed to meet the risk information needs of relevant stakeholders. The RMIS strategy should focus on efficiently producing information from a common, integrat
- Regular, synthesized, actionable, and timely reports for relevant stakeholders
- Effective and efficient analytics, measurement, and models, as appropriate, based on anticipated and actual risk trends and events
- Risk-reward decision making process that is integrated within each line of business
Performance Management and Incentive Compensation
Accountability is a critical attribute of a strong risk and compliance culture. Accountable employees embrace the importance of risk along with their roles, responsibilities, and accountabilities and understand that everyone must be accountable to help manage risk.
Lack of or unclear accountability creates risk in any organization. Accordingly, a cornerstone of the ERM Program is to ensure that risk accountabilities are clear, documented, and fully incorporated into performance management and incentive compensation processes.
Certain circumstances or facts have the potential to become significant risk issues. A significant risk issue is an event or circumstance that has the potential to:
- Constitute a violation of law or company policy
- Expose an organization, its employees, officers, or directors to discipline, or regulatory, civil, or criminal liability
- Expose an organization to material loss, business disruption, or negative public opinion
- Result in a material privacy or information security breach
- Pose a threat to an employee or customer
- Materially impact an organization’s ability to achieve its strategic objectives
A strong performance management system is critical to an ERM program. Performance management system is the process through which risk accountabilities are incorporated into the performance objectives for individual employees. The performance management system is used as the basis for incentive compensation considerations. Additionally, the process helps identify areas where performance needs to be enhanced and provides the tools and processes to plan and monitor performance improvement.
The process starts with establishing individual employee performance objectives (with role-specific risk performance objectives incorporated) at the beginning of the performance year. The performance objectives are then subject to evaluation during the year and at the end of the performance year.
Incentive compensation funding should be aligned to risk-based performance, and incentive compensation allocation decisions for individuals should be made taking into account critical risk performance accountabilities including effective / ineffective risk management behaviors. Specific risk behaviors should also be integrated into the leadership and management competency model so that measurement and feedback can take place.
Risk Communication and Training
Risk Communication Strategy
The board and executive management should set the tone from the top regarding accountability and open dialogue on the organization’s risk and compliance culture and expectations. Executive management should reinforce this message through ongoing, actionable, and consistent communication with their stakeholder groups. The objectives of the communication strategy would be to:
- Demonstrate leadership commitment to risk management and highlight individual accountability
- Raise awareness of the importance of risk management
- Clearly articulate roles and responsibilities
- Reinforce key risk management principles, practices, and tools
- Set expectations for future communications and developments, and highlight available resources and support
Risk topics should appropriately be incorporated into corporate event, such as employee meetings, town halls, weekly meetings, and other communications channels, as appropriate.
Core educational programs should be available for all relevant personnel and should be aimed at developing an enterprise-wide risk management culture and maintaining a level of risk management knowledge within the organization. All individuals should receive the appropriate training and development for their specific risk management related roles and responsibilities.
The board should receive ongoing training intended to improve directors’ understanding of roles and responsibilities and deepen their knowledge of the organization’s business, operations, risks, and management.
Compliance Core: Your ERM Framework Partner
Today, many businesses and organizations choose to outsource aspects of their risk management effort. As a trusted advisory and managed service provider, Compliance Core delivers risk management and regulatory compliance excellence. Our services are designed to simplify compliance risk management while retaining efficiency and effectiveness.
Compliance Core has seen first-hand how organizations run operational and compliance programs. Over the years, we have helped industry-leading businesses and organizations to streamline and transform regulatory compliance management processes. Our approach drives a more efficient, strategic, and proactive process that supports organizations’ efforts to respond to evolving regulations and comply with regulatory obligations.
This new approach to compliance risk management has helped industry-leading businesses and organizations to gain a differentiated and competitive advantage. Here’s how it works:
- Identify Scope of Risk: Develop a register of key risks across business lines, products, services, processes, and systems from which we can benchmark and orient.
- Develop a Risk Assessment Framework: Quantify risk across business sectors and divisions.
- Create Risk Treatment Strategies and Roadmap: Address risk proactively, efficiently, and effectively with reduced spend and labor.
To quickly assess your risk management and compliance program, we’ve developed a short quiz. Use this as an opportunity to identify risk management and compliance gaps. After the quiz, you’ll be given an opportunity to connect with us and discuss next steps towards your risk management and compliance goals.
©2021 Compliance Core. All rights reserved.