Articles: ERM Frameworks and ERM Fundamentals

  • Strengthening Enterprise Risk Management for Strategic Advantage

    COSO’s Strengthening Enterprise Risk Management for Strategic Advantage focuses on specific areas where the board of directors and management can work together to improve the board’s risk oversight responsibilities and ultimately enhance the entity’s strategic value. This thought paper expands on COSO’s Effective Enterprise Risk Oversight: The Role of the Board of Directors and provides further detail on the four specific areas discussed in that document.

  • Effective Enterprise Risk Oversight: The Role of the Board of Directors

    COSO’s Effective Enterprise Risk Oversight: The Role of the Board of Directors is focused on aiding boards of directors in strengthening their enterprise risk oversight responsibilities. The current economic crisis has caused the role of the board of directors to become far more challenging than in the past. The thought paper highlights critical board responsibilities by using four specific areas in COSO’s Enterprise Risk Management – Integrated Framework that contribute to board oversight of enterprise risk management.

  • How Risk Management Is Changing in Response to the Economic Crisis

    The economic crisis is changing the risk management landscape in various ways. The government bailouts enacted in response to the economic crisis will have many effects, with the greatest potential effect on risk appetites of organizations. The magnitude and frequency of bailouts could encourage increased risk appetites or there could be increased risk aversion in response to what is currently perceived as a high-risk environment. Another way in which the economic crisis is shaping risk management is that increased security risks and decreased security budgets are encouraging an enterprise risk perspective to better enable organizations to track, quantify, and analyze shifting thresholds of risk. This enhanced perspective can then be used to address concerns such as insider threats, information risk, and product protection.

  • Enterprise Governance, Risk and Compliance Platforms

    As enterprise-wide risk management concerns have grown, so too has the market for enterprise governance, risk and compliance (GRC) platform vendors. This article not only describes the underlying technologies of these platforms, but also provides the detailed results of Forrester Research Inc.’s product evaluation of fourteen GRC platform vendors.

  • Six Ways Companies Mismanage Risk

    Effective risk management is difficult even in the best situations, and failure of risk management can cause large losses within an organization. There are six fundamental mistakes risk managers routinely make: relying on historical data, focusing on narrow measures, overlooking knowable risks, overlooking concealed risks, failing to communicate, and not managing in real time. Augmenting conventional risk modeling techniques with scenario analyses of catastrophic risks and strategies for surviving these risks can improve risk management effectiveness.

  • Ten Practical Lessons for Risk Management

    Recent events have uncovered significant deficiencies in the way risks are managed at financial institutions and many other companies. Research into these deficiencies shows ten practical lessons companies can apply to address current weaknesses and strengthen risk management systems. By wielding appropriate authority, gaining support from senior management, and thoroughly examining the models and incentive systems used, risk managers can greatly improve companies’ risk management systems.

  • Optimism Thwarts Risk Identification

    Many culprits have been identified as causes of the current financial crisis, from faulty risk models to basic human greed. Susan Webber takes a step back to examine the culture that underlies the errors which led to the current climate. In this article, she examines how a “yes man” environment creates a dangerously optimistic decision-making process. Valuing good news and positive thinking over observing realistic restraints on business strategy can prove disastrous in the long run for a company.

  • Risk Mis-Management

    The largest banks and investment firms in the United States took excessive risks over the past few years, contributing to the current financial crisis; however, there was little indication to many that these risks existed. This is partially due to widespread institutional reliance on Value at Risk (VaR) models to measure the amount of risk in company portfolios. VaR can measure the boundaries of risk in a portfolio over a short duration in a normal market, but it does have some limitations. VaR input includes only recent events and not data from historic times of stress, it does not measure the largest risks that have a small probability of occurrence, it has problems properly accounting for leverage, and its overall measure can be manipulated. Despite these shortcomings, VaR and other risk models can still be useful when they are not relied on alone but combined with human judgment.

  • ERM is Vital for Businesses and the Economy

    With the recent financial crisis, many wonder if risk management could have prevented or minimized the fallout. The answer is yes. However, many companies fail to properly implement risk management and therefore do not fully understand the risk they are undertaking. Failures occurred because companies do not fully understand the proper steps for effective risk management. This report addresses where companies failed and the areas companies need to improve to prevent another financial crisis.

  • Financial Industry Assesses Role of Risk in Credit Crisis

    This global survey, conducted by KPMG in conjunction with the Economist Intelligence Unit in October 2008, summarizes responses from over 500 senior risk management officers worldwide in the banking industry about the role risk management played in the current economic crisis and how enterprise risk management would be used going forward. The report based on this survey highlights several themes in banking culture’s utilization of risk management that helped allow the current credit crisis. The report provides insights into possible solutions, which many of the respondents are planning to take or are currently taking.

  • Global Risk Management Survey

    AON conducted a global risk management survey in October and November 2008, with risk managers and chief risk officers comprising two-thirds of respondents. Responses represent 551 organizations of various sizes and industries in over 40 countries. A similar survey was conducted two years ago, and the key and emerging risk issues highlighted are compared with those earlier findings. The top ten risks facing businesses, overall risk preparedness, and losses related to risks are addressed. Key business topics such as identifying, assessing, measuring, and managing risk; board oversight and involvement; and risk management departments and functions are discussed. One consistent theme through all the findings is that the worldwide economic downturn has had an enormous impact on how risk is approached and managed.

  • The Convergence of Enterprise Performance Management and Risk Management

    Organizations can increase their probability of achieving strategic objectives by taking an integrated approach to deploying strategy and managing associated risks. The Performance/Risk Integration Management Model (PRIM2) provides a framework for organizations to consistently communicate and deploy strategies, proactively identify and manage inherent risks in the strategy, and ensure integration of strategic plans, risk management, and performance management in strategy execution. PRIM2 also provides real-time transparency into an organization’s operations, facilitating continuous alignment of strategy, risk management capabilities, and performance management. While the details of a PRIM2 infrastructure will vary across organizations, there are several core elements that should be incorporated in any PRIM2 framework. Implementation of a PRIM2 framework is intended to establish and maintain a balance between the enhancement and protection of an organization’s shareholder value.

  • Keeping ERM Implementation Simple

    ERM has gained increasing attention in the current economic environment. Investors, regulators and chief officers alike look to managing enterprise-wide risks as a magic bullet to rebuild trust and prevent future major events like the credit crisis. In this article, Neil Baker looks at companies that have been engaged in ERM for the past several years. These companies appreciate the benefits, but cite obstacles to implementation.

  • Contrasting Old and New Models of Risk Management

    This article details the growing importance of ERM and contrasts ERM with old models of risk management to illustrate how ERM, if positioned correctly, can add value to companies today. ERM today is all-encompassing, takes a team, requires management to set the mindset and culture of the company, is not all about insurance, requires partners in strategy development, is not a once-a-year exercise, and is viewed through a wide-angle lens.

  • Preparing For S&P Integration of ERM

    Standard and Poor’s (S&P) is integrating an evaluation of enterprise risk management (ERM) into corporate credit ratings beginning in 2009. S&P has previously considered ERM when rating financial institutions and insurance companies and has decided to expand the consideration of ERM to all rated companies. This incorporation of ERM into the credit rating process signals that S&P believes that companies with strong ERM capabilities are a better credit risk. This article highlights key aspects of ERM that S&P intends to consider when evaluating ERM preparedness at the organizations it rates.

  • Standard & Poor’s Applies ERM Analysis to Ratings

    Beginning in the third quarter of 2008, Standard and Poor’s will incorporate Enterprise Risk Management (ERM) into discussions at regularly scheduled credit review meetings. The discussions of ERM will focus on the organization’s risk management culture and strategic risk management. This abstract provides a brief overview of S&P’s ERM evaluation plans.

  • Overview of S&P Proposed ERM Evaluation

    Standard & Poor's proposed expansion of ERM program evaluation to the nonfinancial sector has the potential to significantly affect the credit ratings process for firms in the seventeen industry sectors to be included in their revised analyses.

  • Assess the Risks – Key Strategies for Overseeing Derivatives

    In recent years the use of derivatives by mutual funds has soared. Yet there has been little guidance offered to boards on their oversight role when it comes to derivatives. This article offers nine key points to help boards better understand and assess the risks regarding the use of derivatives. Although this paper is focused on boards overseeing mutual funds, many of the points can be applied to any board’s or manager’s oversight of derivatives.

  • Enterprise Risk Management: The Full Picture

    An Aon Global Risk Consulting survey conducted among 103 organizations in July 2007 aimed at supporting global organizations in developing enterprise risk management (ERM) strategies across various organizational cultures and in devoting sufficient resources to support ERM development and maturity. The survey addresses key issues that challenge organizations’ ability to successfully implement an ERM function, all of which vary across corporate cultures and regions of the world.

  • Standard & Poor’s Releases a Request for Comment on ERM

    On Thursday, Nov. 15, 2007, S&P issued a request for comment on its proposal to include an assessment of corporate enterprise risk management practices as a key component of its overall credit ratings analysis for nonfinancial companies. S&P proposes to include ERM analysis in its corporate credit rating process as the principal methodology to evaluate management and to determine the overall business profile, a key factor in the S&P credit rating. Four major analytic components will comprise the S&P ERM evaluation: analyses of risk management culture and governance, of risk controls, of emerging risk preparation, and of strategic risk management.

  • Looking to the Future with ERM

    The article focuses on the increasing number of disasters we have faced in recent years and the use of enterprise risk management (ERM) to prepare businesses for such problems. Because of ERM’s holistic approach, every operation of a business is involved with managing risks together on a daily basis. This holistic crusade for risk management is the key to success and the means for businesses to thrive long into the future.

  • Risk Language

    Internal Auditor recently published an article titled The Language of Risk, which stresses the need for a clear risk language throughout all organizations. By using a common language, different levels of a business can communicate more effectively. Without a common risk language, a lot of time can be wasted clarifying risk issues that have been miscommunicated.

  • ERM at the Federal Reserve Bank of Richmond

    This is an examination of an implementation of an ERM discipline in one of the Federal Reserve Banks. It demonstrates a possible model where financial performance targets are not the primary measures of success. The Federal Reserve Bank of Richmond’s ERM approach captured risk within each functional area and then assessed those risk events in terms of both functional and then corporate objectives. Private sector organizations look at threat to value (net worth, revenue, etc.). Public sector firms usually have non-financial objectives. Since measures of success are different, ERM models should be different.

  • Managing Reputation Risk

    Reputation is very important to most organizations, yet many companies do a poor job of managing risks to their reputation. Too often, companies focus their energy on addressing threats to their reputation that have already surfaced instead of proactively searching for potential reputation risks on the horizon.

  • Survey by KPMG: ERM in the US

    A survey published by KPMG titled Enterprise Risk Management in the United States reflects senior executive perspectives on risk management practices and on ongoing efforts to successfully implement and monitor ERM processes. The report provides feedback about ERM practices from US companies that span diverse industries such as aerospace, transportation, financial services, healthcare, and manufacturing.

  • Enterprise Risk Management: Frameworks, Elements, and Integration

    The Institute of Management Accountants (IMA) has issued a new document that emphasizes the importance of understanding and managing risks in today’s complex business environment. Topics covered in the document to assist businesses in their ERM program include summaries of numerous ERM frameworks, foundational elements for ERM, risk tolerance, and business continuity. In conclusion, IMA offers a list titled, “Hallmarks of Best-Practice ERM” as a helpful guide to consolidate current practices that have proven to be effective.

  • RIMS ERM Maturity Model

    The Risk and Insurance Management Society (RIMS) has recently introduced its Risk Maturity Model (RMM) to help organizations better utilize Enterprise Risk Management. The RIMS Risk Maturity Model can be used by chief risk officers and other risk practitioners as a resource to aid in planning, implementing, and benchmarking Enterprise Risk Management practices within their organizations.

  • ERM: Building on Section 404

    Companies can gain a competitive edge from the close monitoring of all risks that comes with fully implemented ERM processes. Initial compliance with Section 404 of the Sarbanes-Oxley Act can benefit organizations by providing the first step toward developing ERM.

  • Risk Management Quantification

    Existing enterprise risk management frameworks focus on qualitative aspects, leaving room for the development of a more quantitative framework. Actuarial and mathematical models could provide such a quantitative framework and additional guidance to those wishing to implement ERM.

  • Enterprise Risk Management Quantification – An Opportunity

    Enterprise Risk Management has been getting increased attention in recent years; however, much of the focus has been on the qualitative aspects of the framework, with little focus on the quantitative aspects. This article presents the opportunities for individuals with a quantitative background and develops a framework that can be used to build a risk model for your organization.

  • ERM Guide: Frequently Asked Questions

    Protiviti has provided an Enterprise Risk Management Guide that addresses the fundamentals of managing risks as well as frequent questions about implementation and the value that can be achieved with ERM.

  • S&P’s Enterprise Risk Management for Financial Institutions: Rating Criteria and Best Practices

    Standard & Poor’s Ratings Services presents Enterprise Risk Management For Financial Institutions: Rating Criteria And Best Practices. This guide presents the latest ratings criteria for assessing the trading risk management practices of financial institutions, as well as a broad look at current best practices within financial institutions with respect to Enterprise Risk Management.

  • Turnbull Report

    "Internal Control: Guidance for Directors on the Combined Code (The Turnbull guidance) was first issued in 1999. In 2004, the Financial Reporting Council established the Turnbull Review Group to consider the impact of the guidance and the related disclosures and to determine whether the guidance needed to be updated."

  • Evolution of ERM

    Business professionals have varied personal definitions of enterprise risk management (ERM) based on their limited exposure to the new idea and their specific encounters with its effects given their roles within their companies. However, in order to better understand risk management, and especially ERM, risk itself must be understood with greater uniformity than it has been in the past. Misconceptions have kept business professionals from understanding risk as measurable in both negative and positive outcomes, as existing even without the occurrence of an event, and as affecting businesses in many areas, not just in the consideration of insurance.

  • Best Practices for Structuring ERM Within the Organization

    In order for the risk management division to function properly, it is essential to structure it properly within the firm. The risk management division should be placed in high stature within the firm and should report directly to the CEO. Risk managers should have a deep understanding of the company’s business in order to effectively communicate with risk takers in the firm. Structuring the risk management division properly will ensure a more holistic view of risk within the organization.

  • Internal Audit’s Role: Fraud and Reputation Risks

    Now there is more pressure than ever on executive management and internal auditors to mitigate corporate fraud and misconduct. Even though senior management most likely has direct antifraud responsibility, internal auditors are likely to be given the operational responsibility for fraud monitoring. The general role of the internal auditor with regards to antifraud plans and ten steps the internal auditor can take in an antifraud plan are discussed.

  • The Orange Book: Management of Risk – Principles and Concepts

    The original Orange Book was published by the British government in 2001 to promote more robust risk management practices in government sectors. Since 2001, organizations have begun to put basic risk management processes in place. The risk management challenge is no longer in the initial identification and analysis of risk and the development of the risk management process. Rather, the challenge today is in the ongoing review and improvement of risk management. Thus, the British government issued this 2004 revision of The Orange Book to include more advanced guidance, such as the importance of “horizon scanning” (a systematic activity designed to identify indicators of changes in risk). This document also examines how the organization’s risk management activities relate to the wider environment in which it functions.

  • The Australian/New Zealand Risk Standard

    "This Standard provides a generic guide for managing risk. This Standard may be applied to a very wide range of activities, decisions or operations of any public, private or community enterprise, group or individual. While the Standard has very broad applicability, risk management processes are commonly applied by organizations or groups and so, for convenience, the term 'organization' has been used throughout this Standard."

  • COSO’s “Enterprise Risk Management - Integrated Framework”

    "This Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process. Among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value. This report will better enable them to meet this challenge."

  • COSO’s Enterprise Risk Management – Integrated Framework

    COSO issued Enterprise Risk Management – Integrated Framework in September 2004. This framework was issued to provide companies with key principles and concepts, a common language, and clear direction and guidance regarding the management of enterprise risks. The framework defines ERM and the eight components of the framework and discusses many other aspects of ERM in detail.

  • Basel II: International Convergence of Capital Measurement & Capital Standards: A Revised Framework

    "This report presents the outcome of the Basel Committee on Banking Supervision’s (“the Committee”) work over recent years to secure international convergence on revisions to supervisory regulations governing the capital adequacy of internationally active banks. Following the publication of the Committee’s first round of proposals for revising the capital adequacy framework in June 1999, an extensive consultative process was set in train in all member countries and the proposals were also circulated to supervisory authorities worldwide."

  • Developing a Corporate Program for Risk Management

    The view of risk management is evolving. The question today is whether corporate risk management should be handled on an individual level or through a company-wide initiative, otherwise known as enterprise risk management.

  • Casualty Actuarial Society’s Overview of Enterprise Risk Management

    "This document is intended primarily to further the risk management education of candidates for membership in the Casualty Actuarial Society (CAS). Current members of the CAS as well as other risk management professionals should also find this material of interest."

  • ERM Infrastructure and Risk Intelligent Systems

    Enterprise risk management (ERM) is the key to resolving some of the demands for more corporate transparency from investors. ERM is a process that changes how an organization identifies risks and manages those risks continuously. It helps to develop the steps and allocate resources to mitigate the organization’s risks and provides reasonable assurance about the organization’s ability to achieve its objectives.

  • South Africa’s King Report on Corporate Governance, 2002

    In 1994 the King Report on Corporate Governance (King I) was published by the King Committee on Corporate Governance, headed by former High Court judge Mervyn King S.C. King I, incorporating a Code of Corporate Practices and Conduct, was the first of its kind in the country and was aimed at promoting the highest standards of corporate governance in South Africa. Although groundbreaking at the time, the evolving global economic environment together with recent legislative developments have necessitated that King I be updated. To this end, the King Committee on Corporate Governance developed the King Report on Corporate Governance for South Africa, 2002 (King II). King II acknowledges that there is a move away from the single bottom line (that is, profit for shareholders) to a triple bottom line, which embraces the economic, environmental and social aspects of a company’s activities.