Taking the Lead in Enterprise Risk Management

In a 2016 survey, conducted by CPA Canada and the research arm of FEI Canada, 20 per cent of Canadian finance executives reported that their organization had no documented risk management program. Nearly two-thirds reported their organization had no chief risk officer or equivalent and the majority described themselves as only “somewhat confident” in its ability to manage risk. 

As a CPA, you believe in the importance of managing risk, and you want to take a leadership role in the implementation of an Enterprise Risk Management Framework. But how do you convince key decision-makers of the need to invest, especially with the increasing sophistication and complexity that all organizations face?

 1. Define risk.

First, start with definitions to provide some context. Risk is defined as “the chance of an event happening or circumstance that will have an impact on business objectives.” Also, include definitions of the key sub-risks that exist, such as operational risk, which is “the risk of harm resulting from people, inadequate or failed internal processes and systems, or from external events.”

2. Describe how risk can arise.

Next, by focusing on operational risk, note specific industry examples of how these risks may arise. Here are some generic examples:

• The people performing an activity do not have the necessary training or the right skills set; a safety incident occurs.
• The process in place was incorrectly designed or incorrectly executed; incorrect maintenance of client records resulted in a privacy breach and a subsequent reputational event.
• The system supporting the process malfunctions or breaks down; a system outage occurs for 12 hours resulting in lost sales and a high number of customer complaints.
• An external event disrupts the organization and the surrounding environment; a disastrous weather event such as Hurricane Sandy occurs, impacting operations in a wide area for a significant period of time.

Attaching dollar amounts to specific occurrences make these examples more vivid.  Data can be obtained from risk loss events that tracked in the organization or from industry data on operational risk losses. 

3. Note the roles and responsibilities for managing risk

Then, introduce the “three lines of defence” model to highlight the need to delineate risk management roles and responsibilities:

• First line – risk owners. Business areas are responsible to manage risk through adherence to Risk Management policies and procedures and programs
• Second line – risk management group. The owner of the risk management policies, procedures and programs.  Also included in the second line of defence are centres of expertise for specific risk areas such as privacy risk and information security risk. 
• Third line – internal audit. This group provides independent assurance and oversight of the first and second lines of defence.

A salient point here is that it is everyone’s job in the organization to manage risk.

4. Highlight the components of an Enterprise Risk Management Framework.

It all begins with defining the organization’s risk appetite, which then informs the risk management policies and programs. This is a continuous and iterative process where senior management and the board are critical players.

Note the key risk management programs that the organization has or is building towards. These could include:

• Enterprise wide risk assessment program/approach for business to identify key risks and assess the adequacy of controls and drive management actions where necessary.
• Monitoring conducted to help assess changes in the risks or potential exposure that may drive management actions. Key risk indicators would be the primary tool used for monitoring risks.
• Reporting of the “risk profile” to senior management/board as a result of reviewing the risk assessments and any actions from the various risk management programs as well as carefully observing emerging risks.

Another point here is that the Enterprise Risk Management Framework is based upon relevant external risk management standards and guidelines, such as ISO 31000.  

5. Summarize the value of having an Enterprise Risk Management Framework.

Finally, focus on the key value points of having an Enterprise Risk Management Framework, including:

• Validating and improving the reliability and effectiveness of business operations.
• Enhancement of risk-based decision-making and alignment with the organization’s strategic decision making.
• Reduction of operational surprises and losses.
• Positioning the organization to effectively respond to changes in the business environment.
• Augmentation of corporate governance

Educating and convincing senior management and the board on the need to invest resources and time on an Enterprise Risk Management Framework is a critical step for any organization grappling with how to make sense of all of their risks and associated external drivers. This five-step process will help you, as a CPA, to convince key decision-makers to invest.

Bill Wesioly is a risk management consultant and trainer as well as a professional leadership coach. Visit Bill’s website, Brave New Heights Leadership Coaching. Bill can be contacted at william.wesioly@icloud.com.