TO STUDY ENTERPRISE RISK MANAGEMENT
A COMPETITIVE EDGE FOR THE COMPANY
AND
HOW IT ADDS VALUE TO ITS SHAREHOLDERS
This term paper is submitted in partial completion of MBA
Page 1 of 48
SUBMITTED TO:
Faculty Guide: Mr. C.T. Sunil
Assistant Prof - Finance & Accounts
Amity University, Dubai, U.A.E.
SUBMITTED BY:
Student: Ms. Anu Damodaran
Registration No: AUD0260
Program: MBA - General (Semester 2)
Year: 2012 to 2014
CERTIFICATE FROM FACULTY GUIDE
This is to certify that Ms. Anu Damodaran, Reg. No. AUD0260, a 1st Year MBA –
General, 2nd semester student of Amity University, Dubai, UAE, has carried out her term
paper - “To study ERM - A competitive edge for the company and how it adds value to
its shareholders” from 01-Apr-2013 to 12-May-2013.
She has completed the term paper successfully. She has done this term paper work
independently and submitted the same on 19-May-2013.
Mr. C.T. Sunil, Faculty Guide,
Assistant Professor of Finance & Accounts,
Amity University, Dubai, UAE
Page 2 of 48
ACKNOWLEDGEMENT
I, Ms. Anu Damodaran, sincerely thank and acknowledge the valuable inputs and guidance
extended to me by Mr. C.T. Sunil, Assistant Professor of Finance and Accounts at Amity
University, Dubai, U.A.E. toward successful completion of this term paper “To study ERM
- A competitive edge for the company and how it adds value to its shareholders”.
I extend my sincere thanks to Mr. Chandrashekar Salla & Mr. Jitendar Kumar for the
guidance toward completion of this term paper.
Thanking you,
Yours sincerely,
Ms. Anu Damodaran
Reg. No. AUD0260,
1st Year MBA – General, 2nd Semester
Amity University, Dubai, U.A.E.
Page 3 of 48
TABLE OF CONTENTS
No. TOPIC PAGE NO.
EXECUTIVE SUMMARY 7
OBJECTIVE 8
1 CHAPTER 1 – INTRODUCTION 9
1.1 – BACKGROUND 10
1.2 – RELATED INFORMATION 11
1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT 13
1.4 – RELEVANCE OF ERM 13
1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE 14
1.6 – WHAT IF THERE IS NO ERM 14
2 CHAPTER 2 – REVIEW OF LITERATURE 15
2.1 – DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT 16
2.2 – INDUSTRY SPECIFIC EXAMPLES 26
2.3 – HEALTH CARE ORGANIZATION 30
2.4 – AEROSPACE SUPPLIER 31
2.5 – INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III) 32
3 CHAPTER 3 – EXPLORATION COMMENT ON ERM 33
3.1 – RISK MAPPING 33
3.2 – THE CAPABILITY MATURITY MODEL 37
3.3 – RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM 40
3.4 – ADVANTAGES 42
3.5 – SUITABILITY 44
3.6 – LIMITATIONS 45
CONCLUSION 47
REFERENCES 48
Page 4 of 48
TABLE OF TABLES
No. TABLE NAME PAGE NO.
Table 1 DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT 23
Table 2 TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES 23
Table 3 EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT 26
Table 4 STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION 27
Table 5 OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION 28
Table 6 LIST OF RISKS SEPARATED BY CATEGORY 29
Table 7 A RISK MODEL 34
Table 8 SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT RISK 37
Table 9 PRIORITIZATIONS OF FUNCTIONALITY 41
Page 5 of 48
TABLE OF FIGURES
No. FIGURE NAME PAGE NO.
Fig.1 THE COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK 13
Fig.2 CONSOLIDATED RISK PROFILE 33
Fig.3 A RISK DRIVERS MAP 35
Fig.4 A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION 36
Fig.5 KEY QUESTIONS A BUSINESS CASE MUST ADDRESS 44
Page 6 of 48
EXECUTIVE SUMMARY
ENTERPRISE RISK MANAGEMENT (ERM) is a strategy organizations can use to manage
the variety of strategic, market, credit, operational and financial risks they confront.
ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete
management by different risk overseers.
ERM has given rise to a question: who should head the risk management process, internal
audit or a chief risk officer? Some believe internal audit should take a back seat to preserve
the checks and balances the audit function provides. Others say risk leadership should
depend on what a company is comfortable with.
Using ERM enables an entity to assess risk across the enterprise instead of looking at it on a
per-project basis.
ERM also gives the company a means to assess the controls in place to handle each risk and
identify any gaps. This consistent approach also offers businesses an opportunity to
determine authority and responsibility and allocate resources appropriately.
To extract risk data, many organizations use business intelligence software. Many
packages feature "traffic-light" systems that show a red light if a risk exceeds acceptable
levels. The chief risk officer can then "drill down" to see the reasons and make more
informed decisions.
Overall responsibility for enterprise risk is changing because of new standards from the
Institute of Internal Auditors. They require the internal audit function in a company to
monitor and evaluate the effectiveness of the organization's risk management and control
systems.
ERM can help CPAs (Certified Public Accountants) determine the right amount of capital
companies should direct toward risk by gathering or otherwise polling risk overseers to
identify the threats to the organization, their financial impact and the effectiveness of risk
mitigation options.
By mapping major risks on a matrix, companies can align their business processes to ensure
they are routinely collecting and storing related information in a database the chief risk
officer or executive risk committee can monitor. This will make it easier to identify
exception risks extending beyond the company's tolerance or threshold levels.
Page 7 of 48
OBJECTIVE
To understand what Enterprise Risk Management is, why it is important for any business
and how it can be measured.
To know whether a company can strengthen its ability to carry out its strategic plan by
measuring and managing its risks consistently and systematically.
To understand the methods/ tools used by firms to manage Enterprise Risk.
To study the processes and challenges in implementing Enterprise Risk Management and to
identify how much risk can be retained and how much should be laid off.
Page 8 of 48
CHAPTER 1 – INTRODUCTION
Enterprise Risk Management (ERM) is a data-intensive process that measures all of a
company's risks. It is an integrated approach to enterprise-wide risk management intended
to protect and increase value for all parties with an interest in the organization. Businesses
have always faced a variety of risks, but these are times when the pace of change and the
resulting consequences for a business seem greater than ever.
Examples:
1. Globalization has increased exposure to international events
2. The need for increased and escalated efficiency, innovation and differentiation
3. Cost of strategic error is rising in the global marketplace
4. Understanding and responding to customer wants in this demanding era of
increasingly focused niche markets
5. Outsourcing raises questions about clarifying the retention and transfer of risk
6. The unthinkable can happen
7. Due to highly publicized public fiascos and high demands on certifying officers,
financial reporting is now a significant risk area as companies focus on sustainability
of their disclosure process and internal control structure
At most institutions today, the responsibility for enterprise risk management ultimately falls
to the chief executive officer, since many of the senior people in the company who manage
risk on a day-to-day basis already report to him or her, including the CFO and the chief lending
or credit officer. But institutions need to consider appointing a chief risk officer and forming
a management-level risk committee.
The risk management function should be as independent as possible. However, true
independence would require the use of parallel structures, where one team of individuals
would be responsible for a business unit like small business banking or an activity like
regulatory compliance, while a separate team of individuals would be focused solely on
managing risk. "To be successful, the business units must view the risk management
function as a partner and a facilitator, rather than being in charge of saying no. There is a
danger, if ERM looks interchangeable with internal audit, that the business units will view it
as either an impediment or redundant, but one size does not fit all."
1.1 – BACKGROUND
Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the
ultimate approach to risk management. Risk management has been practiced for thousands
of years. One can imagine a risk manager burning a fire at night to keep wild animals away.
Lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one
individual and by restricting loans to those considered most likely to repay them. Individuals
and firms learned to manage the risk of fire through the choice of building materials and
safety practices, or after the introduction of fire insurance, by shifting it to an insurer.
Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management.
They enumerated the following steps for the risk management process:
1. Identifying loss exposures
2. Measuring loss exposures
3. Evaluating the different methods for handling risk: assumption, risk transfer and risk reduction
4. Selecting a method
5. Monitoring results
Initially, the risk management process focused on what has been termed “pure risks”. Pure
risks are those in which there is either a loss or no loss. A typical example of a pure risk is
that your house may burn down or be hit by an earthquake. If none of these occur then you
are in the no loss position.
Beginning in the 1970s, financial risk became an important source of uncertainty for firms
and, shortly thereafter, tools for handling financial risk were developed. These new tools
allowed financial risks to be managed in a similar fashion to the ways that pure risks had
been managed for decades.
Although financial risk had become a major concern for institutions by the early 1980s,
organizations did not begin to apply the standard risk management tools and techniques to
this area. The reason for this failure was that risk managers had built a wall around their
specialty, pure risk, within which they operated. Thus, the refusal to expand into other
areas of risk simply delayed the broadening of risk management by a number of decades.
1.2 – RELATED INFORMATION
The US Committee of Sponsoring Organizations of the Treadway Commission (COSO)
defines Enterprise Risk Management as "a process, effected by an entity's board of
directors, management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage risks
to be within its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives."
COSO divides the ERM process into eight components:
(1) Internal environment,
(2) Objective setting,
(3) Event identification,
(4) Risk assessment,
(5) Risk response,
(6) Control activities,
(7) Information and communication,
(8) Monitoring.
Page 11 of 48
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a
joint initiative of five private sector organizations, including the Institute of Management
Accountants (IMA), the American Accounting Association (AAA), the American Institute
of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and
Financial Executives International (FEI) established in the United States, dedicated to
providing thought leadership to executive management and governance entities on critical
aspects of organizational governance, business ethics, internal control, enterprise risk
Student behavior and community | Alumni, parents, students, faculty, president
Contracting and related processes | Attorneys and executive management
Endowment management | Trustees, staff, alumni, other donors
Table 5
Page 28 of 48
2.2.5 - LIST OF RISKS SEPARATED BY CATEGORY
Risk category | Sample risks
Hazard risks | Domestic terrorism; Catastrophic natural events; Pandemic; Laboratory safety; Facilities and ground safety
Financial risks | Conflicts of interest in financial transactions and agreements; Budget impairment; Ineffective service center, auxiliary management; Non-compliant cost transfers; Insufficient oversight over third party vendors; Improper governmental activities including fraud, embezzlement or misuse of university resources
Information technology risks | Unauthorized modification of data; Decentralization of systems leading to data inconsistencies and fragmentation; Disclosure of confidential information; Obsolescence of systems/technology; Lack of common data definitions; Inability to recover from system loss; Lack of comfort with third party vendor system security
Human resource risks | Personal issues or workplace violence; Professional liability claims; Workers compensation claims; Employee recruitment and retention
Research risks | Falsification of data or results; Intellectual property infringement; Unethical or unapproved research; Inadequate lab practices and processes for the promotion of environmental health and safety; Threat to safety of researchers
Contract and grant risks | Regulatory fines or penalties; Non-compliance with sponsoring agency terms and conditions and agreement; Funds used but agreement terms and conditions not followed; Failure to maintain equipment inventories in accordance with grant requirements; Sub-recipients not managed properly
Student life risks | Sports or public event disturbances; Student mental health; Safety and security of students on and off campus
Facilities and maintenance risks | Deferred maintenance; Increase in energy costs; Equipment/facility malfunction
Table 6
Page 29 of 48
2.2.6 – ERMIS
As a key support, a University can develop the ERM information system (ERMIS) to
provide management with current information in minutes in the form of key performance
indicators (KPIs). ERMIS reduces the cost of risk by improving the efficiency of
retrospective reviews and monitoring the effectiveness of controls to prevent reoccurrences.
The ERMIS includes:
1. Dashboard reporting on major risks
2. Risk assessment tools
3. Control and accountability tracking platform
4. Risk mitigation and monitoring tools
5. Survey capabilities
2.3 – HEALTH CARE ORGANIZATION
Specific objectives:
1. Quality of customer care
2. Attracting and retaining high quality physicians
3. Building sustainable levels of profit to provide access to needed capital and fund
existing activities
Statement of risk appetite:
The organization's lowest risk appetite relates to safety and compliance objectives,
including employee health and safety, with a marginally higher risk appetite towards its
strategic, reporting and operations objectives.
Page 30 of 48
2.4 – AEROSPACE SUPPLIER
A high-level objective is to work with customers to improve products and market share.
There is a low risk appetite for allowing the capital structure to be leveraged to the point that it
hinders the company's future flexibility or ability to make strategic acquisitions.
Operations tolerances:
1. Near zero risk tolerance for product defects
2. Low risk tolerance for sourcing products that fail to meet the company’s quality
standards
3. Low risk tolerance for meeting customer orders on time
4. High risk tolerance for potential failure in pursuing research that will enable the
company’s product to better control and increase the efficiency of energy use
Reporting tolerances:
1. Low risk tolerance concerning the quality, timing and accessibility of data needed to
run the business
2. Very low risk tolerance concerning the possibility of material deficiencies in internal
control
3. Low risk tolerance related to financial reporting quality (timeliness, transparency,
Generally accepted accounting principles)
Compliance tolerances:
1. Near zero risk tolerance for violations of regulatory requirements or the company’s
code of ethics.
Page 31 of 48
2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III)
The Basel Accords are a set of rules on banking regulation with regard to capital. Basel III is a series of additions to the existing accords designed to limit the likelihood and impact of a future financial crisis. It requires banks to hold more higher-quality capital against more conservatively calculated risk weighted assets (RWAs). It also looks to ensure sufficient liquidity during times of stress and to reduce excess leverage.
Capital: A minimum of 7 per cent of a bank's RWAs must be core tier one capital to act as a buffer against losses. This compares with the 2 per cent required under Basel II. The definition of which liabilities can be classified as core tier one will narrow. There is a counter-cyclical buffer of 0 to 2.5 per cent, which is to be built up when the economy is strong so that it can be called upon in tougher times. Additional requirements will also be introduced for large banks deemed vital to the global financial system, the Global Systemically Important Financial Institutions (G-SIFIs), which must hold an extra 1 to 2.5 per cent of core tier one capital.
Risk Weighted Assets: In addition to increasing the quality and quantity of capital, Basel III also updates the risk weighted asset (RWA) calculation for counterparty credit risk. This will see the introduction of the Credit Valuation Adjustment (CVA) capital charge, which increases the capital held against the risk that the mark-to-market value of derivatives will deteriorate due to a change in counterparty credit worthiness. The Financial Institution Asset Value Correlation (FI AVC) will be amended to increase the RWAs for banks' exposures to large and/or unregulated financial institutions.
Liquidity: The Liquidity Coverage Ratio (LCR) defines the amount of unencumbered, low risk assets (such as cash or gilts) that banks must hold to offset forecast cash outflows during a 30-day crisis. Outflows are estimated based on the nature of the customer relationship and the type of product.
Leverage: A new leverage ratio of 3 per cent is due to become mandatory in 2018. This seeks to ensure banks apply adequate capital to all their exposures, including those off balance sheet, and without applying any risk weightings.
Timing: Basel III requirements are being introduced from 2013, but some areas are still subject to change and total compliance is not expected until 2019. The long lead-in is designed to prevent sudden lending freezes as banks improve their balance sheets.
These measures aim to:
1. Improve the banking sector's ability to absorb shocks arising from financial and economic stress, whatever the source
2. Improve risk management and governance
3. Strengthen banks' transparency and disclosures
Page 32 of 48
CHAPTER 3 – EXPLORATION COMMENT ON ERM
3.1 - RISK MAPPING
Risk mapping is probably the most common tool used by companies to identify and
prioritize the risks associated with their business activities. It is a directional tool.
Fig.2 – Consolidated risk profile: a 3×3 risk matrix with Likelihood (Remote, Possible, Likely) on the horizontal axis and Impact (Manageable, Major, Critical) on the vertical axis.
Page 33 of 48
A RISK MODEL
Environment risk | Process risk | Information for decision making risk
Environment risk: Competitor; Customer wants; Technological innovation; Sensitivity; Shareholder expectations; Capital availability; Sovereign/Political; Legal; Regulatory; Industry; Financial matters; Catastrophic loss