Dodd-Frank, Sarbanes-Oxley (SOX), SEC oversight, HIPAA and numerous other regulations highlight the need for public corporations to be concerned about risk management, governance, and controls. The Board of Directors must assure that the enterprise strategy and operations anticipate events that create uncertainty and business disruption, and appropriate documentation must evidence this. Audit Committee responsibilities include ensuring that structures and documentation for risk identification and mitigation are in place. This structure is developed through the process of Enterprise Risk Management (ERM) and includes the following:

  • Identify the Portfolio of Risks, Highlighting Systemic Critical Risks (Low Frequency, High Impact Events)
  • Quantify:
    • Potential for Business Disruption
    • Risk Tolerance
  • Develop Protocols to Reduce Risks
  • Monitor Compliance with Risk Minimization Strategies
  • Control the Cost of Risk
  • Improve Shareholder Value

ERM is an integrated risk management process aligning strategy, people, processes and technology for the protection of the enterprise and its shareholders. It includes pre-event, post-event and contingency planning.

ERM is dynamic. In the context of the enterprise's strategic direction, it includes action plans which form the central link between risk identification and the ongoing active management of risks. Such plans are periodically reviewed to assure they remain appropriate as the environment and the enterprise change, and they become a core responsibility of line, business and corporate managers.

The corporate risk function assures that appropriate resources are being allocated to the set of solutions identified.

The process for developing an ERM system:

  • Examine the Entire Enterprise Portfolio of Risks, Including:
    • Financial, Strategic, Regulatory, Hazard and Operational Risks
  • Develop Recommendations to Manage and Balance Risks
  • Monitor Changes in the Environment and the Enterprise

Risks are typically classified into three aspects (cause, event and consequence). Examples of each are listed below:

1) Causes: Inadequate Segregation of Duties; Lack of Management Supervision
2) Events: Internal Fraud; Environmental Contamination
3) Consequences: Tarnished Reputation; Restitution
and more ...

The work steps include:

  • Risk Identification, Classification and Database Construction
  • Quantification of Risk: Statistical Expected Value (ex: the expected number of overheated laptop batteries per year) and Potential Impact
  • Development of:
    • Action Plans for Risk Mitigation
    • Key Risk Indicators (KRIs)
    • Management Processes for KRIs
    • Risk Reporting, in a Format that Ensures an Appropriate and Timely Risk Response
    • Implementation Planning
    • Adjustments for Environmental and Enterprise Changes

The alternative to ERM, crisis management, is much more expensive and exposes members of the board to personal liability, putting their personal assets at risk.