
ERM: A Tool for Risk-Informed Strategic Planning and Decision Making

Emma Marcandalli, Managing Director Risk and Compliance, Protiviti - Italy

At the end of last year, Protiviti conducted a webinar, Deriving Value from the Updated COSO ERM Framework. I had the pleasure of hosting the webinar, along with my colleagues: Dolores Atallo, a Managing Director in the Risk and Compliance practice, Jim DeLoach, Managing Director and member of the COSO Advisory Council (and host of this blog), and Bob Hirth, Senior Managing Director and COSO Chairman and member of the Sustainability Accounting Standards Board.

I want to take the opportunity in this post to address some of the more fundamental questions about enterprise risk management (ERM) generally – questions our audience was also interested in.

What are some of the expectations of ERM in the global marketplace?

Over the past few years, we have observed an increasing number of companies that want to get more value from ERM. Many organizations are wondering if “enterprise risk listing” is still enough to navigate the increased uncertainties of the new business environment while making sound business decisions. They are questioning whether they have the right focus on ERM. For example, are they looking to comply and conform, or are they looking to become a more risk-informed organization? As they consider the increasingly demanding business environment, these companies often arrive at the conclusion that they need to change the direction toward an ERM program that helps them anticipate, adapt and respond to changes, focusing their efforts and resources on risks and opportunities that can impact their strategy and performance.

We know from experience that forward-thinking organizations are already using ERM to (1) challenge strategy, business planning and key decision-making processes, (2) quantify the impact of major risks and opportunities on expected results, (3) estimate the degree of volatility of expected results due to risks and opportunities and (4) proactively select and implement risk responses that can help management drive better business performance. Based on these observations, we strongly believe that it is time for companies to change the ERM conversation, go beyond an initial assessment and, hence, embed risk as a relevant element for consideration in strategy-setting and performance management.

Can ERM be leveraged as a tool for strategic planning?

Working with clients, we have learnt that, by integrating ERM into strategic or business planning processes, management and the board are more prepared to discuss and, therefore, respond in advance to some key questions, such as:

  • What are the main risk and opportunity events that can affect achievement of our business objectives and related key value drivers?
  • How much do they impact expected performance?
  • Is the estimated variation from expected performance acceptable and/or sustainable over the plan’s timeframe?
  • Is this variation in line with the entity’s risk appetite? If not, do we need to make alternative decisions or do we have to take specific risk responses into consideration to reduce risk to an acceptable level?
  • Finally, is our plan robust enough or is it too ambitious? Do we need to change some of the underlying assumptions, review some of our expectations, and integrate within the plan specific risk responses to reduce unacceptable risk exposures?

When applied to the evaluation and selection of strategic options – such as alternative investments – the same approach helps organizations understand and assess the risk profile of each option and select the one whose risk-return balance is best aligned with the entity’s risk appetite. This discipline is a strong tool for allocating capital on the basis of risk-return considerations.

Moreover, we have learned that integrating ERM into the planning process makes it easier to quantify the impact of risks on target financial results (such as EBITDA or cash flow), for instance through “what if” scenario analysis and Monte Carlo simulation, drawing on management’s inputs and on historical data (depending on the type and nature of the risk). The capability to quantify the impacts on financial targets and to estimate the potential volatility of expected results boosts the value of ERM and helps management and the board develop, approve and, where required, disclose the entity’s risk-informed business plans.
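To make the quantification concrete, here is an added example (not Protiviti’s or COSO’s own tooling, and not part of the original post) that answers the planning questions listed above with a Monte Carlo simulation: each register entry is an event with a likelihood of occurring in the plan year and a triangular low / most-likely / high EBITDA impact; the simulation yields the P10/P50/P90 of risk-adjusted EBITDA and the probability of falling more than a tolerated amount below plan, which is compared with a risk appetite cap. The baseline, the four risks, the tolerance and the 20% cap are all constructed figures; the `apply_response` helper, which scales one risk’s likelihood or impact, is a simplification of how a risk response would be modelled.

```python
"""Monte Carlo estimate of the EBITDA volatility implied by a plan's risk
register (added illustration; all figures are constructed, not client data)."""
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float    # probability the event occurs within the plan period
    impact_low: float    # EBITDA reduction if it occurs: optimistic bound
    impact_mode: float   # most likely reduction
    impact_high: float   # pessimistic bound


def simulate_ebitda(baseline, risks, n=20_000, seed=7):
    """Return n sampled risk-adjusted EBITDA values (seeded, so repeatable)."""
    rng = random.Random(seed)
    outcomes = []
    for _ in range(n):
        ebitda = baseline
        for r in risks:
            if rng.random() < r.likelihood:          # does the event occur this year?
                ebitda -= rng.triangular(r.impact_low, r.impact_high, r.impact_mode)
        outcomes.append(ebitda)
    return outcomes


def summarize(outcomes, baseline, tolerance):
    """Percentiles of the sampled results plus the probability of landing more
    than `tolerance` below plan, the quantity a risk appetite statement caps."""
    s = sorted(outcomes)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    breaches = sum(1 for x in s if x < baseline - tolerance)
    return {
        "mean": statistics.fmean(s),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "prob_breach": breaches / len(s),
    }


def apply_response(risk, likelihood_factor=1.0, impact_factor=1.0):
    """Hypothetical helper: model a risk response by scaling the likelihood
    (preventive control) and/or the impact range (mitigating control)."""
    return replace(
        risk,
        likelihood=risk.likelihood * likelihood_factor,
        impact_low=risk.impact_low * impact_factor,
        impact_mode=risk.impact_mode * impact_factor,
        impact_high=risk.impact_high * impact_factor,
    )


# Constructed sample register; EBITDA in millions of a notional currency.
BASELINE_EBITDA = 100.0
RISK_REGISTER = [
    Risk("Loss of key customer", 0.20, 8.0, 12.0, 20.0),
    Risk("Cyber incident / data breach", 0.30, 5.0, 10.0, 25.0),
    Risk("Adverse FX movement", 0.50, 1.0, 3.0, 6.0),
    Risk("Supply disruption", 0.15, 4.0, 8.0, 15.0),
]
TOLERANCE = 15.0        # appetite: at most 15m below plan ...
MAX_BREACH_PROB = 0.20  # ... in no more than 20% of simulated years


def assess_plan(risks, baseline=BASELINE_EBITDA, tolerance=TOLERANCE,
                max_breach_prob=MAX_BREACH_PROB):
    """Run the simulation and decide whether the plan sits within appetite."""
    stats = summarize(simulate_ebitda(baseline, risks), baseline, tolerance)
    stats["within_appetite"] = stats["prob_breach"] <= max_breach_prob
    return stats


if __name__ == "__main__":
    before = assess_plan(RISK_REGISTER)
    # What-if: a security programme makes a breach a third as likely and 40%
    # cheaper; compare the plan's volatility with and without that response.
    hardened = [apply_response(r, 0.33, 0.6) if r.name.startswith("Cyber") else r
                for r in RISK_REGISTER]
    after = assess_plan(hardened)
    for label, st in (("as planned", before), ("with cyber response", after)):
        print(f"{label:20s} mean={st['mean']:.1f} P10={st['p10']:.1f} "
              f"P90={st['p90']:.1f} P(breach)={st['prob_breach']:.1%} "
              f"within appetite={st['within_appetite']}")
```

The same machinery answers the board’s questions in order: the P10–P90 spread is the estimated variation from expected performance, `prob_breach` against `MAX_BREACH_PROB` is the risk appetite test, and re-running `assess_plan` on a register with a response applied shows whether that response is enough to bring the plan back within appetite or whether the plan’s assumptions themselves need revisiting. Likelihoods and impact ranges should come from management interviews and loss history, and the distributions chosen per risk type, rather than the triangular shape used here for simplicity.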

In short, the integration of ERM with strategy setting and business planning can change the conversation about ERM. This approach can help organizations open their eyes to the future, reduce surprises and be more prepared to face changes and uncertainties.

What is the differentiating value of risk-informed decision making?

In general, a risk-informed decision-making approach helps the organization open its eyes to the future and reduce surprises and vulnerabilities.

How can this happen? Looking at some of the risk-informed decision-making components (assumptions, risk appetite, culture, strategy, business context, risk profile), organizations can achieve several benefits. For instance:

  • Talking about strategy: Management and the board have a clearer understanding of the risk implications of selecting a strategy as well as of executing it. They have the additional information they need to make decisions (e.g., capital allocation) that optimize the desired risk-return balance.
  • Talking about culture: By reinforcing the tone of the organization around the importance of risk management and a risk-informed philosophy, the company can rely on a more effective process for escalating risks to senior management and the board.
  • Talking about risk appetite: By clearly defining risk appetite statements, limits and/or acceptable variations of performance, and by cascading them down into the organization, entities can achieve a stronger balance between their entrepreneurial and control activities.
  • Talking about risk profile: By applying a risk-informed approach, the organization is more confident in addressing and managing the risks that are really relevant to executing the strategy and achieving the expected results and performance.

In future blogs, my colleagues and I will discuss how to leverage the COSO framework to derive more value from ERM, compare different approaches to ERM, and look at how ERM fits with digital transformation efforts. We value your input – feel free to reach out to us, in the comment section or on our website.
