

Statements on Management Accounting

ENTERPRISE RISK AND CONTROL

CREDITS

IMA® would like to acknowledge the work of William G. Shenkir, Ph.D., CPA, and Paul L. Walker, Ph.D., CPA, both of the McIntire School of Commerce, University of Virginia, who were the authors of this SMA. Thanks also go to Patrick Stroh, CMA, Executive Director at UnitedHealth Group and Jeffrey Thomson, MS, Vice President of Research at IMA who served as reviewers and Raef Lawson, Ph.D., CMA, CPA, of IMA who serves as series editor.

TITLE

Enterprise Risk Management: Frameworks, Elements, and Integration

Published by
Institute of Management Accountants
10 Paragon Drive
Montvale, NJ 07645-1760
www.imanet.org

Copyright © 2006 by Institute of Management Accountants

All rights reserved


TABLE OF CONTENTS

Enterprise Risk Management: Frameworks, Elements, and Integration


I. Rationale . . . . . . . . . . . . . . . . . . . . . . . 4

II. Defining Risk and ERM . . . . . . . . . . . . . 5

III. Scope . . . . . . . . . . . . . . . . . . . . . . . . . .5

IV. Total Risk Classification . . . . . . . . . . . . . .6

V. The Role of the Management Accountant . . .7

VI. ERM Frameworks: A Global Perspective . . . .9

The Combined Code and Turnbull Guidance . . . . . . . . . . . . . . . . . .9

King II Report . . . . . . . . . . . . . . . . . . . .10

A Risk Management Standard by Federation of European Risk Management Association (FERMA) . . . . .10

Australian/New Zealand Standard 4360—Risk Management . . . . . . . . . . .10

COSO’s Enterprise Risk Management—Integrated Framework . . . . . . . . . . . . . .11

IMA’s “A Global Perspective on Assessing Internal Control over Financial Reporting” (ICoFR) . . . . . . . . .12

Basel II . . . . . . . . . . . . . . . . . . . . . . . . .14

Standard & Poor’s and ERM . . . . . . . . .14

VII. ERM Foundational Elements . . . . . . . . .14

Organizational Context . . . . . . . . . . . . . .14

Tone at the Top . . . . . . . . . . . . . . . .16

Risk Management Philosophy and Risk Appetite . . . . . . . . . . . . . .16

Integrity and Ethical Values . . . . . . .16

Scope and Infrastructure for ERM . . .17

Basic Components of ERM Framework . . . . . . . . . . . . . . . . . . . . . .18

Set Strategy and Objectives . . . . . . .18

Identify Risks . . . . . . . . . . . . . . . . .18

Assess Risks . . . . . . . . . . . . . . . . .18

Treat and Control Risks . . . . . . . . . .22

Communicate and Monitor . . . . . . . .24

VIII. Integrating ERM into Ongoing Management Activities . . . . . . . . . . . . .25

Strategic Planning . . . . . . . . . . . . . . . . .26

Balanced Scorecard . . . . . . . . . . . . . . .28

Budgeting . . . . . . . . . . . . . . . . . . . . . . .29

Total Quality Management and Six Sigma . . . . . . . . . . . . . . . . . . . . . . .30

Business Continuity (Crisis Management) . . . . . . . . . . . . . . .30

Corporate Governance . . . . . . . . . . . . . .30

The Board and Stock Exchanges . . . . . .31

Risk Disclosures . . . . . . . . . . . . . . . . . .32

Proxy Statements . . . . . . . . . . . . . .32

Management’s Discussion and Analysis . . . . . . . . . . . . . . . . .32

10-K Item 1A—Risk Factor Disclosure . . . . . . . . . . . . . . . . . . .32

Other Voluntary Disclosures . . . . . . .32

IX. Transitioning from SOX to ERM . . . . . . . .33

X. Conclusion . . . . . . . . . . . . . . . . . . . . .33

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . .35

Bibliography . . . . . . . . . . . . . . . . . . . . . . . .35


TABLE OF EXHIBITS

Enterprise Risk Management: Frameworks, Elements, and Integration

Exhibit 1: Evolution of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

Exhibit 2: Overview of Australia/New Zealand Standard 4360—Risk Management . . . .11

Exhibit 3: COSO Enterprise Risk Management Framework . . . . . . . . . . . . . . . . . . . . .12

Exhibit 4: COSO Enterprise Risk Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Exhibit 5: Core Components of a Risk-Based Approach . . . . . . . . . . . . . . . . . . . . . . .15

Exhibit 6: A Continuous Risk Management Process . . . . . . . . . . . . . . . . . . . . . . . . . .17

Exhibit 7: Risk Identification Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Exhibit 8: Risk Quantification and Qualitative Techniques . . . . . . . . . . . . . . . . . . . . . .20

Exhibit 9: Subjective Assessment of Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Exhibit 10: Risk Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

Exhibit 11: Detailed Risk Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

Exhibit 12: Color-Coded Risk Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

Exhibit 13: Functional Risk Assessment Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Exhibit 14: Linking Objectives, Events, Risk Assessment, and Risk Response . . . . . . . .26

Exhibit 15: Strategy, the Balanced Scorecard, and the Budget . . . . . . . . . . . . . . . . . . .27

Exhibit 16: Balanced Scorecard and Strategic Risk Assessment . . . . . . . . . . . . . . . . . .29

Exhibit 17: Risk/Crisis Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Exhibit 18: Hallmarks of Best-Practice ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34


I. RATIONALE

Leadership is about making a difference. If leaders of organizations in the 21st Century are to make a difference and grow their organizations to greatness, they must have the capability to navigate in a very risky and dangerous world. Thus, understanding and managing risk has become imperative for successful leadership of organizations in today's world.

A variety of risks confront organizations today, and any one of them could threaten an organization's success and ultimately lead to a decrease in stakeholder value. The need for greater risk awareness by leaders is driven by much more than just terrorism. Forces such as globalization and the geopolitical environment in which organizations operate add complexity to business, thereby increasing risks. Technology and the Internet require companies to rethink their business models, core strategies, and target markets. Customers have ever-increasing demands for customized products and services, leading to more risks. If customer expectations are not met, market share and, ultimately, revenue and profits can be significantly and quickly impacted. Organizations must also comply with increased regulations in some cases and deregulation in others, both of which drive risks. Mergers and restructurings are causing organizations to downsize and undergo changes in management responsibilities, which also creates the potential for enterprise risks.

Another important driver for more attention to risk management is the accounting and reporting deficiencies, such as unjustified revenue recognition and convoluted business transactions as found in special purpose entities and backdating of stock options. More complex financial instruments such as derivatives are also part of the reality today, requiring greater understanding of the risks embedded in such instruments. Given all of these forces, leaders must have a heightened state of awareness of the necessity for holistic risk management and for a stronger governance structure for their organization.

Well-managed organizations have always had some focus on risk management, but typically it has been on an exposure-by-exposure basis through various risk management silos. For example, the treasury function focused on risks emanating from foreign currencies, interest rates, and commodities—so called financial risks. An organization's insurance group focused on hazard risks such as fire and accidents. Operating management looked after various operational risks, and the information technology group was concerned with security and systems risks. The accounting and internal audit function focused on risks caused by inadequate internal controls and trends in performance indicators. The general assumption was that executive management had their eye on the big picture of strategic risks facing the enterprise in the short term and over the life of the strategic plan.

As organizations grow in complexity and serve global markets, the leadership challenge is to understand fully how the various organizational units interact and relate, and, in turn, how the risks cut across the silos. Instead of managing risk in many individual silos, enterprise risk management (ERM) takes an integrated and holistic perspective on risks facing an organization. Risk-centric leadership does not mean that the organization will be risk averse, but that it strives to identify, assess, and manage risks and, when taking risks, the leadership does so intentionally rather than unknowingly. The key is to take calculated risks across the enterprise and appropriately manage and mitigate the risks for the benefit of the stakeholders.


II. DEFINING RISK AND ERM

Organizations are confronted by events that affect the execution of their strategies and achievement of their objectives. These events can have a negative impact (risks), a positive impact (opportunities), or a mix of both risk and opportunity. In the 2004 publication Enterprise Risk Management—Integrated Framework: Executive Summary Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) stated that ERM is:

- "A process, ongoing and flowing through an entity,
- Effected by people at every level of an organization,
- Applied in strategy setting,
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk,
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite,
- Able to provide reasonable assurance to an entity's management and board of directors,
- Geared to achievement of objectives in one or more separate but overlapping categories."

Several points to emphasize from this broad definition include:

- Risk management should be viewed as a core competency; and
- It is part of everyone's job—whether at the level of setting the organization's strategy, a unit's objectives, or running the daily operations.

Organizations seek to create value for their stakeholders, and ERM is implemented with that goal in mind. Accordingly, ERM is:

A structured and disciplined approach: It aligns strategy, processes, technology, and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. … It is a truly holistic, integrated, forward-looking, and process-oriented approach to managing all key business risks and opportunities—not just financial ones—with the intent of maximizing shareholder value as a whole.¹

The authors of this Statement on Management Accounting (SMA) have stated in previous publications that the goal of ERM is "to create, protect, and enhance shareholder value by managing the uncertainties that could either negatively or positively influence achievement of the organization's objectives." Given that ERM is applicable to all types of organizations, as noted below, some might prefer to use the term "stakeholder value" in this definition instead of "shareholder value."

III. SCOPE

This SMA provides an overview of the ERM process and frameworks. ERM frameworks can be adapted to fit the specifics of the organization's culture and can be implemented in large or small organizations, service or manufacturing businesses, profit, not-for-profit, or private entities.

The information in this SMA provides management accountants and others interested in implementing ERM with:

- A definition of ERM;
- A classification of various risks;
- An understanding of the roles and responsibilities of management accountants in ERM projects;
- An overview of ERM frameworks from several different professional organizations around the world;


¹ J.W. DeLoach, Enterprise-wide Risk Management: Strategies for Linking Risk and Opportunity, Financial Times, London, England, 2000, p. 5.


- A discussion of the foundational elements of ERM;
- Suggestions of how ERM can enhance ongoing management activities; and
- Ideas for adding value to the Sarbanes-Oxley (SOX) 404 compliance requirement by employing a risk-based approach to identify, test, and document key internal controls to assure investors on the quality of the firm's financial statements and related disclosures.

The information in this SMA provides an overview for an organization considering implementation of ERM. This document is not intended to provide a comprehensive discussion of ERM. Other sources, such as those identified in the bibliography, should also be consulted.

IV. TOTAL RISK CLASSIFICATION

Taking the perspective of the total entity, risks may be classified in a variety of risk frameworks. One frequently used framework is:

- Strategic Risk: examples include risks related to strategy, political, economic, regulatory, and global market conditions; also could include reputation risk, leadership risk, brand risk, and changing customer needs.
- Operational Risks: risks related to the organization's human resources, business processes, technology, business continuity, channel effectiveness, customer satisfaction, health and safety, environment, product/service failure, efficiency, capacity, and change integration.


EXHIBIT 1: EVOLUTION OF RISK MANAGEMENT

[Figure: timeline across the 1970s, 1980s, and 1990s with the labels Hazard, Credit, Financial, Market, Operational, Strategic, and Enterprise Risk Management.]


- Financial Risks: includes risks from volatility in foreign currencies, interest rates, and commodities; also could include credit risk, liquidity risk, and market risk.
- Hazard Risk: risks that are insurable, such as natural disasters; various insurable liabilities; impairment of physical assets; terrorism.²

As noted in Exhibit 1, traditional risk management generally focused on financial risk and hazard risk. Approaching risk from an enterprise-wide perspective began to be considered and implemented in the 1990s. This holistic risk approach should enable management to identify most of the key risks that confront the organization. Implementing ERM, however, does not mean that an organization will be able to anticipate every risk that could result in loss of stakeholder value. The limitation of ERM is captured in the aphorism: "There are known knowns, known unknowns, and unknown unknowns." In the ERM process, known risks will be identified and some previously unknown risks will become known. Even with a robust process, however, some unknown risks will not be identified. The organization must have a business continuity or crisis management plan ready to execute when unknown risks materialize and affect the organization negatively. Alternatively, unknown risks can create unique opportunities, and companies must be ready to capitalize on those opportunities.

V. THE ROLE OF THE MANAGEMENT ACCOUNTANT

Adopting ERM is a major commitment for an organization. Successful implementation requires champions at the C-level (CEO, CFO, controller, chief audit executive, chief information officer) of the organization. Some companies have appointed chief risk officers (CROs) or established executive-level risk committees, which may report directly to the board of directors audit committee, thereby enhancing their independence and importance. The ERM initiative gains momentum when it is strongly supported by the board of directors and audit committee. Executive management cannot merely begin the process and then move on to other activities. The last thing most organizations need is another mandate imposed from on high and then left to wither and fade away. If ERM implementation is to be successful, it cannot be viewed as "another program from headquarters" or the "management fad of the month." Education in the ERM framework, the language of risk, and the value of proactive risk management is an imperative for successful ERM deployment. The 2006 Oversight Systems "Financial Executive Report on Risk Management" shows that companies are embracing the concept of ERM but continue to have difficulty with its implementation, noting that 68% of financial executives say their CEO is placing greater emphasis on the management of all types of risk on a holistic basis, and 58% say their company has an ERM approach that considers various risk category interactions. On the other hand, only 41% believe there is a consistent and well communicated definition of "risk" across the enterprise, and only one-third of the financial executives surveyed believe there are formal training programs for senior and line management.

It is important for executive management to communicate that they view ERM as an integral component of sound business management. Implementing an integrated and holistic risk management approach across the entire organization will undoubtedly affect the role of some well-ensconced fiefdoms engaged in silo risk management. Risk champions can be influential in getting general acceptance of ERM. It is important that executives set the tone at the top by calling for big picture alignment, strong corporate governance, and risk educational programs.

² Paul L. Walker, William G. Shenkir, and Thomas L. Barton, Enterprise Risk Management: Pulling It All Together, The Institute of Internal Auditors Research Foundation, 2002, p. 3.

The management accountant can make major contributions to moving the organization from silo risk management (or no meaningful risk management process at all) to an integrated and holistic approach. In the "new" era of the finance organization, in the migration from a counter of wealth to assisting in the creation of wealth (i.e., independent strategic business partner), the management accountant is increasingly being asked to serve on, if not lead, cross-functional teams to implement critical enterprise-wide initiatives. ERM provides a wealth of opportunities for the management accountant to help implement a disciplined, systematic process to maximize the value of the enterprise. Some specific activities where the skills and competencies of the management accounting professional can be useful in ERM implementation include:

- Serve as a champion for ERM, supporting the change from risk management in silos to ERM;
- Help to resolve conflict between supporters of ERM and traditional risk management approaches;
- Educate others in the organization about the ERM process;
- Provide expertise to operational management on the organization's ERM framework and process;
- Serve on cross-functional and diverse ERM committees;
- Assist executive and operational management in analyzing and quantifying the organization's risk appetite and risk tolerances for individual units;
- Assist in implementing ERM within the finance function;
- Provide information to operational management to assist in risk identification;
- Perform benchmarking studies for use in risk identification;
- Gather best practice information on ERM;
- Assist in quantifying impact and likelihood of individual risks on risk maps;
- Assist in identifying and estimating costs and benefits of various risk mitigation alternatives, and coach management in responding to risks;
- Design reports to monitor risks, and develop financial and nonfinancial metrics to evaluate the effectiveness of risk mitigation (treatment) actions;
- Advise management on integrating ERM with the balanced scorecard and budgeting process;
- Participate in development of business continuity (crisis management) plans;
- Advise on risk disclosures in the SEC Form 10-K and the annual report;
- Serve as a champion for strong corporate governance incorporating ERM; and
- Coach management on the value of extending SOX 404 compliance to encompass ERM, including business process owners and other operational functions conducting a holistic assessment of risks impacting achievement of their business objectives.

Once executive management has decided to embark on implementing ERM, it is in the enlightened self-interest of management accountants to do what they can to keep the project moving. An effective ERM implementation provides a context for management accountants to perform their duties and responsibilities knowing that people at all levels of the organization are aware of risk while doing their work and are held accountable for how they manage risks.


VI. ERM FRAMEWORKS: A GLOBAL PERSPECTIVE

ERM is a globally accepted and growing field. As a result, a number of risk frameworks and statements have been published by professional organizations around the world. Some of the publications urge businesses to use these frameworks. Other risk frameworks have a "comply or explain why not" approach. Still other frameworks are legally mandated or implied in their respective country. Some of the documents were written by guidance-setting organizations such as COSO, while others were written by individuals with a wide range of backgrounds, including insurance, government, safety, and engineering. The different backgrounds lead to very different approaches in these risk frameworks. Some lean toward financial reporting and internal control, and others lean toward management, corporate governance, and accountability. Ambitiously, some even try to cover every possible aspect of risk. Still, enterprise risk management frameworks are valuable tools. They usually provide a diagram or approach that includes the steps necessary for ERM implementation in addition to providing guidance and examples. In this section, the following ERM frameworks are briefly discussed:

- The Combined Code and Turnbull Guidance
- King II Report
- A Risk Management Standard by the Federation of European Risk Management Association (FERMA)
- Australian/New Zealand Standard 4360—Risk Management
- COSO's Enterprise Risk Management—Integrated Framework
- The Institute of Management Accountants' (IMA) "A Global Perspective on Assessing Internal Control over Financial Reporting" (ICoFR)
- Basel II
- Standard & Poor's and ERM

The Combined Code and Turnbull Guidance

In the United Kingdom, the Financial Reporting Council published the Combined Code on Corporate Governance (the Code) in 2003. Although the Code is not specifically labeled as an ERM framework, it does have many similar aspects, and "risk" is mentioned more than 100 times. The Code states that the role of the board is to provide a framework of effective control so that risk is assessed and managed. The board is also required to review the effectiveness of controls, including all controls over financial, operational, and compliance areas as well as risk management systems.

In 2005, the Financial Reporting Council also published Internal Control—Revised Guidance for Directors on the Combined Code, which is a revision of the Turnbull report first published in 1999. This guidance assumes that a company's board uses a risk-based approach to internal control. The guidance suggests that to assess a company's risk and control processes, the following elements must be reviewed:

- Risk assessment;
- Control environment and control activities;
- Information and communication; and
- Monitoring.

The guidance offers sample questions that could be used to assess the effectiveness of risk and control processes. Questions related to risk assessment focus on the presence of clear objectives, effective direction on risk assessment, measurable performance targets, identification and assessment of all risks on an ongoing basis, and a clear understanding of acceptable risks.


King II Report

The King Report on Corporate Governance for South Africa (King II Report) was published in 2002 to promote corporate governance. This report has five sections:

- Board and directors;
- Risk management;
- Internal audit;
- Integrated sustainability reporting; and
- Accounting and auditing.

The King II Report also includes an appendix on "risk management and internal controls."

According to this report, the board is responsible for the risk management process and its effectiveness. The board should:

- Set risk strategy policies;
- Assess the risk process;
- Assess the risk exposures, such as physical and operational risks, human resource risks, technology risks, business continuity and disaster recovery, credit and market risks, and compliance risks;
- Review the risk management process and significant risks facing the company; and
- Be responsible for risk management disclosures.

A Risk Management Standard by Federation of European Risk Management Association (FERMA)

A consortium of U.K. organizations, including the Institute of Risk Management, the Association of Insurance and Risk Managers, and the National Forum for Risk Management in the Public Sector, published A Risk Management Standard (RMS) in 2004. The RMS represents best practices that companies can compare themselves against to determine how well they are doing in the prescribed areas. It is not a lengthy document, but it does provide a risk management process, which includes:

- Linkage to the organization's strategic objectives;
- Risk assessment, which the RMS breaks down into risk analysis, risk identification, risk description, risk estimation, and risk evaluation;
- Risk reporting;
- Decision;
- Risk treatment;
- Residual risk reporting; and
- Monitoring.

Australian/New Zealand Standard 4360—Risk Management

Australia and New Zealand formed a joint technical committee composed of representatives from numerous organizations to publish two documents on risk management in 2004. The committee is diverse and includes groups that focus on computers, customs, insurance, defense, emergency management, safety, securities, and accounting, among many others. This diverse background leads to a different approach than is seen in other frameworks. The first document, initially published in 1999, is titled Risk Management (the Standard). The second companion document, Risk Management Guidelines (the Guidance), provides insights on implementing the Standard.

The Standard can be applied to any type of organization and to any project or product. It attempts to factor in both the upside and downside of risk. Although the Standard specifies the elements of risk management, it is not intended to enforce uniformity. Its objective is to provide guidance in several areas, some of which are: a basis for decision making, better risk identification, gaining value, resource allocation, improved compliance, and corporate governance. The Standard's risk management process is presented in Exhibit 2.


The Guidance document elaborates on each element of the risk management process in Exhibit 2. For example, for the step "establishing the context," the commentary focuses on understanding an organization's objectives and its external and internal stakeholders. As another example, the Guidance provides commentary on "criteria" for establishing the context, which include the kinds of consequences and the definition of likelihood. The commentary on criteria further includes detailed case examples of criteria and the related objectives.

COSO's Enterprise Risk Management—Integrated Framework

COSO published Internal Control—Integrated Framework in 1992. It followed that in 2004 with publication of its ERM framework, Enterprise Risk Management—Integrated Framework (see Exhibits 3 and 4). As noted previously, the COSO definition of ERM is very broad. The ERM framework is clearly distinct from COSO's internal control framework. Currently, the Securities & Exchange Commission (SEC) requires that companies attest in writing that their system of internal controls over financial reporting is effective in accordance with a "suitable" framework such as COSO's 1992 internal control framework. Interestingly, the 2004 COSO ERM guidance is arguably more suitable for achieving the SEC's goal of developing and deploying "top-down, risk-based" management assessment guidance that helps lower the costs associated with SOX 404 compliance. The COSO ERM framework notes that internal control is a part of ERM.

EXHIBIT 2: OVERVIEW OF AUSTRALIA/NEW ZEALAND STANDARD 4360—RISK MANAGEMENT

[Figure: process diagram with the labels Establish the Context, Identify Risks, Analyze Risks, Evaluate Risks, Treat Risks, Risk Assessment, Communicate and Consult, and Monitor and Review.]

Source: Joint Standards Australia/Standards New Zealand Committee, Risk Management, 2004, p. 9.

The COSO ERM framework has eight interrelated components (see Exhibit 4). According to COSO’s ERM framework, internal environment refers to the tone of the organization, its risk appetite, and elements such as oversight by the board. The framework states that companies must set objectives at the strategic level and must identify the risks and opportunities that impact the entity. Risks must then be assessed, and a response to the risk made—avoidance, reduction, sharing, or possibly acceptance. Clearly, COSO’s ERM framework is one of the most comprehensive frameworks.

COSO also published a volume of application techniques to supplement the framework. This document provides examples to assist companies in implementing ERM. For example, the application techniques related to the internal environment component show sample risk management philosophy statements and illustrative codes of conduct. Other examples are given for each of the framework’s components.

EXHIBIT 3: COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK

[Cube diagram] Objective categories (top face): Strategic, Operations, Reporting, Compliance. Components (front face): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Organizational levels (side face): Entity Level, Division, Business Unit, Subsidiary.

Source: COSO, Enterprise Risk Management—Integrated Framework: Executive Summary, New York, 2004, p. 7.

IMA’s “A Global Perspective on Assessing Internal Control over Financial Reporting” (ICoFR)
IMA developed a risk-based framework to assist company management in more cost effective compliance with SOX 404 requirements. Titled “A Global Perspective on Assessing Internal Control over Financial Reporting” (ICoFR), it includes self-assessments by CFOs and business process owners. The framework, shown in Exhibit 5, has been market tested and draws on advances in global risk and quality management disciplines over many years. Some members of the business community have noted that SOX 404 requirements have resulted in smaller publicly traded companies delisting or threatening to delist; larger corporations employing full-time staffs and expensive consultants and not realizing the value in their compliance programs; and an erosion of U.S. global competitiveness. IMA developed the framework and delivered it to the SEC in order to provide thought leadership as the SEC develops its own version of management assessment guidance, which many hope will address the implementation issues associated with SOX 404 compliance in the more than three years since the Sarbanes-Oxley Act was passed.

EXHIBIT 4: COSO ENTERPRISE RISK COMPONENTS

Internal Environment: Risk Management Philosophy – Risk Appetite – Board of Directors – Integrity and Ethical Values – Commitment to Competence – Organizational Structure – Assignment of Authority and Responsibility – Human Resource Standards

Objective Setting: Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerances

Event Identification: Events – Influencing Factors – Event Identification Techniques – Event Interdependencies – Event Categories – Distinguishing Risks and Opportunities

Risk Assessment: Inherent and Residual Risk – Establishing Likelihood and Impact – Data Sources – Assessment Techniques – Event Relationships

Risk Response: Evaluating Possible Responses – Selected Responses – Portfolio View

Control Activities: Integration with Risk Response – Types of Control Activities – Policies and Procedures – Controls Over Information Systems – Entity Specific

Information and Communication: Information – Communication

Monitoring: Ongoing Monitoring Activities – Separate Evaluations – Reporting Deficiencies

Source: COSO, Enterprise Risk Management—Integrated Framework: Application Techniques, New York, 2004, p. 2.

ICoFR heavily relies on advances in global risk management, including how to “treat” risks once an “assurance context” has been established with appropriate business objectives. The assurance context as it relates to SOX 404 is materially fault-free financial statements enabled by an effective system of internal controls. The risk-based framework works equally well with other business contexts/applications, however, such as business continuity planning, operations management, and cost optimization. The ICoFR framework also relies on traditional Total Quality Management (TQM) principles. For example, once the assurance context has been established and the initial control portfolio is selected to address “threats to achievement” of objectives, the residual risk that remains is quantifiable (e.g., by analysis of historical error rates) and tested against preestablished bounds. This helps determine if the risk is acceptable or not.

Basel II
The Basel Committee on Banking Supervision updated its original Basel Accord with Basel II and its related new framework. The framework is designed to improve the international banking system and make it stronger. The framework is focused on maintaining consistent capital adequacy requirements among banks. A key idea behind the framework is that banks should match capital to the actual level of risks and that minimum capital levels should be set. The framework applies to “internationally active banks” and has three pillars: minimum capital requirements, supervisory review, and market discipline.

Standard & Poor’s and ERM
Standard & Poor’s (S&P) has already started to incorporate a company’s ERM practice into the S&P rating of the company. S&P currently applies this rating to both financial institutions and insurers. Its framework for evaluating ERM at banks includes a review of ERM policies, ERM infrastructure, and ERM methodology. ERM policies should address risk culture, appetite, and strategy; control and monitoring; and disclosure and awareness. ERM infrastructure covers risk technology, operations, and risk training. ERM methodology refers to capital allocation, model vetting, and valuation methods.

The framework for evaluating insurers includes an assessment of risk management culture, risk controls, emerging risk management, risk and capital models, and strategic risk management. Standard and Poor’s has stated that the insurer is rated weak, adequate, strong, or excellent. An adequate rating would mean an insurer has “fully functioning risk control systems in place for all major risks.”

VII. ERM FOUNDATIONAL ELEMENTS
While a variety of ERM frameworks have been suggested by different professional organizations and consulting firms, the essential components of most frameworks are similar. They differ in the language used to describe the components in the ERM process as well as in the number of specific steps. In implementing ERM, a company may want to adapt a generic framework to fit its culture, management philosophy, capabilities, needs, industry, and size. This section discusses the organizational context for ERM and the basic components in a generic ERM framework.

Organizational Context
An effective ERM implementation requires an organizational context that includes:

• Tone at the top;
• Risk management philosophy and risk appetite;
• Integrity and ethical values; and
• Scope and infrastructure for ERM.

EXHIBIT 5: CORE COMPONENTS OF A RISK-BASED APPROACH

[Flow diagram]
Assurance Context (self-determined or mandated): the outcome, objective, process, or subject one or more stakeholders want some type of formalized assurance on.
Threats to Achievement/Risks: these are possible problems or situations that could threaten the assurance context.
Control Portfolio, the controls selected (consciously or unconsciously): controls are methods, procedures, equipment, or other things that provide additional assurance relevant risks are mitigated to an acceptable level.
Residual Risk Status: information that helps decision makers assess the acceptability of residual risk. Status data can include issues/concerns, indicator data, impact information, impediments, risk sharing mechanisms, and other relevant data.
Decision, Acceptable?: is the residual risk status acceptable to the work unit? Management? The Board? External audit? Regulators? Other stakeholders?
Decision, Portfolio Optimized?: is this the lowest cost set of controls given our risk tolerance?
Outcomes shown on the YES/NO branches: YES – Move On; Risk Sharing/Avoidance; Reexamine control design and/or assurance context and develop an action plan.

Source: IMA, “A Global Perspective on Assessing Internal Control over Financial Reporting,” September 2006, p. 10.

Tone at the Top
A necessary condition for effective ERM implementation is the tone set by the board of directors and top management, who are ultimately responsible for risk management. A board with a majority of independent directors should regularly seek executive management’s responses to these questions: “What are the company’s top risks? What is their time horizon? And what is being done to manage them?” The board discussion around these questions sends a message to top management that the board recognizes that any organization is vulnerable to risk, and they expect top management to maintain an effective risk management process. In turn, the importance that top management places on effective ERM in its decisions sends a message to the entire organization. Again, if the organization’s risk committee and chief risk officer report directly to the audit committee of the board of directors, this signals the importance of ERM.

Risk Management Philosophy and Risk Appetite
The core of a company’s risk management philosophy is how it views risks and considers them when making decisions. Management seeks to create value by growing the company, and the risk management philosophy serves as a control over which risks are acceptable in pursuing growth opportunities. An organization usually cannot pursue all the numerous opportunities for growth that may be envisioned and must choose those that fall within its risk appetite and tolerance.

An organization’s risk management philosophy is manifested in its risk appetite, which reflects how much risk the company can optimally handle given its capabilities and the expectation of its various stakeholders. The company’s capabilities in terms of the core competencies of its people, technology, and capital are key determinants of the amount of risk it can accept overall relative to business and stakeholder objectives. The company’s risk appetite influences its culture, strategic decisions, and operating style. The company’s stakeholders—shareholders, executives, employees, and others—have expectations concerning the organization’s appropriate amount of risk, and, thus, they also influence the setting of the risk appetite. Companies should understand and be fully aware of the risk appetite of all stakeholders if they wish to deliver optimal results.

While risk appetite is a broad, entity-wide concept, risk tolerance has a narrower focus. An organization may have different risk tolerances for its various operating units, but when the individual risk tolerances are combined, they should fall within the overall risk appetite set by top management and the board. This is the essence of ERM, which is an integrated, holistic view of risks, in contrast with a silo approach to risk management. Additionally, risk mitigation under ERM takes an enterprise perspective rather than inefficiently mitigating risks independently.

Integrity and Ethical Values
Management’s uncompromising commitment to integrity and ethical behavior in all areas of decision making is a prerequisite to implementing effective ERM. If employees sense that management is cutting corners and not setting an example for acceptable behavior, they will likely follow suit and develop the same attitude about right and wrong, putting the organization’s reputation at risk. An organization’s reputation takes years to build but can be diminished quickly by unethical behavior. Reputation risk is recognized as one of the major risks that organizations must manage proactively.


Formal codes of conduct that are constantly reinforced through training programs serve to set boundaries for all employees as to what is unacceptable behavior. Under SOX, the SEC was directed to set rules that require a company to disclose if it has adopted a code of ethics or explain why it does not. This disclosure requirement enhances the internal environment supporting ERM implementation.

Scope and Infrastructure for ERM
In launching an ERM initiative, the scope of the effort should be stated clearly. Some organizations initially rolled out the ERM effort in a specific operating unit and beta-tested the framework they were using before implementing it across the company. In addition, a decision must be made on the risk infrastructure from a governance and leadership accountability perspective. Will the effort be overseen by a chief risk officer (CRO), the CFO, an ERM advisory committee, or some combination? A CRO supported by a cross-functional risk advisory committee is one approach. Regardless of the approach, risks identified are owned by the operating units, not the CRO or a risk committee. Also, the ERM effort will not succeed without champions at the C-level supporting the risk infrastructure and a major, enterprise-wide education effort on the ERM methodology.

EXHIBIT 6: A CONTINUOUS RISK MANAGEMENT PROCESS

[Cycle diagram] Set strategy/objectives, Identify risks, Assess risks, Treat risks, Control risks, Communicate & monitor, and back to the start.

Source: Adapted from The Institute of Chartered Accountants in England & Wales, No Surprises: The Case for Better Risk Reporting, ICAEW, London, U.K., 1999, p. 47.

Basic Components of ERM Framework
The basic components found in most ERM frameworks are (see Exhibit 6):

• Set strategy and objectives,
• Identify risks,
• Assess risks,
• Treat risks,
• Control risks, and
• Communicate and monitor.

Set Strategy and Objectives
The first step in the ERM framework requires an understanding and clarity of strategy and objectives. The opportunities that a company decides to pursue are articulated in its strategy and objectives. Risks are the events or actions that jeopardize the achievement of the strategy and related objectives. On the up side, a holistic and proactive understanding of risk can lead to new or previously unidentified opportunities. The identification of risk is dependent on clarity of objectives for the unit under analysis, which might be the overall organization, a strategic business unit, a function, an activity, a process, or a reporting and compliance requirement.

One of the benefits derived from ERM is that the implementation process may reveal that some objectives are not clear to all stakeholders or understood by those responsible for achieving them. Employees may not understand how their daily jobs and tasks relate to the objectives. At this point, some companies have found it necessary to devote effort to clarifying the unit’s objectives before they can move on to the next step. ERM requires companies to state objectives clearly at every level of the organization where risks are identified—literally, from the workroom to the boardroom.

Identify Risks
A list of techniques available for identifying risks is presented in Exhibit 7. (These techniques are discussed in the SMA titled Tools and Techniques of Enterprise Risk Management.) The goal in identifying risks is to produce a comprehensive list of risks and to assess them, narrowing the list down to the top risks facing the organization. In selecting from the list of techniques, a consideration is the rigor of the technique and whether it will encourage openness among the participants. Because of the diversity and complexity of risks, using several of the techniques on the list may be required to ensure that as many risks are identified as possible. If some risks fail to be identified in the process, they may later lead to a major problem for the organization or a missed opportunity. At the conclusion of the risk identification process, the company should have its own list of risks or risk language, with an agreement on the meaning of each one. This list is the organization’s inherent risks, and once mitigation actions are determined, what remains are residual risks.

In identifying risks, one view is to start with a blank sheet of paper and develop the list of inherent risks by applying one or several of the techniques in Exhibit 7. Alternatively, a list of risks or a risk universe can be provided to those participating in the identification process. They, in turn, use this list to identify the risks relevant to the organization. Some combination of these two approaches also may be used to develop a comprehensive list of risks.

Assess Risks
Once risks have been identified, risk assessment is the next step. A key to ERM is to know the risks the company can control and those over which it has little or no control. A second and related key is to know which risks can and cannot be measured. Knowing the importance of a risk through risk assessment can lead to better management and resource allocation. Further, knowing how that risk interrelates with other risks in the organization can enhance ERM. A 2005 survey by Protiviti indicated that companies use a variety of approaches in implementing ERM:

• 39% do risk assessment workshops;
• 32% do risk modeling;
• 30% have risk-based metrics; and
• 28% do risk mapping.

Risks must be assessed or measured in some way. Exhibit 8 presents the variety of approaches available, from qualitative to quantitative.

EXHIBIT 7: RISK IDENTIFICATION TECHNIQUES

Internal interviewing and discussion:
• Interviews
• Questionnaires
• Brainstorming
• Self-assessment and other facilitated workshops
• SWOT analysis (strengths, weaknesses, opportunities, and threats)

External sources:
• Comparison with other organizations
• Discussion with peers
• Benchmarking
• Risk consultants

Tools, diagnostics, and processes:
• Checklists
• Flowcharts
• Scenario analysis
• Value chain analysis
• Business process analysis
• Systems engineering
• Process mapping

Source: American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), Managing Risk in the New Economy, AICPA, New York, 2000, p. 9.

When a risk is identified, the implication is that it has some significance and can be ranked on some scale of importance. An example of a subjective assessment of risk and related rankings is provided in Exhibit 9. In a risk assessment workshop, each participant can rank the previously identified risk on a scale of 1 to 3, and the risks can be sorted by the rankings. Management can then focus on those risks that have been ranked as the most important.

Risks can also be assessed using a low, medium, or high level of impact or significance. Alternatively, risks can be assessed using a dollar level of impact. In addition to the impact or significance of risks, the probability of a risk occurring should be considered. Once impact and probability are determined, a risk map can be generated as illustrated in Exhibit 10.

As shown in Exhibit 11, risk maps can be more detailed by breaking down the impact into categories or a dollar amount measured by a selected metric. The annualized impact can be measured in terms of some metric such as earnings per share or net income. The probability can also be expanded into categories such as greater than 90% chance, 30% to 60% chance, or less than 10% chance of the risk event occurring.

Some companies display risk in zones on maps designated by color, as shown in Exhibit 12. A risk in the green zone indicates a low dollar impact and probability of occurrence, the yellow zone indicates moderate risk, and the risks with the highest impact and likelihood are in the red zone.
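As an added example (not code from the SMA or from IMA), the following Python puts the assessment steps above into working form: it totals workshop scores of the kind shown in Exhibit 9 and sorts the risks by importance, maps a dollar impact and a one-year probability onto the five severity and likelihood bands of Exhibit 11, and assigns a color zone in the spirit of Exhibit 12. The band thresholds are the exhibit’s own; the zone cut-offs (product of the two bands) and the treatment of values that sit exactly on a boundary are assumptions, since the text does not state them.

```python
"""Risk assessment helpers: survey ranking, impact and likelihood bands, map zones.

Added example; not code from the SMA or from IMA. The dollar and probability
bands are those of Exhibit 11; the survey scale is that of Exhibit 9
(1 = very important, 3 = not important). The zone cut-offs are an
assumption: Exhibit 12 shows colored zones but does not state its boundaries.
"""
from typing import Dict, List, Tuple

# Exhibit 11 severity scale: (lower bound in dollars, band, label). A value on
# a boundary is placed in the higher band (assumption; the exhibit labels the
# ends as ">$15M" and "<$1M" and leaves the exact boundaries open).
SEVERITY_BANDS: List[Tuple[float, int, str]] = [
    (15_000_000, 5, "Critical"),
    (10_000_000, 4, "High"),
    (5_000_000, 3, "Moderate"),
    (1_000_000, 2, "Low"),
    (0, 1, "Not Significant"),
]

# Exhibit 11 probability scale over a one-year horizon, same boundary rule.
LIKELIHOOD_BANDS: List[Tuple[float, int, str]] = [
    (0.90, 5, "Expected"),
    (0.60, 4, "Highly Likely"),
    (0.30, 3, "Likely"),
    (0.10, 2, "Not Likely"),
    (0.0, 1, "Slight"),
]


def severity_band(annualized_impact: float) -> Tuple[int, str]:
    """Map an annualized dollar impact onto the 1-5 severity scale."""
    if annualized_impact < 0:
        raise ValueError("annualized impact must be non-negative")
    for lower, band, label in SEVERITY_BANDS:
        if annualized_impact >= lower:
            return band, label
    raise AssertionError("unreachable: the last band starts at 0")


def likelihood_band(probability: float) -> Tuple[int, str]:
    """Map a one-year probability onto the 1-5 likelihood scale."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for lower, band, label in LIKELIHOOD_BANDS:
        if probability >= lower:
            return band, label
    raise AssertionError("unreachable: the last band starts at 0")


def zone(severity: int, likelihood: int) -> str:
    """Color zone for a cell of the map. Assumed rule: product of the two
    bands, red at 15 and above, yellow from 5 to 14, green below 5."""
    score = severity * likelihood
    if score >= 15:
        return "red"
    if score >= 5:
        return "yellow"
    return "green"


def place_on_map(annualized_impact: float, probability: float) -> Dict[str, object]:
    """Full placement of one risk: bands, labels, and zone."""
    sev, sev_label = severity_band(annualized_impact)
    lik, lik_label = likelihood_band(probability)
    return {
        "severity": sev, "severity_label": sev_label,
        "likelihood": lik, "likelihood_label": lik_label,
        "zone": zone(sev, lik),
    }


def rank_survey(scores: Dict[str, List[int]]) -> List[Tuple[str, int]]:
    """Total the workshop scores per risk (as in Exhibit 9) and sort so the most
    important risks come first: on the 1-3 scale a lower total is more important."""
    ranked = []
    for risk, votes in scores.items():
        if any(v not in (1, 2, 3) for v in votes):
            raise ValueError(f"{risk}: every score must be 1, 2, or 3")
        ranked.append((risk, sum(votes)))
    ranked.sort(key=lambda item: item[1])
    return ranked


if __name__ == "__main__":
    # Constructed workshop data: three participants scoring three risks.
    survey = {
        "Sample Risk #1": [1, 1, 2],
        "Sample Risk #2": [3, 3, 3],
        "Sample Risk #3": [2, 2, 1],
    }
    for risk, total in rank_survey(survey):
        print(f"{risk}: total {total}")
    # Constructed inputs: $12M annualized impact at a 35% one-year probability.
    print(place_on_map(12_000_000, 0.35))
```

The two band tables are the only place the exhibit’s thresholds live, so a company using a different metric (earnings per share, net income) or different dollar cut-offs changes those tables and nothing else; the zone rule is likewise a single function that can be replaced by whatever boundaries the company draws on its own map.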

EXHIBIT 8: RISK QUANTIFICATION AND QUALITATIVE TECHNIQUES

Qualitative and Quantitative Approaches to Assessment and Measurement. Axis of the exhibit: level of difficulty and amount of data required.

QUALITATIVE:
• Risk identification
• Risk rankings
• Risk maps
• Risk maps with impact and likelihood
• Risks mapped to objectives or divisions
• Identification of risk correlations

QUALITATIVE/QUANTITATIVE:
• Validation of risk impact
• Validation of risk likelihood
• Validation of correlations
• Risk corrected revenues
• Gain/loss curves
• Tornado charts
• Scenario analysis
• Benchmarking
• Net present value
• Traditional measures

QUANTITATIVE:
Probabilistic techniques:
• Cash flow at risk
• Earnings at risk
• Earnings distributions
• EPS distributions

An advantage of risk maps with colored zones is that companies that have assessed risks across the enterprise can display the colors and compare the risk assessments in a report. For example, the report in Exhibit 13 shows how each risk is assessed across the enterprise by every function or division. Resolving differences in risk assessments and seeking possible risk solutions can lead to valuable discussions. Other quantitative analysis and risk tools are discussed in Tools and Techniques of Enterprise Risk Management.

EXHIBIT 9: SUBJECTIVE ASSESSMENT OF RISK

[Table] Rows: Sample Risk #1 through Sample Risk #10 (brainstorming output). Columns: survey responses from participants 1 through 15, each a score of 1, 2, or 3, followed by a Total column giving the sum of the scores for each risk. Score key: 1 = very important, 2 = somewhat important, 3 = not important. Totals listed in the exhibit: 17, 18, 19, 20, 21, 21, 23, 23, 25, 32.

When placing risks on a map, they can be presented based on the inherent assessment, which is the level of risk in each event before any mitigation action is taken. Residual risk is what remains after management has taken a mitigation action. Risk maps can also be presented showing the residual risk. As an example, a company identified numerous risks as part of its risk identification process. One of the key risks was financial risks, but the company’s executives and internal auditors believed that strong controls were already in place for the identified financial risks. Therefore, their residual risk was low in this area, and the company chose to focus on others of the top risks identified.

Treat and Control Risks
After risks are identified and assessed, management must decide how to respond to them. One of the goals of ERM should be to make conscious decisions about risk. The actions that management might take for a given risk include: avoidance, reduction, sharing, and acceptance. Management determines its response to a risk by considering the impact a given decision will have, the likelihood of the risk, and the costs and benefits of its action. The goal is to take actions that will bring the organization’s overall residual risk within its risk appetite. As noted previously, risk tolerances may vary, but overall they should fall within the risk appetite approved by executive management and the board. Linking inherent and residual risk with risk tolerance is illustrated in Exhibit 14.

In this analysis, the first risk analyzed was the number of available qualified candidates. The company identified several related risks and then adopted a risk management strategy. Through its action, management concluded the likelihood of the risk was reduced from 20% to 10%.
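As an added example (not code from the SMA or from IMA), the following Python records each of the four responses the text lists, derives residual values from inherent ones, and then tests the residual exposure of each operating unit against its tolerance and the combined total against the entity-wide appetite, which is the aggregation rule stated in the risk appetite discussion above. Modelling exposure as annualized impact times one-year likelihood is an assumption, and every figure is constructed except the 20% to 10% likelihood reduction quoted from the candidate-availability example.

```python
"""Inherent versus residual risk and the tolerance/appetite check.

Added example; not code from the SMA or from IMA. Exposure is modelled as
annualized impact times one-year likelihood (an assumption: the text fixes no
formula). The 20% -> 10% likelihood reduction is the text's candidate-
availability example; every other number below is constructed.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, Iterable, Optional


class Response(Enum):
    """The four responses the text lists."""
    AVOIDANCE = "avoidance"
    REDUCTION = "reduction"
    SHARING = "sharing"
    ACCEPTANCE = "acceptance"


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str                      # operating unit that owns the risk
    impact: float                  # inherent annualized impact, dollars
    likelihood: float              # inherent probability over one year
    response: Response = Response.ACCEPTANCE
    residual_impact: Optional[float] = None        # set by sharing/avoidance
    residual_likelihood: Optional[float] = None    # set by reduction/avoidance

    def inherent_exposure(self) -> float:
        """Exposure before any mitigation action."""
        return self.impact * self.likelihood

    def residual_exposure(self) -> float:
        """Exposure after the recorded response; fields the response did not
        change fall back to the inherent values."""
        impact = self.impact if self.residual_impact is None else self.residual_impact
        likelihood = (self.likelihood if self.residual_likelihood is None
                      else self.residual_likelihood)
        return impact * likelihood


def respond(risk: Risk, response: Response, *, likelihood: Optional[float] = None,
            retained_share: Optional[float] = None) -> Risk:
    """Record management's response and the residual values it implies."""
    if response is Response.AVOIDANCE:
        # The activity giving rise to the risk is discontinued.
        return replace(risk, response=response, residual_impact=0.0, residual_likelihood=0.0)
    if response is Response.REDUCTION:
        if likelihood is None or not 0.0 <= likelihood <= risk.likelihood:
            raise ValueError("reduction needs a residual likelihood no higher than the inherent one")
        return replace(risk, response=response, residual_likelihood=likelihood)
    if response is Response.SHARING:
        # e.g. insurance or hedging: only the retained share of the impact stays.
        if retained_share is None or not 0.0 <= retained_share <= 1.0:
            raise ValueError("sharing needs the retained share of the impact, between 0 and 1")
        return replace(risk, response=response, residual_impact=risk.impact * retained_share)
    return replace(risk, response=Response.ACCEPTANCE,
                   residual_impact=None, residual_likelihood=None)


def tolerance_report(risks: Iterable[Risk], tolerances: Dict[str, float],
                     appetite: float) -> Dict[str, object]:
    """Sum residual exposure per unit and test it against each unit's tolerance
    and the entity-wide appetite. Also checks the text's rule that the unit
    tolerances combined must fit within the appetite."""
    by_unit: Dict[str, float] = {}
    for r in risks:
        by_unit[r.unit] = by_unit.get(r.unit, 0.0) + r.residual_exposure()
    total = sum(by_unit.values())
    return {
        "by_unit": by_unit,
        "unit_within_tolerance": {u: by_unit.get(u, 0.0) <= t for u, t in tolerances.items()},
        "units_without_tolerance": sorted(set(by_unit) - set(tolerances)),
        "tolerances_within_appetite": sum(tolerances.values()) <= appetite,
        "total_residual": total,
        "within_appetite": total <= appetite,
    }


if __name__ == "__main__":
    candidates = Risk("Availability of qualified candidates", "HR", 2_000_000, 0.20)
    treated = respond(candidates, Response.REDUCTION, likelihood=0.10)
    print(f"inherent {candidates.inherent_exposure():,.0f}, residual {treated.residual_exposure():,.0f}")
    report = tolerance_report([treated], {"HR": 250_000}, appetite=500_000)
    print(report["unit_within_tolerance"], report["within_appetite"])
```

The report keeps three separate answers on purpose: whether each unit sits inside its own tolerance, whether the tolerances themselves add up to no more than the appetite, and whether the actual residual total does. A unit can pass its tolerance while the entity still exceeds its appetite if the tolerances were set without regard to the whole, which is exactly the silo problem the text contrasts ERM with; the list of units that own risk but have no tolerance set flags the gap that lets that happen.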

EXHIBIT 10: RISK MAP

[2×2 grid] Vertical axis: Impact on Achievement of Objectives (Significance), Low to High. Horizontal axis: Likelihood of Occurrence, Low to High. Quadrants: High Impact/Low Likelihood; High Impact/High Likelihood; Low Impact/Low Likelihood; Low Impact/High Likelihood.

To respond and treat a risk properly, companies must also source the risk to the root causes. For example, a grain company identified weather as a risk. After studying the risk, the company decided the risk it needed to manage was grain volume, not the weather. Many things affected grain volume besides weather, such as loss of product in shipping and handling or waste. Similarly, a company identified an earthquake as a risk. After studying the earthquake risk thoroughly, the company decided that it needed to focus on several related risks. For example, the company’s buildings could be earthquake secure, but its suppliers’ buildings or employees’ homes may not be safe. Other related and critically important risks were how a potential earthquake would affect customer service, research and development on new products, and expansion into new markets. The destruction of the physical facilities by an earthquake had far-reaching implications that had to be analyzed.

EXHIBIT 11: DETAILED RISK MAP

Severity of Impact (rows; annualized impact measured in terms of a specific metric, with dollar thresholds):
  5  Critical         >$15M
  4  High             $10M–$15M
  3  Moderate         $5M–$10M
  2  Low              $1M–$5M
  1  Not Significant  <$1M

Probability of Occurrence (columns; measured over a one-year time horizon):
  1  Slight         <10%
  2  Not Likely     10%–30%
  3  Likely         30%–60%
  4  Highly Likely  60%–90%
  5  Expected       >90%

Risks are plotted on the resulting 5×5 grid of severity against probability.

Treating and controlling risks can require a variety of actions. For example, companies can implement new policies and controls, purchase derivatives, hire new management, or implement new training programs. This variety of risk treatment approaches is why ERM is a much broader concept than financial reporting and internal control risk. Of course, companies can still just accept and bear the risk if doing so is in alignment with their stakeholders’ expectations. For example, some airlines have more aggressive approaches to managing the risk of fuel price increases and decreases than do others.

An insurance and financial services company discovered its sales force had slowly become out of control. To promote sales, the sales force developed their own training material that was not authorized by the company. The sales force was increasingly dishonest with customers and told them to ignore notices from the company about premiums. Further, they asked customers to sign blank withdrawal forms, which allowed the sales team to withdraw funds from the customers’ accounts. Simultaneously, the company also faced risks related to industry trends that indicated a shrinking market in one of their key product areas. It is probable that the broader industry trends and declining market were the root cause of the pressure on the sales force and marketing areas. The company responded by hiring a new CEO with expertise in areas into which the company wanted to expand. Additionally, the company adopted new sales and marketing policies to control the risk of the sales force misleading customers by using unauthorized advertising and training material. The company also implemented customer support lines to help resolve disputes with customers and engaged independent industry organizations to verify with customers that they were knowledgeable about what they had purchased.

EXHIBIT 12: COLOR-CODED RISK MAP

[9×9 grid] Horizontal axis: Likelihood, 1 to 9. Vertical axis: Impact, 1 to 9. Cells are shaded into a Green Zone (low likelihood and impact), a Yellow Zone (moderate), and a Red Zone (high likelihood and impact).

Communicate and Monitor
Organizations are generally involved in distributed risk taking as each operating unit faces risk in pursuing its profit objectives and goals to grow its piece of the business. The desired outcome for ERM is not that organizations become risk averse, but that proactive, risk-based decision making is fostered at all levels of the organization and managers knowingly and intentionally take risk while utilizing appropriate risk indicators. Accordingly, communication of risk-related information must flow down, across, and up the organization. As illustrated in Exhibit 13, summary reports of risk assessments at the division or function level provide senior management with valuable information on how middle management views the top risks facing the organization.

Ongoing monitoring with key performance indicators (KPIs) and key risk indicators (KRIs) occurs in well-managed organizations as a normal course of conducting business. Under ERM, monitoring is enhanced by incorporating information on risk identification and assessment and identifying the owners of specific risks. Monitoring is discussed further in the next section.

VIII. INTEGRATING ERM INTO ONGOING MANAGEMENT ACTIVITIES

The business environment is constantly changing. Consequently, implementing ERM is a continuous process much like the organization’s strategy that ERM helps to achieve. Sustaining ERM requires constant attention by C-level executives, and integration into ongoing management initiatives stresses its importance to associates at all levels. When ERM is seen as sound business management rather than “the management fad of the month,” it becomes an integral part of the organization’s “DNA.” Some of the opportunities for integrating ERM in ongoing management activities include:

• Strategic planning;
• Balanced Scorecard (BSC);
• Budgeting;
• Total Quality Management and Six Sigma;
• Business continuity (crisis management);
• Corporate governance; and
• Risk disclosures.

EXHIBIT 13: FUNCTIONAL RISK ASSESSMENT SUMMARY

Comparison of Functional Risk Assessments (Corporate Risk Assessment 2000/2001). Risk categories: 1. External Environment; 2. Customer (Internal & External) Needs; 3. Culture; 4. Operations; 5. Communications; 6. Security; 7. Human Resource; 8. Information Availability/Processing/Technology; 9. Financial; 10. Legal/Compliance; 11. Management and Monitoring of Operation. Compared across Function #1 through Function #15.

Source: Paul L. Walker, William G. Shenkir, and Thomas L. Barton, Enterprise Risk Management: Pulling It All Together, The Institute of Internal Auditors Research Foundation, 2002, p. 45.

The relationship between strategic planning, the balanced scorecard, and budgeting is shown in Exhibit 15.

Strategic Planning

The COSO definition of ERM states that ERM is part of strategy setting. ERM and strategy setting should be viewed as complementing each other and not as independent activities. If strategy is formulated without identifying the risks embedded in the strategy and assessing and managing those risks, the strategy is incomplete and at risk of failure. Similarly, if ERM does not begin with holistically identifying risks related to the company’s strategy, the effort will be incomplete by failing to identify some very important risks. Mismanagement of strategic risks has been shown to be the cause for loss of major shareholder value, as pointed out by the following two studies:

A study by Mercer Management Consulting analyzed the value collapses in the Fortune 1,000 during 1993-1998.4 The analysis found that 10% of the Fortune 1,000 lost 25% of shareholder value within a one-month period. Mercer traced the collapses back to their root causes and found that 58% of the losses were triggered by strategic risk, 31% by operational risk, and 6% by financial risk. Hazard risk did not cause any of the decrease in shareholder value. A more recent study by Booz Allen Hamilton analyzed 1,200 firms during 1999-2003 with market capitalizations greater than $1 billion.5 The poorest performers were identified as companies that trailed the lowest-performing index for that period, which was the S&P 500. The primary events triggering the loss of shareholder value were strategic and operational failures. Of the 360 worst performers in the study, 87% of value destruction suffered by these companies related to strategic and operational mismanagement.

EXHIBIT 14: LINKING OBJECTIVES, EVENTS, RISK ASSESSMENT, AND RISK RESPONSE

Operations objective:
• Hire 180 new qualified staff across all manufacturing divisions to meet customer demand without overstaffing
• Maintain 22% staff cost per dollar order

Objective unit of measure: Number of new qualified staff hired

Tolerance: 165–200 new qualified staff, with staff cost between 20% and 23% per dollar order

Risk: Decreasing number of qualified candidates available
Inherent risk assessment: Likelihood 20%; Impact 10% reduction in hiring → 18 unfilled positions
Risk response: Contract in place with a third party hiring agency to source candidates
Residual risk assessment: Likelihood 10%; Impact 10% reduction in hiring → 18 unfilled positions

Risk: Unacceptable variability in our hiring process
Inherent risk assessment: Likelihood 30%; Impact 5% reduction in hiring due to poor candidate screenings → 9 unfilled positions
Risk response: Review of hiring process conducted every two years
Residual risk assessment: Likelihood 20%; Impact 2% reduction in hiring due to poor candidate screenings → 4 unfilled positions

Alignment with risk tolerance: Response expected to bring company within risk tolerance

Source: COSO, Enterprise Risk Management—Integrated Framework: Application Techniques, New York, 2004, p. 56.

4 Economist Intelligence, Enterprise Risk Management—Implementing New Solutions, The Economist Intelligent Unit, New York, 2001, p. 8.

5 Paul Kocourek, Reggie Van Lee, Chris Kelly, and Jim Newfrock, “Too Much SOX Can Kill You,” Strategy+Business, Reprint, January 2004, pp. 1-5.

EXHIBIT 15: STRATEGY, THE BALANCED SCORECARD, AND THE BUDGET

Diagram linking Strategy, Balanced Scorecard, Budget, and Operations, with the connecting labels Revise the Strategy, Revise the Scorecard, Allocate, and Review.

Source: Adapted from Robert S. Kaplan and David P. Norton, The Strategy-Focused Organization, Harvard Business School Press, Boston, Mass., 2001, p. 275.


When formulating the company’s strategy, top management analyzes its strategic alternatives and identifies events that could threaten their achievement. As the risks embedded in each strategic alternative are identified and placed on a risk map, the alternative can be evaluated against the organization’s capabilities and how it aligns with the risk appetite. Some strategies might be outside the risk appetite of the company, and a decision is made not to pursue them—a decision to avoid the risk. Other strategies may be very risky but can be managed and monitored carefully and, thus, will be pursued—a decision to accept the risk. Another strategy may be risky, but the decision is made to pursue it through a joint venture—a decision to share the risk. Still another alternative strategy with considerable risk embedded in it might be pursued incrementally—a decision to reduce the risk. Strategy formulation is enhanced by ERM because risks are identified and the strategic alternatives are assessed given the company’s risk appetite. In turn, without a well-articulated strategy, the foundation for implementing ERM is insufficient. Viewing the two together forms the basis for a strategy-risk-focused organization. For example, the front-end of the strategy formulation process is typically an environmental scan. Performed comprehensively, this scan reveals risks and opportunities.

Balanced Scorecard

The Balanced Scorecard (BSC) is a tool for communicating and cascading the company’s strategy throughout the organization. The conventional BSC captures the company’s strategy in four key perspectives:

• Customer;
• Internal;
• Innovation and learning; and
• Financial.

Combining the BSC with ERM can enhance performance management. In the BSC, objectives are identified for each of the perspectives, and, as noted previously, ERM begins with an understanding of objectives. For each BSC perspective, metrics (KPIs) are selected and stretch targets are set. ERM adds value to the BSC through the identification of events (risks) that could stand in the way of achieving the targets in each of the four perspectives. By monitoring the KPIs, management can assess how effectively their risk mitigation efforts are working. In effect, the KPIs for each perspective also serve as key risk indicators (KRIs), although they are not initially selected for that purpose. For example, if a target for customer satisfaction is not achieved, it suggests that some risks related to the item exist. The same metric can be used for monitoring both strategy and risk.

The conventional BSC can be integrated with ERM to manage and monitor risk related to the strategic objectives. Using a risk scorecard for the key risks identified in each of the BSC perspectives is a way to assign responsibility for managing the risk. As shown in Exhibit 16, the special risk scorecard begins with the articulation of the specific objectives for the particular perspective. Next, for each of those objectives, the key risks are identified along with suggested control processes. The focus area identifies the risks as strategic, operational, or financial. Management’s self assessment of its risk mitigation actions is shown in the worksheet by asking: “Is it in place? If so, how effective is it?” The last column focuses on identifying the owner of the risk, who will be held accountable for managing it. Maintaining the risk scorecard on the company’s intranet allows management to review the scorecard at any time, adding strength to the accountability for the management of the risk.


Budgeting

A company’s budget reflects the current-year financial commitment to achieve the organization’s long-term strategy. The annual budget can be integrated with ERM to provide insights on what the strategic business unit’s leadership sees as the threats to meeting its financial plan. In the conventional budgeting process, the leadership of the strategic business unit presents its profit plan to senior management, who probe and ask questions to uncover the risks implicit in the numbers.

A risk map presented with the unit’s budget provides information to senior management on what the major threats are to meeting the financial plan for the year. The risk map gives senior management a point of departure in the budget review process without having to waste time uncovering the implicit budget risks. Operating units should know their risks if they are to have any chance of accomplishing the plan. An additional benefit of including a risk map on the budget risks is that, as the various budgets and risk maps are reviewed by senior management, they can compare the risks they have identified in the strategic plan with those identified by the operating units. Any disparities in how the two groups perceive the risks facing the organization can be analyzed further.

When a risk map accompanies the budget, senior management can ask questions about the expenses in the budget that relate to risk mitigation decisions for the high impact/high likelihood risks (the red zone risks in Exhibit 12). If a decision was made not to mitigate certain risks, it also is important to understand the impact on the unit’s cost structure by taking that action. Another relevant issue is understanding to what extent the cost of mitigating or accepting a risk has been built into the price of the product or service. ERM coupled with the budget review process can enrich a discussion and lead to a better understanding of the threats standing in the way of making budget.

EXHIBIT 16: BALANCED SCORECARD AND STRATEGIC RISK ASSESSMENT

Learning and Growth Objectives

Worksheet columns: No.; Objective; Risk No.; Risk; Focus Area; Suggested Control Processes; Mitigation Process (In Place, Effectiveness*, Comments); Owner of Corrective Action.

*Effectiveness Rating: 1 to 10, with 10 being very effective.

Total Quality Management and Six Sigma

Quality initiatives focus on improving the efficiency and effectiveness of detailed processes. ERM requires clarity of objectives at all levels of the enterprise, and the objectives of specific processes can be addressed by utilizing quality tools and methodologies. When an organization has implemented a quality initiative, information is available on detailed processes. In turn, this information can be evaluated within the larger context of the enterprise to identify risks in an ERM implementation. Also, quality initiatives can provide information on planning the mitigation action for a process risk. The process risk owner and source of the risk should be identified when implementing the quality initiative. This information should be insightful in treating the inherent risk with some control mitigation action. Once the control is implemented, the gap between the inherent risk and residual risk should be clearly evident.6

Business Continuity (Crisis Management)

Regardless of how robust the effort of risk identification is, some unknown risks will remain unknown at the end of the process. A company prepares for these unknown risks through its business continuity, or crisis management, plan—an essential element of the ERM process.

A crisis is a point at one end of a continuum, with risks at the other end. With Internet-based new media like bloggers, message boards, chat rooms, e-mailing lists, and independent news websites, a company must be prepared to recognize a crisis and respond swiftly to contain it before damage is done to its reputation and brands. A company will need to “play war games” to test the crisis management plan and ensure that all the key employees know their roles. In addition, an essential part of the preparation is communication about the plan to the entire workforce in advance of a crisis.

When a crisis occurs, it does not evolve in a linear way: If it is not recognized quickly and if efforts are not made to contain it, a series of reactions and events in other areas either within and/or outside the organization may be triggered. Exhibit 17 shows the “triggering or ballooning” impact of a crisis and how it may develop exponentially. As an example, a major company sold some contaminated product in two countries that caused some users to become ill. A failure by the company to recognize the crisis quickly led the governments of the two countries to pull the product from store shelves. After some delay, the CEO traveled from the U.S. to the countries and eventually apologized publicly. The damage was done, however, as the company’s stock price fell, and the CEO was eventually replaced.

Corporate Governance

ERM ties in closely with corporate governance because it:

• Improves information flows between the company and the board regarding risks;
• Enhances discussions of strategy and the related risks between executives and the board;
• Monitors key risks by accountants and management with reports to the board;
• Identifies acceptable levels of risks to be taken and assumed;
• Focuses management on the risks identified;
• Improves disclosures to stakeholders about risks taken and risks yet to be managed;
• Reassures the board that management no longer manages risk in silos; and
• Knows which of the organization’s objectives is at greatest risk.

6 Protiviti, Guide to Enterprise Risk Management, 2006, p. 106.

As noted in the list, the flow of risk information to the board is critical in improving corporate governance. For example, a major U.S. retailer presents its risk maps to its audit committee to keep the committee members fully informed. It also communicates to the audit committee its action plans for the risks and how those risks are monitored. Finally, it informs the audit committee on how the risk assessment and metrics used to monitor the risk relate to shareholder value measurements.

Another example of how risk information enhances corporate governance is from a not-for-profit organization. This entity analyzes risks by division and by the top 100 executives. The results of this risk analysis are discussed with the organization’s board and top executives, who also use the risk information as an input into their strategic planning. This organization identifies any risks over a specified materiality or risk tolerance level and requires automatic reporting to the board as well as development of an action plan by the division manager who owns that risk.

The Board and Stock Exchanges

The corporate governance rules of the New York Stock Exchange (NYSE), which were approved by the SEC on November 4, 2003, incorporate elements of risk assessment and management into the listing requirements. The NYSE rules state that it is the audit committee’s responsibility to discuss the company’s policies with respect to risk assessment and risk management. In commentary on this requirement, the governance rules note that the job of the CEO and senior management includes assessing and managing risk. Additionally, the NYSE rules state that the audit committee of the board should discuss policies with the CEO and senior management that govern the risk process.

EXHIBIT 17: RISK/CRISIS ACCELERATION

Diagram plotting Impact against Likelihood, with Mass and Acceleration labels, showing three stages: A. Risk Occurrence; B. Crisis Occurrence – Gathering Storm; C. Crisis Occurrence – Catastrophic Force.

Source: Paul L. Walker, William G. Shenkir, and Thomas L. Barton, Enterprise Risk Management: Pulling It All Together, The Institute of Internal Auditors Research Foundation, 2002, p. 100.

The NASDAQ exchange also issued new rules of governance for listed companies, which were approved by the SEC. NASDAQ stated that its goals for corporate governance enhancement included empowering shareholders and enhancing disclosure. NASDAQ’s corporate governance requirements address distribution of reports, independent directors, audit committees, shareholder meetings, quorums, solicitation of proxies, conflicts of interests, shareholder approval, stockholder voting rights, and codes of conduct. NASDAQ did not incorporate risk or an ERM process into its listing requirements, however.

Risk Disclosures

Increasingly, companies are disclosing more information about the risks they face. In some instances, this risk information is the result of new regulatory requirements. In others, it is a management decision.

Proxy Statements

Currently, no disclosures about risk management infrastructure, processes, or management and board responsibility in the area of risk are required in proxy statements. Disclosures in the audit committee charter, however, may mention “business risk and control” or indicate that the audit committee is asking the following groups about significant risks: executive management, the CFO, and the independent accountant.

Management’s Discussion and Analysis

“Meaningful disclosures” was the purpose of the 2003 guidance by the SEC on the Management’s Discussion and Analysis (MD&A) section of Form 10-K. According to the SEC, a good MD&A section should help an investor see material opportunities, challenges, and risks for both the short and long term. Further, the company should discuss actions taken related to these opportunities and risks. The SEC added that this information may not be accounting information necessarily, but it instead might be nonfinancial information. Nonfinancial information related to opportunities and risks could be key indicators, key variables, time-to-market, or information on customer satisfaction, employee retention, or business strategy. The ERM process and the management accountant could be a valuable source for gathering and reporting the potential implications of this information.

10-K Item 1A—Risk Factor Disclosures

Effective December 1, 2005, SEC rules mandate “risk factor disclosure” in item 1A of the company’s Form 10-K. Companies are also required to issue quarterly updates for material changes in the risk factors. The SEC noted that some companies already disclosed some risk related to forward-looking statements, but it is mandating that every company identify risk factors explicitly. The risk factor disclosures are to be based on “an evaluation of the material risks facing the issuer.” As such, companies have to know and evaluate their risks. The SEC believes these new disclosures are not too burdensome because companies will have internal controls over financial reporting and disclosure controls and procedures already in place.

Other Voluntary Disclosures

Even if the above disclosures are made by companies, this does not mean that a company actively and continuously manages its risks as part of its strategic and operational planning processes. Boards, shareholders, and other stakeholders should want to know more about a company’s ERM process. This applies to public or private organizations.


Some companies publicly disclose that they have an ERM process. Other companies disclose that they have a risk committee, CRO, or risk infrastructure. Still others disclose software they are using for ERM. One biotech company discloses key process/operational risks in addition to other risk factors and explains how those risks fit into ERM. They further disclose how they are measuring and managing the risks.

IX. TRANSITIONING FROM SOX TO ERM

Companies have incurred significant costs to comply with the Sarbanes-Oxley legislation, especially Section 404. Although most large companies comply, their efforts may not be cost effective from the shareholders’ perspective. Additionally, some smaller publicly traded companies are delisting or threatening to delist to avoid regulation. The SEC is in the process of developing risk-based, practical management assessment guidance to help fix this problem, which impacts shareholder value and U.S. global competitiveness. It would seem a natural fit for ERM to be considered more actively as part of the solution for a risk-based compliance solution, whether it be the COSO ERM framework, IMA’s guidance approach, or an alternative approach. Stronger internal controls, more effective corporate governance, and implementation of ERM can lead to improved stability, reaction time, and increased shareholder value. A risk-based approach can help reduce the number of key controls that companies are testing and documenting, significantly lowering the cost of compliance.

Many companies created large, full-time internal staffs to focus on SOX compliance and work with the independent auditors. They also report some marginal decreases in compliance costs and related headcount. These resources going forward could be directed to an ERM program, which addresses risks more holistically than that required by SOX. The key, however, is properly trained and certified specialists who are knowledgeable in all aspects of ERM.

Companies that have implemented SOX and Section 404 compliance efforts have learned how to identify important financial statement accounts and disclosures, how to design effective control systems, and how to test those systems. They have also learned that excessive controls can be just as bad as no controls. Section 404 requires a company to identify and manage the risks related to financial reporting. Audit committees have now become accustomed to discussing these financial reporting risks.

Audit committees and the entire board of directors should now take the next step and expand into ERM. There is even more to be gained by managing all risk, not just financial reporting risk. Given that most financial reporting failures are business failures first, it should come as no surprise that ERM not only adds shareholder value, but it also leads to better communication with stakeholders and possibly fewer business failures.

X. CONCLUSION

ERM is a powerful management tool, but successful implementation requires champions at the C-level and education and training for managers and associates at all levels of the organization, including the board. In today’s risky world, companies can no longer rely on a silo approach to risk management. An integrated and holistic perspective of all the risks facing the organization is needed. A risk-centric organization does not avoid risks, but rather it knowingly takes risks aligned with its risk appetite.

Integration of ERM with ongoing management activities serves to embed risk management throughout a company. As companies attempt to implement ERM, some best practices (presented in Exhibit 18) can be a valuable reference. ERM is essential in today’s business environment, where companies are required to disclose risk factors in the financial reports and the board of directors regularly questions top management about the company’s risk.


1. Engaged senior management and board of directors that set “the tone from the top” and provide organizational support and resources.

2. Independent ERM function under the leadership of chief risk officer (CRO), who reports directly to the CEO with a dotted line to the board.

3. Top-down governance structure with risk committees at the management and board levels, reinforced by internal and external audit.

4. Established ERM framework that incorporates all of the company’s key risks: strategic risk, business risk, operational risk, market risk, and credit risk.

5. A risk-aware culture fostered by a common language, training, and education, as well as risk-adjusted measures of success and incentives.

6. Written policies with specific risk limits and business boundaries, which collectively represent the risk appetite of the company.

7. An ERM dashboard technology and reporting capability that integrates key quantitative risk metrics and qualitative risk assessments.

8. Robust risk analytics to measure risk concentrations and interdependencies, such as scenario and simulation models.

9. Integration of ERM in strategic planning, business processes, and performance measurement.

10. Optimization of the company’s risk-adjusted profitability via risk-based product pricing, capital management, and risk-transfer strategies.

EXHIBIT 18: HALLMARKS OF BEST-PRACTICE ERM

Source: James Lam & Associates Inc., “Hallmarks of Best-Practice ERM,” Financial Executive, January/February 2005, p. 38.


GLOSSARY

Impact – The significance of a risk to an organization. Impact captures the importance of the risk. It can be measured quantitatively or qualitatively.

Inherent Risk – The level of risk that resides with an event or process prior to management taking a mitigation action.

Likelihood – An estimate of the chance or probability of a risk event occurring.

Opportunity – The upside of risks.

Residual Risk – The level of risk that remains after management has taken action to mitigate the risk.

Risk – Any event or action that can keep an organization from achieving its objectives.

Risk Appetite – The overall level of risk an organization is willing to accept given its capabilities and the expectations of its stakeholders.

Risk Tolerance – The level of risk an organization is willing to accept around specific objectives. Risk tolerance is a narrower level than risk appetite.

B IBL IOGRAPHYAmerican Institute of Certified Public Accountants

(AICPA) and Canadian Institute of CharteredAccountants (CICA), Managing Risk in the NewEconomy, AICPA, New York, 2000.

Augustine, N.R., “Managing the Crisis You Triedto Prevent,” Harvard Business Review,November-December 1995, pp. 147-158.

Barton, Thomas L., William G. Shenkir, and PaulL. Walker, Making Enterprise RiskManagement Pay Off, Financial ExecutivesResearch Foundation, Upper Saddle River,N.J., 2001.

Barton, Thomas L., William G. Shenkir, and PaulL. Walker, “Managing Risk: An Enterprise-wide Approach,” Financial Executive, March-April 2001, pp. 48-51.

Basel Committee on Banking Supervision,International Convergence of CapitalMeasurement and Capital Standards, ARevised Framework, June 2004.

Bernstein, P.L., Against the Gods: The RemarkableStory of Risk, John Wiley & Sons, Inc., NewYork, 1996.

Bodine, S., A. Pugliese, and P.L. Walker, “A RoadMap to Risk Management,” Journal ofAccountancy, December 2001.

Brancato, Carolyn, Enterprise Risk Management:Beyond the Balanced Scorecard, TheConference Board, New York, 2005.

Burns, Judith, “Everything You Need to KnowAbout Corporate Governance…,” The WallStreet Journal, October 27, 2003, p. R6.

Byrne, John, “Joseph Berardino (Cover Story),”Business Week, August 12, 2002, pp. 51-56.

Committee of Sponsoring Organizations of theTreadway Commission (COSO), InternalControl—Integrated Framework: ExecutiveSummary Framework, Reproduced with per-mission from the AICPA acting as authorizedcopyright administrator for COSO, New York,1992.

COSO, Enterprise Risk Management—Integrated Framework: Executive Summary, reproduced with permission from the AICPA acting as authorized copyright administrator for COSO, New York, 2004.

COSO, Enterprise Risk Management—Integrated Framework: Application Techniques, AICPA, New York, 2004.

Corporate Executive Board, Confronting Operational Risk—Toward an Integrated Management Approach, Corporate Executive Board, Washington, D.C., 2000.

DeLoach, J.W., Enterprise-wide Risk Management: Strategies for Linking Risk and Opportunity, Financial Times, London, 2000.


Deloitte & Touche LLP, Perspectives on Risk for Boards of Directors, Audit Committees, and Management, Deloitte Touche Tohmatsu International, 1997.

Economist Intelligence Unit, Managing Business Risks—An Integrated Approach, The Economist Intelligence Unit, New York, 1995.

Economist Intelligence Unit, Enterprise Risk Management—Implementing New Solutions, The Economist Intelligence Unit, New York, 2001.

Emen, Michael S., Corporate Governance: The View from NASDAQ, NASDAQ, 2004.

Epstein, Marc J., and Adriana Rejc, Identifying, Measuring, and Managing Organizational Risks for Improved Performance, Society of Management Accountants of Canada and AICPA, 2005.

Federation of European Risk Management Associations, A Risk Management Standard, 2003.

Financial and Management Accounting Committee of the International Federation of Accountants (IFAC), prepared by PricewaterhouseCoopers, Enhancing Shareholder Wealth by Better Managing Business Risk, IFAC, New York, 1999.

Financial Reporting Council, The Combined Code on Corporate Governance, 2003.

Financial Reporting Council, Internal Control: Revised Guidance for Directors on the Combined Code, 2005.

Gates, Stephen, and Ellen Hexter, From Risk Management to Risk Strategy, The Conference Board, New York, 2005.

Gibbs, Everett, and Jim DeLoach, “Which Comes First…Managing Risk or Strategy-Setting? Both,” Financial Executive, February 2006, pp. 35-39.

Hands On, “Risk Management Issues for Privately Held Companies,” ACC Docket, May 2006, pp. 76-88.

King Committee on Corporate Governance, King Report on Corporate Governance for South Africa, Institute of Directors in Southern Africa, 2002.

Institute of Chartered Accountants in England and Wales, No Surprises: The Case for Better Risk Reporting, 1999 (reproduced with permission of the Institute of Chartered Accountants in England and Wales).

Institute of Management Accountants (IMA), “IMA Announces Bold Steps to ‘Get it Right’ on Sarbanes-Oxley Compliance,” December 21, 2005.

IMA, “A Global Perspective on Assessing Internal Control over Financial Reporting (ICoFR),” Discussion Draft for Comment, September 2006.

James Lam & Associates Inc., “Hallmarks of Best-Practice ERM,” Financial Executive, January/February 2005, p. 38.

Joint Standards Australia/Standards New Zealand Committee, Risk Management, Standards Australia/Standards New Zealand, 2004.

Joint Standards Australia/Standards New Zealand Committee, Risk Management Guidelines, Standards Australia/Standards New Zealand, 2004.

Kaplan, Robert S., and David P. Norton, “The Balanced Scorecard—Measures that Drive Performance,” Harvard Business Review, January-February 1992, pp. 71-79.

Kaplan, Robert S., and David P. Norton, “Putting the Balanced Scorecard to Work,” Harvard Business Review, September-October 1993, pp. 134-147.

Kaplan, Robert S., and David P. Norton, The Balanced Scorecard, Harvard Business School Press, Boston, Mass., 1996.

Kaplan, Robert S., and David P. Norton, The Strategy-Focused Organization, Harvard Business School Press, Boston, Mass., 2001.


Kocourek, Paul, Reggie Van Lee, Chris Kelly, and Jim Newfrock, “Too Much SOX Can Kill You,” Strategy+Business, Reprint, January 2004, pp. 1-5.

McNamee, D., and G.M. Selim, Risk Management: Changing the Internal Auditor’s Paradigm, The Institute of Internal Auditors Research Foundation, Altamonte Springs, Fla., 1998.

Miccolis, J.A., K. Hively, and B.W. Merkley, Enterprise Risk Management: Trends and Emerging Practices, The Institute of Internal Auditors Research Foundation, Altamonte Springs, Fla., 2001.

Nagumo, T., “Aligning Enterprise Risk Management with Strategy through the BSC: The Bank of Tokyo-Mitsubishi Approach,” Balanced Scorecard Report, Harvard Business School Publishing, Reprint No. B0509D, September-October 2005, pp. 1-6.

Nagumo, T., and Barnby S. Donlon, “Integrating the Balanced Scorecard and COSO ERM Framework,” Cost Management, July/August 2006, pp. 20-30.

National Association of Corporate Directors, Report of the NACD Blue Ribbon Commission on Audit Committees—A Practical Guide, 1999.

New York Stock Exchange (NYSE), Final NYSE Corporate Governance Rules, November 4, 2003.

Nottingham, L., A Conceptual Framework for Integrated Risk Management, The Conference Board of Canada, 1997.

Oversight Systems, “The 2006 Oversight Systems Financial Executive Report on Risk Management,” 2006.

Protiviti, U.S. Risk Barometer—Survey of C-Level Executives with the Nation’s Largest Companies, 2005.

Protiviti, Guide to Enterprise Risk Management, 2006.

Protiviti, Guide to Enterprise Risk Management: Frequently Asked Questions, 2006.

Sarbanes-Oxley Act of 2002, H.R. 3763.

Schwartz, Peter, The Art of the Long View, Currency Doubleday, New York, 1991.

Shaw, Helen, “The Trouble with COSO,” CFO, March 15, 2006, pp. 1-4.

Shenkir, W., and Paul L. Walker, “Enterprise Risk Management and the Strategy-Risk-Focused Organization,” Cost Management, May-June 2006, pp. 32-38.

Simons, Robert L., “Control in an Age of Empowerment,” Harvard Business Review, March-April 1995, pp. 80-88.

Simons, Robert L., “How Risky Is Your Company?” Harvard Business Review, May-June 1999, pp. 85-94.

Slywotzky, Adrian J., and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Reprint R0504E, April 2005, pp. 1-12.

Smith, Carl, “Internal Controls,” Strategic Finance, March 2006, p. 6.

Smith, Wendy K., and Richard S. Tedlow, “James Burke: A Career in American Business (A)(B),” Harvard Business School Cases 9-389-177 and 9-390-030, Harvard Business School Publishing, 1989.

Smutniak, John, “Living Dangerously: A Survey of Risk,” The Economist, January 24, 2004, pp. 1-15.

Standard and Poor’s, Criteria: Assessing Enterprise Risk Management Practices of Financial Institutions: Rating Criteria and Best Practices, September 22, 2006.

Standard and Poor’s, Insurance Criteria: Refining the Focus of Insurer Enterprise Risk Management Criteria, June 2, 2006.

Stroh, Patrick, “Enterprise Risk Management at UnitedHealth Group,” Strategic Finance, July 2005, pp. 27-35.


Thornton, Emily, “A Yardstick for Corporate Risk,” Business Week, August 26, 2002, pp. 106-108.

Treasury Board of Canada Secretariat, Integrated Risk Management Framework, 2001.

Treasury Board of Canada Secretariat, Integrated Risk Management Framework: A Report on Implementation Progress, 2003.

U.S. Securities and Exchange Commission (SEC), “Commission Guidance Regarding Management’s Discussion and Analysis of Financial Condition and Results of Operations,” Release No. 33-8350, December 19, 2003.

SEC, “Securities Offering Reform,” Release No. 33-8591, December 1, 2005.

Walker, Paul L., William G. Shenkir, and Thomas L. Barton, Enterprise Risk Management: Pulling It All Together, The Institute of Internal Auditors Research Foundation, 2002.

Walker, Paul L., William G. Shenkir, and Thomas L. Barton, “ERM in Practice,” Internal Auditor, August 2003, pp. 51-55.

Walker, Paul L., William G. Shenkir, and C. Stephen Hunn, “Developing Risk Skills: An Investigation of Business Risks and Controls at Prudential Insurance Company of America,” Issues in Accounting Education, May 2001, pp. 291-304.
