Enterprise risk management

An embedded enterprise risk management strategy will improve corporate governance and protect businesses

Written by Neil Hodge

Given the increased emphasis on strict compliance, better corporate governance and more effective risk management post-Sarbanes-Oxley, boards and senior management believe they need greater assurance that business risks are being identified and controlled. As a result, company spending on risk management is continuing to grow, especially with regulators now more keen to hand out stiffer financial penalties and seek criminal convictions.

According to accountants Ernst & Young’s latest report, Managing Risk Across the Enterprise: Building a comprehensive approach to risk, leading companies achieve a practical and balanced approach to risk through two main objectives: recognising the value of executing solid compliance and risk management activities to prevent most problems and to reduce their impact; and leveraging risk management activities to help them improve their business.

Main challenges
However, the report adds that companies face three key challenges in trying to implement an effective enterprise-wide risk management process:
• Risk assessments are carried out by numerous business and functional areas, sometimes overlapping, with little or no alignment, co-ordination or leverage;
• The company’s risk coverage activities, especially outside of financial reporting, may not focus on the most important areas because of limitations in the risk assessment process or through a shortage of appropriate skills to assess and monitor key risk areas; and
• The volume and disparity of risk reports from across the enterprise overwhelms directors and executives, who, as a result, feel apprehensive and exposed.

Risk premiums
But overcoming these challenges can pay dividends, says E&Y. According to the report, investors are willing to pay a premium for effective risk management. A survey carried out by the accountancy firm last year of 138 of the world’s largest institutional investors found that 82% are willing to pay a premium on share price for companies that demonstrate effective risk management practices.

Furthermore, says E&Y, ratings agencies have expanded their assessments within some regulated industries to include more qualitative factors around risk management. This is because both investors and ratings agencies believe that effective risk management is likely to improve corporate governance and compliance, as well as reduce earnings fluctuations through “governance surprises”, thereby increasing stakeholder confidence. Added to that, they believe that better strategic and financial decisions are made within companies when a structured consideration of risk is built into existing activities and is a key part of the decision-making process.

To improve risk assessment and risk management, E&Y – like the remaining Big Four firms and corporate governance associations – recommends that companies opt for an enterprise risk management (ERM) approach. This practical approach is based on a framework that embeds risk management in an organisation to help achieve its business objectives by protecting the business and helping the business perform more effectively. This framework assesses key risks and risk management performance and improves the way risks are managed.

Manage the risk
An enterprise risk management approach relies on three components:
1. Enterprise risk assessment
The organisation builds a clear picture of its most significant risks.
2. Risk management performance assessment
The organisation carries out a risk management performance assessment to determine if the level of risk management performance across the organisation is appropriate.
3. Building a comprehensive approach to risk
The organisation identifies areas where its focus on identifying and controlling risk needs to be improved and decides how these improvements should be carried out.

This is achieved by:
• Embedding enhanced activities to manage risk within existing functions and processes;
• Enhancing framework components that support co-ordination and alignment; and
• Developing plans to improve and monitor significant risks.

An enterprise risk management approach will only succeed if it is embedded throughout the organisation and becomes part of the company’s usual compliance and defence mechanisms. It also depends on the effectiveness of executive management, the board and the audit and risk committees to oversee that the strategy is taking hold.

E&Y says that an effective ERM framework has four defence layers that create a network of risk management activity across the organisation. These are:
• Business operations – These groups manage risk as a part of everyday activities and serve as the first line of defence against risk;
• Support – This group may have primary ownership of certain entity-level risks, but it also provides risk management support for other groups. These support functions form the second line of defence and back up business operations that are faced with significant risk;
• Monitoring and risk functions – This group provides guidance to the business operations and support functions on how to improve the effectiveness and efficiency of risk management and control activities. It confirms that risk management is being discharged effectively within the business operations and support functions; and
• Oversight – Made up of the board, executive management and the audit and risk committees, this group has the highest level of accountability for risk management within the organisation and assures stakeholders that ultimate responsibility for sound corporate governance and risk management stays at the top of the organisation. Executive management is responsible for proper management of risk across the organisation, while the board oversees its efforts to manage risk effectively on behalf of the organisation’s stakeholders.

Useful links
To read a copy of the E&Y report, go to www.ey.com, then click on the issues & perspectives drop down menu and select overview, then risk.

For more on enterprise risk management, go to www.aon.com and click on the business solutions drop down menu.
