Chief risk officer
A generic term for the senior risk professional engaged in ERM in an enterprise; distinct from “Chief Risk Officer,” a title given to some risk professionals who report to senior management.
1-1. Explain the difference between traditional risk management and ERM.
Traditional risk management (RM) considers only the hazard and operational risks that can affect an organization; it considers pure risk only and seeks to prevent or reduce risks related solely to losses.
Enterprise-wide risk management (ERM) expands an organization’s risk focus to include financial and strategic risk, allowing it to account for all eventualities that can affect its ability to achieve its goals; it considers both pure and speculative risk and seeks to optimize risk taking in relationship to strategic goals.
1-2. List the four areas in which traditional risk management differs from ERM.
These are the four areas in which traditional risk management differs from ERM:
– Risk categories: pure risk for loss prevention (RM) vs pure and speculative risk for optimization of risk taking (ERM)
– Strategic integration: involvement only in the elements of the organization’s strategy that deal with pure risk and hazard risk (RM) vs linking risk to the entire enterprise strategy to address all risks together: financial, strategic, operational, hazard, and other risk (ERM)
– Performance metrics: can be measured both as an activity and as a result (RM) vs searching for the equilibrium between risk and outcome in relationship to strategic goals (ERM)
– Organizational structure: responsibility for pure risk management may be localized within a risk management department as a central authority (RM) vs risk management responsibility decentralized and integrated into all levels of the organization, or a chief risk officer who engages the organization’s management to establish strategic risk goals and engages all stakeholders (ERM)
1-3. Describe two categories of risk (pure risk) associated with traditional risk management.
These are two categories of risk (pure risk) associated with traditional risk management:
– Hazard risks are pure risks that include damage to property from perils such as fire and explosion or losses stemming from accidents and injuries to employees or customers.
– Operational risks are pure risks that arise out of service, processing, or manufacturing activities.
1-4. Describe two categories of risk specifically associated with ERM.
These are two categories of risk specifically associated with ERM:
– Financial risks, which include interest rate risk, competitive risk, inflation, and market-timing risk, among others
– Strategic risks, which include management decisions regarding new products, emerging competitors, and planning issues
1-5. Provide an example of an upside risk.
An upside risk is the risk that the organization will outperform its strategic goals. Examples of upside risk include situations in which a business venture experiences an unexpected increase in revenue or market share. Such changes can present the organization with both opportunities and threats.
1-6. Explain how ERM’s strategic integration varies from traditional risk management.
Traditional risk management is normally involved only in the elements of the organization’s strategy that deal with pure risk and hazard risk.
By linking risk to the entire enterprise (ERM), the organization decouples its financial, strategic, operational, hazard, and other risks from individual operational silos and addresses them within strategy as a whole. Thus, ERM considers the global array of risks that affect the organization.
1-7. Explain how ERM differs from traditional risk management with regard to organizational structure.
The traditional risk manager (RM) generally reports to an organizational department such as finance, operations, or legal; responsibility for pure risk management may be localized within a risk management department as a central authority.
In ERM, risk management responsibility is decentralized and integrated into all levels of the organization.
1-8. Explain the role of the chief risk officer in an organization’s strategic process.
The chief risk officer may report to the CEO or the board of directors, acts as a facilitator of and educator about the ERM process, and serves as a coach to other risk owners in the enterprise. The chief risk officer’s responsibility in the strategic process is to help the organization develop tools that identify and manage events and perils that may cause variation from the achievement of specific strategic goals.
1-9. Explain the iterative and recursive process of ERM.
The process of ERM is both iterative and recursive — iterative in that the risk management process is engaged to identify and manage each discoverable risk, and recursive in that the risk management process is revisited regularly to maintain its optimization in relationship to strategic goals.
The core aspects of an organization, including its vision, mission, strategies, infrastructure, policies, offerings, and processes.
2-1. An organization develops ERM goals as the first step in integrating ERM into its strategic planning. What types of considerations are included in an organization’s ERM goals?
Annually, the board and executive team develop or review the organization’s vision statement, mission statement, strategic objectives, and financial projections to develop the organization’s ERM goals. Goals are based on several considerations:
– The organization’s risk appetite
– Why the organization is establishing the ERM program
– The business or organizational need for an ERM program
– The intended scope of the ERM program
– How ERM will assist the organization in meeting its strategic goals
– How the organization defines ERM
– Whether the organization has a function- or department-focused culture or a collaborative culture, and how that will affect ERM implementation
2-2. What is the purpose of an organization’s board and executive team assessment of risks as they relate to the organization’s mission, strategies, and goals?
An organization’s board and executives assess risks to identify threats that can undermine the organization and to identify opportunities that can benefit it. These risks involve changes in competition, customer demographics or behaviors, technology, the economy, politics and regulation, and the ability to meet regulatory requirements. Each risk to strategy should be considered because it may affect the organization’s success and sustainability.
2-3. Possible treatments for risks to an organization’s strategy include some traditional risk management treatments, such as avoidance and transfer. What additional treatments are applied to ERM?
Practical techniques for treating risks to strategy can be placed into these categories:
– Avoid — Use alternative approaches that eliminate the cause of the risk or its consequence
– Accept — Accept the risk by planning for ways to deal with the uncertainty if it occurs
– Transfer — Assign the responsibility to manage the risk to a third party
– Mitigate — Initiate activities to reduce the probability, impact, or timing of a risk event to an acceptable risk tolerance
– Optimize/exploit — Develop actions to optimize positive consequences to achieve gains
2-4. How do an organization’s executives monitor risks to its strategy?
Risks to strategy are periodically monitored by identifying trends, triggering events, and warning signs during the assessment phase for each risk identified. Information comes from a variety of sources, such as newsletters, regulatory announcements, and surveys. For risks that pose potentially high severity and likelihood, an organization may seek relationships with key individuals who are in a position to know when changes are imminent that could trigger conditions leading to an event. With such information, the organization can be prepared to launch treatments.
3-1. Summarize the two important benefits of the ERM approach.
An organization that has adopted an ERM approach monitors risks, threats, and opportunities that arise from many sources. This approach provides two important benefits:
– Enhanced decision making — enables an organization to quickly meet emerging marketplace challenges and provides several additional advantages, such as increased profitability or economic efficiency, reduced volatility, improved ability to meet strategic goals, and increased management accountability. An ERM approach allows an organization to systematically explore new opportunities for economic efficiencies while managing threats that stem from internal and external contexts.
– Improved risk communication — strong communication can also result in greater management consensus and improved acceptance by both internal and external stakeholders. ERM also encourages an organization to communicate its risk management approach widely across all of its layers. This includes making all managers aware of the need to identify obstacles that could interfere with achievement of the organization’s strategic goals.
3-2. Explain how an ERM approach increases profitability.
An ERM approach increases an organization’s profitability because it monitors systemic risks inherent in the organization that can adversely affect its long-term financial outlook. When an organization adopts an ERM approach, unexpected occurrences or variations cause much less disruption because the organization has already incorporated the possibility of such occurrences or variations into its decision-making process, allowing it to increase its profitability.
3-3. Explain how an ERM approach can result in reduced earnings volatility for an organization.
In addition to maintaining cash flows and balancing its budget, an organization must manage its cash flows to ensure an adequate pipeline of capital to meet challenges and to explore strategic growth opportunities. ERM provides a systematic framework that allows organizations to deploy capital through organization-wide decision making, which ultimately results in stable earnings projections to fund future projects.
3-4. Summarize how an ERM approach improves an organization’s ability to meet strategic goals.
An ERM approach improves an organization’s ability to meet strategic goals by providing for organization-wide involvement in the strategic formulation and decision-making process. This process examines factors in the internal and external environments to identify risks that would impede growth and achievement of established goals. ERM can minimize variation through thorough risk identification and assessment, thus improving the organization’s ability to meet its strategic goals.
3-5. Explain how the ERM process can lead to increased management accountability.
Those closest to a particular risk are in the best position to evaluate and manage it. The board and senior executives establish the organization’s overall mission, vision, and strategic goals, but each manager is responsible and accountable for decision making about risks within his or her individual unit. ERM increases management accountability, leading to improved corporate practices and greater managerial understanding of and consensus regarding corporate strategy.
3-6. Summarize how management consensus is achieved in an organization using an ERM approach.
ERM improves management consensus by creating a corporate culture that embraces risk as an additional component of each decision. By empowering all managers to consider risk optimization and the cost of risk, ERM provides them with complete information about the potential effects of a decision, including its downsides and upsides. This builds a sense of management consensus, as opposed to the traditional hierarchical model of management, in which a series of decisions is driven from the top down.
3-7. Describe how an ERM approach will improve an organization’s acceptance by internal and external stakeholders.
ERM improves acceptance by internal stakeholders by building a spirit of cooperation among management. Managers will build an understanding that the way they manage risk will have a positive impact on the organization, which, in turn, will benefit them personally. A strong ERM program also encourages the buy-in of an organization’s external stakeholders by establishing management strategies that protect the organization’s reputation and assets.
4-1. Describe the purpose and focus of ISO 31000:2009.
ISO 31000:2009 is a publication issued by the International Organization for Standardization. ISO 31000:2009 provides an international standard for risk management as well as a generic approach to risk management applicable within any industry sector. It focuses on commonly accepted principles, such as meeting goals and the importance of risk communication. Overall, the standard emphasizes that risk management is integral to an organization’s structures, strategies, and goals.
4-2. Excluding ISO 31000:2009, list four frameworks and standards that are recognized as best practices for risk management implementation.
Four other frameworks and standards are these:
– BS 31100 (British Standards Institution) has four goals: ensuring that an organization achieves its goals, ensuring that risks are managed in specific areas or activities, overseeing risk management in an organization, and providing “reasonable assurance” on an organization’s risk management.
– COSO II (Committee of Sponsoring Organizations of the Treadway Commission) defines ERM as a process driven from an organization’s board of directors that establishes an organization-wide strategy to manage risk within its risk appetite. Its intended audience is an organization of sufficient size to examine risk appetite at the board level.
– AS/NZS 4360 (Australian/New Zealand Standard for ERM) provides a wide range of organizations with only a broad overview of risk management; organizations are expected to interpret the guide in the context of their own environments and develop their own specific ERM approaches. It is accompanied by HB 436-2004 (Risk Management Guidelines) and HB 158-2006 (Delivering Assurance) to help auditors.
– FERMA (Federation of European Risk Management Associations) has these elements for public and private organizations: the establishment of consistent terminology, a process by which risk management can be executed, an organized risk management structure, and risk management goals. It recognizes risks’ upsides and downsides.
4-3. Differentiate between Basel II and Solvency II.
Basel II was issued by the Basel Committee on Banking Supervision in 2004. It establishes risk and capital management rules designed to ensure that a bank holds capital reserves appropriate to the risk the bank exposes itself to through its lending and investment practices.
Solvency II, developed by the European Commission in 2007, consists of regulatory requirements for insurance firms that operate in the European Union. It facilitated the development of a single market in insurance services in Europe while providing adequate consumer protection.