Lecture #7 Part #1
If you have not already, read and understand our previous lectures on risks and risk management, so that this section makes sense to you.
COMPONENTS OF ENTERPRISE RISK MANAGEMENT:
Enterprise Risk Management has 8 interrelated components. We will discuss them in this lecture.
1. INTERNAL ENVIRONMENT: Take companies in the banking industry: each company operates in its own way, even though they all belong to the same industry. This depends purely on the management and employees and on how they run their business. Each company has its own integrity, ethical values, risk appetite (some companies are ready to take more risks, whereas others do not want to take too many) and risk management philosophy (management's attitude towards risks).
Whatever top management's perspective on risk may be, people in middle and lower management and other staff will sometimes have different attitudes and perspectives about risk, and their integrity and ethical values might differ from those of top management. Risk management is framed taking the internal environment into consideration.
2. OBJECTIVE SETTING: Before defining and formulating a risk management plan, it is essential for the organization to set an objective. The risk management plan has to be aligned with the entity's overall objective. Management should ideally formulate the risk management plan and its risk appetite with the entity's objective in mind (for example, it cannot take so many risks that the entity's objective is compromised).
3. EVENT IDENTIFICATION: We discussed identifying potential events that will have an impact on the entity. These events can be internal or external, and they affect strategy implementation and the achievement of the entity's objectives. While identifying them, the entity will come across many events: some will be threats, some will bring opportunities, and some will be a combination of both. All these events are identified and aligned with the objectives, so that the entity takes advantage of those that provide opportunities and has a plan to manage those that come with risk.
4. RISK ASSESSMENT: After risk identification, the next step is to analyse the risks in order to manage them effectively. The analysis usually gives management a range of outcomes and the probability of their occurrence. Based on this evaluation, management has to formulate a plan to manage them effectively.
5. RISK RESPONSE: Based on the assessed risk, management then comes up with an effective plan to manage it, based on its risk appetite and risk tolerance. The personnel usually come up with different plans: some to avoid risk, some to accept it, some to reduce it in certain cases, and some to share it (Reduce, Avoid, Accept and Share). The plan depends entirely on the nature of the event and on the entity's risk appetite and risk tolerance.
6. CONTROL ACTIVITIES: Control activities are not wholly concerned with the control of risks; here we are talking about implementing controls to ensure that all the plans for avoiding, reducing and sharing risks are carried out effectively and efficiently.
7. INFORMATION AND COMMUNICATION: As part of the overall risk management strategy, managers and other staff are required to communicate risky events to top management when they occur. The communication is supposed to be timely and in the manner or form defined earlier. This means that staff have to communicate such things only in the manner specified (for example, in the form of emails, system alerts, etc.), and if some information is not supposed to be communicated orally, then staff and middle-level managers have to abide by these set policies. This information may flow up (to top management from middle management), down (from middle management to the staff, instructing them to take appropriate actions) or across (between departments). This seamless flow of information ensures that the appropriate actions are taken by the people responsible for carrying them out.
8. MONITORING: Once the risk management plan is implemented, it cannot be left as it is; it should be monitored on a periodic basis to ensure that it is consistent, stays relevant for the period and is not outdated. If required, the plan has to be modified or altered accordingly. Hence a periodic review of the risk management plan has to take place in order to achieve this.