
It goes without saying that an enterprise risk management (ERM) program must cover every business activity of an organization, whether it directly generates revenue or supports the people and activities that do. For a chief risk officer (CRO), however, ensuring this is true is much harder than saying it is true.
While most discussions of the risk management process focus on risk identification, assessment and treatment, the risk objects that define the scope of ERM do not attract as much attention – but are just as important. How do we define these objects? What’s their connection to risk owners, and what specific role do they play in the development of a comprehensive risk management framework?
Risk Objects
Risk objects are the human capital, physical assets, documents and concepts (e.g., “outsourcing”) that pose risk to an organization. Stephen Hilgartner, a Cornell University professor, once described risk objects as “sources of danger” or “things that pose hazards.” The basic idea is that any simple action, like driving a car, has associated risk objects – such as the driver, the car and the roads.
Sources of risks and opportunities can be found within countless objects. Before risk can be identified, assessed and treated, every risk object related to an organization must be explicitly included in the scope of risk management. Your risk management policy should therefore begin with a description of risk objects.
After the risk objects have been defined, the risk management processes of identification, assessment and treatment can begin. The goal of ERM is to develop a standardized system that not only acknowledges the risks and opportunities in every risk object but also assesses how the risks can impact decision-making.
For every risk object, hazards and opportunities must be acknowledged by the risk owner. Risk owners are the individuals managerially accountable for the risk objects. These leaders and their risk objects establish a scope for the risk management process. Moreover, they ensure that all risks are properly managed based on approved risk management policies.
To complete every step of the risk management process, risk owners must ensure that risks are accurately tied to the budget and to organizational strategy. Where the board of directors is the ultimate risk owner, ownership of individual risk objects is delegated downward to the lowest managerial level in the organizational hierarchy. The same hierarchy also establishes the channels of risk governance, i.e., the organizational chain of command for approving risk actions.
Risk governance ensures the actions taken to acknowledge and treat risks are transparent and considered at all levels in the organization for decision-making. Decisions made by risk owners must be reviewed and agreed upon by management, up to the board of directors.
ERM Processes
For many CROs, ERM processes (see Figure 1) are a work in progress, with practices varying by the organization's level of risk management maturity. A careful description of risk objects in the risk management policy establishes individual accountability for risk-related actions across all risk management activities.
Figure 1: An Overview of Enterprise Risk Management Processes

Risk objects are the first consideration in defining the scope of ERM. Subsequently, risk identification and assessment can happen, followed by decisions about appropriate risk treatment actions when actual levels of risk are outside risk appetite boundaries.
Risk treatments allow adjustments of residual risk levels, but with costs that may require budget trade-offs. After the treatments stage, aggregated risks can be prioritized and linked to strategy. (We’ll take a closer look at each of these topics in future columns.)
Illustrative Risk Objects
Large financial institutions should develop standard terminology and descriptions for typical risk objects (see Figure 2). Terminology will differ across organizations, and should be adapted to reflect the vocabulary of your business.
Figure 2: Illustrative “Level 1” Risk Object Categories

As organizational risk management practices mature, additional risk object levels should be defined. For example, “Geography” may be a level 1 risk object, while the level 2 object could be “country” and the level 3 could be “states, provinces or cities.” This specificity is required to ensure consistency in applying risk management processes across the organization. Additional granularity also allows risk ownership to reach lower levels within the organization, subject to risk governance approvals.
Risk Perceptions and Risk Data
A risk object will create different risk perceptions, depending on the owner. Take geography, for example. A product owner will perceive risk based on the ability of the product to meet demand in a geographic region, while an operations manager will consider risks to operations in that region.
The CFO, meanwhile, will have a risk perception of the geographic region based on the adequacy of people and systems in that region to manage financial reporting requirements. A sales manager, on the other hand, will consider the region's risks to revenue generation and customer service.
Each of these risk perceptions is valid; together, they form a holistic assessment of geographic risks.
Another way to think about risk objects is to imagine how the data will be visualized and classified. The classification of risk objects will ensure that risks can be discussed – not only in aggregate but also for important disaggregated levels, such as geography, product and third party.
Practical Advice
The success and longevity of an ERM program depend on the ability of risk management processes to adapt to changing business circumstances. Is the organization, for example, exiting a product, entering a new region, or changing its business strategy? Each of these changes the set of risk objects in scope, so risk data must be re-reported and adapted over time.
The granularity of risk objects will determine a firm’s ability to drill down and aggregate up to allow custom reports, detailed analytics and decision-support.
As CRO, you may be very clear about what is in scope for risk management activities. But until your risk management policy describes the risk objects, even the best-intentioned business or operations manager will guess about the scope of their risk management responsibilities.
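The multi-level taxonomy described above (level 1 "Geography", level 2 country, level 3 city), the downward delegation of ownership from the board, and the drill-down/aggregate-up reporting it enables can be made concrete in code. The following Python script is an added illustration, not the authors' framework or any firm's tooling: it builds a small risk-object tree, reports which objects have only inherited rather than explicitly assigned owners (the scope-guessing gap the policy should close), aggregates residual risk upward, drills down by path, and flags objects whose aggregated risk exceeds a stated appetite. The object names, owners, risk scores, appetite thresholds and the choice of additive aggregation are all constructed assumptions for the example.

```python
"""Risk-object taxonomy: ownership coverage, roll-up and drill-down.

Added illustration (not the article's or any firm's code). All names, owners,
scores and thresholds below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RiskObject:
    """One node of the taxonomy, e.g. level 1 Geography -> level 2 country -> level 3 city."""
    name: str
    level: int
    owner: Optional[str] = None      # managerially accountable role, if explicitly assigned
    residual_risk: float = 0.0       # assessed residual risk; set on leaf objects only
    children: list = field(default_factory=list)

    def add(self, child: "RiskObject") -> "RiskObject":
        self.children.append(child)
        return child


def effective_owners(node: RiskObject, inherited: Optional[str] = None, out=None) -> dict:
    """Map each object name to (effective owner, explicitly assigned?).

    Ownership is delegated downward: an object with no explicit owner is owned
    by its nearest ancestor's owner, ultimately the board.
    """
    if out is None:
        out = {}
    owner = node.owner if node.owner is not None else inherited
    out[node.name] = (owner, node.owner is not None)
    for child in node.children:
        effective_owners(child, owner, out)
    return out


def unassigned(root: RiskObject) -> list:
    """Objects whose ownership is only inherited: nobody at that level has been
    told in the policy that the object is within their scope."""
    return [name for name, (_, explicit) in effective_owners(root).items() if not explicit]


def roll_up(root: RiskObject) -> dict:
    """Aggregate residual risk bottom-up (assumption: simple additive aggregation)."""
    totals = {}

    def agg(node: RiskObject) -> float:
        total = sum(agg(c) for c in node.children) if node.children else node.residual_risk
        totals[node.name] = total
        return total

    agg(root)
    return totals


def drill_down(root: RiskObject, path: list) -> RiskObject:
    """Follow a path of child names from the root, e.g. ["Country A", "City Y"]."""
    node = root
    for step in path:
        node = next(c for c in node.children if c.name == step)
    return node


def outside_appetite(root: RiskObject, appetite: dict) -> list:
    """Names of objects whose aggregated residual risk exceeds their appetite limit."""
    totals = roll_up(root)
    return sorted(name for name, limit in appetite.items() if totals.get(name, 0.0) > limit)


def build_sample() -> RiskObject:
    """Constructed three-level taxonomy; two objects deliberately lack an explicit owner."""
    geo = RiskObject("Geography", 1, owner="Board of Directors")
    a = geo.add(RiskObject("Country A", 2, owner="Regional COO"))
    a.add(RiskObject("City X", 3, owner="Branch Manager X", residual_risk=3.0))
    a.add(RiskObject("City Y", 3, residual_risk=5.0))            # no explicit owner
    b = geo.add(RiskObject("Country B", 2))                         # no explicit owner
    b.add(RiskObject("City Z", 3, owner="Branch Manager Z", residual_risk=2.0))
    return geo


if __name__ == "__main__":
    tree = build_sample()
    print("Objects with only inherited ownership:", unassigned(tree))
    print("Aggregated residual risk:", roll_up(tree))
    print("Drill-down to City Y:", drill_down(tree, ["Country A", "City Y"]).residual_risk)
    limits = {"Geography": 12.0, "Country A": 6.0, "Country B": 4.0}
    print("Outside appetite:", outside_appetite(tree, limits))
```

Running the script lists "City Y" and "Country B" as objects owned only by delegation from an ancestor, and flags "Country A" because its two cities together (8.0) exceed the constructed appetite of 6.0 even though each city alone looks acceptable; that is the aggregate-up view the text argues a granular taxonomy makes possible.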
Parting Thoughts
Risk identification, assessment and treatment cannot be completed without risk objects, which are a critical first step in ERM. Risk objects answer the question of "what" in risk management, allowing us to then explore "which risks" and "how much risk." Clear risk ownership and a basis for risk governance, in turn, can be aligned with the organizational structure.
Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this article are her own and should not be attributed to the United States Naval Academy or the U.S. Department of Defense.
She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy. She held a variety of business, risk management, and compliance roles at JPMorgan Chase and Bank One.
Ross Johansen is a Midshipman at the United States Naval Academy studying Quantitative Economics. His research focuses on the scope of risk management developed by risk objects, risk ownership and risk governance. This focus is one aspect of a larger project to develop a standardized risk management framework for managing risks across time, with links to budget and strategy.