CRO Outlook

How to Design and Build an Integrated ERM Framework

Enterprise risk management can help protect firms from fiascoes that inflict huge economic and reputational damage. What steps can an organization take to implement a comprehensive, transparent ERM program, and what benefits does it yield?

Friday, December 20, 2019

By Brenda Boultwood


Recent scandals involving Australian and UK banks leave little doubt that we must design integrated enterprise risk management (ERM) approaches that weave “common sense” into decision-making. When done properly, ERM can help ensure that a firm is operating legally and, most importantly, with integrity.

Previously, we covered the components of a well-understood risk management program. Now let's suppose your company aspires to have these components in place, is growing fast and wants to know how to accelerate an ERM program implementation. Simultaneously, let's also assume your firm would like to avoid the scars of others and anything bespoke.


Recently, I received a request to help develop such an ERM program from a healthcare FinTech that may or may not be eyeing an IPO, with all the accompanying public company regulatory and reporting requirements. Whatever happens with the IPO, management wants to stabilize operations and ensure that incidents and issues are managed through a regularized approach. Beyond complying with SOX, the firm would also like to understand how well its control environment mitigates its primary risks and supports compliance requirements.

Many have tried to implement a risk management program by dictate from the top-down. Sometimes this type of approach is required. For example, a top-down approach is required when the risk management team operates in an ivory tower or when regulators have created aggressive orders and deadlines for filling programmatic gaps.

When neither is true, implementing a risk management program should happen in a benevolent democracy, combining top-down and bottom-up inputs into a collaborative business design based on principles rooted in company strategy and culture. Multiple recipes for achieving these objectives (see Figure 1, below) therefore exist.

Figure 1: Business Objectives of an Integrated ERM Program

Figuring out which approach will lead to a five-star outcome, in terms of achieving these goals and accelerating the implementation of integrated ERM, is vital. We'll draw from standard practices and emerging regulatory requirements, and then dive into an approach that works.

Trust me, even some of the largest, most mature financial institutions with hundreds of risk assessments may want to use the approach outlined below to “start from scratch.” By doing so, a company can refocus on the financial and non-financial risks (NFR) that are most important, at a level of granularity that lets business owners fully understand their risk and control environment and the key action plans for prioritizing investments.

Implementation, and The Players

Before we dive in, it's important to understand the full context. There are three key implementation elements of any integrated ERM program: business architecture, data architecture and IT architecture (see Figure 2, below). The business architecture for integrated ERM will be covered here, while the data architecture and IT infrastructure will be addressed in future articles.

Figure 2: Implementing Integrated ERM

To establish an integrated ERM program, many people must play key roles (see Figure 3).

Figure 3: What's Being Integrated

From your group of functional and business executives, a “core team” can be developed. Typical members include the CFO, CRO, CISO and general counsel. Ideally, however, ERM integration should include leaders across all NFR areas.

The core team, and their delegates, will initially have the largest time commitment in the development of an integrated ERM approach. Governance will often be provided by the company's executive committee, including the CEO.

Business representatives will be the testers and validators of the approach, and will ultimately acknowledge the risks, own the assessment of risks and give the nod to the overall risk management approach.

Let's now explore stages of the development of an integrated ERM program.

Stages of an Integrated ERM Build

Stage 0: Research

Avoid reinventing the wheel by leveraging best practice. Bring in some experts. Poll existing employees that may have been brought into your firm from more regulated industries or from larger firms.

Investigate technologies and modern analytics, which could help reveal from existing data what is most critical. In the long run, an industry standard approach beats anything bespoke.

Stage 1: Team Formation and Language Agreement

In 2020, we can agree that no firm needs to start from scratch on this stuff. Risk and controls probably already have names within the organization, although these names may be inconsistent and differ in granularity.

The goal should be to articulate a hierarchy of risks and controls, define each and then determine which layer will be the vocabulary for which organizational group. For example, Level 1 risks and control names may become the agreed vocabulary for discussions with the board.

Alternatively, the top risks “spoken” by the board can be mapped to one or more of the standard risk names. For example, “Brexit” may be mapped to operational risks, business risks, third-party risks and others.

A proper understanding of risks and controls requires the appropriate context about organizational structure and business processes. The structure can be relatively straightforward, composed of assessment units classified by business unit or function, geography and legal entity. Processes, on the other hand, are best thought of as the firm's critical economic functions (CEFs) in serving customers.

The core team is often responsible for developing the initial draft of the risk data taxonomy, with standard names for risks, controls, processes and business structure. (More details about the ERM taxonomy will be provided in an upcoming article on the integrated ERM data architecture.)

In addition to the players described above, there is also a need for an internal or external initiative team to document the approach and the agreed-upon language. In a later stage, this team will document outputs.

Stage 2: Business Risk Assessments

It's often helpful to perform this step based on some orchestrated guidance from your firm's board of directors. Some call it board education, but it can be helpful to frame this as an effort to give board members a deeper understanding of the business, in a consistent and easy-to-digest “one-page” format.

Based on factors such as revenue, earnings contribution and customers impacted, have the core team develop the list of 10-15 critical economic functions of the company. For each business process, leverage high-level process flow diagrams that might already exist. If they do not exist, we can make this the first stage of Process Risk Review workshops.

The time for each workshop should be limited to 90-100 minutes. You'll need a whiteboard, sticky notes and the time of the key business process owners. Start each workshop by defining success and walking through the high-level, end-to-end business process.

Name the top potential risks or issues. This could be a great exercise for the company's top brass to get their hands dirty with a more detailed understanding of their internal and external process risks and controls.

Ask the group to rate the risks subjectively as high, medium or low, based on the group's understanding of the control environment. Next, name the key actions and investments underway related to the top risks or issues.

While each workshop should flow smoothly and use the language of the business, the initiative team will need to document the outcome based on standard formats and the agreed-upon standard language. The initiative team, moreover, will need to standardize the documentation of the output of each workshop.

Stage 3: Peer Review

Ensuring that members of the firm's executive team have the ability to vet each other's Process Risk Review workshop is critical. This can be a great agenda topic for an executive committee meeting, allowing the review of peer business areas by top management.

Stage 4: Language Adaptation

The core team should revise the risk taxonomy based on the workshop learnings. This may lead to some workshop documentation revisions.

Stage 5: Business Presentation of the Workshop Output

By this time, the board should know about the initiative. Most directors will be eager to hear business leaders discuss their business and primary risk issues.

Stage 6: ERM Reports

Subjectively aggregate the risks, issues and control environment investments. Develop summary reports across the business units.

While the Process Risk Review workshops are underway, the risk experts should work in parallel to document the company's risk framework, NFR rating methodology, ERM policy and taxonomy to complete the description of the integrated ERM business architecture.

Parting Thoughts: Unexpected Benefits

Integrated ERM can have a big impact on the management of the most critical economic functions of your firm.

The majority of a firm's employees spend some part of their day, for example, managing controls. Under a comprehensive ERM program, if a control activity is not helping to mitigate a risk, comply with a regulation or adhere to policy, it can be redesigned or even rationalized. Capital and human resources should be freed to align with what is most important.

A well-designed, integrated ERM program can also help management focus on customer outcomes. More specifically, it can empower a company to mature from episodic management, where everything seems to be an incident, to a standard process for managing issues. What's more, it can provide the content and consistency to ensure board-of-director meetings run smoothly.

But effective ERM is not just about management - with the right program in place, even the most junior employee should be able to better understand the importance of his or her role in their organization's integrity.


Brenda Boultwood is a Risk Advisory Partner at Deloitte. She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Prior to joining Deloitte, she was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. Before that, she worked as the global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.
