Deloitte globally provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 210,000 professionals, all committed to becoming the standard of excellence. In India, Deloitte member firms are spread across 13 locations with around 30,000 professionals who take pride in their ability to deliver to clients the right combination of local insight and international expertise.
Organizations have implemented risk management programs over the last couple of decades. Hence, the time is right to evaluate the value derived from risk management initiatives across the corporate world.
Journey of Enterprise Risk Management The release of the COSO Enterprise Risk Management – Integrated Framework in 2004 was a landmark moment in the history of risk management. Here was a framework, which provided guidance to the management teams, to implement their risk management programs.
Enterprise risk management was defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Hence, in most organisations a new function called risk management was established which attempted to identify and mitigate risks, which were most often financial, operational in nature.
Are we deriving value from Risk Management?
Risk was still seen as a separate function, responsible for risk identification and response planning. There was a need, to integrate risk management into the organisation’s ways of working, for it to gain traction.
In 2015 COSO published a research document jointly with The Institute of Internal Auditors Inc. called “Leveraging COSO across the Three Lines of Defense”. The objective of the document was to enhance governance structures in the area of internal control. It required the ownership and management of risks to rest with the business teams, as they were the First Line of Defense. The risk function would support the business, by monitoring risk and controls, operating as the Second Line of Defense.
The Three Lines of Defense model, applied to risk management, would mean that all the business decisions are taken after considering the risks involved. Risk management would be an integral part of the way the business is run. This would make an organization truly risk-intelligent.
COSO update to the Framework
The COSO updated framework Enterprise Risk Management – aligning Risk with Strategy and Performance brings in this view of risk management. It defines Enterprise Risk Management as “the culture, capabilities, and practices, integrated with strategy and execution, which organizations rely on, to manage risk in creating, preserving, and realizing value”.
Risk Management is not viewed as just a process, but as the culture, capabilities that help an organisation survive and thrive.
The focus is no longer only on identifying risks to executing strategy. It extends to evaluating how strategy aligns to the organisation’s mission, vision, core values as also evaluating risks resulting from the chosen strategy. This enhanced coverage of risk management (as depicted in the picture below) should help in ensuring that stakeholder value can be created, preserved and realized.
What does that change on the ground?
Going forward, evaluation of strategic options would require that strengths and weaknesses of all alternatives are considered, including how the strategy aligns with the organisation’s mission. The risk profile of each strategy would have been thoroughly considered, before embarking upon the chosen one. Risk indicators and response can be thought through, based on the profile of the strategy. The organization is in a state of readiness to take on the uncertain times that we live in.
Periodic assessment of the strategy and its success, in the light of changing business conditions, should be carried out and action taken, to ensure the continued success of the chosen strategy.
The ability of the entity to respond to change helps it remain viable. “Enterprise Resilience” is fortified through Enterprise Risk Management. This capacity will also give the management confidence, to increase the amount of risk the organization is willing to accept and, ultimately, to accelerate growth and increase value. Therein, lies the true value of Enterprise Risk Management.
- By Sachin Paranjape, Partner and Jinal Maroo,Manager, Deloitte Touche Tohmatsu India LLP