How Does Enterprise Risk Management

Published Date: 02 Nov 2017

I.D. STUDENT: 120024631

PROGRAMME: MSc. International Oil and Gas Management

COURSE: CP 52070

Risk and Crisis Management

TITLE OF THE

RESEARCH PAPER: HOW DOES ENTERPRISE RISK MANAGEMENT AND CORPORATE GOVERNANCE INTERELATE?

ABSTRACT: In recent times risk has become a very critical component to both individuals and businesses all over the world. Risk is inevitable and individuals and businesses have to plan well to manage this future uncertainty. There is also an increasing awareness of the complexity of risk than it has ever been because of more businesses springing up as a result of the world becoming more global. Risk management is increasingly becoming an important element of good corporate governance. The collapses of businesses like Enron, WorldCom, Adelphia, metallgesellschaft and Barrings have instituted regulatory pressures to improve corporate governance by enhancing effectiveness of internal controls (Ratnatunga and Alam, 2008). Whether these are associated to the rising levels of risk companies faced (Raber, 2003), People see risk as the key contributor, and emphasize the significance of an appropriate corporate governance structure for managing risk (Tao and Hutchinson 2013).

WORD COUNT: 2500 – 3000

PRESENTED TO: Dr. Evangelia Fragouli

MODULE DIRECTOR

CONTRACT CONCERNING PLAGIARISM

I, the undersigned, have read the Code of Practice regarding plagiarism contained in the Students Introductory Handbook. I realize that this Code governs the way in which the Centre for Energy, Petroleum and Mineral Law and Policy regards and treats the issue of plagiarism. I have understood the Code and in particular I am aware of the consequences, which may follow if, I breach the Code. I also authorise the centre to scan the e-copy of my research paper through the Plagiarism Detection Software to detect plagiarism.

SIGNED: ___________________________

Date: Day – Month –

Table of Contents

INTRODUCTION

In recent times risk has become very critical component to both individuals and businesses all over the world. Risk is inevitable and individuals and businesses have to plan well to manage this future uncertainty (Holmes, 2003). There is also an increasing awareness of the complexity of risk than it has ever been because of more businesses springing up as a result of the world becoming more global. Indeed, Tony Blair, the UK’s former Prime Minister, "once publicly stated that the complex nature of risk is making it much harder to identify, manage and control".

Recent corporate scandals and collapses of businesses like Enron, WorldCom, Adelphia, metallgesellschaft and Barrings have instituted regulatory pressures to improve corporate governance by enhancing effectiveness of internal controls (Ratnatunga and Alam, 2008). Whether these are associated to the rising levels of risk companies faced (Raber, 2003), People see risk as the key contributor, and emphasize the significance of an appropriate corporate governance formation for managing risk (Tao and Hutchinson 2013). This raises questions such as who is responsible to manage risk in an organization or firm.

This paper seeks to find out if corporate governance has a role to play in Enterprise risk management and the relationship between them. Chapter two of this paper will discuss the concept of enterprise risk management (ERM). The next chapter will look at corporate governance and chapter four will analyze the relationship between risk management and corporate governance. The final chapter will be a conclusion.

Chapter 2 Enterprise Risk Management (REM)

Before one delves into a deeper understanding of risk management, there is the need to explain the term "risk". Risk has been defined by many writers in different ways. Young and Tippins (2000) define risk as the difference in outcomes about expectation. Risk is the likelihood or threat of harm, injury, loss, liability or other negative event that is caused by internal or external vulnerabilities, which may be neutralized through preventive action (Business dictionary). Risk by meaning, has a level of uncertainty coupled with it. If an occurrence were certain there would be no risk. Risk Management is an intentional set of measures planned to identify, quantify, manage and monitor actions that might lead to loss, which is mainly equated to monetary loss (Holems 2004).

Phases of Risk Management

Risk Identification

Risk Assessment

Risk Mitigation

Risk Monitoring or Control

Recently there has been a paradigm shift with respect to the way organisations look at risk management. Spira and Page (2003) discussed in detail the evolution of risk definitions from the pre-seventeenth century onwards. In pre-rationalism times risk was seen as a consequence of natural causes that could not be anticipated or managed, but with more modern, scientific based thinking there emerged a view that risk was both quantifiable and manageable via the judicious use of avoidance and protection strategies instead of looking at risk management from a silo-based perspective where each risk is treated separately. Kleffner, Lee and McGannon (2003) it is now a holistic approach which is generally referred to as ERM, because the silos- based approach does not work since risks are highly interdependent and cannot be segmented and managed by entirely independent units. Although it was difficult to pinpoint the key deficiency in the silos-based risk management practices a lack of integration and communication appears to be one of the most significant problems. It also prevented many firms from understanding their true exposure and consequently, firms response to the changing financial landscape during 2007-2008 were slow and in many cases too late. The silo-based approach was used by companies to hedge financial risk exposures, with this approach, Risk Managers at those companies would analyze the specific type of risk assigned to them example, credit, market, foreign currency, operational risk etc and design or purchase financial products to mitigate that risk. This approach was limited to separate and individual silos and risk managers hardly discuss or assess the company’s entire risk profile.

Selim and McNamee (1999, p.161) observe what was referred to as "major paradigm shifts in organizations approach to risk management". The modern based approach to risk management is commonly known as Enterprise risk management (ERM). ERM as defined by Lam (2003. P.45) "is a comprehensive and integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value". ERM is also defined as "a process initiated by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, 2004, p.2). This definition contains a number of important phrases: first place, ERM is an initiative by the board of directors, but it cuts across the organization through line management. Secondly, it is broad based because of the fact that it includes all likely events which may affect the achievement of organisational objectives. Finally, ERM seeks to hold risk within the confines or borders of a particular risk appetite and give specific measures in this respect. This broader view of risk management requires the development of a very detailed strategy to identify, assess, mitigate and control a huge aspect of risk exposures, and communicate to the staff at various level through the formation of a risk awareness culture the risk policies of the company. It is quite clear that risk managers have a challenge in implementing ERM in an organisation because of the fact that risk is found in all the organisational structure as well as the multiple functions they play. There is an empirical evidence to show that till date, ERM has not been implemented in most organisations. A survey of internal auditors conducted by Beasley, Clune and Hermanson (2005) centered mainly on companies based in USA, It became clear that only forty eight per cent (48%) of the 174 participants had at least a partial ERM system in place in their organisations and in addition one third of the participants were planning to implement ERM in the future. Beasley and Co. findings cannot be generalized because the response to the survey was only 10%, and most of respondents were from large American corporations with yearly revenue surplus of $1.3 billion. Notwithstanding, the findings provide useful indications that the adoption of ERM is still in its teething stages. More surveys from other practitioners and writers such as Miccolis and Shah, 2000; CFO Research Services, 2002; Tillinghast-Towers Perrin, 2002, show an empirical evidence that the implementation of ERM program in organisations is still in its early stages cited in (Liebenberg and Hoyt 2003) Although implementing ERM in an organisation is difficult, its aim is to help in the achievement of strategic objectives and aligns the interests of the risk manager with those of the entity as a whole. In practice, there should be the possibility of incorporating ERM into existing control and performance management systems. The fusion of ERM might raise concerns of professional rivalry between parties such as internal auditors and risk managers, but there is no obvious intrinsic conflict between the aims of ERM and any other control system. ERM aims at addressing the challenges or setbacks of the silos approach. There is an increasing concern for the general discussion that organisations will enhance their efficiency if ERM concept is adopted. Planning and implementing ERM is very peculiar to each organization, however, it generally involves the board of directors and top management by first designing the firm’s business strategies and risk. Gaining an understanding of the relationship between top risk exposures and key strategies and objectives will assist to identify risks where they are overlapping with an individual strategy and where certain risks may affect several strategies. By identifying organisations’ risk exposure and key strategies and objectives, the board and management are able to evaluate the firm’s portfolio of key risks and assess the effect and the possibility of each risk event and develop the firm’s risk appetite. The key component of the ERM programme is centered on effective and efficient communication channels and actively monitors the firm’s risks versus its risk portfolio and risk appetite. Risk advocates emphasis the need for risk managers to report directly to the board and several contact points to promote the free-flow of information and lessen the possibility that risk reports were presented but not heard. Organisations are also motivated to design important indicators that promote an effective monitoring of likely risk events.

2.2 Components of ERM

As cited by Lam (2003), for ERM programme to be successful, it must be separated into seven main components which each must be developed and allied to work as an incorporated whole. These components are as follows:

Corporate governance: create top-down risk management. To make sure that management and the board have in place the requisite organisational processes and corporate controls to assess and manage risks across the organisation.

Portfolio management: think and perform similar to a ‘fund manager’. To amassed risk exposures, include diversification effects and supervise risk concentrations alongside recognised risk limits.

Line management: organisation strategy placement. To incorporate risk management into the income generating activities of the organisation together with business development, relationship management, pricing and so on.

Transfer: to mitigate or decrease risk exposures that are seemed so high to transfer out to a third party rather than to keep it in the organisations’ risk portfolio

Data & Technological resources: incorporate data and schemes, to help the analytics and supporting processes

Stakeholders management: to communicate and report the organisations’ risk information to its main stakeholders

Risk analytics: build up modern analytical tools

2.3 Benefits of Adopting ERM

A survey conducted by RIMS in Canada (in June 2001) outline some benefits of ERM, however, the survey did not cover a broad spectrum of companies but limited to those listed as members of RIMS.

ERM would enhance coordinated and consistent approach to risk management, resulting in lower costs and better communication across the company.

It would also promote a company-wide philosophy concerning risk management; the introduction of ERM approach was a means to align every employee to the same objective.

ERM was also seen as a very strategic approach to manage risk. Instead of companies simply transferring their risk through insurance ERM was a means to increase risk awareness, which paved way for more effective decision making.

These benefits have also been echoed in the literature of Lam (2003) as:

Increased organizational effectiveness: To set up top-down coordination and interdependencies of risk.

Improved business performance: Supports important management decisions like capital allocation, product development and pricing: take portfolio view of all risks, the relation between assets, profitability and risks and rationalizing the organisations’ risk transfer strategies yield complete risk reduction, rising earning, decreasing losses and improving shareholder value.

Better risk reporting: To make timely and significant risk reporting to the board and senior management.

Chapter 3. Corporate Governance

Corporate governance continues to be an area of focus for most companies. Not considering whether they are involved in global operations, firms still struggle with several questions and issues:  What is good corporate governance and why is it so key? Why are lots of firms and governments promoting better techniques in corporate governance? (Adamson, 2011)

Corporate governance in general, is about how firms make decisions, how they organise themselves and how they communicate with shareholders and the rest of the world. Naturally, corporate governance deals with issues like how boards and executives are chosen, what responsibilities and mandate boards and executives have, whether shareholders have any right to partake in certain types of corporate decisions through voting and, if so, what form these shareholder rights take (Adamson, 2011). "Corporate governance is the relationship among various participants in determining the direction and performance of corporations". The primary participants are "shareholders, management (led by the chief executive officer) and board of directors" (Lam, 2003, p. 58). Sir Adrian Cadbury (2002, p. 11) defines corporate governance as "the system by which companies are directed and controlled".

Companies are very worried and preoccupied with corporate governance and risk management because they have recognised that good corporate governance and risk management is good business practice and good business strategy. Many firms are focusing on these to improve their business, especially in the rising global marketplace where firms are continually trying to surpass each other to make their business more effective and to draw new investors. Those firms that are well-managed, desire to develop good business practices, improve their decision-making and give reasons for investors to invest in the firms. While these firms are extremely motivated and successful at adopting and implementing good corporate governance practices, other firms may not see the significance and value to adopt and invest in corporate governance (Adamson 2011).

Most firms or organizations have structures, policies and processes that create a governance process. Whether obligatory or by the necessity to create a decision-making process, some have also gone past these basic governance requirements and have focused on types of techniques and processes that permit them to improve the quality of their boards, management team, and relationship with shareholders which is termed as good corporate governance. Good corporate governance techniques may consist of improvements in how management and board are chosen and compensated, how much information is made available to the investors and the community at large, how firms identify and analyze risks including the exposure of these risks In other to understand how corporate governance is developing and changing, businesses have to take note of the following important ideas that are serious for businesses.

Companies must not only implement general corporate governance practice but must focus on best practices in good corporate governance

A key element of good corporate governance is managing a company’s reputation in both local and global community

Another element of good corporate governance is good risk management (Adamson, 2011).

Recent corporate scandals and collapses of businesses like Enron, WorldCom, Adelphia, metallgesellschaft and Barrings have instituted regulatory pressures to improve corporate governance by enhancing effectiveness of internal controls (Ratnatunga and Alam, 2008). All these scandals that to a large extent contributed to the main bankruptcies recorded in US Canada, UK, and other countries led to the passing of corporate governance guidelines like The H.R 3763, commonly known as the Sarbanes-Oxley Act of 200, Basel III, TSE and NYSE Leblanc and Gillies (2003) just to mention a few.

Chapter4.THE RELATIONSHIP BETWEEN ERM AND CORPORATE GOVERNANCE.

Corporate governance has been recognised as a much higher profile because the beginning of the last decade was marked by more dramatic corporate frauds and failures example Enron, WorldCom and Adelphia just to mention a few (Lam 2003).

Both corporate governance and ERM have almost the same direction on strategic objectives, corporate integration and motivation from the top of the organisation. The ultimate aim of both is to prevent much more dramatic corporate fraud and failures. Inefficient risk management and ineffective corporate governance were responsible for the scandals that threatened organisations such as metallgesellschaft and Barrings. Organization with ineffective corporate governance practices usually experience inefficient risk management skills and the reverse is also true Management and the board of directors also play the role of ensuring effective risk management in an organisation-a responsibility to business partners and shareholders who stand a chance of losing their money and employees who may also lose their livelihoods, and other stakeholders in the firm. An organisation or firm can manage its risk profile effectively through corporate governance (Lam 2003).

Many writers have accused corporate governance for most of the scandals and collapses of businesses all over, Pirson and Turnbull (2011), blamed the board for failing to manage risk well by giving two reasons: "board members did not get relevant information about risks incurred by management because they lacked control over information supply; board members were not able to process such risk-related information and lacked incentives or power to influence managerial decision making". Tiscin and Donato (2006) also argued that even if some of the corporate scandals in the United State can be considered as a result of the market bubble burst in 2000, the broadness of corporate misconduct and misreporting could be blamed for such scandals.

Again, openly traded companies in, the United States, Canada and the United Kingdom have come up with stricter corporate governance guidelines and rules during the 1990s. These changes are as a result of corporate governance failure to manage risk. Reasons remain that either directors were asleep at the wheel or inundated from various risk that faced their companies as such Bre-X Minerals Limited and Livent Incorporated (Kleffner, Lee and McGannon 2003).

Sridharan, Dickes, and Caines, (2002) Also hold corporate governance responsible for the collapse of Enron, a major US publicly traded corporation with global operations. The Enron case clearly shows the impact corporate failure has on capital markets and American society and underscores the need for better corporate governance in companies.

In as much as each component of corporate governance has a role to play in risk management, the sole responsibility of managing risk lies on the board. Cited in enterprise risk management (2003), both the Dey Report and the Organization for Economic Cooperation and Development (OECD) Principles of Corporate Governance clearly mention that the board has a responsibility to ensure that the right system and polices for managing risk are in place. The Australian Security Exchange (ASX) Corporate Governance Council’s Corporate Governance Principles and Recommendations second edition 2008, places the responsibility for the entity’s Risk Management oversight and monitoring clearly with the Board of Directors.  A crucial component of effective corporate governance is Effective Risk Management.

CONCLUSION

It is clear that companies that fail to take on good corporate practices do not face the adverse effect alone but also investors and the community as a whole. Indeed there are quite a number of examples where failures of corporate governance have caused huge liabilities for organisations and their shareholders. Though not all of these problems can be attributed to the failures of corporate governance, a lot of them can. For example, Enron, WorldCom, metallgesellschaft and Barrings provides famous examples of systemic problems within an organisation that could have been resolved by effective corporate governance. The current disaster of BP oil spill and the global financial crisis are yet other examples of how the failure of executives and boards to comprehend and manage risks resulted in governance failures with adverse effects, both for financial instructions and businesses, and for individuals and national economies around the globe. As cited in Pirson and Turnbull (2011) "suggested that risk management is a central corporate governance task as it sustains value creation"

REFERRENCES

Books

Deloitte and Touche LLP (1997) Perspectives on Risk, Deloitte & Touche Tohmatsu

International. Holmes, A. (2004). Smart Risk, Willey Co., Sussex, UK.

Lam, J. (2003). Enterprise Risk Management. John Wiley & Sons, Inc. New Jersey, USA.

Young, P. and Tippins, S. (2000). Managing Business Risk: An Organization-Wide Approach to Risk Management AMACOM, American Management Association, NY, USA.

Journals and Articles

Adamson, R (2011) ‘Corporate Governance, Risk Management and Corporate Social Responsibility in Emerging Markets: A Symbiotic Relationship’.

Cadbury, A., (1998) ‘The Future for Governance: the Rules of the Game’, Journal of General Management, Vol. 24, No. 1, Autumn 98, pp. 1-14.

Harner, M.M., (2010) ‘Barriers to effective risk management’ 40 Seton Hall L. Rev 1323 ‘The effect of corporate governance on the use of enterprise risk management: evidence from Canada’. Risk Management and Insurance Review 6 (1), 53–73

Leblanc, R and Gillies, J (2003)‘The coming revolution in corporate governance’, IVEY Management Services

Liebenberg, P. A. and Hoyt, E. R (2003) ‘The determinants of enterprise risk management: evidence from the appointment of chief risk officers’ Risk Management and Insurance Review, Vol. 6, No. 1, 37-52

Raber, R. W. (2003) ‘The role of good corporate governance in overseeing risk’, Corporate Governance Advisor, 11(2), 11-16.

Selim, G. and McNamee, D. (1999) ‘The risk management and internal auditing relationship: developing and validating a model’, International Journal of Auditing, Vol. 3, pp.159–174.

Spira, L. and Page, M. (2003) ‘Risk management: the reinvention of internal audit and the changing role of internal audit’, Accounting, Auditing and Accountability Journal, Vol. 16, No. 4, pp.640–661.

Tao, B. N and Hutchinson, M.(2013) ‘Corporate governance and risk management: The role of risk management and compensation committees’, Journal of Contemporary Accounting & Economics

Tiscin, R. and Donato, F. D., (2006) ‘The relation between accounting frauds and corporate governance systems: An analysis of recent scandals’,

http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan033868.pdf

Uma V. Sridharan, Lori Dickes, W. Royce Caines, (2002) ‘The social impact of business failure: Enron’, American Journal of Business, Vol. 17 Iss: 2, pp.11 – 22

Reports and others

Beasley, M.S., Clune, R. and Hermanson, D. (2005) ‘ERM: a status report’, The Internal Auditor, Vol. 62, No. 1, pp.67–73.

Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management Integrated Framework, September 2004.

Institute of Chartered Accountants of England and Wales (ICAEW) (2002) ‘No surprises: working for better risk reporting’, London: ICAEW.

Institute of Risk Management (2002) A Risk Management Standard, London: IRM

Pirson, M .and Turnbull, S (2011) Corporate Governance, Risk Management, and the Financial Crisis – An Information Processing View Fordham University Schools Of Business Working Paper No 2011-003

Ratnatunga, J. and Alam, M. (2008) ‘Corporate Governance in a High Risk Industry The Theory and the Emerging Role of Management Accounting in Practice’, American Accounting Association Conference, August, Anaheim, USA.

Internet Sources

http://www.businessdictionary.com/definition/risk.html#ixzz21jCvbbsy