Risk Management Responsibilities

Board of directors

The board of directors is ultimately responsible for the risk management process. The board needs to understand the important risks faced by the enterprise and needs to provide guidelines on the enterprise’s risk appetite and risk management process. The board is responsible for continuously ensuring that adequate risk management processes are in place. However, the actual risk management activities must be delegated to the risk management function.

Risk management environment

The risk management environment involves matters associated with people, such as culture, philosophy, how people are trained and developed, and how appropriate behaviour of employees is incentivized, reinforced and compensated.

Culture is an important part of the risk management environment. Endorsement of the appropriate risk management culture by all levels of management within the organization is vital for successful risk management processes. Such endorsement should be evident from management’s attitude as well as from resource allocation. The values of an organization need to reflect that risk management is important. Buy-in (acceptance) from all employees with regards to the importance of risk management is necessary. Accountability should be assigned to business units, divisions and employees for their required input into the risk management process.

Performance of employees should be aligned with risk management objectives. Only in this way will employees be motivated to bring their utmost effort to executing their contribution to appropriate risk management. Adequate performance with regard to risk management objectives should contribute to rewards for the employee.



Enterprise Risk Management Process and Infrastructure

Enterprise risk management involves a process consisting of establishing the following:

  1. strategy
  2. appropriate infrastructure
    1. the different kinds of structure established within an enterprise, such as the organizational structure; the different kinds of systems, such as the information system, which determines how information is collected, used and shared; the determination of accountability and responsibility; the methodologies to be used; and control procedures
  3. environment
    1. involves matters associated with people, such as culture
  4. operating philosophy
    1. refers to command and control versus empowerment (centralized or decentralised), how people are trained and developed, and how appropriate behaviour of employees is incentivized, reinforced and compensated

Enterprise risk management provides organizations with knowledge which allows them to systematically manage risks in an enhanced manner.

Enterprise risk management infrastructure

ERM infrastructure refers to the type of structure within an organization which is required for a successful risk management process. It refers to the different tools that the risk management process can use to ensure its success and includes the following:

  1. An organizational structure
  2. Risk management systems
    1. An example of a risk management system is the information system which meets informational risk management needs throughout the enterprise. Information systems should be designed and managed in a way which ensures that the system is flexible, meaning that the way in which information is presented allows various users within the enterprise to use it for their specific informational needs. The information system must also be user friendly. This will ensure that employees within the enterprise can obtain the maximum value from the system. Information systems should allow for fast recording, evaluation, summary, consolidation and sharing of information. The information system should also be efficient. This refers to the necessity for the system to be designed in an efficient way, to ensure that no tasks are unnecessarily duplicated throughout the enterprise and that no unnecessary activities are performed.
  3. Determination of accountability and responsibility
  4. Methodologies and techniques to be used in risk management:
    1. Established control procedures
    2. Risk management unit which is at the center of risk management within the organization
    3. Risk management policies and procedures – refers to the set of rules on how risk management is undertaken within the enterprise. A top-down approach should be used to develop risk management policies and procedures. A top-down approach will ensure consistency and alignment with the risk appetite (how much risk the company wants to accept) and business strategy. Risk management policies and procedures must be developed with input from all levels of management from all areas of the business, to ensure their alignment and to incorporate their knowledge about the specific risks faced by their areas. Risk management policies and procedures should also be understood by all employees.
    4. Reporting on risk management process – the addressee of the reports on risk management process performance should be in close proximity to the risks to be able to take timely action.



Consolidation of Risk and Improved Performance

By linking consolidation of risk to improved performance of the organization, value is created. By consolidating risks, organizations obtain information which allows them to undertake evaluation, analysis and management of risk more effectively.

Enterprise risk management (ERM) establishes the foundation which improves decision making with regards to risk, return and growth. The foundation consists of assessment tools, common language, determined risk tolerances and strategies, all of which are encouraged by enterprise risk management.

ERM makes it possible to identify internal and external best practices from which all enterprises can benefit. As a result of enterprise risk management, organizations better manage risk profiles (with the help of tools such as RAROC, risk-adjusted return on capital), reduce unacceptable risks and strategic errors, and undertake more timely and adequate corrective actions.

Risk management strategies create value by avoiding unacceptable losses, encouraging the use of the core competencies of the organization and managing variability of performance.

To achieve connection between risk management and enhanced performance of the enterprise, we need to measure how performance is affected by changes in the risk profile which occur due to the implementation of risk management strategies.


Aggregation of Risk Measures

Consolidated risk management, which is also called enterprise-wide risk management, refers to the synchronized management of the total pool of risk in the enterprise. Consolidation of risks became possible due to advances in financial engineering and information technology.

Consolidation of risks is important for 5 main reasons:

  1. Consolidation of risks allows management to see the big picture of risk. Management is able to see what is happening to the total pool of risk in the enterprise. Management can analyze whether risks are increasing or decreasing and why such changes occur. Moreover, management is able to compare how such changes relate to the risk tolerance level of the enterprise.
  2. Since management is able to see the big picture, it is in a better position to make decisions on risk management which lead to improved performance of the enterprise risk management process.
  3. Improved performance of the enterprise risk management process leads to improved performance of the enterprise and enhanced owners’ wealth maximization, which is the ultimate objective of the enterprise.
  4. Consolidation of risks involves letting go of some particulars and allows risks to be presented in a straightforward and uncomplicated manner, which facilitates effective management throughout the enterprise.
  5. Consolidation of risks involves analysis of the relationships between different risks. Thereafter, risks are categorized. This enhances the quality of risk reporting, which in turn improves decisions associated with allocation of capital.

Approaches to consolidation of risks

Risks should be categorized into appropriate categories. If risks have the same drivers, then those risks are positively or negatively correlated. If risks do not have the same drivers, then such risks are uncorrelated.

When risks are categorized, appropriate methods should be chosen to manage each category. Methods for managing categories of consolidated risks include:

  1. Managing the category as a portfolio of risks
  2. Obtaining insurance for the entire category or for each individual risk within the category, whichever is less costly. Transferring the entire category will be more cost-effective when the risks have low or negative correlation, and more expensive when the risks are positively correlated.
  3. Hedging
  4. Using “natural hedges”. As an example, in 1984 the German airline Lufthansa signed a contract with the American company Boeing committing it to buy aircraft for $3 billion. The organization took a forward contract for half of the amount (1.5 billion) to hedge itself against possible currency fluctuations. However, what was not taken into account was that Lufthansa’s cash flow was also essentially dollar-denominated. Therefore, Lufthansa already had a “natural hedge” in this situation. Incidentally, the dollar depreciated by 30 percent in 1985 and Lufthansa incurred a sizable foreign-exchange loss on the forward contract, which was unnecessary because of the “natural hedge” the company had and which was overlooked.
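To make the correlation point above concrete, the following added example (mine, not part of the original post) computes the standard deviation of a category’s pooled loss for different assumed pairwise correlations; the two exposure figures are constructed, not taken from any real company.

```python
import math
from typing import Sequence

# Constructed sample: two exposures in one risk category, each described by
# the standard deviation of its annual loss (figures in millions, invented).
SAMPLE_STDS = [10.0, 6.0]


def pairwise_corr(rho: float, n: int) -> list[list[float]]:
    """Correlation matrix in which every pair of the n risks has correlation rho."""
    return [[1.0 if i == j else rho for j in range(n)] for i in range(n)]


def aggregate_std(stds: Sequence[float], corr: Sequence[Sequence[float]]) -> float:
    """Standard deviation of the pooled loss of a category.

    Var(sum X_i) = sum_i sum_j corr[i][j] * sigma_i * sigma_j, so pooling
    positively correlated risks adds their volatility almost linearly, while
    uncorrelated or negatively correlated risks partly cancel each other out.
    """
    n = len(stds)
    var = sum(corr[i][j] * stds[i] * stds[j] for i in range(n) for j in range(n))
    return math.sqrt(max(var, 0.0))  # guard against tiny negative rounding error


def diversification_benefit(stds: Sequence[float], corr: Sequence[Sequence[float]]) -> float:
    """Share of the stand-alone risk (sum of sigmas) removed by managing the
    category as one pool rather than risk by risk. 0.0 means no benefit."""
    return 1.0 - aggregate_std(stds, corr) / sum(stds)


def compare_correlations(stds: Sequence[float], rhos: Sequence[float]) -> dict[float, float]:
    """Pooled standard deviation for each assumed pairwise correlation."""
    return {rho: aggregate_std(stds, pairwise_corr(rho, len(stds))) for rho in rhos}


if __name__ == "__main__":
    for rho, pooled in compare_correlations(SAMPLE_STDS, [1.0, 0.5, 0.0, -0.5, -1.0]).items():
        benefit = diversification_benefit(SAMPLE_STDS, pairwise_corr(rho, len(SAMPLE_STDS)))
        print(f"rho={rho:+.1f}: pooled sigma={pooled:6.2f}  diversification benefit={benefit:5.1%}")
```

With perfectly positively correlated risks the pooled sigma equals the sum of the individual sigmas (no benefit from transferring the category as a whole), whereas at zero or negative correlation the pooled figure, and therefore the capital or premium needed to cover it, is markedly lower.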

Risk Monitoring

Techniques to undertake risk monitoring include external and internal audits, appraisal of an enterprise’s risk management strategies, policies and procedures, and physical inspections.

Target outcome of risk monitoring

The target outcome of risk monitoring is to determine if the risk management objectives were achieved and which improvements can be made to enhance the risk management process. A number of questions should be answered during the risk monitoring stage:

  • Has the risk profile of the organization altered?
  • Are the assumptions on which the risk management strategy was based still relevant?
  • Is the risk management process effective and efficient?
  • Does the risk management strategy still comply with government laws and regulations (if changes in laws and regulations have occurred)?
  • How does the risk management process contribute to the ultimate objective of the enterprise, which is wealth maximization of the shareholders?

Risk monitoring of the risk management environment includes monitoring of environmental risks and operational risks.

  • Environmental risks refer to risks which occur in the external environment and over which the enterprise has no control. For example, if an unexpected adverse event occurs, management needs to re-evaluate the situation and adjust the organization’s risk management strategy and risk management implementation plan. This will ensure that unfortunate incidents do not evolve into a crisis.
  • Operational risks refer to risks which occur in the internal environment of the enterprise and over which the enterprise has control.

Ongoing risk monitoring of the enterprise risk management (ERM) process allows enterprises to identify new risks in a timely manner. As an example, a new risk such as a new regulatory requirement can be identified and attended to in a timely manner. It allows an up-to-date organizational risk profile to be maintained. Potential opportunities and threats are also paid attention to. It also makes it possible to identify risk management practices that are inefficient or inappropriate, which must be followed by suitable adjustments. This allows the costs of such practices to be decreased.

Further, risk monitoring allows confirmation of whether the assumptions and analysis underlying risk management strategies and implementation plans were correct. If not, timely adjustments must be made, which will lead to further improvements in the efficiency of the process. Questioning every assumption may be too time consuming. In that case, a list of key assumptions must be compiled and monitored.


One of the ways to improve the risk management process is by using benchmarking methodology. Benchmarking refers to comparing certain performance indicators of the business to those of the competitors. It also can refer to comparing certain performance indicators between business units within the same enterprise. This methodology can be expensive and time consuming. Therefore, focusing on the crucial areas for success of the risk management process may be most appropriate.

Risk management training should also be undertaken to ensure employees’ improvement in risk management abilities, skills, knowledge and awareness, and to further enhance quality of risk monitoring.


Enterprise Risk Management Function

Enterprise risk management refers to the new strategic process of structured identification and evaluation of all the risks and opportunities of the enterprise, determination of appropriate ways of managing and controlling such risks, and monitoring of this risk management process.

History of risk management

The origin of risk management as a role within a company is attributed to Fayol, who is regarded as the father of management. In his 1916 article he proposed 6 functions of management, which included a security function. The security function was associated with the protection of people and property. The current risk management function is much more comprehensive, but Fayol’s security function was a first glimpse of the current risk management function. The importance of a proper risk management function was acknowledged in the 1960s in the USA and thereafter spread around the world.

The term “risk management” was formally used only from the 1950s. Initially, the risk management function was closely associated with insurance. This slowed down the development of the function. The first book on risk management, entitled “Risk Management in the Business Enterprise”, was written by Robert I. Mehr.

Enterprise Risk Management and Culture

Enterprise risk management incorporates risk awareness into the culture of the organization. The risk culture of the organization significantly contributes to the success of the enterprise risk management. Employees need to see risk as an integral variable which needs to be managed, controlled and monitored. Each employee needs to understand their role in the risk management of the enterprise. Leadership support of the importance of risk management significantly contributes to adequate risk management culture.

Enterprise risk management uses advances in technology for management of risk.

“Enterprise-wide” in enterprise-wide risk management refers to the elimination of barriers between functions, departments and other groupings within the organization.

Risk management infrastructure & risk management capabilities – To ensure effective enterprise risk management processes, organizations need to establish an adequate set of risk management capabilities. Risk management capabilities refer to the abilities of an organization that allow it to undertake effective risk management processes. These include the abilities to identify, measure, manage and monitor risks.

An appropriate set of risk management capabilities allows the organization to have a clear understanding of how their risk management decisions affect the bottom line and long term wealth maximization of the shareholders, which is the ultimate objective of the enterprise.

If an evaluation establishes that additional risk management capabilities are required, it is important to undertake cost-benefit analyses to ensure that the cost of the additional risk management capabilities will be more than offset by the benefits they will bring.

Certain risk capabilities which are adequate in one company to manage specific risk may be inadequate for another company which attempts to manage the same risk. Each organization must select risk management capabilities suitable to its particular individual needs, based on the particular risk exposure.

Risk management process monitoring and adjustment

The existing business environment is very turbulent. Risk exposures and factors affecting risks may alter all the time. Therefore, ongoing risk monitoring and adjustment of risk management strategies become an increasingly important step in the enterprise risk management process.

An organization needs to gain a good understanding of the risk management process. The main goal of the risk management monitoring process is to assess how effective the risk management process is.

Why is risk management monitoring important?

The main goal of risk management monitoring is to determine effectiveness of the enterprise risk management process. If the risk management process is not adequately monitored, shortcomings of the process may negatively affect achievement of the strategic objectives of the enterprise.

Ongoing monitoring of the performance of the risk management process and risk management environment leads to continuous improvement of the entire enterprise risk management process.

To monitor risk management performance, risk management performance standards should be established against which performance can be measured. Such standards may include timetables within which certain goals should be achieved, budgets, and specific areas of the enterprise’s performance which are vital for organizational success. After performance standards are established, they must be monitored on an ongoing basis.

Risk Categories

There are two main risk categories: speculative risk and event risk.

The ultimate goal of the firm is to maximize shareholder’s wealth. The environment is changing rapidly and any change may result in additional risks and losses. Therefore, effective enterprise risk management is essential to ensure achievement of the main objective of the enterprise, which is maximizing wealth of the shareholders. Both risk categories should be diligently managed.

Speculative risks can result in a gain or loss, such as fluctuating interest rates. An enterprise may protect itself from adverse effects of speculative risks by various techniques such as hedging. Speculative risks are further subdivided into core business risks and incidental risks.

Core business risks are part of the main business of the enterprise and are reflected in the mission statement. Core business risks may negatively impact the operating profit of the enterprise. Core business risks can be specific (unsystematic) or market (systemic). Specific risks include risks which impact only the enterprise and do not impact the economy as a whole. Specific risks include those associated with sales variability, operating leverage, resource risk, profit margin and turnover. Specific risks are also called diversifiable risks. Systemic risks are risks which impact the economy and the enterprise. Systemic risks entail the occurrence of a negative market-wide event, such as the risk of collapse of an entire market. They are also called un-diversifiable risk. Investors require higher returns for increases in systemic risk.

Incidental risks are risks that occur naturally in the business but are not part of the main business. However, control of such risks is vital to ensure survival of the enterprise.

Whether a risk is considered to be core or incidental sometimes depends on the activities of the enterprise. For example, interest rate risk will be a core business risk for a financial institution and an incidental business risk for a manufacturing enterprise.

Event risks can result in losses, such as fire, or can result in no loss but cannot result in any gain. A business may protect itself from adverse effects of event risks by various techniques such as insurance. Event risks can be fundamental or particular.

Fundamental event risks refer to impersonal losses on the macro level.

Particular event risks refer to personal losses on micro level such as a car accident.

Event risks are subdivided into operational and external downside risks:

Operational risks are further subdivided into people, process and systems risks. They refer to risks which occur due to failures during the execution of operations.

External downside risks are risks that cannot be directly controlled by an enterprise and which can occur due to external factors. External downside risks are all risks that occur due to external factors that may have no effect or an adverse effect on the enterprise. External downside risks are very difficult to manage. Examples of external downside risks include natural disasters, terrorist attacks, criminal threats and litigation.

Blogbschool.com is powered by www.firmsconsulting.com. Firmsconsulting is a training company that finds and nurtures tomorrow’s leaders in business, government and academia via bespoke online training to develop one’s executive presence, critical thinking abilities, high performance skill-set, and strategy, operations and implementation capabilities. Learn more at www.firmsconsulting.com.
