enterprise risk - Thomson Reuters Accelus

ENTERPRISE RISK: ESTABLISHING THE RISK APPETITE FOR UNIFYING THE LINES OF DEFENSE
Thomson Reuters Accelus, April 2015
The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.
“Lines of defense” has become an increasingly prominent expression in research journals, academia, business publications and regulator speeches. It describes how management, risk, compliance and internal audit departments work together, and it is an illustrative phrase that is generally understood and easy enough to apply to an organization, a soccer field or scientific research. The expression originates from medieval castle systems, and not necessarily the dreamy stone castles that withstood time and still remain today. The original castles were mostly wood and earth mounds; the moats, drawbridges, stone walls and look-outs were added in response to advancements in weaponry. In other words, the lines of defense were forced to evolve based on external risks. Civility has prevailed; however, “lines of defense” as a modern expression is still appropriate from a defensive (and sometimes offensive) point of view for any organization.
Current day references and research around
lines of defense point to three internal “lines”
that come together to protect the organization:
• The first line encompasses operations, from business units to centralized processes and from products/services to legal entities, as well as the organizational hierarchy beneath them. This line sometimes includes senior management, as this line owns the internal controls (not only the financially significant controls identified under Sarbanes-Oxley or other internal controls regulations).
• The second line encompasses risk and compliance oversight and management. This line can involve diverse naming conventions as a result of the organization’s industry, regulators, physical/monetary size, etc.
• The third line is usually referred to as internal audit: the independent and objective function that reports to the audit committee, with a dotted line to executive management. Note that this is distinct from internal controls, as they are owned by senior management, and are sometimes included in the first line of defense.
The lines of defense are meant to be separate
and distinct from each other, having differing
roles with a single unifying objective - to
manage and monitor all risks across the entire
organization. Sadly, the unifying objective
has many differing perspectives or frames of
reference, as modern day organizations are
overly complex, continuously evolving and
somewhat bifurcated across many different
proverbial lines, including:
• Businesses, industries and customers
• Product and service lines
• Geographies
• Legal entities
• Operating units, etc.
Each of the bifurcations has a valid rationale
and purpose, but when it comes to lines of
defense, they further complicate how the
organization manages and monitors all of its
risks. Consequently, most genuine attempts
to unify the organization along the lines of
defense are unsustainable and lack appropriate
momentum within the organization. Such lack
of momentum is often due to the lack of an
appropriate mandate, inadequate executive
involvement in the process and the challenge
inherent in acknowledging that the lines of
defense do not present an opportunity to cut
costs. The modern day use of the expression “lines of defense” in speeches and publications is intended to demonstrate organizational depth through a unified single objective and cohesive organizational response. Sounds
easy, except when one realizes that the lines
of defense have matured their approaches,
processes and methods over the years. The
lines of defense are sometimes further broken
up by IT security, IT compliance, privacy,
environmental health and safety, and other
various efforts to monitor and mitigate risk
within the organization. All of a sudden, the
lines of defense have turned into herding cats
around a risk management initiative!
WHICH CAME FIRST, THE CHICKEN OR
THE EGG?
Rather than debate whether the greater priority
is to harmonize practices across the lines or
within each line, let’s start with the headlines.
In the last twenty plus years, Enterprise Risk
Management (ERM) as an organizational
initiative has gone through various peaks and
troughs and, depending on the organization’s
industrial sector(s), the expectations around
risk management have also ebbed and flowed.
Some consider the notion of ERM to be more
critical for banks, financial institutions, insurers
and organizations regulated within certain
countries and less important for other industrial
sectors or geographies. For others, ERM is
about risk management and often considered
a secondary focus within the business. The Global Association of Risk Professionals (GARP) defines ERM as:
“Enterprise Risk Management is a
collection of processes, methods, and
other approaches businesses and other
organizations use to manage, monitor, and
measure risks.”
In other words, ERM as a broad initiative is adopted, defined, executed and controlled depending on the organization. While some ERM industry specifications and standards exist, organizational adoption is truly a self-defined framework and approach. ERM industry specifications and standards can be found in COSO ERM and ISO 31000, with broad disclosure guidance from the U.S. SEC, the UK Turnbull Guidance, the Toronto Stock Exchange, KonTraG and the credit rating agencies Standard & Poor’s (S&P) and Moody’s Analytics.
All of the above provide varying contexts for
ERM and demonstrate the fundamental need
for an organization to establish its own view
of ERM. Said another way, ERM provides the
unifying objective on how the organization
manages and monitors its greatest risks across
the organization.
WHAT HEADLINE STORY ABOUT THE
ORGANIZATION WOULD ALTER HOW THE
ORGANIZATION VIEWS AND HANDLES
ENTERPRISE RISKS?
Before the above question is answered, it is
important to consider whether the headline
was due to a lack of ERM or due to a potentially
larger corporate governance issue. Too often,
the enterprise risks within an ERM initiative
are documented, prioritized, managed and
even monitored, but they lack the appropriate
context, relevance and accountability for them to
be actionable. For example, the enterprise risks:
• Do not align with the organization’s objectives
• Are thought to be more of a matter between executive management and senior management
• Are too outlandish to be possible
• Are less of a priority than the issues that the Board of Directors is already handling
Organizations hope that tomorrow’s headline
stories will not center on how their cyber
risk management approach failed to protect
transactional records or how their vendor risk
management failed to stop illegal contracts with
customers or suppliers. These two enterprise
risks are well known and well documented and
are active topics in the news and most business,
IT, academic and corporate publications and
trade journals. In other words, the headline
stories should not have been a wake-up call
to management, but rather a confirmation of
the organization’s exposure and a heightened
demonstration of how the organization responds
to and manages such enterprise risks when they
are realized.
Regrettably, what usually happens is that approximately five to seven days after the headline, it emerges that the Board of Directors and executive management were either uninformed about these enterprise risks or that the risks were not treated as priorities, given the likelihood of them being realized and their expected impact. These are not flawed ERM initiatives, but rather corporate governance failures: the enterprise risks were not actively managed, in that they were not communicated on a routine basis to the Board of Directors and executive management.
A number of ERM naysayers will point to a few facts to support their position, maintaining that it is impossible to mitigate all risks within the organization. In other words, an organization’s sole purpose is not to reduce or mitigate all of its risks. This is correct, but it is also important to know that ERM is about managing risk, not mitigating every risk, and these were well known risks with known organizational exposures, not emerging, inconsequential risks. Other ERM naysayers will point to cost-benefit or return on investment analysis to justify the actions that were or were not taken. They would be factually correct that the costs to manage the enterprise risk, at the time it was a known exposure to the organization, were probably greater than the perceived benefits of managing it. In other words, incurring the costs would not necessarily have prevented the risk from occurring. Unfortunately, they would be guilty of silo thinking, because realized enterprise risks usually result in collateral damage to the organization. The collateral damage is hard to quantify, but it is very easy to qualify the damage to reputation, brand and confidence in how management runs the organization.
A useful illustration of the difficulty in calculating the benefits of an ERM initiative follows.
In a 2012 news story, an employee found a USB drive in the employee parking lot and picked it up, only to hand it over to the company’s IT department rather than plug it in. The employee’s actions point to a thorough risk awareness within the organization. The company’s IT department later confirmed that the USB drive contained malware, and further that the employee’s prompt action prevented an attempt at corporate espionage. Numerous other organizations have used this actual news story to conduct scenario tests (typically a planted test drive, to see what staff do with it) and uncover vulnerabilities, unfortunately with very different results. Employees are aware, in the abstract, of the risk of using a foreign USB drive; the scenario presents both civility and vulnerability in a whole new light.
THE RISK APPETITE
ERM, at its core, is about establishing a risk
appetite for the organization that articulates
how each employee, director, contractor or
consultant is accountable and evaluated,
based on how they handle risk on a daily basis.
The risk appetite describes the organization’s position on risk, as well as expectations around communicating and acknowledging risk (risk awareness) and actively managing or mitigating risk based on various measures or indicators. The organization’s position is a management-defined (executive or senior) approach as to which risks should be managed, that is, accepted and tracked, and which should be mitigated, that is, actively reduced. The managed risks are tracked on a periodic basis, while the mitigated risks are monitored more frequently.
Depending on the nature of any of the risks,
different levels of management and the Board
of Directors will be involved in the various
tracking and monitoring exercises. In summary,
an organization’s risk appetite is what aligns
the lines of defense to act cohesively in the
monitoring or mitigation of such risks and their
residual implications.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) wrote in its 2004 Enterprise Risk Management Integrated Framework that:
“Risk appetite is the amount of risk, on
a broad level, that an entity is willing to
accept in pursuit of value. It reflects the
entity’s risk management philosophy, and
in turn influences the entity’s culture and
operating style. Many entities consider risk
appetite qualitatively, with such categories
as high, moderate, or low, while others take
a quantitative approach, reflecting and
balancing goals for growth, return, and
risk. A company with a higher risk appetite
may be willing to allocate a large portion of
its capital to such high-risk areas as newly
emerging markets. In contrast, a company
with a low risk appetite might limit its
short-term risk of large losses of capital by
investing only in mature, stable markets.
Risk appetite is directly related to an entity’s
strategy. It is considered in strategy setting,
as different strategies expose an entity to
different risks. Enterprise risk management
helps management select a strategy that
aligns anticipated value creation with the
entity’s risk appetite…
Risk appetite guides resource allocation.
Management allocates resources among
business units and initiatives with
consideration of the entity’s risk appetite
and the unit’s plan for generating desired
return on invested resources. Management
considers its risk appetite as it aligns
its organization, people, and processes,
and designs infrastructure necessary to
effectively respond to and monitor risks.”
COSO’s definition of the risk appetite does a tremendous job of making it almost immediately actionable, with the ability to be ingrained into performance management. While numerous regulators, quasi-government associations and professional associations have accepted and, at times, enhanced the definition, it still remains somewhat vague for the three lines of defense.
An example of how other quasi-government
associations have also sought to define the risk
appetite statement can be found in the 2013
definition by the Financial Stability Board (FSB):
“The articulation in written form of the
aggregate level and types of risk that a
financial institution is willing to accept, or
to avoid, in order to achieve its business
objectives. It includes qualitative statements
as well as quantitative measures expressed
relative to earnings, capital, risk measures,
liquidity and other relevant measures as
appropriate. It should also address more
difficult to quantify risks such as reputation
and conduct risks as well as money
laundering and unethical practices.”
The FSB’s definition is useful in linking the
types of risk with the matters that are key to
financial institutions. The definition is still vague
for the lines of defense and lacks some of the
actionable nature found in the COSO definition.
In both definitions of the risk appetite, there is
not enough context on how the organization
came to define this as their risk appetite, how
the specific risks were deemed to be more
significant than other, more mundane risks, and
finally how the risk appetite statement needs
to distill the complexity into layman’s terms.
How do organizations keep enterprise risks from
becoming corporate governance failures? In
essence, this is done by keeping the risk appetite
current, aligned with relevant organizational
strategies and agreed upon objectives, and top
of mind for all internal stakeholders.
RISK CULTURE
Over the last 25 years, more and more attention
has been placed on organizational culture
and specifically on how risk is handled within
an organization. This is risk culture. The term
organizational culture has many definitions
that demonstrate the many perspectives and
factors involved in its definition. In 1985, Edgar
Schein, a Massachusetts Institute of Technology
(MIT) professor emeritus in the Sloan School of
Management, published what has become the
definition for organizational culture in his book
entitled “Organizational Culture and Leadership”:
“A pattern of shared basic assumptions that was
learned by a group as it solved its problems of
external adaptation and internal integration,
that has worked well enough to be considered
valid and, therefore, to be taught to new
members as the correct way to perceive, think,
and feel in relation to those problems.”
In re-reading the above definition in the context of risk, it should become clear how an organization’s handling of risk evolves: it is learned, validated by what has worked and passed on to newcomers.
In the context of risk, the above definition spurs numerous questions; here are only two:
1. What mechanisms within the organization exist to manage risk as it evolves?
2. In teaching new members, how does an organization provide experiential context to situations and events unknown to both teacher and student?
Edgar Schein’s definition does a wonderful job
in articulating the intricacies of organizational
culture that are taken for granted based on
what is thought to be accepted versus what
is actually understood. Similarly, the foreign USB drive story seems to describe a mundane, ordinary risk, where the employee, rather than attempting to confirm the potential risk by plugging the drive in (precisely the action a malicious drop relies on), sought the involvement of IT to handle the vulnerability. In fact, the individual understood that the unknown posed a potential risk to corporate property and potentially to their own property and therefore, rather than add the further risk of independently confirming it, relinquished it to others who could better assess the potential risk. This is a wonderful demonstration of how the risk appetite statement of ERM and the organizational culture unify across the lines of defense.
CONCLUSION
So let us review the requirements for the lines of defense:
• The lines of defense should be assembled for the right reasons and not the wrong ones, which include:
  - Cost cutting
  - Procurement of solutions or services
  - Window dressing for a regulator or the external auditors
• The lines of defense need to be unified based on a risk appetite statement that reflects the organization’s culture and articulates the organization’s position on risk as well as expectations around communicating and acknowledging the risk (risk awareness) and actively managing or mitigating such risk based on various measures or indicators.
• The lines of defense need to be supported by an active, ongoing initiative (24 hours a day, 7 days a week, 365 days a year) and an appropriate organizational mandate:
  - The initiative must be underpinned by appropriate leadership, accountability, clearly articulated objectives and active performance measures
  - Oversight should be provided by both executive management and the Board of Directors
  - Continuous fine-tuning and improvements must be implemented
Once the above items have been established, the lines of defense can be empowered to move forward in collaborating and developing cohesion, whether in a castle or a financial institution!
ABOUT THE AUTHOR
Noah Gottesman is a Certified Internal Auditor with over fifteen years of compliance, internal
audit, internal control and risk management experience. At Thomson Reuters Accelus, Noah
serves as the Audit Advisory and Innovation Director within Professional Services, assisting clients
with Accelus implementations. Prior to joining Thomson Reuters, Noah spent thirteen years with
a big-four accounting firm, gaining global experience across a wide range of industries, including
banking and financial services, technology and insurance.
THOMSON REUTERS ACCELUS™
The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set
of solutions designed to empower audit, risk and compliance professionals, business leaders, and the
Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity.
Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-changing regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data,
Accelus brings together market-leading solutions for governance, risk and compliance management,
global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence,
training and e-learning, and board of director solutions.
For more information, visit accelus.thomsonreuters.com
© 2015 Thomson Reuters GRC02311/3-15