Enterprise Risk Management and Business Ethics

Energy Risk Professional ERP Exam Course Pack 2015

© 2015 Global Association of Risk Professionals. All rights reserved.

REQUIRED ONLINE READINGS

The Enterprise Risk Management and Business Ethics section of the 2015 ERP Study Guide includes several additional readings from online sources that are freely available on the GARP website. These readings include the following learning objectives that will be tested on the 2015 ERP Exam:

1. COSO. “Understanding and Communicating Risk Appetite” (January 2012).

• Compare and contrast the roles of risk appetite and risk tolerance and explain how an organization can align its risk tolerance to its risk appetite.

• Provide examples of considerations a firm must make in determining its risk appetite, and explain how an organization’s risk appetite can differ for various risk factors.

• Evaluate the objective and characteristics of an effective risk appetite statement.

• Describe effective strategies for how senior management can develop, communicate, monitor and update an organization’s risk appetite.

2. COSO. “Risk Assessment in Practice” (October 2012).

• Compare impact, likelihood, vulnerability, and speed of onset of potential risk events and explain how a scale can be created to assess these four factors with respect to specific potential risk events.

• Identify examples of actions a firm can take to reduce its vulnerability to specific risk events.

• Compare and contrast qualitative and quantitative measurement techniques in assessing risks, and describe examples of each.

• Capture interactions between various risk factors using techniques such as risk interaction maps and the bow-tie diagram.

• Create a hierarchy of risks using heat maps and MARCI (Mitigate, Assure, Redeploy, and Cumulative Impact) charts to aggregate, compare, and prioritize risks faced by a firm.

3. Robert Bea, Ian Mitroff, Daniel Farber, Howard Foster and Karlene H. Roberts. A New Approach to Risk: The Implications of E3 (Palgrave Macmillan 2009).

• Discuss the factors used to assess risk within a complex organization or system.

• Understand the interdisciplinary aspect of modeling risk associated with a complex system.

• Provide an example of a Type Three Error (E3) and explain how mismanagement of this error can undermine a risk management strategy.

• Describe the elements used in a Complex Infrastructure System (CIS) risk assessment.

• Explain why human error may be overlooked in risk assessment and why engineering analyses often underestimate the probability of a system failure.

4. Global Association of Risk Professionals (GARP). Code of Conduct.

• Explain the responsibility of each GARP member with respect to professional integrity, ethical conduct, conflicts of interest, confidentiality of information and adherence to generally accepted practices in risk management.

• Understand the potential consequences of violating the GARP Code of Conduct.



Thought Leadership in ERM | Enterprise Risk Management — Understanding and Communicating Risk Appetite | 3

www.coso.org

Thought Leadership in ERM

Committee of Sponsoring Organizations of the Treadway Commission

Enterprise Risk Management

Understanding and Communicating Risk Appetite

By Dr. Larry Rittenberg and Frank Martens


Authors

Dr. Larry Rittenberg, Ernst & Young Professor of Accounting, University of Wisconsin-Madison School of Business

Frank Martens, Director, PricewaterhouseCoopers (PwC)

COSO Board Members

David L. Landsittel, COSO Chair

Larry E. Rittenberg, COSO Chair - Emeritus

Richard F. Chambers, The Institute of Internal Auditors

Mark S. Beasley/Douglas F. Prawitt, American Accounting Association

Chuck E. Landes, American Institute of CPAs (AICPA)

Marie N. Hollein, Financial Executives International

Jeff C. Thomson, Institute of Management Accountants

Preface

This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by the following organizations:

American Accounting Association (AAA)

American Institute of CPAs (AICPA)

Financial Executives International (FEI)

The Institute of Management Accountants (IMA)

The Institute of Internal Auditors (IIA)

Enterprise Risk Management

Understanding and Communicating Risk Appetite

Thought Leadership in ERM

Research Commissioned by the Committee of Sponsoring Organizations of the Treadway Commission

January 2012


Copyright © 2012, The Committee of Sponsoring Organizations of the Treadway Commission (COSO). All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to [email protected] or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.



Content Outline (Page)

Executive Summary 1

Overview 3

Risk Appetite Statements 6

Risk Appetite and Risk Tolerance 11

Developing Risk Appetite 15

Communicating Risk Appetite 18

Monitoring and Updating Risk Appetite 20

Roles 21

Summary of Considerations 23

About COSO 24

About the Authors 24



Executive Summary

Organizations encounter risk every day as they pursue their objectives. In conducting appropriate oversight, management and the board must deal with a fundamental question: How much risk is acceptable in pursuing these objectives? Added to this, regulators and other oversight bodies are calling for better descriptions of organizations’ risk management processes, including oversight by the board.

This thought leadership document is one of a series of papers, sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), to help organizations implement enterprise risk management (ERM). The COSO document Enterprise Risk Management — Integrated Framework explicitly states that organizations must embrace risk in pursuing their goals. The key is to understand how much risk they are willing to accept. Further, how should an organization decide how much risk it is willing to accept? To what extent should the risks accepted mirror stakeholders’ objectives and attitudes towards risk? How does an organization ensure that its units are operating within bounds that represent the organization’s appetite for specific kinds of risk?

These questions are embodied in the notion of an entity’s “risk appetite.” The objective of this paper is to help an organization — its senior management, board, and key operating personnel — to develop and communicate a clear understanding of its risk appetite, both to determine which objectives to pursue and to manage those objectives within the organization’s appetite for risk.

Many organizations view risk appetite as the subject of interesting theoretical discussions about risk and risk management, but do not effectively integrate the concept into their strategic planning or day-to-day decision making. We believe that discussions about applying risk appetite go well beyond theory, and that when properly communicated, risk appetite provides a boundary around the amount of risk an organization might pursue. An organization with an aggressive appetite for risk might set aggressive goals, while an organization that is risk-averse, with a low appetite for risk, might set conservative goals.

Similarly, when a board considers a strategy, it should determine whether that strategy aligns with the organization’s risk appetite. When properly communicated, risk appetite guides management in setting goals and making decisions so that the organization is more likely to achieve its goals and sustain its operations.

Enterprise Risk Management and Decision Making

ERM is not isolated from strategy, planning, or day-to-day decision making. Nor is it about compliance. ERM is part of an organization’s culture, just as making decisions to attain objectives is part of an organization’s culture.

To fully embed ERM in an organization, decision makers must know how much risk is acceptable as they consider ways of accomplishing objectives, both for their organization and for their individual operations (division, department, etc.). For example, one CEO recently reported that his organization needed to increase its risk appetite amid expectations that key measures of its profitability would fall or stagnate. A financial organization with a lower risk appetite might choose to avoid opportunities that are more risky, but offer greater returns. Finally, another organization with a high risk appetite might decide to procure natural resources from a volatile country where the total investment could be wiped out at the whim of the political leader. The rewards may be high, but so too may the risks. Organizations make decisions like these all the time. Only if they clearly think about their risk appetite can they balance risks and opportunities.

An organization must consider its risk appetite at the same time it decides which goals or operational tactics to pursue. To determine risk appetite, management, with board review and concurrence, should take three steps:

1. Develop risk appetite

2. Communicate risk appetite

3. Monitor and update risk appetite

These three steps are discussed briefly below, and in detail in the body of this paper.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.


Develop Risk Appetite

Developing risk appetite does not mean the organization shuns risk as part of its strategic initiatives. Quite the opposite. Just as organizations set different objectives, they will develop different risk appetites. There is no standard or universal risk appetite statement that applies to all organizations, nor is there a “right” risk appetite. Rather, management and the board must make choices in setting risk appetite, understanding the trade-offs involved in having higher or lower risk appetites.

Communicate Risk Appetite

Several common approaches are used to communicate risk appetite. The first is to create an overall risk appetite statement that is broad enough yet descriptive enough for organizational units to manage their risks consistently within it. The second is to communicate risk appetite for each major class of organizational objectives. The third is to communicate risk appetite for different categories of risk.

Monitor and Update Risk Appetite

Once risk appetite is communicated, management, with board support, needs to revisit and reinforce it. Risk appetite cannot be set once and then left alone. Rather, it should be reviewed in relation to how the organization operates, especially if the entity’s business model changes. Management should monitor activities for consistency with risk appetite through a combination of ongoing monitoring and separate evaluations. Internal auditing can support management in this monitoring. In addition, organizations, when monitoring risk appetite, should focus on creating a culture that is risk-aware and that has organizational goals consistent with the board’s.

Can it Be Done?

This is a common question. Its tone implies two things: (1) articulating risk appetite is too difficult, and (2) risk is considered when management sets strategies, and to further communicate risk appetite is an exercise that simply adds overhead and does not contribute to organizational growth.

Recent world events — involving governments, businesses, not-for-profit organizations, and the recent financial crisis — clearly show that having a communicated risk appetite built into organizational activities could have preserved a considerable amount of capital. We all know the costs of failing to manage risk. Examples include the cost to companies and travellers when air travel closed down after a volcanic eruption in 2010 in Iceland; the cost of the financial crisis to U.S. taxpayers, stockholders, and debtholders; and the social cost of government budgets in Greece, Spain, Ireland, and Portugal.

Perhaps organizations are still tied to the old-school thinking that “it will not happen here.” The easy rebuttal is that it has happened somewhere, so all organizations should work to manage their risks within their risk appetite. Rather than asking “Can it be done?” let’s say “Let’s get it done.” Determining risk appetite is an element of good governance that managements and boards owe to stakeholders.

(Figure: the risk appetite cycle, in which the organization develops or revises risk appetite, communicates it, and monitors it, then returns to develop/revise.)


Overview

Risk Appetite is an integral part of Enterprise Risk Management

COSO’s Enterprise Risk Management — Integrated Framework defines risk appetite as follows:

The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.1

1 COSO, Enterprise Risk Management — Integrated Framework, p. 19.

This definition raises some important points. Risk appetite

• is strategic and is related to the pursuit of organizational objectives;

• forms an integral part of corporate governance;

• guides the allocation of resources;

• guides an organization’s infrastructure, supporting its activities related to recognizing, assessing, responding to, and monitoring risks in pursuit of organizational objectives;

• influences the organization’s attitudes towards risk;

• is multi-dimensional, including when applied to the pursuit of value in the short term and the longer term of the strategic planning cycle; and

• requires effective monitoring of the risk itself and of the organization’s continuing risk appetite.

As an organization decides on its objectives and its approach to achieving strategic goals, it should consider the risks involved, and its appetite for such risks, as a basis for making those important decisions. Those in governance roles should explicitly understand risk appetite when defining and pursuing objectives, formulating strategy, and allocating resources. The board should also consider risk appetite when it approves management actions, especially budgets, strategic plans, and new products, services, or markets (in other words, a business case).

In working towards their objectives, organizations choose strategies and develop metrics to show them how close they are to meeting those objectives. Managers are motivated to achieve the objectives through reward and compensation programs. The strategy is then operationalized by decisions made throughout the organization. Decisions are made to achieve the objectives (increase market share, profitability, etc.). But achieving objectives also depends on identifying risk and determining whether the risks are within the organization’s risk appetite.


Considerations Affecting Risk Appetite

Risk appetite is not developed in isolation from other factors. An organization should consider its capacity to take on extra risk in seeking its objectives. It should also consider its existing risk profile, not as a determinant of risk appetite but as an indication of the risks it currently addresses. An overview of the considerations affecting risk appetite is shown in Exhibit 1.

Exhibit 1: Overview of Considerations Affecting Risk Appetite

Existing Risk Profile: The current level and distribution of risks across the entity and across various risk categories

Risk Capacity: The amount of risk that the entity is able to support in pursuit of its objectives

Risk Tolerance: Acceptable level of variation an entity is willing to accept regarding the pursuit of its objectives

Attitudes Towards Risk: The attitudes towards growth, risk, and return

These four considerations feed into the Determination of Risk Appetite.

There may be other factors to consider as well. Some organizations may gauge how quickly their competitive environment is changing. A telecommunications company, for example, must anticipate how technology and user preferences will affect product development, making a relevant time frame important.

As an example of high risk appetite, a defense contractor dealing in trucks decided that the risk of being behind in technology was so large that it essentially “bet the company” on developing a vehicle appropriate for the types of wars occurring around the world. If the contractor had been unsuccessful in procuring a new government order, it would have been out of business. The risk appetite was high, but it was understood by all involved in the process.

However, the board was well aware of the risks, having debated the issue extensively in board meetings, and it concurred with management’s decision (an acknowledgement of risk appetite and the linkage of risk appetite and strategy). The investing public was also aware because the nature of the risks had been communicated (and the stock dropped to historic lows). What is notable is that the risk was carefully debated and the company was going to succeed or die — as opposed to almost certainly dying (slowly) if it did not take on risk through an aggressive strategy.

The point is that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. That consideration takes place throughout the execution of the strategy, and it is most important when strategy is being formulated with due regard for risk appetite.


One major problem that led to the current financial crisis was that although objectives had been created, there was no articulation of risk appetite or identification of those responsible when risks were incurred.

An organization has a number of goals and objectives it can pursue. Ultimately, it will decide on those that best meet stakeholder preferences for growth, return, safety, sustainability and its willingness to accept risk. The objectives, in turn, may be pursued using a number of alternative strategies. As shown in Exhibit 2, the articulation of a risk appetite provides bounds on the choice of strategies and the operational decisions that are made to pursue those objectives.

Exhibit 2: Interrelationship of Strategy, Management Decisions, and Risk Appetite

The exhibit shows the following sequence:

• Sets strategic goal and objectives

• Formulates strategies (Strategy 1, Strategy 2, Strategy 3, ...)

• Establishes operations, compliance, and reporting objectives

• Makes decisions on how to manage risks relating to the achievement of objectives

Across all of these steps, the organization considers risk appetite in setting of strategies, objectives, and how to manage risks.

In a recent survey, less than half of the respondents said they had a formal process for developing and communicating risk appetite.2

Steps in Adopting Risk Appetite

Each organization must determine its own risk appetite; there is no single universal risk appetite. But how does an organization get to the point of having a risk appetite statement that can be communicated through the organization? And how does risk appetite stay relevant over time?

To effectively adopt risk appetite, an organization must take three key steps:

1. Management develops, with board review and concurrence, a view of the organization’s overall risk appetite.

2. This view of risk appetite is translated into a written or oral form that can be shared across the organization.

3. Management monitors the risk appetite over time, adjusting how it is expressed as business and operational conditions warrant.

These three steps will be discussed in detail in later sections of this paper.

2 Towers Watson, 2011 Risk and Finance Manager Survey.

Risk Appetite Statements

An organization’s risk appetite should be articulated and communicated so that personnel understand that they need to pursue objectives within acceptable limits. Without some articulation and communication, it is difficult for management to introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits. A risk appetite statement effectively sets the tone for risk management. The organization is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance, and reporting objectives.

The length of a risk appetite statement will vary by organization. Some statements require several sentences to express how much risk is acceptable, while others may be more succinct and still clearly communicate management’s appetite for risk. The aim is to balance brevity with the need for clarity.

Characteristics of Effective Risk Appetite Statements

A risk appetite statement is useful only if it is clear and can be implemented across the organization. As we noted earlier, risk appetite must relate to the pursuit of organizational objectives and must start at the top. In developing and evaluating a statement, the organization should ensure that risk appetite (Exhibit 3)

• directly links to the organization’s objectives;

• is stated precisely enough that it can be communicated throughout the organization, effectively monitored, and adjusted over time;

• helps with setting acceptable tolerances for risk, thereby identifying the parameters of acceptable risks (discussed in the next section);

• facilitates alignment of people, processes, and infrastructure in pursuing organizational objectives within acceptable ranges of risk;

• facilitates monitoring of the competitive environment and considers shareholders’ views in identifying the need to reassess or more fully communicate the risk appetite;

• recognizes that risk is temporal and relates to the time frame of the objectives being pursued; and

• recognizes that the organization has a portfolio of projects and objectives, as well as a portfolio of risks to manage, implying that risk appetite has meaning at the individual objective level and at the portfolio level.

Exhibit 3 (diagram): Risk Appetite at the centre, linked to: Link to Objectives; State With Sufficient Precision (Communicate, Monitor, Adjust); Determine Acceptable Risk Tolerances (Specific Objectives); Facilitate Alignment (People, Process, Infrastructure); Facilitate Monitoring of Risk (Operations Decisions); Time Frame, Portfolio of Projects.

Risk appetite should be descriptive enough to guide actions across the organization. Management and the board should determine whether compensation incentives are aligned with risk appetite, not only for top management but throughout the organization.


Reluctance to Embrace Risk Appetite

Some organizations are reluctant to develop and communicate risk appetite. Others might argue that risk management did not prevent the recent financial crisis and thus question the usefulness of ERM in general. Others believe that they have expressed their organization’s risk appetite in the normal course of business, and that developing further risk appetite statements will not result in any new approach to managing risk.

Such arguments can be misleading to management and the board. To forgo discussion of an organization’s risk appetite is to assume that everyone will understand vague comments. History shows that when risk appetite is not considered (especially in compensation schemes), the organization often suffers from greater risks than anticipated. For example, had financial institutions clearly communicated a risk appetite for unsecured mortgage-backed financial instruments, their management and boards would have likely asked questions that would lead to better risk identification, such as the following:

• What if housing failures differ from the historical model?

• What if mortgages fail systematically and are highly correlated to an area we are investing in?

• Could decisions made by some of our operational personnel be creating risks that go beyond our risk appetite?

Risk Appetites Are Not All the Same

Regulators and investors are calling for greater disclosure of risk management processes so that shareholders can better understand not only the risks an organization faces, but the organization’s appetite for risk and how it manages (or accepts) that risk. For example, a mining company we are aware of clearly identified its risk appetite and risk mitigation procedures for operational risks. At the same time, it decided it could not manage commodity price risk, leaving stakeholders to decide how to consider that risk in developing their portfolios.

Some companies embrace a high appetite for regulatory risk believing that it will lead to greater profitability because regulator fines were significantly lower than the cost of mitigating the compliance risks. One company ignored many health and safety regulations and fines when incurred, but it did not fully understand the magnitude of risks, such as the government shutting down its operations. While the company had a high risk appetite for fines, its lack of appreciation for the risk of shutdown led to a poorly articulated and implemented risk appetite. Organizations can choose to have high or low risk appetites, but those appetites need to consider shareholder interests and the type and magnitude of risks that the organization needs to manage. We have no preference for a particular level of appetite. Whatever the risk appetite is, it should be stated clearly enough that it can be managed throughout the organization, and reviewed by the board of directors.

To earn an “adequate” score for overall ERM from some rating agencies, management must be able to articulate risk appetite and assess and reconcile the appropriateness of individual risk limits given to operational management.


“Business performance can be increased if capital and resources are allocated more effectively, reflecting the balance of risks and rewards in a more integrated and dynamic fashion. In that respect, risk appetite can be considered the cornerstone of modern approaches to bank management, such as value-based management (VBM) and its various implementations.”3

3 IBM, Risk Appetite: A Multi-faceted Approach to Risk Management, April 2008.

Examples of Risk Appetite Statements

Risk appetite statements often start out broad and become more precise as they cascade into departments and operations across the organization. Some organizations find that broad statements crafted around terms such as “low,” “medium,” or “high” appetite meet the characteristics of risk appetite statements listed above. Others are more precise, making statements like “We are not comfortable accepting more than a 10% probability that we will incur losses of more than a set dollar amount in pursuit of a specific objective.”

Which type of statement is best for a particular entity is a management decision. Some organizations may find terms like “low appetite” clear enough to be communicated and monitored effectively within the organization. However, such statements are vague and can be difficult to communicate and implement. Often, as organizations become more experienced in risk management, their risk appetite statements will become more precise.

The following examples of risk appetite statements illustrate the characteristics we identified above.

Health Care Organization: The following represents one part of the health care organization’s risk appetite statement. The organization has specific objectives related to (1) quality of customer care, (2) attracting and retaining high-quality physicians and health researchers, and (3) building sustainable levels of profit to provide access to needed capital and to fund existing activities. The statement starts as follows:

The Organization operates within a low overall risk range. The Organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives.

In our view, this risk appetite statement does three things effectively:

• Communicates, with sufficient precision, that the organization wants to sustain its business over a long period of time

• Expresses a low risk appetite in pursuing all the organization’s objectives

• Expresses a very low appetite for risks associated with employee safety and compliance


University: The university’s main objective is to continue as a preeminent teaching and research university that attracts outstanding students and is a desired place of work for top faculty.

The university’s risk appetite statement acknowledges that risk is present in almost every activity. The critical question in establishing the risk appetite was “How willing is the university to accept risk related to each area?” In thinking through the process, members of management used a continuum (Exhibit 4) to express risk appetite for the university’s major objectives (teaching, research, service, and operational efficiency). They placed various risks along the continuum as a basis for discussion at the highest levels.

Exhibit 4: A continuum running from Acceptable to Not Acceptable, with risks placed along it in this order: increased costs due to incompatibility with legacy computer systems; reduced security of IT; reduced teaching reputation; reduced research reputation.

From an operational viewpoint, for example, management assigned a high risk appetite to the cost of computer incompatibility, a more moderate risk appetite to issues of teaching excellence, a low risk appetite to information system security, and a very low risk appetite to its reputation as a leading research organization.

The university found that ordering its risk appetites across the continuum helped it shape a risk statement. Putting this into practice, the university

• exhibited a higher risk appetite when approving a new computer system that offered greater processing capacity but also had potential compatibility issues with legacy systems;

• exhibited a low risk appetite for significant breaches of security or unauthorized access to classified records (the new system was viewed as better controlled than the legacy system, thus supporting the decision to approve the new system);

• expressed a moderate risk appetite for teaching quality; and

• expressed a very low risk appetite for risks that would significantly reduce its research reputation.


This example illustrates how risk appetite and strategy interact at the highest levels of an organization. The discussion of risk appetite guided the university’s strategies for dealing with issues such as budget cuts and their effect on teaching, research, service, and operations.

Financial Services Organization: This company considers quantitative measures to be part of setting risk appetite, and it focuses on economic capital as a primary measure. The company manages its financial operations to attain a reasoned risk/return relationship, which serves as a guideline for acceptable credit risks, market risks, and liquidity risks. The company’s business operations also involve risks related to strategic, reporting, compliance, and operations objectives.

This organization’s view of risk appetite specifies not only risk appetite but also acceptable tolerances around that risk appetite that require action to be taken. For example, the company communicates its risk appetite for loan impairment losses by stating that such losses should not exceed 0.25% of the loan portfolio. The company has a low tolerance for exceeding this level, and significant remediation is expected should losses go beyond 0.28%. The same company has a low risk appetite related to its insurance business, stating that claims incurred should be no more than 70% of insurance premium revenue.

This organization reviews its risk appetite annually, adjusting it by type of risk and setting target values for risk-specific indicators in light of the economic cycle and market prospects. The board reviews the risk appetite and associated policies whenever the economic outlook changes significantly.


Risk Appetite and Risk Tolerance

Risk tolerance relates to risk appetite but differs in one fundamental way: risk tolerance represents the application of risk appetite to specific objectives. Risk tolerance is defined as:

The acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite and, in turn, that the entity will achieve its objectives.4

While risk appetite is broad, risk tolerance is tactical and operational. Risk tolerance must be expressed in such a way that it can be

• mapped into the same metrics the organization uses to measure success;

• applied to all four categories of objectives (strategic, operations, reporting, and compliance); and

• implemented by operational personnel throughout the organization.

Because risk tolerance is defined within the context of objectives and risk appetite, it should be communicated using the metrics in place to measure performance. In that way, risk tolerance sets the boundaries of acceptable performance variability. A simple example in the financial industry would be to state an appetite for risks associated with collateralized debt obligations (CDO) where the CDOs are divided into tranches reflecting the estimated credit worthiness of the underlying debt. An entity buying these CDOs may set minimum risk rating levels for these tranches and then set a tolerance reflecting the maximum downside risk that is acceptable.

Some tolerances are easy to express in qualitative terms. For example, an organization may have a low risk appetite for non-compliance with laws and regulations and may communicate a similarly low tolerance for violations — for example, a zero tolerance for some types of violations and slightly higher tolerances for other types of violations. Or tolerance may be stated in quantitative terms. A company could say that it requires backup on its computer systems so that the likelihood of computer failure is less than 0.01%.

Risk tolerances are always related to risk appetite and objectives (Exhibit 5). Tolerances can apply to detailed areas such as compliance, computer security, product quality, or interest rate variability. Risk appetite and risk tolerances, together with objectives, guide the organization’s actions.

4 COSO, Enterprise Risk Management — Integrated Framework, p. 20.

Risk tolerances guide operating units as they implement risk appetite within their sphere of operation. Risk tolerances communicate a degree of flexibility, while risk appetite sets a limit beyond which additional risk should not be taken.

Exhibit 5: Management sets OBJECTIVES with board oversight. Management, with board review and concurrence, articulates a RISK APPETITE that is acceptable in pursuit of those objectives. Management sets TOLERANCES around risks acceptable at the organizational unit level or functional unit level in measuring the achievement of objectives.


Most organizations have multiple operational objectives related to profitability, some of which might create additional or complementary risks. For example, the managers of an aerospace company might want to improve a product’s profitability but know the company has a low risk appetite for not meeting client expectations. They know they cannot reduce product costs if such changes would decrease performance. For example, the company might use new technology, but it cannot use inferior components.

To further illustrate, assume management and the board have set specific profit objectives by product line — for example, maintain a specific gross margin or return on capital for the product line. But they have communicated a low risk appetite for product failure, for loss of customers because of product quality or delivery, and for potential lawsuits related to product design or performance. The articulation of risk tolerances helps guide the company’s operational development.

Linking Risk Appetite and Risk Tolerance

The following examples illustrate the relationship between risk appetite and related risk tolerances.

Aerospace Supplier: This company translates its risk appetite statement into tolerances for operational implementation. A high-level objective is to grow by 8% a year (revenue and operating earnings) by working with customers to improve products and market share. Because of the long-term nature of its supply arrangements and product development, the company has communicated the broad parameters of its risk appetite, which then cascade into risk tolerances relating to operations, reporting, and compliance, as shown below. While the company seeks to grow at this rate, acquisitions should not put the company’s capital structure at risk. There is a low risk appetite for allowing the capital structure to be so leveraged that it hinders the company’s future flexibility or ability to make strategic acquisitions.

Operations Tolerances

• Near zero risk tolerance for product defects

• Low risk tolerance for sourcing products that fail to meet the company’s quality standards

• Low, but not zero, risk tolerance for meeting customer orders on time, and a very low tolerance for failing to meet demands within x number of days

• High risk tolerance for potential failure in pursuing research that will enable the company’s product to better control, and increase the efficiency of, energy use

Reporting Tolerances

• Low risk tolerance concerning the quality, timing, and accessibility of data needed to run the business

• Very low risk tolerance concerning the possibility of significant or material deficiencies in internal control

• A low risk tolerance related to financial reporting quality (timeliness, transparency, GAAP, etc.)

Compliance Tolerances

• Near zero risk tolerance for violations of regulatory requirements or the company’s code of ethics


Company management has been comfortable communicating risk appetite through its actions and performance reviews. However, as the company has grown, it has found that the risk appetite is not fully understood, especially among new operational units. Nor is it understood that policies relate to objectives and are often designed to minimize the risks involved in pursuing those objectives. One division, for instance, failed to follow a company policy because it did not fully understand that the policy was in place to mitigate a significant risk, thus leading to losses. Linking the policy to the risk and risk appetite would have led to better mitigation of the underlying risks.

University: The university in our earlier example has a very low appetite for risk associated with its research reputation. However, given budget shortages, the university also knows it cannot make the same commitment to research and teaching as in the past. The organization has expressed a higher risk appetite for actions resulting in lower-quality teaching. In other words, research that leads to better understanding and innovation is extremely important, but the quality of teaching, though important, is an area where the university can accept more risk for potential decreases.

The university communicated its risk appetite in broad terms, both through the university and, as a public institution, within the state. However, to operationalize the risk appetite within each of its schools, the university had to express risk tolerances for the two key objectives of excellence in research and teaching — while dealing with a 10% budget decrease. The risk tolerances were expressed as follows.

Research: Tolerance Statements Consistent With Low Risk Appetite

• The university does not expect any decrease in the nature, quality, or number of publications related to its research mission.

• The university does not expect any decrease in the number or dollar value of outside research grants generated by faculty.

Teaching: Tolerance Statements Consistent With Moderate Risk Appetite

• Student teaching evaluations should not decline by more than 5%.

• Where individual schools within the university are ranked by outside evaluators on student preparedness and quality of students, there should be no more than a 5% decline.

• The caliber of students wanting to attend the university should not decline by more than 2%, as measured by standard university admissions data such as SAT or ACT scores, percentile ranking in high school graduating class, or extent of community service before attending university.

The idea behind the risk tolerances is that if the university falls below any of the measures, corrective action will take place. Corrections will come not from adjusting the risk appetite but from reassessing the risk appetite and the strategies the university has implemented in the context of the risk appetite.


Examples of Risk Tolerance Statements

The following examples from organizations show how risk tolerance might be stated and aligned with broader risk appetite.

Risk Appetite: The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.

Risk Tolerance: While we expect a return of 18% on this investment, we are not willing to take more than a 25% chance that the investment leads to a loss of more than 50% of our existing capital.

Risk Appetite: The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses.

Risk Tolerance: We will not accept more than a 5% risk that a new line of business will reduce our operating earnings by more than 5% over the next ten years.

Risk Appetite: A health services organization places patient safety amongst its highest priorities. The organization also understands the need to balance the level of immediate response to all patient needs with the cost of providing such service. The organization has a low risk appetite related to patient safety but a higher appetite related to response to all patient needs.

Risk Tolerance: We strive to treat all emergency room patients within two hours and critically ill patients within 15 minutes. However, management accepts that in rare situations (5% of the time) patients in need of non-life-threatening attention may not receive that attention for up to four hours.

Risk Appetite: A retail company has a low risk appetite related to the social and economic costs for sourced products from foreign locations that could be accused of being child sweatshops or having unhealthy working conditions.

Risk Tolerance: For purchasing agents, the risk tolerance is set at near zero for procuring products that do not meet the organization’s quality and sourcing requirements.

Risk Appetite: A manufacturer of engineered wood products operates in a highly competitive market. To compete, the company has adopted a higher risk appetite relating to product defects in accepting the cost savings from lower-quality raw materials.

Risk Tolerance: The company has set a target for production defects of one flaw per 1,000 board feet. Production staff may accept defect rates up to 50% above this target (i.e., 1.5 flaws per 1,000 board feet) if cost savings from using lower-cost materials is at least 10%.
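The tolerance statements above (and the financial services company's 0.25% / 0.28% loan impairment limits earlier) are only useful if someone checks reported metrics against them every period. The following is an added example, not code from COSO or any of the organizations described: a small monitor that classifies an observed metric as within appetite, within tolerance (monitor), or in breach (remediate). The numeric limits are taken from the statements on this page; the status labels, the Tolerance class, the direction flag, and the parameters of the conditional defect-rate rule are this example's own design.

```python
"""Monitoring metrics against risk tolerances.

Added example, not from the COSO paper. The limits come from the statements
quoted on this page; the status labels, the Tolerance class and the
conditional defect-rate rule are this example's own design.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

WITHIN_APPETITE = "within appetite"
WITHIN_TOLERANCE = "within tolerance: monitor"
BREACH = "breach: remediate"


@dataclass(frozen=True)
class Tolerance:
    """A tolerance band around one metric, in the units used to measure the objective."""
    metric: str
    appetite_limit: float
    remediation_limit: Optional[float] = None   # None: no slack beyond the appetite limit
    higher_is_worse: bool = True                # False for metrics that must not fall

    def _worse_than(self, observed: float, limit: float) -> bool:
        return observed > limit if self.higher_is_worse else observed < limit

    def status(self, observed: float) -> str:
        if not self._worse_than(observed, self.appetite_limit):
            return WITHIN_APPETITE
        if self.remediation_limit is not None and not self._worse_than(observed, self.remediation_limit):
            return WITHIN_TOLERANCE
        return BREACH


# Limits taken from the statements on this page (percentages as plain numbers).
TOLERANCES: List[Tolerance] = [
    Tolerance("loan impairment losses, % of portfolio", appetite_limit=0.25, remediation_limit=0.28),
    Tolerance("insurance claims, % of premium revenue", appetite_limit=70.0),
    Tolerance("decline in student teaching evaluations, %", appetite_limit=5.0),
]


def monitor(tolerances: List[Tolerance], observations: Dict[str, float]) -> Dict[str, str]:
    """Status of every monitored metric; metrics without an observation are reported as such."""
    return {t.metric: (t.status(observations[t.metric]) if t.metric in observations else "no data")
            for t in tolerances}


def defect_status(flaws_per_1000_bf: float, cost_saving: float,
                  target: float = 1.0, slack: float = 0.5, min_saving: float = 0.10) -> str:
    """Conditional tolerance from the wood-products statement: up to 50% above the
    target defect rate is tolerated only if the material cost saving is at least 10%."""
    if flaws_per_1000_bf <= target:
        return WITHIN_APPETITE
    if flaws_per_1000_bf <= target * (1 + slack) and cost_saving >= min_saving:
        return WITHIN_TOLERANCE
    return BREACH


if __name__ == "__main__":
    # Constructed observations for one reporting period (not real figures).
    observed = {
        "loan impairment losses, % of portfolio": 0.27,
        "insurance claims, % of premium revenue": 72.0,
        "decline in student teaching evaluations, %": 3.0,
    }
    for metric, state in monitor(TOLERANCES, observed).items():
        print(f"{metric}: {state}")
    print("defects 1.2/1000 bf, saving 12%:", defect_status(1.2, 0.12))
    print("defects 1.2/1000 bf, saving 5%:", defect_status(1.2, 0.05))
```

The point of the three-way status is that a tolerance is not a single line: the appetite limit is where attention starts, the remediation limit is where mandatory action starts, and a metric with no stated slack (the 70% claims ratio) goes straight from within appetite to breach. The defect-rate rule shows that a tolerance can be conditional on a second measure, which a plain threshold cannot express.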


Developing Risk Appetite

We have identified the characteristics of an effective risk appetite statement and noted how those characteristics are useful in managing risk. We have also examined the relationship between risk appetite and risk tolerances. Now we will discuss how an organization can bring out the many “implicit feelings” that management and the board may have about what they believe is the organization’s risk appetite and how discussion of those feelings leads to development of risk appetite.

Developing a risk appetite is not an end in itself and should not require an inordinate amount of time. Remember the purposes of risk appetite are

• to provide effective communication throughout the organization in order to drive the implementation of enterprise risk management;

• to change discussions about risk so that they involve questioning of whether risks are properly identified and managed within the risk appetite; and

• to provide a basis for further discussion of risk appetite as strategies and objectives change.

Also, keep in mind that any expression of risk appetite must be preceded by a discussion of strategies and objectives. The risk appetite must be linked to those objectives.

Management and boards often use one of three approaches to discuss and develop their risk appetite: (1) facilitated discussions, (2) discussions related to objectives and strategies, or (3) development of performance models.

Facilitated Discussions

Facilitated discussions can be very effective for a variety of organizations. After several iterations, management and the board can develop a risk appetite statement that reflects the combined views of the organization’s leadership and governance bodies.

The major advantage of this approach is that the facilitators encourage management and the board to clearly prioritize their objectives and their risk appetite. In addition, various scenarios can be discussed to see how the risk appetite would influence decision making throughout the organization. When discussing risk appetite, those involved should keep the organization’s strategic plan, including goals and mission, at the forefront.

A questionnaire can help capture views on risk appetite and business scenarios. Exhibit 6 shows an example. Note that the questions are broad and should be tailored to the unique factors that drive an organization’s success.

Discussions Related to Objectives and Strategies

Often the risk appetite an organization is willing to accept becomes more evident when management considers major issues facing the organization, such as new product lines, acquisitions, or joint ventures. Management of organizations with a lower risk appetite will usually react differently to acquisition, expansion, competition, and market volatility than will peers with a higher risk appetite. Reviewing and assessing these reactions can provide insight into the organization’s current risk appetite.

This approach allows management to go the extra step in discussing major strategies because it asks what the perceived risks are in pursuing objectives. The board then reviews and supports management’s identification and communication of risk appetite as it relates to specific objectives.

Developing risk appetite is about managing the organization. It is not about developing a statement to be filed in a report. There are many ways to create a clear statement of risk appetite. Organizations should identify the parameters of their risk appetite along key strategic, operational, reporting, and compliance objectives.

[Graphic: a cycle of Develop/Revise Risk Appetite, Communicate, and Monitor]


Exhibit 6

Questions to Facilitate Discussion of Risk Appetite at Management and Board Level

1. On a scale of 1 to 10, with 1 being the lowest, describe what you believe the organization’s overall risk appetite has been and what you think it should be. Explain any differences between what you perceive it has been and what you believe it should be. Relate this to your number one strategic goal.

2. Various operations help an organization achieve its objectives. Using the categories below, or other categories consistent with the organization’s operations, rate the desired risk appetite related to the following (rating can be broad, such as high, medium, or low, or precise, such as specific metrics that should not be exceeded):

a. Meeting customer requirements
b. Employee health and safety
c. Environmental responsibility
d. Financial reporting
e. Operational performance
f. Regulatory compliance
g. Shareholder expectations
h. Strategic initiatives / growth targets

As you rate each category, indicate areas where you believe the organization is taking either too much or too little risk in pursuing its objectives.

3. How would you rate the effectiveness of the organization’s process for identifying, assessing, managing, and reporting risks in relation to the overall risk appetite? What are the major areas for improvement?

4. Are management’s strategies communicated sufficiently for there to be meaningful discussion of risk appetite in pursuit of those strategies, both at the broad organizational level and at the operational level, and for consistency to be analyzed?

5. How satisfied are you that the board is providing effective oversight of the risk appetite through its governance process? This includes board committees and/or the board itself to help set the appetite and to monitor over time that management is adhering to the overall risk appetite in pursuit of value.

6. Whom do you see as more accepting of risk, or more willing to take risks to meet the goals of the organization?

a. Management
b. Board
c. Management and board have similar levels of acceptable risk

7. Does the organization motivate management (senior management and operational management) to take higher than desired risks because of the compensation plans in place? If yes, how do you believe the compensation plans should be modified to bring approaches for generating high performance within the risk appetite?

8. What do you believe the organization should do?

a. Reduce its risk appetite
b. Increase its risk appetite
c. Make no change

9. Do you believe there are risks considered to be above the organization’s existing risk appetite that need to be reduced? In other words, are there areas where the risk appetite, as currently used, is too low?

10. What risks over the past five years were, in your view, above the organization’s risk appetite? Were the risks understood when a strategy was developed? How could management have communicated its risk appetite so that the board could both (a) evaluate the risk appetite and (b) provide proper oversight? How could management have communicated its risk appetite so as to hold operational units to actions consistent with the risk appetite?


One advantage to this approach is that the board can be seen as supporting or challenging management’s risk appetite. Another is that management gains a sense of the board’s risk appetite for specific strategies and can incorporate that knowledge into a risk management process. The major disadvantage of this approach is that it can be less comprehensive. It often does not generate the specificity needed for the organization’s day-to-day activities.

Development of Performance Models

Some organizations, particularly financial institutions, use quantitative measures to express their overall risk appetite. They often arrive at these measures through performance modelling.

A company could, for instance, use economic capital to express risk appetite. Economic capital is the amount of capital a financial institution needs to remain solvent. This determination is based both on regulatory requirements and on management’s assessment of how much economic capital the institution needs to retain.

As an example, management might set its economic capital at 6% of total assets. As the organization models different scenarios of economic activity, economic situations, and its asset portfolio, it needs to set some probability around the ability to maintain economic capital. A management and board with a low risk appetite might want to be 99.9% confident (999 out of 1,000 model results) that economic activities will not place the institution below its desired level of economic capital. A company with a higher risk appetite might start with the same dollar amount but require a confidence level of only 95% (950 out of 1,000 model results). Thus, risk appetite can be composed of both dollar elements and probability elements.
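The arithmetic behind "999 out of 1,000 model results" is simple but worth making explicit, because it is the probability element that separates the two companies, not the capital floor. The following is an added example, not from COSO or any institution it describes: it takes a set of modelled loss scenarios, counts how many leave the institution below a 6% capital floor, and checks that count against the number of breaches each confidence level tolerates. The 6%, 99.9% and 95% figures come from the text; the 8% starting capital ratio and the normal loss distribution used to generate scenarios are this example's own assumptions.

```python
"""Economic-capital confidence check for a risk appetite.

Added example, not from the COSO paper. The 6% capital floor and the 99.9% /
95% confidence levels are from the text; the starting capital ratio and the
constructed loss distribution are assumptions made here.
"""
import math
import random
from typing import List, Sequence

CAPITAL_FLOOR = 0.06   # desired economic capital: 6% of total assets (from the text)


def ending_capital_ratios(starting_ratio: float, loss_ratios: Sequence[float]) -> List[float]:
    """Capital ratio after each scenario's loss; both are fractions of total assets."""
    return [starting_ratio - loss for loss in loss_ratios]


def scenarios_below_floor(ratios: Sequence[float], floor: float = CAPITAL_FLOOR) -> int:
    """Number of model results that leave the institution below its capital floor."""
    return sum(1 for r in ratios if r < floor)


def max_tolerable_breaches(n_scenarios: int, confidence: float) -> int:
    """How many of n model results may breach the floor while still meeting 'confidence'.
    For 1,000 results this is 1 at 99.9% and 50 at 95%, matching the text."""
    required_ok = math.ceil(confidence * n_scenarios - 1e-9)   # guard against 949.99999 rounding
    return n_scenarios - required_ok


def appetite_met(ratios: Sequence[float], confidence: float, floor: float = CAPITAL_FLOOR) -> bool:
    """True when the modelled scenarios keep capital above the floor often enough."""
    return scenarios_below_floor(ratios, floor) <= max_tolerable_breaches(len(ratios), confidence)


def simulate_loss_ratios(n: int, mean: float, sd: float, seed: int) -> List[float]:
    """Constructed loss model (assumption): normally distributed losses as a fraction
    of assets, truncated at zero. A real model would be driven by the asset portfolio."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(mean, sd)) for _ in range(n)]


if __name__ == "__main__":
    losses = simulate_loss_ratios(1000, mean=0.01, sd=0.01, seed=7)
    ratios = ending_capital_ratios(0.08, losses)      # assumed 8% starting capital ratio
    breaches = scenarios_below_floor(ratios)
    print(f"{breaches} of {len(ratios)} scenarios fall below the {CAPITAL_FLOOR:.0%} floor")
    for label, conf in (("low risk appetite", 0.999), ("higher risk appetite", 0.95)):
        allowed = max_tolerable_breaches(len(ratios), conf)
        print(f"{label} ({conf:.1%}): up to {allowed} breaches allowed, "
              f"appetite met: {appetite_met(ratios, conf)}")
```

Running it shows the same floor passing one appetite and failing the other purely because of the confidence level. As the text notes, the model output is only an input to the discussion: the loss distribution and the data behind it are where the real uncertainty sits, and a pass at 95% says nothing about how far below the floor the worst 5% of scenarios go.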

As part of developing (and monitoring) risk appetite, a company may model its overall risk profile. This involves taking “bottom-up” risk information and developing models that consider company-specific risks, including industry factors and broad economic factors, to create a calculated risk profile. The profile can then be compared to the overall risk appetite, helping management and the board to discuss how much risk the organization is prepared to accept. Some organizations also review key ratios from peer companies and industries to gain more input into the risk level suitable for their organization.

Modelling is typically only one part of the process of setting risk appetite. For one thing, an organization needs considerable data to prepare these calculations. For another, there are usually certain risks that are difficult to quantify and model with precision. Management and the board still need to debate and discuss the levels above which capital at risk is seen to be too high and in excess of appetite.


Communicating Risk Appetite

Once an overall risk appetite is developed, management must then choose the right mechanism for communicating it. As we noted earlier, risk appetite statements will vary, and organizations may communicate risk appetite at various levels of detail or precision. The point is that each organization should determine the best way to communicate risk appetite to operational leaders in a specific enough manner that the organization can monitor whether risks are being managed within that appetite.

To be effective, risk appetite must be

• operationalized through appropriate risk tolerances;

• stated in a way that assists management in decision making; and

• specific enough to be monitored by management and others responsible for risk management.

We have encountered three main approaches for communicating risk appetite: (1) expressing overall risk appetite using broad statements, (2) expressing risk appetite for each major class of organizational objectives, and (3) expressing risk appetite for different categories of risk.

Broad Risk Appetite Statement

Organizations that communicate overall risk appetite in broad terms may develop high-level statements that reflect acceptable risk levels in pursuing their objectives.

Some organizations use graphics, like those at right, in discussing risk appetite. A common approach is to apply some form of color banding within a heat map that indicates acceptable versus unacceptable risk levels. With this approach, risks are grouped by objective, summarized, and then plotted on the risk map. The organization sets either the assessment criteria or the location of the color banding to express higher versus lower risk appetites. For instance, the heat maps on the right show that risks related to objectives 1 and 2 would exceed the appetite of a company with a low risk appetite, but not necessarily that of a company with a high risk appetite. Risks related to objective 3 would exceed the appetite of both companies.

The advantage of this approach is that it is simple to convey the level above which risks are seen as unacceptable. We also find that discussions with management and the board on the relative positioning of the bands can draw out important differences between management’s and the board’s views on desired risk appetite.

The broad descriptions are effective when they are partitioned to show that not all objectives have the same risk appetite.
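The banding approach above is easy to put into a small tool, which also makes the point that the same plotted risks change colour when only the band positions move. The following is an added example, not code from COSO: it scores each objective's summarized risk on a 5 x 5 likelihood/impact grid, applies two band layouts (a low-appetite company whose red region starts lower on the map, and a high-appetite company whose red region starts higher), and renders each map as text. The likelihood and impact labels are those of the exhibit; the scoring rule (likelihood rank times impact rank), the band thresholds, and the positions of objectives 1 to 4 are assumptions made here, chosen so that objectives 1 and 2 exceed only the low appetite and objective 3 exceeds both, as the text describes.

```python
"""Heat-map colour banding for risk appetite.

Added example, not from the COSO paper. Assumed: a score of likelihood rank
times impact rank, the amber/red thresholds for a low- and a high-appetite
company, and where the four objectives' risks are plotted.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LIKELIHOOD = ["Almost never", "Unlikely", "Possible", "Likely", "Almost certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]


def score_of(likelihood: str, impact: str) -> int:
    """Assumed scoring rule: 1-5 likelihood rank times 1-5 impact rank (1..25)."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


@dataclass(frozen=True)
class Risk:
    objective: int      # the organizational objective this summarized risk relates to
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return score_of(self.likelihood, self.impact)


@dataclass(frozen=True)
class AppetiteBand:
    """Colour banding: where the amber and red bands start expresses the appetite."""
    name: str
    amber_from: int   # lowest score shown amber (watch closely)
    red_from: int     # lowest score that exceeds the appetite

    def colour(self, score: int) -> str:
        if score >= self.red_from:
            return "red"
        if score >= self.amber_from:
            return "amber"
        return "green"


# Assumed band positions: the low-appetite company pushes red further down the map.
LOW_APPETITE = AppetiteBand("Low Risk Appetite", amber_from=4, red_from=8)
HIGH_APPETITE = AppetiteBand("High Risk Appetite", amber_from=8, red_from=15)

# Constructed positions for the risks summarized per objective (assumption).
SAMPLE_RISKS: List[Risk] = [
    Risk(1, "Likely", "Moderate"),
    Risk(2, "Possible", "Major"),
    Risk(3, "Almost certain", "Catastrophic"),
    Risk(4, "Unlikely", "Insignificant"),
]


def exceeds_appetite(risk: Risk, band: AppetiteBand) -> bool:
    """True when the risk plots in the band's red (unacceptable) region."""
    return band.colour(risk.score) == "red"


def assess(risks: List[Risk], band: AppetiteBand) -> Dict[int, str]:
    """Colour of each objective's risk under the given band layout."""
    return {r.objective: band.colour(r.score) for r in risks}


def render(risks: List[Risk], band: AppetiteBand) -> str:
    """Text heat map: rows are impact (worst at top), columns likelihood. Each cell
    shows the band colour initial (G/A/R) followed by any objectives plotted there."""
    placed: Dict[Tuple[str, str], List[str]] = {}
    for r in risks:
        placed.setdefault((r.likelihood, r.impact), []).append(str(r.objective))
    lines = [band.name]
    for imp in reversed(IMPACT):
        cells = []
        for lik in LIKELIHOOD:
            tag = band.colour(score_of(lik, imp))[0].upper()
            objs = ",".join(placed.get((lik, imp), []))
            cells.append(f"{tag}{objs:<3}")
        lines.append(f"{imp:<13} " + " ".join(cells))
    lines.append(" " * 14 + " ".join(f"{lik[:4]:<4}" for lik in LIKELIHOOD))
    return "\n".join(lines)


if __name__ == "__main__":
    for band in (LOW_APPETITE, HIGH_APPETITE):
        print(render(SAMPLE_RISKS, band))
        over = [r.objective for r in SAMPLE_RISKS if exceeds_appetite(r, band)]
        print("objectives exceeding appetite:", over, "\n")
```

Note that the organization can express its appetite either by moving the bands (as here) or by changing the assessment criteria that place a risk on the map; both shift which risks land in red, and a board discussion about band placement is exactly where differing views on appetite surface.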

Risks Related to Organizational Objectives

Organizations that communicate risk appetite for each major class of organizational objectives are likely to communicate risk appetite in some form of statement. Consider the risk appetite statement from the health care organization we referred to earlier:

The Organization operates within a low overall risk range. The Organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives.

[Figure: risk appetite cycle, with the stages Develop/Revise Risk Appetite, Communicate, and Monitor.]

[Figure: two heat maps, Low Risk Appetite and High Risk Appetite. Likelihood axis: Almost never, Unlikely, Possible, Likely, Almost certain. Impact axis: Insignificant, Minor, Moderate, Major, Catastrophic. The summarized risks for objectives 1, 2, 3 and 4 are plotted on each map against that map's color band.]

w w w . c o s o . o r g

Page 25: Enterprise Risk Management and Business Ethics

Thought Leadership in ERM | Enterprise Risk Management — Understanding and Communicating Risk Appetite | 19

The advantage of this approach is that it allows for more delineation between the levels of acceptable risk for each class of objectives. It does not, for instance, treat risks related to legal compliance the same way as risks related to operations. This approach may also help with decision making, especially if resources are limited and need to be allocated across a company’s organizational units. Another advantage is that viewing risks in relation to classes of objectives requires less effort than, say, the third approach below. The challenge is to develop a statement that accommodates specific risk types that should be viewed differently in terms of acceptable level of risk.

Categories of Risk

The third option is to communicate appetite for categories of risk. Some organizations use broad, generic risk categories, such as economic, environmental, political, personnel, or technology, in their risk appetite statements. Others use more tailored risk categories that apply to their field. For example, a company in information processing may group risks related to system availability, data security and privacy, system scalability, system design, and release management.

A mining company we are aware of has specific objectives for cash flow and capital structure that include maintaining low volatility of cash flow. There are many causes of cash flow volatility, ranging from operations to uncertain commodity prices. Management believes that investors understand commodity price risk, and it has pursued objectives that enable the company to benefit from price increases while being exposed to losses from price decreases. Management believes that this price risk — even though it can result in volatile earnings — is within the appetite of the organization (and its stakeholders). Therefore, the company has not attempted to mitigate this exposure through a commodity price hedge program. Conversely, the same company is unwilling to accept a similar level of cash flow volatility caused by production delays, and it has adopted rigorous processes to maintain steady production.

The advantage of communicating risk appetite according to categories of risk is that management can exercise judgment about acceptable levels given the unique considerations of each group of risks. By allowing for greater judgment, this approach reduces the perception that risk management is overly prescriptive.

Risk Appetite Cascades Through the Organization

The method of communicating a risk appetite statement is important, but so is the ability to communicate that statement across the organization in a way that ensures operations are consistent with the risk appetite. It is especially important for those who pursue the operational tactics related to organizational objectives (e.g., local sales forces, country managers, strategic business units) to clearly understand and be aligned with risk appetite. All too often, the risk appetite and tolerances set by the organization are not adhered to or understood in context by those managing the day-to-day business, facing customers and potential risks every day.

Risk appetite needs to be communicated by management, embraced by the board, and then integrated across the organization. The ERM framework is often depicted as a cube (see below). It is important not to overlook the side of the cube, which shows that all units must understand the organization’s risk appetite and related risk tolerances.

Risk appetite and risk tolerances are set across the organization. Risk appetite is set at the highest level of the organization in conjunction with goals and objectives. As risk appetite and objectives are communicated throughout the organization (subsidiary, division, or business unit level) the strategic goals and risk appetite are expressed in more specific performance terms. Strategies are reflected in performance objectives, and risk appetite is expressed in terms of risk tolerance. The more precise articulation of performance objectives and risk tolerances helps management to identify situations where corrective actions are needed. Performance metrics and risk tolerances that are more specific lend themselves to better monitoring.

[Figure: the COSO ERM cube. Entity levels along the side: Entity-Level, Division, Business Unit, Subsidiary. Objective categories across the top: Strategic, Operations, Reporting, Compliance. Components down the face: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.]


Monitoring and Updating Risk Appetite

Once an organization’s risk appetite is developed and communicated, management, with board support, must revisit and reinforce it. Risk appetite cannot be set once and then left alone for extended periods. Rather, it should be reviewed and incorporated into decisions about how the organization operates. This is especially important if the organization’s business model begins to change. Management cannot just assume that responsible individuals will implement risk management within the appropriate risk appetite. Therefore, some organizations will review the application of risk appetite through a series of monitoring activities. Management should monitor the organization’s activities for consistency with risk appetite through the specifics identified with risk tolerances. Most organizations have key performance risk metrics that they use to measure performance. It is easy to integrate risk tolerances into the monitoring process used to evaluate performance. Internal auditing can provide independent insight on the effectiveness of such processes.

Creating a Culture

For many organizations, monitoring risk tolerances requires a culture that is aware of risk and risk appetite. Management, by revisiting and reinforcing risk appetite, is in a position to create a culture whose organizational goals are consistent with the board’s, and to hold those responsible for implementing risk management within the risk appetite parameters.

Many organizations are effective at creating a risk-aware culture: a culture that emanates from senior management, cascades through the organization, and is supported by the board. In an effective culture, each member of the organization has a clear idea of what is acceptable, whether in relation to behaving ethically, pursuing the wrong objectives, or encountering too much risk in pursuing the right objectives.

Creating a culture is one way of reinforcing overall risk appetite. The approach is best used when the organization has a well-communicated risk appetite and associated risk tolerances, to the point at which the following outcomes exist:

• Consistent implementation across units

• Effective monitoring and communication of risk and changes in risk appetite

• Consistent understanding of risk appetite and related tolerances for each organizational unit

• Consistency between risk appetite, objectives, and relevant reward systems

This approach draws on ongoing and separate evaluations conducted as part of the organization’s monitoring. The individuals doing the monitoring consider whether the objectives being set and the risk response decisions being made are consistent with the organization’s stated risk appetite. Any variation from the stated (or desired) risk appetite is then reported to management and the board as part of the normal internal reporting process.

[Figure: risk appetite cycle, with the Monitor stage highlighted: Develop/Revise Risk Appetite, Communicate, Monitor.]


Roles

It is management’s role to develop the risk appetite and to obtain the board’s agreement that the risk appetite is suitable for the organization. We believe that the board is in place to oversee management and to monitor the broader risk management process, including whether the organization is adhering to its stated risk appetite. Any board, serving any organization of any size or structure (for-profit, not-for-profit, private), has a fiduciary responsibility to question management’s development and implementation of a risk appetite and to require changes if it believes the risk appetite is either badly communicated or inconsistent with shareholder values.

Effective board oversight of an organization’s risk appetite should include

• clear discussion of the organization’s objectives and risk appetite;

• oversight of the organization’s compensation plan for consistency with risk appetite;

• oversight of management’s risk identification when pursuing strategies to determine whether the risks exceed the risk appetite;

• oversight of strategies and objectives to determine whether the pursuit of some objectives may create unintended consequences or organizational risks in other areas; and

• a governance structure that requires regular conversations on risk appetite, through the board and board committees, concerning matters such as strategy formulation and execution, M&A activity, and business cases to pursue major new initiatives.

Governance does not stop with board oversight. It includes management’s development of the infrastructure for risk management and the allocation of resources across the organization. Exhibit 7 is a summary of matters for the board and management to consider in evaluating how effective their processes are for developing, communicating, and monitoring risk appetite.

Boards are very good at questioning strategies. They are only a step away from addressing meaningful questions that can help with setting the organization’s risk appetite. For example, when the board asks how much an organization should pay for an acquisition, it is an expression of risk appetite.

[Figure: Board Oversight and Management shown around the risk appetite cycle: Develop/Revise Risk Appetite, Communicate, Monitor.]


Exhibit 7

Board and Management Responsibilities

1. Management establishes risk appetite: An organization cannot know how well it is managing risk unless it establishes ranges of acceptable risk it can take in pursuit of its objectives. In doing so, management must effectively and clearly communicate:

a. Goals and objectives

b. Strategies

c. Metrics (to know whether objectives are being achieved)

d. Relevant time periods for pursuing the objectives

e. Ranges of risk the organization is willing to take in pursuing the objectives

2. Board oversees risk appetite: Oversight of the risk appetite (or acceptable ranges of risk) should be considered at the board level in conjunction with the senior management team.

3. Applies throughout organization: Risk appetite needs to be applied regularly throughout all functional units of the organization. Culture is important: the organization must work to build the board’s view of risk appetite into the organizational culture.

4. Aligns with stakeholders and managers: Because individuals are accountable for their results, every organization needs a robust governance process to ensure that compensation and incentive systems are aligned with the organization’s objectives and are managed to fall within the organization’s risk appetite.

5. Manages risks and risk appetite over time: Organizations need to understand that risk appetites may change over time. Boards must be proactive on two levels:

a. Communicating their articulation of risk appetite

b. Monitoring organizational actions, processes, etc., to determine whether organizational activity has strayed outside the organization’s risk appetite

6. Monitors to ensure adherence to risk appetite: Adherence to an organization’s risk appetite, as well as to its risk management processes, should be monitored regularly. The results of the monitoring should be reported to the audit committee and/or board and to the relevant members of executive management.

7. Supports culture: The tone at the top influences the culture of the organization. The tone can be either positive or negative in ensuring that risks are managed within acceptable limits. Ideally, prudent risk taking is built into the organization’s culture in its public statement of core values.

8. Considers resources: It takes effort to operate within the organization’s risk appetite. Resources must be available and dedicated to operating within this appetite.

9. Communicates through strategies and objectives: Risk appetite is communicated effectively only if the organization can clearly communicate its major strategies and objectives at both the global level and the functional/operational level.

10. Clearly communicates how much risk the organization is willing to accept at all levels: Risk appetite and risk tolerance are complementary concepts. They can be combined to determine acceptable ranges of risk for the organization.

Risk appetite is developed by management and reviewed by the board. COSO’s Enterprise Risk Management — Integrated Framework emphasizes the board’s important role in overseeing risk management. Oversight should begin with a studied discussion and review of management’s articulation of risk appetite relative to the organization’s strategies.


Summary of Considerations

The COSO Enterprise Risk Management — Integrated Framework sets out five principles related to risk appetite:

1. It is a guidepost in strategy setting.

2. It guides resource allocation.

3. It aligns organization, people, processes, and infrastructure.

4. It reflects the entity’s risk management philosophy and influences the culture and operating style.

5. It is considered in strategy setting so that strategy aligns with risk appetite.

Risk appetite does not exist in a vacuum; rather, it is an integral part of an organization’s strategies for achieving objectives. The concept of risk appetite permeates all organizations, from charities and governments to small businesses and publicly traded corporations.

A statement of risk appetite is an effective way to communicate across an organization a sense of acceptable risks. In addition, it provides a basis for evaluating and monitoring the amount of risk an organization faces to determine whether the risk has risen above an acceptable range.

Organizations can, and should, come to terms with what they believe to be their appetite for risk. Once stated, risk appetite can be communicated and refined over time as the organization becomes more experienced with the concept.

Most importantly, developing risk appetite is the start of an organization’s commitment to effective enterprise risk management. As with pursuing corporate objectives, the end objective is adding value through effective enterprise risk management in pursuit of organizational goals. Developing and communicating a risk appetite moves organizations in that direction.


About COSO

Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence. COSO’s supporting organizations are The Institute of Internal Auditors (IIA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA).


About the Authors

Dr. Larry Rittenberg is the Ernst & Young Professor of Accounting at the University of Wisconsin-Madison School of Business. He is one of only eight academics on the list of the United States’ 100 most influential people in finance. Dr. Rittenberg was on the COSO steering committee that oversaw the development of Enterprise Risk Management — Integrated Framework and later served as chair of COSO. As chair, he led the effort to provide guidance for small and midsize companies on developing effective internal controls, and later led COSO in developing guidance on monitoring of internal controls.

On the University of Wisconsin faculty since 1976, Dr. Rittenberg teaches in the area of audit and assurance, including risk management and corporate governance. His current research deals with the effectiveness of audit committees, corporate governance, and assurance services. He has received The Institute of Internal Auditors’ highest award, the Bradford Cadmus Memorial Award, for his contributions to the internal auditing profession.

Frank Martens is a Director in the Advisory Practice of PricewaterhouseCoopers (PwC). He provides services related to enterprise risk management, internal audit, and internal control to a wide range of companies. Mr. Martens is a Chartered Accountant with over 20 years of external audit experience.

Mr. Martens was one of the principal contributors from PwC in developing COSO’s Enterprise Risk Management — Integrated Framework. He was also a principal contributor to COSO’s Internal Control over Financial Reporting — Guidance for Smaller Public Companies, a guidance document for using COSO’s Internal Control — Integrated Framework.

Note to Readers

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser. This thought paper represents the views of the authors only, and does not necessarily represent the views or professional advice of the University of Wisconsin, PwC, or COSO.


Risk Assessment in Practice

Thought Leadership in ERM

Committee of Sponsoring Organizations of the Treadway Commission

By Deloitte & Touche LLP

Dr. Patchin Curtis | Mark Carey

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.


Authors

Deloitte & Touche LLP

Principal Contributors

Dr. Patchin Curtis, Director, Deloitte & Touche LLP

Mark Carey, Partner, Deloitte & Touche LLP

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations. COSO is a private-sector initiative jointly sponsored and funded by the following organizations:

American Accounting Association (AAA)

American Institute of CPAs (AICPA)

Financial Executives International (FEI)

The Institute of Management Accountants (IMA)

The Institute of Internal Auditors (IIA)

Committee of Sponsoring Organizations of the Treadway Commission


Preface

COSO Board Members

David L. Landsittel, COSO Chair

Douglas F. Prawitt, American Accounting Association

Richard F. Chambers, The Institute of Internal Auditors

Marie N. Hollein, Financial Executives International

Chuck E. Landes, American Institute of CPAs (AICPA)

Sandra Richtermeyer, Institute of Management Accountants


Research Commissioned by

Committee of Sponsoring Organizations of the Treadway Commission

October 2012

Thought Leadership in ERM


Copyright © 2012, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).

All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants’ licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to [email protected] or AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.


Thought Leadership in ERM | Risk Assessment in Practice | iii

Contents

Introduction 1

The Risk Assessment Process 2

Develop Assessment Criteria 3

Assess Risks 8

Assess Risk Interactions 12

Prioritize Risks 14

Putting It into Practice 18

About COSO 19

About the Authors 19


Introduction

Value is a function of risk and return. Every decision either increases, preserves, or erodes value. Given that risk is integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk or even to minimize it, a perspective that represents a critical change from the traditional view of risk as something to avoid. Rather, these enterprises seek to manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk—no more, no less—to effectively pursue strategic goals. This is the “sweet spot,” or optimal risk-taking zone, referred to in exhibit 1.

That’s why risk assessment is important. It’s the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals.

To accomplish this, enterprises require a risk assessment process that is practical, sustainable, and easy to understand. The process must proceed in a structured and disciplined fashion. It must be correctly sized to the enterprise’s size, complexity, and geographic reach. While enterprise-wide risk management (ERM) is a relatively new discipline,1 application techniques have been evolving over the last decade. The purpose of this paper is to provide leadership with an overview of risk assessment approaches and techniques that have emerged as the most useful and sustainable for decision-making. It represents another in a series of papers published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) aimed at helping organizations move up the maturity curve in their ongoing development of a robust ERM process.

1 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework, 2004.

Exhibit 1: Optimal Risk-Taking

[Figure: Expected Enterprise Value plotted against Risk Level. Regions along the Risk Level axis: Insufficient Risk-Taking, Optimal Risk-Taking (the “Sweet Spot”), Excessive Risk-Taking.]


The Risk Assessment Process

Within the COSO ERM framework,2 risk assessment follows event identification and precedes risk response. Its purpose is to assess how big the risks are, both individually and collectively, in order to focus management’s attention on the most important threats and opportunities, and to lay the groundwork for risk response. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being overcontrolled or forgoing desirable opportunities.

Events that may trigger risk assessment include the initial establishment of an ERM program, a periodic refresh, the start of a new project, a merger, acquisition, or divestiture, or a major restructuring. Some risks are dynamic and require continual ongoing monitoring and assessment, such as certain market and production risks. Other risks are more static and require reassessment on a periodic basis with ongoing monitoring triggering an alert to reassess sooner should circumstances change.

2 COSO, Enterprise Risk Management – Integrated Framework (2004).


Identify risks. The risk (or event) identification process precedes risk assessment and produces a comprehensive list of risks (and often opportunities as well), organized by risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects. At this stage, a wide net is cast to understand the universe of risks making up the enterprise’s risk profile. While each risk captured may be important to management at the function and business unit level, the list requires prioritization to focus senior management and board attention on key risks. This prioritization is accomplished by performing the risk assessment.

Develop assessment criteria. The first activity within the risk assessment process is to develop a common set of assessment criteria to be deployed across business units, corporate functions, and large capital projects. Risks and opportunities are typically assessed in terms of impact and likelihood. Many enterprises recognize the utility of evaluating risk along additional dimensions such as vulnerability and speed of onset.

Assess risks. Assessing risks consists of assigning values to each risk and opportunity using the defined criteria. This may be accomplished in two stages where an initial screening of the risks is performed using qualitative techniques followed by a more quantitative analysis of the most important risks.

Assess risk interactions. Risks do not exist in isolation. Enterprises have come to recognize the importance of managing risk interactions. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Therefore, enterprises are gravitating toward an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.

Prioritize risks. Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds. Risk is viewed not just in terms of financial impact and probability, but also subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.

Respond to risks. The results of the risk assessment process then serve as the primary input to risk responses whereby response options are examined (accept, reduce, share, or avoid), cost-benefit analyses performed, a response strategy formulated, and risk response plans developed.

Discussions of event identification and risk response are beyond the scope of this paper. For detailed treatment, refer to the COSO Enterprise Risk Management – Integrated Framework (2004).

Exhibit 2: Assess Risks Process Flow Diagram

[Figure: process flow. Identify Risks, then Develop Assessment Criteria, Assess Risks, Assess Risk Interactions, Prioritize Risks, then Respond to Risks. The four middle steps together make up the Assess Risks process.]


Develop Assessment Criteria

Traditional risk analysis defines risk as a function of likelihood and impact. Indeed, these are important measures. However, unlikely events occur all too often, and many likely events don’t come to pass. Worse, unlikely events often occur with astonishing speed. Likelihood and impact alone do not paint the whole picture.

To answer questions like how fast could the risk arise, how fast could you respond or recover, and how much downtime could you tolerate, you need to gauge vulnerability and speed of onset. By gauging how vulnerable you are to an event, you develop a picture of your needs. By gauging how quickly it could happen, you understand the need for agility and rapid adaptation.

Developing Assessment Scales

Some form of measurement of risk is necessary. Without a standard of comparison, it’s simply not possible to compare and aggregate risks across the organization. Most organizations define scales for rating risks in terms of impact, likelihood, and other dimensions. These scales comprise rating levels and definitions that foster consistent interpretation and application by different constituencies. The more descriptive the scales, the more consistent their interpretation will be by users. The trick is to find the right balance between simplicity and comprehensiveness.

Scales should allow meaningful differentiation for ranking and prioritization purposes. Five-point scales yield better dispersion than three-point scales. Ten-point scales imply precision typically unwarranted in qualitative analysis, and assessors may waste time trying to differentiate between a rating of six or seven when the difference is inconsequential and indefensible.

Illustrative scales are provided for impact, likelihood, vulnerability, and speed of onset. Every enterprise is different and the scales should be customized to fit the industry, size, complexity, and culture of the organization in question.

Impact

Impact (or consequence) refers to the extent to which a risk event might affect the enterprise. Impact assessment criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer, and operational impacts. Enterprises typically define impact using a combination of these types of impact considerations (as illustrated below), given that certain risks may impact the enterprise financially while other risks may have a greater impact to reputation or health and safety. When assigning an impact rating to a risk, assign the rating for the highest consequence anticipated. For example, if any one of the criteria for a rating of 5 is met, then the impact rating assigned is 5 even though other criteria may fall lower in the scale.

Some entities define impact scales for opportunities as well as risks.


Illustrative Impact Scale

Rating 5, Descriptor: Extreme

• Financial loss of $X million or more3

• International long-term negative media coverage; game-changing loss of market share

• Significant prosecution and fines, litigation including class actions, incarceration of leadership

• Significant injuries or fatalities to employees or third parties, such as customers or vendors

• Multiple senior leaders leave

Rating 4, Descriptor: Major

• Financial loss of $X million up to $X million

• National long-term negative media coverage; significant loss of market share

• Report to regulator requiring major project for corrective action

• Limited in-patient care required for employees or third parties, such as customers or vendors

• Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

Rating 3, Descriptor: Moderate

• Financial loss of $X million up to $X million

• National short-term negative media coverage

• Report of breach to regulator with immediate correction to be implemented

• Out-patient medical treatment required for employees or third parties, such as customers or vendors

• Widespread staff morale problems and high turnover

Rating 2, Descriptor: Minor

• Financial loss of $X million up to $X million

• Local reputational damage

• Reportable incident to regulator, no follow up

• No or minor injuries to employees or third parties, such as customers or vendors

• General staff morale problems and increase in turnover

Rating 1, Descriptor: Incidental

• Financial loss up to $X million

• Local media attention quickly remedied

• Not reportable to regulator

• No injuries to employees or third parties, such as customers or vendors

• Isolated staff dissatisfaction

3 Financial impact is typically measured in terms of loss or gain, profitability or earnings, or capital.


Likelihood

Likelihood represents the possibility that a given event will occur. Likelihood can be expressed using qualitative terms (frequent, likely, possible, unlikely, rare), as a percent probability, or as a frequency. When using numerical values, whether a percentage or frequency, the relevant time period should be specified, such as annual frequency or, where more relevant, probability over the life of the project or asset. Sometimes enterprises describe likelihood in more personal and qualitative terms such as “event expected to occur several times over the course of a career” or “event not expected to occur over the course of a career.”

Illustrative Likelihood Scale (annual frequency)

Rating 5, Frequent: up to once in 2 years or more often
Rating 4, Likely: once in 2 years up to once in 25 years
Rating 3, Possible: once in 25 years up to once in 50 years
Rating 2, Unlikely: once in 50 years up to once in 100 years
Rating 1, Rare: once in 100 years or less often

Illustrative Likelihood Scale (probability over life of asset or project)

Almost certain: 90% or greater chance of occurrence over life of asset or project
Likely: 65% up to 90% chance of occurrence over life of asset or project
Possible: 35% up to 65% chance of occurrence over life of asset or project
Unlikely: 10% up to 35% chance of occurrence over life of asset or project
Rare: less than 10% chance of occurrence over life of asset or project
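The two illustrative scales express likelihood on different time bases, and the paper asks only that the basis be stated. The following Python script, added here as an example and not part of the COSO paper, converts a "once in N years" return period into the probability of at least one occurrence over an asset life and rates the result on both scales, so that a register kept on one basis can be checked against the other. It assumes events arrive as a Poisson process at a constant annual rate, assigns ratings 5 to 1 to the probability-scale descriptors in parallel with the frequency scale, and uses a 20-year asset life for the demonstration; all three are assumptions of this example.

```python
"""Added example (not from the COSO paper): reconciling the annual-frequency
and probability-over-life likelihood scales.

Assumption (mine, not the paper's): events arrive as a Poisson process with a
constant annual rate, so P(at least one event in T years) = 1 - exp(-T / N)
for a 'once in N years' return period.
"""
import math

# Annual-frequency scale: (rating, descriptor, longest return period in years
# that still earns this rating).  'Frequent' is once in 2 years or more often.
FREQUENCY_SCALE = [
    (5, "Frequent", 2.0),
    (4, "Likely", 25.0),
    (3, "Possible", 50.0),
    (2, "Unlikely", 100.0),
    (1, "Rare", math.inf),   # once in 100 years or less often
]

# Probability-over-life scale: (rating, descriptor, lower bound of the band).
# The paper lists descriptors only; the 5..1 ratings are assigned here in
# parallel with the frequency scale (an assumption of this example).
PROBABILITY_SCALE = [
    (5, "Almost certain", 0.90),
    (4, "Likely", 0.65),
    (3, "Possible", 0.35),
    (2, "Unlikely", 0.10),
    (1, "Rare", 0.0),
]


def rate_frequency(return_period_years: float):
    """Map 'once in N years' onto the annual-frequency scale."""
    for rating, descriptor, upper in FREQUENCY_SCALE:
        if return_period_years <= upper:
            return rating, descriptor
    raise ValueError("return period must be positive")


def lifetime_probability(return_period_years: float, life_years: float) -> float:
    """Probability of at least one event over the asset life (Poisson model)."""
    if return_period_years <= 0 or life_years <= 0:
        raise ValueError("return period and life must be positive")
    return 1.0 - math.exp(-life_years / return_period_years)


def rate_probability(p: float):
    """Map a probability over the asset life onto the probability scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for rating, descriptor, lower in PROBABILITY_SCALE:
        if p >= lower:
            return rating, descriptor
    raise AssertionError("unreachable: lowest band starts at 0.0")


def compare_scales(return_period_years: float, life_years: float) -> dict:
    """Rate one return period on both scales for a given asset life."""
    f_rating, f_desc = rate_frequency(return_period_years)
    p = lifetime_probability(return_period_years, life_years)
    p_rating, p_desc = rate_probability(p)
    return {
        "return_period_years": return_period_years,
        "frequency_rating": f_rating,
        "frequency_descriptor": f_desc,
        "lifetime_probability": p,
        "probability_rating": p_rating,
        "probability_descriptor": p_desc,
        "consistent": f_rating == p_rating,
    }


if __name__ == "__main__":
    LIFE = 20.0   # assumed asset life in years, for illustration only
    for n in (1, 10, 25, 50, 100, 200):
        row = compare_scales(n, LIFE)
        print(f"once in {n:3d} yrs: frequency {row['frequency_rating']} "
              f"({row['frequency_descriptor']}), P(life)={row['lifetime_probability']:.2f} "
              f"-> {row['probability_rating']} ({row['probability_descriptor']})")
```

For a 20-year life the two scales agree at the extremes but not in the middle: a once-in-25-years event is Likely (4) on the frequency scale yet only Possible (3) by lifetime probability, since 1 - exp(-20/25) is about 0.55. That is exactly the kind of gap that stating the time period is meant to expose before two assessors' ratings are compared.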


Vulnerability

Vulnerability refers to the susceptibility of the entity to a risk event in terms of criteria related to the entity’s preparedness, agility, and adaptability. Vulnerability is related to impact and likelihood. The more vulnerable the entity is to the risk, the higher the impact will be should the event occur. If risk responses including controls are not in place and operating as designed, then the likelihood of an event increases. Assessing vulnerability allows entities to gauge how well they’re managing risks.

Vulnerability assessment criteria may include capabilities to anticipate events such as scenario planning, real options [4], capabilities to prevent events such as risk responses in place, capabilities to respond and adapt quickly as events unfold, and capabilities to withstand the event such as capital buffer and financial strength. Other factors can also be considered such as the rate of change in the industry or organization. There is no one-size-fits-all assessment scale. Every entity must define scales to meet its needs.

Illustrative Vulnerability Scale

Rating 5, Very High:
• No scenario planning performed
• Lack of enterprise level/process level capabilities to address risks
• Responses not implemented
• No contingency or crisis management plans in place

Rating 4, High:
• Scenario planning for key strategic risks performed
• Low enterprise level/process level capabilities to address risks
• Responses partially implemented or not achieving control objectives
• Some contingency or crisis management plans in place

Rating 3, Medium:
• Stress testing and sensitivity analysis of scenarios performed
• Medium enterprise level/process level capabilities to address risks
• Responses implemented and achieving objectives most of the time
• Most contingency and crisis management plans in place, limited rehearsals

Rating 2, Low:
• Strategic options defined
• Medium to high enterprise level/process level capabilities to address risks
• Responses implemented and achieving objectives except under extreme conditions
• Contingency and crisis management plans in place, some rehearsals

Rating 1, Very Low:
• Real options deployed to maximize strategic flexibility
• High enterprise level/process level capabilities to address risks
• Redundant response mechanisms in place and regularly tested for critical risks
• Contingency and crisis management plans in place and rehearsed regularly

[4] A real option is an option involving real, as opposed to financial, assets. Real assets include land, plant, and machinery. Real option analysis uses option pricing theory to value capital investment opportunities. An example of a real option would be the overbuilding of a facility to provide strategic flexibility in the event that demand were to increase faster than production capacity.


Inherent and Residual Risk

When assessing risks, it’s important to determine whether respondents will be asked to assess inherent risk, residual risk, or both. In Enterprise Risk Management – Integrated Framework (2004), COSO defines inherent risk as the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. Residual risk is the risk remaining after management’s response to the risk. Applying this concept is trickier than it might seem at first glance. Some entities interpret inherent risk to be the level of risk assuming responses currently in place fail, and residual risk to be the level of risk assuming existing responses operate according to design. Other entities interpret inherent risk to be the current level of risk assuming existing responses operate according to design and residual risk to be the estimated risk after responses under consideration are put into place. The first approach is focused more on the effectiveness of controls in the current environment and the second approach on evaluating risk response options. There is no one right answer, and either approach may be useful depending upon the purpose of the assessment and the nature of the risks being considered.

Speed of Onset (or Velocity)

Speed of onset refers to the time it takes for a risk event to manifest itself, or in other words, the time that elapses between the occurrence of an event and the point at which the company first feels its effects. Knowing the speed of onset is useful when developing risk response plans.

Illustrative Speed of Onset Scale

Rating 5, Very High: very rapid onset, little or no warning, instantaneous
Rating 4, High: onset occurs in a matter of days to a few weeks
Rating 3, Medium: onset occurs in a matter of a few months
Rating 2, Low: onset occurs in a matter of several months
Rating 1, Very Low: very slow onset, occurs over a year or more


Assess Risks

Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques followed by a more quantitative treatment of the most important risks and opportunities lending themselves to quantification (not all risks are meaningfully quantifiable). Qualitative assessment consists of assessing each risk and opportunity according to descriptive scales as described in the previous section. Quantitative analysis requires numerical values for both impact and likelihood using data from a variety of sources.

The quality of the analysis depends on the accuracy and completeness of the numerical values and the validity of the models used. Model assumptions and uncertainty should be clearly communicated and evaluated using techniques such as sensitivity analysis.

Both qualitative and quantitative techniques have advantages and disadvantages. Most enterprises begin with qualitative assessments and develop quantitative capabilities over time as their decision-making needs dictate.

Measurement Techniques Comparison

Qualitative techniques

Advantages:
• Is relatively quick and easy
• Provides rich information beyond financial impact and likelihood such as vulnerability, speed of onset, and non-financial impacts such as health and safety and reputation
• Is easily understood by a large number of employees who may not be trained in sophisticated quantification techniques

Disadvantages:
• Gives limited differentiation between levels of risk (i.e. very high, high, medium, and low)
• Is imprecise: risk events that plot within the same risk level can represent substantially different amounts of risk
• Cannot numerically aggregate or address risk interactions and correlations
• Provides limited ability to perform cost-benefit analysis

Quantitative techniques

Advantages:
• Allows numerical aggregation taking into account risk interactions when using an “at risk” measure such as Cash Flow at Risk
• Permits cost-benefit analysis of risk response options
• Enables risk-based capital allocation to business activities with optimal risk-return
• Helps compute capital requirements to maintain solvency under extreme conditions

Disadvantages:
• Can be time-consuming and costly, especially at first during model development
• Must choose units of measure such as dollars and annual frequency, which may result in qualitative impacts being overlooked
• Use of numbers may imply greater precision than the uncertainty of inputs warrants
• Assumptions may not be apparent


For qualitative assessments, the most commonly used assessment techniques are interviews, cross-functional workshops, surveys, benchmarking, and scenario analysis. Quantitative techniques range from benchmarking and scenario analysis to generating forward looking point estimates (deterministic models) and then to generating forward looking distributions (probabilistic models). Some of the most powerful probabilistic models from an enterprise-wide standpoint include causal at-risk models used to estimate gross profit margins, cash flows, or earnings over a given time horizon at given confidence levels.

Analysis of Existing Data

Reviewing internal and external data can help individuals assess the likelihood and impact of a risk or opportunity. Sources of risk occurrence data include internal and external audit reports, public filings, insurance claims and internal loss event data including near misses, published reports by insurance companies, industry consortia, and research organizations. While relying on existing data provides objectivity, it’s important to evaluate the relevance of the data under current and projected conditions. Adjustments may be warranted using expert judgment. In these cases, the rationale for adjustments must be clearly documented and communicated.

Interviews and Cross-Functional Workshops

Assessment can be conducted through one-on-one interviews or facilitated meetings. Cross-functional workshops are preferable to interviews or surveys for assessment purposes as they facilitate consideration of risk interactions and break down siloed thinking. Workshops improve understanding of a risk by bringing together diverse perspectives. For example, when considering a risk such as information security breach, workshop participants from information technology, legal and compliance, public relations, customer service, strategic planning, and operations management may each bring different information regarding causes, consequences, likelihoods, and risk interactions. Interviews may be more appropriate for senior management, board members, and senior line managers due to their time constraints. Workshops may not work well in cultures that suppress free sharing of information or divergent opinions.

Surveys

Surveys are useful for large, complex, and geographically distributed enterprises or where the culture suppresses open communication. Survey results can be downloaded into analytical tools allowing risks and opportunities to be viewed by level (board members, executives, managers), by business unit, by geography, or by risk category.

Surveys have drawbacks too. Response rates can be low. If the survey is anonymous, it may be difficult to identify information gaps. Quality of responses may be low if respondents give survey questions superficial attention in a rush to completion, or if they misunderstand something and don’t have the opportunity to ask clarifying questions. But perhaps most of all, respondents don’t benefit from cross-functional discussions which enhance people’s risk awareness and understanding, provide context and information to support the risk ratings, and analyze risk interactions across silos. For these reasons, surveys should not be considered a substitute for workshops and other techniques for in-depth analysis of key risks.

Benchmarking

Benchmarking is a collaborative process among a group of entities. Benchmarking focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities. Data on events, processes, and measures are developed to compare performance. Some companies use benchmarking to assess the likelihood and impact of potential events across an industry. Benchmarking data are available from research organizations, industry consortia, insurance companies and rating agencies, government agencies, and regulatory and supervisory bodies. For example, an oil field services company might benchmark its safety risk using measures such as lost time injuries using data for similar companies available from the Bureau of Labor Statistics, the Occupational Safety and Health Administration (OSHA), the American Petroleum Institute (API), or others.


Scenario Analysis

Scenario analysis has long been recognized for its usefulness in strategic planning. It is also useful for assessing risks and tying them back to strategic objectives. It entails defining one or more risk scenarios, detailing the key assumptions (conditions or drivers) that determine the severity of impact, and estimating the impact on a key objective. In the example below, management wanted to understand how earnings could be negatively impacted.

Six scenarios impacting earnings were identified, causal factors (such as price or volume changes or state of the economy) determined, detailed assumptions calibrated, and the earnings impact estimated. Scenarios can be developed jointly by risk owners and ERM personnel and built out and validated with specialists from various functions and management.

Scenario Analysis (EBIT* impact in $MM)

Scenario 1) Currency changes impact competitive landscape
• Detailed assumptions: 15% volume decrease; 20% price decrease; sustained for 9 months; recovery takes additional 9 months
• EBIT impact: -$500

Scenario 2) Natural gas prices increase
• Detailed assumptions: $5/MM Btu increase; sustained for 12 months; no ability to pass through increase
• EBIT impact: -$150

Scenario 3) Crude oil prices increase
• Detailed assumptions: 100% increase; sustained for 3 months; pass through 25% of cost increase
• EBIT impact: -$15

Scenario 4) Technology shift
• Detailed assumptions: 15% volume decrease/year; 15% price decrease/year; $2MM less in R&D expenditures
• EBIT impact: -$275

Scenario 5) Competitive pressure
• Detailed assumptions: 10% price decrease; sustained for 24 months
• EBIT impact: -$200

Scenario 6) Supply chain disruption
• Detailed assumptions: 10% volume decrease; sustained for 6 months
• EBIT impact: -$175

* Earnings before interest and taxes. Source: Frederick Funston and Stephen Wagner, Surviving and Thriving in Uncertainty (Hoboken, NJ: John Wiley & Sons, Inc., 2010), 69.


Causal At-Risk Models

Gross Margin at Risk (GMaR), Cash Flow at Risk (CFaR), and Earnings at Risk (EaR) are metrics built on causal models where specific risk factors drive future uncertainty of key cash flow or earnings components. Each risk factor can be modeled in detail and incorporated into the overall model. Using a causal at-risk model can provide insight into how historical relationships might become uncoupled and deviate meaningfully from expectations. Armed with the knowledge of how each risk factor could vary in the future and impact cash flow or earnings, risk can be better measured and managed. It is the added insight of the risk factors driving uncertainty that makes causal models a step up from simply extrapolating past relationships in a pro forma approach.

In reality, both pro forma models built around historical ratios and causal at-risk models can be helpful and should be seen as complementary views of an uncertain future. Regardless of the type of model, the confidence placed on estimates of levels of risk and assumptions made in the analysis should be clearly stated.

Model inputs may be derived from past records, relevant experience, relevant published literature, market research, public consultation, experiments and prototypes, and economic, engineering or other models. Where historical data are not available, not relevant, or incomplete, expert elicitation may be used. Expert elicitation is most commonly used to estimate reasonable probabilities especially for low likelihood, high impact events. Experts are valuable sources of information and knowledge. But experts also bring biases. Fortunately, a large body of knowledge exists with regard to heuristics and biases and ways to address them. For example, see COSO’s recently issued thought paper, Enhancing Board Oversight: Avoiding Judgment Traps and Biases (March 2012).


Assess Risk Interactions

ERM enables an integrated and holistic view of risks. The key here is that the whole does not equal the sum of the parts. To understand portfolio risk, one must understand the risks of the individual elements plus their interactions due to the presence of natural hedges and mutually amplifying risks. Understanding risk interactions and then managing them requires breaking down silos.

A simple way to consider risk interactions is to group related risks into a broad risk area (such as grouping risks related to sourcing, distribution channels, vendor concentrations, etc. into supply chain risk) and then assigning ownership and oversight for the risk area. Three explicit ways to capture risk interactions, increasing in level of complexity and richness of information, are risk interaction maps, correlation matrices, and bow-tie diagrams.

Risk Interaction Map

A risk interaction map is the simplest form of graphical representation in which the same list of risks forms the x and y axes. Risk interactions are then indicated by an X or other qualitative indicator.

Exhibit 3: Illustrative Risk Interaction Map

The same twelve risks form both the row and the column headings, and an X at a row/column intersection marks an interaction between the two risks:

• Supply Chain Disruption
• Customer Preference Shift
• Copper Price Increase >25%
• Work Stoppage >1 Week
• Economic Downturn
• Supplier Consolidation
• Local Competitor Enters Market
• New Substitutes Available
• Cost of Capital Increase >5%
• Tighter Emission Standards
• FCPA Violation
• Exchange Rate Fluctuations


Where historical data are available, risk interactions can be expressed quantitatively using a correlation matrix. This is an especially useful technique to apply within a risk category such as market risk. Difficulties in determining correlations for risks include the possibility that past causal relationships will not be indicative of future relationships, lack of historical data, differences in time frames (short-, medium-, and long-term), and the large numbers of risks required for an enterprise-wide assessment.

Developing the Full Picture—Fault Trees, Event Trees, and Bow-Tie Diagrams

Diagrams that break a complex risk occurrence into its component parts, showing the chains of events that could lead to or result from the occurrence, can be indispensable for identification and assessment of risk responses and key risk indicators. The diagrams can be qualitative or serve as the basis for quantitative models. Three commonly used diagrams are fault trees, event trees, and bow-ties. Fault trees are used for analyzing events or combinations of events that might lead to a hazard or an event. Event trees are used for modeling sequences of events arising from a single risk occurrence. A bow-tie diagram combines a fault tree and an event tree and takes its name from its shape. Probabilistic models built on bow-tie diagrams are versatile for quantifying inherent and residual risk levels and performing what-if, scenario, and sensitivity analyses.

Exhibit 4: Bow-Tie Diagram

Left side, Risk Factors (the fault-tree half): conditions and trigger events combine to produce the risk event at the centre of the diagram. Right side, Risk Consequences (the event-tree half): the risk event branches into intermediate events, each of which leads to an end event (loss) and its consequence.

Note: The terms fault tree, event tree, and bow-tie diagram are sometimes used interchangeably.


Prioritize Risks

Once the risks have been assessed and their interactions documented, it’s time to view the risks as a comprehensive portfolio to enable the next step: prioritizing for risk response and reporting to different stakeholders. The term risk profile represents the entire portfolio of risks facing the enterprise. Some entities represent this portfolio as a hierarchy, some as a collection of risks plotted on a heat map. Entities with more mature ERM programs and quantitative capabilities may aggregate individual risk distributions into a cumulative loss probability distribution and refer to that as the risk profile.

Similar to assessing risks, ranking and prioritizing is often done in a two-step process. First, the risks are ranked according to one, two, or more criteria such as impact rating multiplied by likelihood rating or impact multiplied by vulnerability. Second, the ranked risk order is reviewed in light of additional considerations such as impact alone, speed of onset, or the size of the gap between current and desired risk level (risk tolerance threshold). If the initial ranking is done by multiplying financial loss by likelihood, then the final prioritization should take qualitative factors into consideration.

Hierarchies and Rolling Up and Drilling Down

The simplest way to aggregate risks is to organize them according to a hierarchy. This is often done in risk management systems where risks can be organized by organizational unit, risk type, geography, or strategic objective. The better systems allow users to roll up and drill down for analysis and reporting. This provides a complete listing of the assessed risks but does not help with prioritizing.

Exhibit 5: Risk Hierarchies

Risk hierarchy by organizational unit: Enterprise at the top, then business units (Business Unit 1, Business Unit 2) and projects (Project 1, Project 2), then the individual risks assessed in each (Risk ABC, Risk DEF, Risk GHI, Risk JKL, Risk UVW, Risk XYZ, ... Risk n).

Risk hierarchy by risk type: Enterprise at the top, then the risk types Strategic, Financial, Operational, and Compliance, then the same individual risks tagged by where they were assessed (for example Risk ABC in Bus. Unit 1, Risk DEF in Bus. Unit 1, Risk UVW in Project 1, Risk UVW in Project 2, Risk GHI in Bus. Unit 2, Risk ABC in Bus. Unit 2).


Risk Maps

Another simple way to view the portfolio is to create a risk map, often called a heat map. These are usually two-dimensional representations of impact plotted against likelihood. They can also depict other relationships such as impact versus vulnerability. For even richer information, the size of the data points can reflect a third variable such as speed of onset or the degree of uncertainty in the estimates.

The most common way to prioritize risks is by designating a risk level for each area of the graph such as very high, high, medium, or low, where the higher the combined impact and likelihood ratings, the higher the overall risk level. The boundaries between levels vary from entity to entity depending on risk appetite. For example, an entity with a greater risk appetite will have boundaries between risk levels shifted toward the upper right, and an entity with greater risk aversion will have boundaries between risk levels shifted toward the bottom left. Also, some entities adopt asymmetric boundaries placing a somewhat greater emphasis on impact than on likelihood. For example, a risk having an impact rating of moderate and likelihood rating of frequent has an assigned risk level of high, whereas a risk having an impact rating of extreme and a likelihood rating of possible has an assigned risk level of very high.

After plotting on the heat map, risks are then ranked from highest to lowest in terms of risk level. These rankings may then be adjusted based on other considerations such as vulnerability, speed of onset, or detailed knowledge of the nature of the impact. For example, within a group of risks having a designation of very high, those risks having extreme health and safety or reputational impacts may be prioritized over risks having extreme financial impacts but lesser health and safety or reputational impacts.

When using numerical ratings in a qualitative environment, it’s important to remember that the numbers are labels and not suitable for mathematical manipulation although some entities do multiply the ratings, such as for impact and likelihood, to develop a preliminary ranking.

Where entities have defined impact scales for both opportunities and risks, they may plot risks on a map such as that illustrated in exhibit 6. This allows a direct comparison of the highest rated opportunities and risks for consideration and prioritization.

Exhibit 6: Illustrative Combined Risk and Opportunity Map

Likelihood runs up the vertical axis (Rare, Unlikely, Possible, Likely, Frequent). Impact runs along the horizontal axis, with opportunities plotted on the left from Extreme (outermost) through Major, Moderate, and Minor to Incidental at the centre, and risks plotted on the right from Incidental at the centre through Minor, Moderate, and Major to Extreme (outermost).


Consider the following example: A company identified 60 risks to include in its risk universe. It then determined appropriate assessors. It used a combination of interviews, workshops, and a survey to perform an initial qualitative assessment of impact, likelihood, vulnerability, and speed of onset criteria. Risk interactions were evaluated for the highest risks and the assessments were refined. Risks were plotted on a heat map to perform an initial prioritization. Twelve risks plotted in the ‘Very High’ risk level designated as red in the below heat map. These risks were designated ‘key’ risks meaning that they will be reported to and monitored by executive leadership and the board of directors.

Exhibit 7: Illustrative Heat Map

Likelihood on the horizontal axis and impact on the vertical axis, both rated 1 to 5. Dots represent risks #1 to #n; dot size reflects speed of onset (Very Low, Low, Medium, High, Very High).

ID  Risk                          I    L    V    S
 1  Supply chain disruption       4.8  3.7  3.8  4
 2  Customer preference shift     4.1  3.3  3.5  2
 3  Copper price rise >10%        4.3  4.7  2.3  4
 4  Work stoppage > 1 week        4.4  4.5  4.1  3
 5  Economic downturn             4.0  3.7  3.5  2
 6  Supplier consolidation        3.8  4.2  3.2  1
 7  Local competitors enter       3.9  4.5  3.6  1
 8  New substitutes available     4.5  3.6  4.2  1
 9  Cost of capital rise >5%      2.9  4.0  2.9  3
10  Tighter emission standards    3.4  4.6  2.9  1
11  FCPA violation                4.0  4.0  3.3  5
12  Exchange rate fluctuations    2.7  4.1  2.7  4
 n  ...                           ...  ...  ...  ...
60  Impairment of assets          1.6  2.7  1.6  1

I = Impact, L = Likelihood, V = Vulnerability, S = Speed of onset


Aggregating in a Quantitative Environment

In situations where key risks have been quantified using a common measure such as financial loss or an at-risk measure, it is possible to aggregate the individual probability distributions into a single distribution reflecting correlations and portfolio effects. Measures that are gaining traction for this purpose are gross margin at risk, cash flow at risk, and earnings at risk.

The primary applications for a single at-risk measure presenting an aggregate view of risk (over a given time horizon at a specified confidence level) are capital allocation, solvency assessments, and measures of risk utilization and capacity relative to risk appetite. Risk aggregation models are extremely variable from one enterprise to another, even within the financial services industry.

Another useful plot for prioritizing is the MARCI chart (for Mitigate, Assure, Redeploy, and Cumulative Impact), depicted in exhibit 8. The MARCI chart plots risks along the two axes of impact and vulnerability, and indicates each risk’s speed of onset by the size of the data points. This is particularly useful when the primary purpose of the prioritization exercise is for risk response: risks plotting the farthest in the upper right quadrant represent the highest impact and vulnerability and would benefit the most from additional management effectiveness in managing the risks.

Continuing our example, the 12 risks rated ‘Very High’ were plotted on a MARCI chart to further refine the prioritization and to perform a preliminary evaluation of the type of appropriate risk response. In this view, the company can see how its hedging program reduces its vulnerability to copper price increases (risk 3), and evaluate its previous decision to not hedge against currency fluctuations (risk 12). Leadership can also see that supply chain disruption (risk 1) can occur with little warning and severe impact. This and the other risks in its quadrant require action to reduce vulnerability. The executive leadership team and board members will pay particular attention to management’s actions to respond to these risks. The top 12 risks were tagged for further quantification and probabilistic modeling.

Exhibit 8: Illustrative MARCI Chart

[Chart: Potential Impact (scale 1 to 5) on the vertical axis against Potential Vulnerability (scale 1 to 5) on the horizontal axis. Dots represent risk #1 to #n; dot size reflects speed of onset (Very Low, Low, Medium, High, Very High). Quadrant labels: Enhance Risk Mitigation (upper right), Assurance of Preparedness, Redeploy Resources and Measure of Cumulative Impact.]

ID  Risk                         I    L    V    S
 1  Supply chain disruption      4.8  3.7  3.8  4
 2  Customer preference shift    4.1  3.3  3.5  2
 3  Copper price rise >10%       4.3  4.7  2.3  4
 4  Work stoppage > 1 week       4.4  4.5  4.1  3
 5  Economic downturn            4.0  3.7  3.5  2
 6  Supplier consolidation       3.8  4.2  3.2  1
 7  Local competitors enter      3.9  4.5  3.6  1
 8  New substitutes available    4.5  3.6  4.2  1
 9  Cost of capital rise >5%     2.9  4.0  2.9  3
10  Tighter emission standards   3.4  4.6  2.9  1
11  FCPA violation               4.0  4.0  3.3  5
12  Exchange rate fluctuations   2.7  4.1  2.7  4

I = Impact, L = Likelihood, V = Vulnerability, S = Speed of onset
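Placing the Exhibit 8 risks on the MARCI chart in code, as an added example that is not from the COSO paper: the twelve risks and their I/L/V/S scores are those printed in Exhibit 8, while the 3.0 quadrant cut-off, the standard MARCI quadrant layout and the ranking rule within the Mitigate quadrant (impact times vulnerability, faster onset first on ties) are assumptions the paper does not state.

```python
"""Place the Exhibit 8 risks on a MARCI chart and rank them (added example,
not from the COSO paper). The twelve risks and their I/L/V/S scores are
taken from Exhibit 8; the quadrant cut-off of 3.0 on the 1-5 scale, the
quadrant layout and the ranking rule inside a quadrant are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

CUTOFF = 3.0  # assumed: the midpoint of the 1-5 scale splits each axis

# Legend of Exhibit 8: dot size encodes speed of onset on a 1-5 scale.
SPEED_LABELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass(frozen=True)
class Risk:
    id: int
    name: str
    impact: float         # I
    likelihood: float     # L (kept for completeness; the MARCI chart does not plot it)
    vulnerability: float  # V
    speed: int            # S, speed of onset

    def quadrant(self, cutoff: float = CUTOFF) -> str:
        """Assumed standard MARCI layout: rows split on impact, columns on vulnerability."""
        high_impact = self.impact >= cutoff
        high_vuln = self.vulnerability >= cutoff
        if high_impact and high_vuln:
            return "Mitigate"            # upper right: Enhance Risk Mitigation
        if high_impact:
            return "Assure"              # upper left: Assurance of Preparedness
        if high_vuln:
            return "Cumulative Impact"   # lower right: Measure of Cumulative Impact
        return "Redeploy"                # lower left: Redeploy Resources

    def severity(self) -> float:
        """Assumed ranking key: how far towards the upper-right corner, I x V."""
        return self.impact * self.vulnerability


# Scores as printed in Exhibit 8 (ID, risk, I, L, V, S).
EXHIBIT_8: List[Risk] = [
    Risk(1, "Supply chain disruption", 4.8, 3.7, 3.8, 4),
    Risk(2, "Customer preference shift", 4.1, 3.3, 3.5, 2),
    Risk(3, "Copper price rise >10%", 4.3, 4.7, 2.3, 4),
    Risk(4, "Work stoppage > 1 week", 4.4, 4.5, 4.1, 3),
    Risk(5, "Economic downturn", 4.0, 3.7, 3.5, 2),
    Risk(6, "Supplier consolidation", 3.8, 4.2, 3.2, 1),
    Risk(7, "Local competitors enter", 3.9, 4.5, 3.6, 1),
    Risk(8, "New substitutes available", 4.5, 3.6, 4.2, 1),
    Risk(9, "Cost of capital rise >5%", 2.9, 4.0, 2.9, 3),
    Risk(10, "Tighter emission standards", 3.4, 4.6, 2.9, 1),
    Risk(11, "FCPA violation", 4.0, 4.0, 3.3, 5),
    Risk(12, "Exchange rate fluctuations", 2.7, 4.1, 2.7, 4),
]


def marci_quadrants(risks: List[Risk] = EXHIBIT_8, cutoff: float = CUTOFF) -> Dict[int, str]:
    """Map each risk ID to its MARCI quadrant."""
    return {r.id: r.quadrant(cutoff) for r in risks}


def mitigation_priority(risks: List[Risk] = EXHIBIT_8, cutoff: float = CUTOFF) -> List[int]:
    """IDs in the Mitigate quadrant, most severe first; faster onset breaks ties."""
    candidates = [r for r in risks if r.quadrant(cutoff) == "Mitigate"]
    candidates.sort(key=lambda r: (r.severity(), r.speed), reverse=True)
    return [r.id for r in candidates]


def chart_summary(risks: List[Risk] = EXHIBIT_8, cutoff: float = CUTOFF) -> List[str]:
    """One line per quadrant, listing its risks with their speed-of-onset label."""
    lines = []
    for quadrant in ("Mitigate", "Assure", "Cumulative Impact", "Redeploy"):
        members = [r for r in risks if r.quadrant(cutoff) == quadrant]
        members.sort(key=lambda r: r.severity(), reverse=True)
        entry = ", ".join(f"#{r.id} {r.name} (onset {SPEED_LABELS[r.speed]})" for r in members)
        lines.append(f"{quadrant}: {entry or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(chart_summary()))
    print("Mitigation priority:", mitigation_priority())
```

Under the assumed cut-off the hedged copper risk (#3) falls into the Assure quadrant and the unhedged currency risk (#12) into Redeploy, while the eight remaining risks, supply chain disruption (#1) among them, land in the Mitigate quadrant.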

Page 53: Enterprise Risk Management and Business Ethics

18 | Risk Assessment in Practice | Thought Leadership in ERM

www.coso.org

Putting It into Practice

To be effective and sustainable, the risk assessment process needs to be simple, practical, and easy to understand. Success depends upon executive commitment and resources. The process must be performed by people with the right skills supported by technology that is correctly sized for the task at hand.

A corporate-level ERM function is indispensable for defining common standards, coordinating assessments across business units, and facilitating analysis of risk interactions. The central ERM function must be staffed by people with the necessary facilitation, project management, and analytical skills along with knowledge of risk management leading practices. The ERM function must be augmented by people in line positions closest to the risks. The risk owners ultimately bear responsibility for the assessed levels of risk and for defining and implementing risk response plans to bring risks within tolerance. This hybrid top-down and bottom-up approach brings the best of both worlds, achieving consistency and comprehensive coverage while embedding accountability and leveraging the expertise of the people in the organization closest to the risks.

People aren’t enough. To be efficient, they must be supported by the right technology. Many entities begin their ERM journey in a simple spreadsheet environment. This can be practical in the early stages of development as both risk owners and senior leadership ascertain their analytical and reporting requirements. Later years can be quite challenging without automation, especially if the entity is large, complex, and geographically distributed.

Fortunately, a large number of software vendors have entered the ERM space, and each year brings new innovations and improved offerings. Systems exist at an array of price points with analytical capabilities increasing with price. Most systems will quickly pay for themselves in saved labor costs.

Finally, risk assessment cannot exist in a vacuum or it becomes a fruitless exercise. COSO’s Enterprise Risk Management – Integrated Framework emphasizes the need to assess and oversee risks from a holistic perspective. The process must sit within a larger framework that uses the information gleaned to make decisions about risk responses and monitoring, and feeds information back into the strategic planning process. The ERM function must be empowered to monitor and oversee implementation of risk responses. If participants don’t see that their contributions and hard work during risk assessment lead to concrete actions that make a real difference, they will become cynical and withdraw from the process in future years.

You’ll know you’re doing risk assessment right when leaders at every level use the information to make decisions regarding value.


About COSO

Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control, and fraud deterrence. COSO’s supporting organizations are the Institute of Internal Auditors (IIA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA).

About the Authors

“Deloitte” is the brand under which tens of thousands of dedicated professionals in independent firms throughout the world collaborate to provide audit, consulting, financial advisory, risk management and tax services to selected clients. These firms are members of Deloitte Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee. In the United States, Deloitte LLP is the member firm of DTTL. Deloitte & Touche LLP, a subsidiary of Deloitte LLP, provides internal control and enterprise risk services in the United States. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. The contributing authors from Deloitte & Touche LLP are Dr. Patchin Curtis, Director, and Mark Carey, Partner. This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.


© 2009 Palgrave Macmillan 1460-3799/09 Risk Management Vol. 11, 1, 30–43

www.palgrave-journals.com/rm/

Original Article

A new approach to risk: The implications of E3

Robert Bea a,*, Ian Mitroff b, Daniel Farber c, Howard Foster d and Karlene H. Roberts e

a Department of Civil and Environmental Engineering, University of California, Berkeley, CA, USA. E-mail: [email protected]

b Marshall Goldsmith School of Management, Alliant International University, University of California, Berkeley, CA, USA. E-mail: [email protected]

c The California Center for Environmental Law and Policy, University of California, Berkeley, CA, USA. E-mail: [email protected]

d Institute of Urban and Regional Development, University of California, Berkeley, CA, USA. E-mail: [email protected]

e Haas School of Business, University of California, Berkeley, CA 94720, USA. E-mail: [email protected]

* Corresponding author: Department of Civil & Environmental Engineering, 212 McLaughlin Hall, University of California, Berkeley, CA 94720, USA

Abstract

The fundamental thesis of this paper is that no matter how much physical science and technology are involved in complex systems, no system is ever purely or solely physical or technical. Certainly no system of which we are aware is purely scientific or technical in its operation or management. Furthermore, while research on and the modeling of complex systems usually rely heavily on the consideration of technological variables and processes, they typically fail to consider the contributions of individual psychological, organizational and contextual factors. This paper argues that we need models that avoid committing errors of the third kind, solving the wrong problem precisely. The paper sets out a mechanism for developing models that include contextual as well as technological variables.

Risk Management (2009) 11, 30 – 43. doi: 10.1057/rm.2008.12

Keywords: risk analysis; human factors; organizational factors; geographic information systems; environmental impact statements; high reliability organizations


Introduction

What do the Exxon Valdez spill, the Katrina levee failure and flood and the Piper Alpha Platform failure disasters have in common? They occurred because of the failure to recognize oil infrastructure, ship-safety and flood control as complex infrastructure systems (CISs). Such systems require risk assessments that include psychological, social, organizational and political processes – in addition to those typical of traditional engineering practices. As a result, we suggest reformulating the problem of risk. To give appropriate weight to social processes in risk assessment, we suggest applying findings from other disciplines including agent-based modeling (ABM), the use of geographic information systems (GISs) to integrate multi-scale and multi-discipline input, technology delivery system (TDS) design and high reliability organization (HRO) management principles.

The Assessment and Calculation of Risk

In engineering infrastructures that must cope with natural hazards, designers traditionally calculate risk for two reasons: to prioritize design so that the most likely and potentially most damaging hazards get the most attention, and to evaluate the adequacy of design. For example, when a design lowers the threat of a hazard to a value comparable to other acceptable hazards, that design is good enough. Risk assessment shapes design, construction and management of infrastructure systems solutions so great attention needs to be paid to how it is done.

Risk assessment in complex systems is strongly dependent on five crucial factors:

1. the inherent complexity of the system and the environment in which it exists and operates;

2. the models used to represent the system; that is, how the system and its environment, and hence its complexity, are represented in the first place;

3. whether the models give equal weight to technical, individual human, organizational and socio-political (for example, legal) variables in determining the operation and the failure modes of the system; for instance, whether certain variables (for example, engineering or technical) are emphasized or privileged over others, and whether the representation of the system is fundamentally biased or flawed to begin with;

4. as a direct result of factor 3, the number and kinds of terms included in determining the probability, or the probabilities, of failure of the system, and;

5. how the consequences of the failure of the system are also represented and determined.


The fundamental thesis of this paper is that no matter how much physical science and technology are involved in a complex system, no system is ever purely or solely physical or technical. Certainly no system of which we are aware is purely scientific or technical in its operation or management.

Every ‘system’ consists of a complex set of (a) technical processes and variables that interact strongly with a complex set of (b) individual human (that is, psychological), (c) organizational and (d) socio-political processes and variables. Technical, individual, and so on variables that compose the system can only be distinguished from one another with great difficulty. In other words, the variables are so strongly coupled that it is almost impossible to determine where one kind typically begins and others end or leave off.

By its very nature, modeling complex systems is inherently interdisciplinary. This means that determinations of the probabilities of system failure are also inherently interdisciplinary. In turn, the assessment of risks associated with complex systems is inherently interdisciplinary as well.

In spite of this, the modeling and risk assessment of complex systems have not been as interdisciplinary as they need to be. As a result, a basic and fundamental error underlies the vast majority of risk assessments. This error is known as the Error of the Third Kind, or the Type Three Error (E3) (Mitroff and Linstone, 1992).

E3 is defined as the ‘probability of solving the ‘wrong’ problem precisely.’ Whereas Type One (E1) and Type Two (E2) errors are well known and utilized in statistics, E3 is not. E1 and E2 (accepting or rejecting a ‘null hypothesis’) relate to problems that are already known or well defined. In sharp contrast, E3 pertains to how problems are defined or formulated in the first place. In this sense, E3 is both prior to and more basic than E1 and E2.

This paper shows that by taking (a) technical, (b) individual human, (c) organizational and (d) socio-political variables equally into account, E3 can be expressed on a quantitative basis like E1 and E2. Anything less leads to dangerously misleading risk assessments.

An interdisciplinary approach to modeling complex systems allows us to formulate and determine the E3s associated with them. Combating E3s in practice also requires an interdisciplinary approach. Organizations that relegate risk assessment to individuals with narrow technocratic expertise will inevitably commit E3s. Only by incorporating multiple perspectives and being alert to discrepancies between models and reality can organizations deal with risk in a realistic way.

Background

Work on this paper started almost two decades ago with an investigation by one of the authors (Bea) of the dramatic failure of the Piper Alpha offshore oil and gas drilling and production platform in the North Sea. This platform served as a ‘hub’ in a major part of the oil and gas infrastructure in the North Sea. The investigative report stated that the majority of the causes of this failure (80 per cent or more) were firmly rooted in human, organizational and institutional malfunctions. The remaining causes could reasonably be attributed to malfunctions in the engineered parts of this complex system. This was a rude awakening because the platform was intensely studied prior to its failure using traditional engineering approaches and ‘engineering fixes’ were put in place. However, these fixes proved to be totally ineffective.

Defining the problem as primarily an ‘engineering problem’ commits a major E3. Hence, problem definition is critical in designing, operating, maintaining and managing critical CISs. In the Piper Alpha situation a new problem was exposed that involved other parts of this production infrastructure. When the first fires and explosions erupted on the platform, personnel on interconnected production platforms realized that the pressures in the pipelines had dropped. In response to the drop in pipeline pressure and organizational pressures to ‘catch up’ on back production, these platforms increased production to the Piper Alpha platform, further escalating and accelerating the ‘final melt down’ of the system.

It was subsequently recognized that a broader, more holistic problem definition is of critical importance in designing, operating, maintaining and managing CISs. Findings such as this are now common in investigations of other disasters (for example, Challenger and Columbia, Texas City and Bhopal, Katrina and Betsy, and so on). Most recently, this background was incorporated into an NSF-funded research project to investigate the causes of the failure of the flood defense system for the Greater New Orleans Area (Kardon et al, 2006; Seed et al, 2007a–c).

The human, organizational and institutional causes are termed ‘extrinsic.’ The categories of uncertainties traditionally addressed by engineers – natural or inherent (aleatory) and those associated with parametric, state and analytical model uncertainties (epistemic) – are termed ‘intrinsic.’ Because the neglected extrinsic factors are actually fundamental to system performance, expected risks were under-predicted by factors of 100 or more. These findings are consistent with a large body of research that highlights the role of ‘extrinsic’ factors in large-scale system failures (for example, Perrow, 1984; Roberts, 1990; Clarke and Short, 1993; Vaughan, 1996, 1999).

Traditional engineering analyses and processes also result in inappropriate strategies for managing risk. This is another example of an E3 that results from thinking that overemphasizes improving ‘things’ such as system components, rather than addressing ‘process’ and ‘people’ factors that produce risk and the consequences of risk. Compelling evidence for this is available in reports of major catastrophes such as Bhopal (Shrivastava, 1987), Columbia (Gehman et al, 2003) and Katrina (Farber et al, 2007).


A Proposal for Studying Complex Systems

This paper proposes a new approach to developing a holistic approach to understanding and managing risks and their consequences associated with CIS failures. As shown in Figure 1, this new approach incorporates analytic methods that model relationships among factors and processes taking place at four levels of analysis, from physical systems through organizational processes and practices to the broader societal context.

Level 1, physical systems and their components, is the domain of traditional engineering risk analysis and management. Level 2 includes human elements of organizations traditionally studied by psychologists. These include individual differences, personality, training, and so on. Scholars specializing in the sociology of organizations, management science, organizational communication and related fields traditionally study level 3, which encompasses organizational attributes and processes. Included in this level is a range of factors, including organizational structure, culture, management and problem-identification, and problem-solving strategies. Level 4 incorporates broader societal factors that affect both organizational processes and the physical elements of CISs. This level consists of more macro-level factors such as governance, laws and regulatory regimes, and social, demographic and economic forces that must also be taken into account in CISs risk and vulnerability analyses.

Figure 1 : Evaluating and managing CISs risks.


Often level 1 analyses fail to address the critically important issues associated with the consequences of failure – particularly those associated with rescue and recovery resilience. Levels 2, 3 and 4 are the important additional elements contributed by individual differences psychology, organizational and social sciences to enable a more holistic assessment of risks and the management alternatives that are available to reduce the likelihoods of failures and consequences contributing to the CISs risks (Roberts and Sloane, 1988; Roberts et al, 2004, 2005).

The guiding logic of our approach is that a full understanding of CIS vulnerability can only be achieved through the analysis of interactions within and across these four levels, in context and over time. As discussed above, prior engineering research has focused on the first level – the physical elements that make up engineered systems – while treating the other two levels as ‘extrinsic’ to formal analytic frameworks. In contrast, this paper recognizes that managing risks associated with CISs is a multi-dimensional problem that must be addressed through collaborative research and educational activities that cross and transcend disciplinary boundaries.

An Approach to Assessing Risks Associated with CISs

The probability of failure, P(F), of a CIS is

$$P(F) = P(F_I \cup F_E) \qquad (1)$$

where I stands for intrinsic factors, E stands for extrinsic factors and ∪ stands for the union operator. I typically stands for technical factors such as the failure of levees and pumping systems, while E stands for organizational/social factors such as the breakdown of communications between different entities charged with managing a CIS.

In turn,

$$P(F) = P(F_I / E)\,P(E) + P(F_I / \mathrm{Not}\,E)\,P(\mathrm{Not}\,E) + P(F_E / E)\,P(E) \qquad (2)$$

The first term in equation (2) addresses the likelihood of system failure due to intrinsic factors (technical) given (that is, conditional upon) the uncertainties associated with extrinsic factors (psychological, organizational, social, legal, and so on). The second term addresses the same likelihood given no extrinsic factors. By our initial assumption that every complex system is composed of the interactions between technical and social variables, the second term is impossible. We include it, nonetheless, for an important reason that will become apparent shortly. The third term addresses the likelihood of system failures due directly to extrinsic factors.


Equation (2) leads to an interesting and important way to measure E3. Recall that E3 is the probability of solving the wrong problem precisely. This can be expressed as follows in equation (3):

$$P[P(F)] = P\big[P(F_I / E)\,P(E) + P(F_I / \mathrm{Not}\,E)\,P(\mathrm{Not}\,E)\big] \qquad (3)$$

P[P(F)] is a probability distribution/function like any other probability distribution/function. It is the probability that the probability of failure function only includes the first two terms. That is, P(P(F)) is a way to measure whether assessing the probability of failure of a complex system is solving the wrong problem through the use of the wrong (that is, incomplete) formula.

The Practical Significance of E3

E3 is critically important in understanding system failures. As noted earlier, work relevant to this article started almost two decades ago with a study of an oil platform failure. This experience led to researcher involvement in investigations of other failures of engineered systems including the Exxon Valdez, the Columbia space shuttle, the Texas City BP refinery and the flood protection system for the Greater New Orleans area (Kardon et al, 2006; Bea, 2007a, b; Farber et al, 2007; Seed et al, 2007a–c). The theme developed from these experiences was that the majority (80 per cent or more) of the causes of failures were human–organizational–institutional in nature. These causes are termed ‘extrinsic.’ The balance of the causes of failure can be traced to two categories of uncertainties traditionally addressed by engineers – natural or inherent (aleatory) and those associated with parametric, state and analytical model uncertainties (epistemic). These causes are termed ‘intrinsic.’

This was an important finding because it helped to explain why traditional engineering analyses of the likelihoods of failures do not match the actual or actuarial likelihoods of failure – they under-predict the real likelihoods by factors of 10 or more. Engineering models do not include the critical human and organizational parts of the system – resulting in a critical E3. A similar situation also was found with the consequences of failure – these too were under-predicted by factors of 10 or more. Thus, ‘expected’ risks taken as the product of the likelihood of failure and the consequences given failure were under-predicted by factors of 100 or more.

Traditional engineering analyses and processes result in ‘distorted’ approaches to better manage risks (combination of likelihoods and consequences of failures). Again, another major E3. Frequently, attempts are made to fix ‘things’ rather than ‘processes and people.’ Traditional approaches focus on proactive assessments and management strategies. But, experience with these failures clearly indicates there are important limitations to proactive assessments and the associated management strategies. The future changes things; systems are more organic than mechanical; and predictability is extremely limited. Even reactive (after the accident or failure) analyses and associated approaches are limited because they focus on ‘things’ not on ‘processes and people.’ This leads to trying to fix the wrong things in the wrong ways.

Ways to Deal with E3

A major cause of E3s is that key portions of interactive systems – particularly the ‘soft’ human and organizational portions – are omitted from analysis in part because of the absence of rigorous modeling methodologies. ABM is a promising method for addressing these issues (Gilbert and Terna, 2000; Cummings et al, 2006; Axelrod and Tesfatsion, 2007). ABM is a specific simulation technique that models complex adaptive systems via computer-generated agents that interact in a virtual environment. These ‘agents’ can represent individual people, but they can also represent social groupings such as operating teams, organizations, firms, communities and agencies. The interactions occur according to representative programmed behavioral rules that create the unpredictable self-organizing behavior seen in complex adaptive systems. The behavioral rules are informed by case studies, observations of CISs operations and expert judgment.

GISs provide another important modeling tool. GISs have long been used to store, manipulate and display spatial data. In addition to their obvious utility in managing environmental data, they allow designers to encode solutions so they can be evaluated and compared with each other quantitatively in terms of whatever measures are determined to be useful. In addition, because a GIS allows the display of concepts and relationships in map form to large audiences, it is the ideal tool for integrating traditional engineering and social science analyses. GISs can serve as a monitoring tool to integrate sensor data, field reports, remote sensing data, and so on, so system management can be integrated with design solutions. Finally, for managing complex systems, generalization algorithms (Radke and Mulan, 2000; Radke et al, 2000) aggregate observational data so that broad trends can be recognized and responded to.

A key objective in this research is to create and validate methods and procedures to enable meaningful characterizations and quantifications of P(E). However, quantifications are not the primary goal. The primary goal is to develop insights into how P(E) can be reduced by improving the process and people aspects of CISs. The quantifications provide ‘metrics’ to assist evaluations of alternatives and progress toward improving the quality and reliability of CISs.

Ultimately, we need better delivery of Risk Assessment and Management Infrastructure Systems technology. Some preliminary work was done to design an advanced TDS (Bea, 2007b). This work resulted in identification of three interrelated components: (1) the public/s (people affected by the CISs), (2) the governments (of, by and for the people with responsibilities for the CISs) and (3) industry (responsible for providing CISs). The linkages among these components are facilitated and enhanced with modern communication and information technology – including the media and GISs. The fundamental objective is to provide improved information and knowledge that will help impact values, beliefs and behaviors in ways beneficial to the publics and to the environments in which they exist. At present the concepts associated with the TDS are used in efforts to integrate flood protection strategies and procedures into improving the flood protection systems for the Greater New Orleans and Sacramento Delta areas.

Developing effective TDSs is one of the most critical parts of building resilient and sustainable CISs. Without the required societal and political ‘wills,’ the technology ‘ways’ to improve resilience, sustainability and reliability of CISs will not be effectively implemented.

For the last 20 years research on HROs examined a number of adaptive management strategies that work to render organizations highly reliable and sustainable. One finding suggests that adaptable organizations change their structures in response to changing conditions. When their environments are very uncertain HROs flatten their structures considerably, returning to more hierarchical structures as their environments gain more certainty. Another characteristic of HROs is that they push decision making to the lowest level of the organization commensurate with the knowledge needed to make that decision. In other words, if a decision about refueling an aircraft in the fast paced and potentially dangerous environment of an aircraft carrier is best made by a chief petty officer on the deck, it is certainly not given over to the ship’s captain on the bridge of the ship (Weick and Roberts, 2003). These kinds of structural and decision-making strategies render the organization more resilient than are organizations who do not follow them. This resilience opens the organization up to the possibilities of looking for potential E3s and doing something to correct the situation.

It is hypothesized that the adaptable CISs do much the same thing. A good deal of networking research has been done in organizational behavior. An initial step in understanding how CISs adapt and make decisions is to uncover their networks of relationships. It is hypothesized that more resilient CISs have more tentacles into other complex systems than less resilient CISs. Other aspects of the influence of both political decisions and organizational processes need to be included in dealing with CISs.

Engineers are trained to focus on technical errors. Narrow and exclusive focus on technical factors is a source of E3s, simply because engineers tend to place too much reliance on technical models without realizing the likelihood that those models fail to capture key elements of risk. If engineers and other system designers can learn to take a broader perspective, E3s can be reduced.


Nevertheless, even ‘enlightened’ technical designers inevitably have limited perspectives, based on their own training and limited sources of information. Minimizing E3s requires opening the planning process to those with other perspectives, including natural and social scientists. The planning process also needs to include individuals with ‘on the ground’ experience with the system in question. Thus, what is frequently a closed technocratic planning process must become much more open and public.

A More Open and Public Perspective

Ideally, the environmental assessment procedure can provide one path toward this expanded planning process. Major infrastructure projects typically involve participation by government decision makers in either funding or licensing. The planning process used by these decision makers makes some effort to con-sider issues of resilience and sustainability, as well as potential interactions among infrastructures. A primary tool for considering these issues is environ-mental assessment. These assessments take the form of environmental impact statements (EISs) or environmental impact reviews (EIRs) ( Gerschwer, 1993 ). One part of creating better decision tools for infrastructure is understanding the role of environmental assessment in current planning efforts. Understand-ing what works and does not work (attempting to avoid E3s) creates the opportunity for improved methodologies. Criticisms of environmental assess-ments provide rich research issues ( Klick, 1994 ). Two relevant criticisms are that the process places undue confi dence in predictions and too little emphasis on monitoring and adaptive management. In addition, conside ration of inter-action between projects is handicapped by a series of Supreme Court decisions ( Karkkainen et al , 2000 ).

Despite the inadequacies of current environmental assessment, its aspirations are consistent with the kind of system analysis needed to avoid E3s. The National Environmental Quality Act (NEPA) directs all federal agencies to engage in systematic, interdisciplinary approaches that include integrated use of the natural and social science and the environmental design arts (West Publishing Co., 2008). It also requires agencies to recognize that environmental issues are worldwide and long-range and, where consistent with US foreign policy, to maximize international cooperation in dealing with the decline in the quality of mankind’s world environment (West Publishing Co., 2008). The environmental assessment process also includes provisions designed to open the process to multiple perspectives. Public notice and the opportunity to submit written comments are routine. Perhaps more importantly, agencies are required to engage in consulting other agencies, many of which have different goals and perspectives that can be critical in identifying E3s. Too often project designers view environmental review as an irksome constraint on their planning, rather than recognizing it as an opportunity to avoid critical E3s.


GIS can provide a methodology for the kind of broad-gauged planning process needed to minimize E3s. For example, one use of GIS for environmental assessment broke the geographical area into cells of areas with similar vegetation, climate and soils. A model was used to predict, on a cell-by-cell basis, the growth and aging of a forest, including the size and distribution of each forest type. Those calculations in turn were used together with a habitat suitability model to predict impacts on wildlife (Eady, 1995). In another instance, the Bureau of Reclamation made good use of GIS in performing an assessment of the operations of the Glen Canyon Dam. Public interest was very high, with more than 30 000 people commenting on the draft of the environmental EIS. Thus, GIS contributed significantly to the planning process, both in terms of procedure and in terms of allowing a broad synthetic analysis, as the White House Council on Environmental Quality (1997) explained:

GIS provides the analyst with management of large data sets, data overlay and analysis of development and natural resource patterns, trends analysis, mathematical impact modeling with locational data, habitat analysis, aesthetic analysis, and improved public consultation. Using GIS has the potential to facilitate the efficient completion of projects while building confidence in the NEPA process.

We also need to consider the incentives that will lead system designers to broaden their horizons and augment the planning process. One such mechanism is the potential for civil liability. The potential for liability can push designers to consider broader ranges of risk. Similarly, insurance companies can play a proactive role in encouraging safe design, bringing to bear their broad range of experience with other system failures and safety methodologies.

In seeking to avoid E3s, we can also benefit from the rich literature about organizational learning. Organizations learn by embedding historical experience in their routines (Levitt and March, 1988). Organizational routines are based on implicit models that help the organization make sense of the world and respond to perceived problems. These models are as subject to E3 as are the more formal engineering models. However, without conditions motivating change, routines are often relatively stable and organizations generally tend to be inert, relying on existing models and adapting less than perfectly to, and falling in and out of alignment with, their environments (Nelson and Winter, 1982). Disaster preparation calls for a different form of learning in which organizations draw on not only their own experiences but also those of other organizations. Such network effects exist for a variety of learning processes (for example, Argote et al, 1990; Baum and Ingram, 1998; Beckman and Haunschild, 2002).

HROs are also concerned with learning. They are careful to accept input from individuals at all levels of the organization, thereby broadening their base of knowledge and perspectives, and they pay careful attention to unexpected outcomes and system failures (Roberts, 1990; Weick and Roberts, 2003). Thus, they are able to detect the shortcomings of their implicit models and avoid E3s.

Over the past few decades, scholars from many disciplines have advocated relational or systems approaches, as opposed to reductionist approaches that study particular events and entities in isolation (Miller, 1972; Wolf, 1980). For instance, collaborative governance involving multiple organizations, both public and private, is a principal focus in recent environmental and administrative law scholarship (Freeman, 1997; Minow, 2003). We are gaining solid information about how these interactions work in the context of regulation (Freeman, 1997; Cunningham et al, 2003), and in developing policy networks (Agranoff, 2003). Researchers are beginning to understand how law can facilitate formal and informal relations that achieve the appropriate balance between accountability to public goals and the flexibility necessary for maximizing the utility of private-sector involvement (Karkkainen et al, 2000; Bamberger, 2006).

Conclusion

All too often, researchers and decision makers focus exclusively on E1s, the risk of accepting a false hypothesis about the true value of a variable. They fail to take into account E2s, the risk of rejecting a true hypothesis about the true value of a variable. Thus, statistical reliability trumps statistical power. But even more important are E3s, the risk that the entire model used in the analysis is wrong, often because it omits key variables. For researchers, this can be merely a methodological headache, which goes under the name of specification error or omitted variables bias. But for decision makers, the consequences can be literally deadly. Models can produce precise calculations of the value of a risk that are nonetheless meaningless because the model is radically incomplete.
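As an added illustration that is not part of the paper, the following Python simulation shows the omitted-variables form of E3 described above: a model that leaves out a driver correlated with the one it includes returns an estimate of that driver's effect that is tight and wrong, and more data only narrows the interval around the wrong value. The data, coefficients and function names are constructed for this example.

```python
"""Added illustration (not from the paper) of an E3 as specification error:
a model that omits a key variable gives a precise yet wrong estimate, and
more data only makes it more precisely wrong. Standard library only."""
import math
import random


def solve(a, b):
    """Solve the square system a x = b by Gauss-Jordan elimination with
    partial pivoting. Inputs are copied, not modified."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(rows, y):
    """Ordinary least squares with an intercept added as column 0.
    Returns (coefficients, standard errors)."""
    x = [[1.0] + r for r in rows]
    n, k = len(x), len(x[0])
    xtx = [[sum(x[i][p] * x[i][q] for i in range(n)) for q in range(k)]
           for p in range(k)]
    xty = [sum(x[i][p] * y[i] for i in range(n)) for p in range(k)]
    beta = solve(xtx, xty)
    resid = [y[i] - sum(beta[p] * x[i][p] for p in range(k)) for i in range(n)]
    s2 = sum(e * e for e in resid) / (n - k)      # residual variance
    # Diagonal of (X'X)^-1, obtained column by column from unit vectors.
    ses = [math.sqrt(s2 * solve(xtx, [float(p == j) for p in range(k)])[j])
           for j in range(k)]
    return beta, ses


# Constructed world: a loss depends on two drivers, x1 and x2. The analyst's
# model knows only x1. Because x2 is correlated with x1 (x2 ~ 0.8*x1 + noise),
# the effect of x2 is silently loaded onto x1 when x2 is left out.
TRUE_INTERCEPT, TRUE_B1, TRUE_B2, CORR = 1.0, 2.0, 3.0, 0.8


def make_data(n, seed=7):
    """Deterministic synthetic sample; the seed makes runs reproducible."""
    rng = random.Random(seed)
    x1 = [rng.gauss(0.0, 1.0) for _ in range(n)]
    x2 = [CORR * v + rng.gauss(0.0, 0.5) for v in x1]
    y = [TRUE_INTERCEPT + TRUE_B1 * a + TRUE_B2 * b + rng.gauss(0.0, 1.0)
         for a, b in zip(x1, x2)]
    return x1, x2, y


def compare_models(n):
    """Fit the misspecified (x1 only) and the full (x1, x2) model on the
    same data. For each, report the estimated x1 effect, its standard error
    and whether a 95% confidence interval contains the true value TRUE_B1."""
    x1, x2, y = make_data(n)
    b_mis, se_mis = ols([[a] for a in x1], y)
    b_full, se_full = ols([[a, b] for a, b in zip(x1, x2)], y)
    result = {}
    for name, b, se in (("omitted_x2", b_mis[1], se_mis[1]),
                        ("full", b_full[1], se_full[1])):
        result[name] = {"estimate": b, "se": se,
                        "covers_truth": abs(b - TRUE_B1) <= 1.96 * se}
    return result


if __name__ == "__main__":
    # Expected pattern: the x1-only estimate settles near
    # TRUE_B1 + TRUE_B2 * CORR = 4.4 with a shrinking standard error that
    # never brackets 2.0, while the full model recovers 2.0.
    for n in (200, 2000, 20000):
        r = compare_models(n)
        print(f"n={n:6d}  x1-only: {r['omitted_x2']['estimate']:.2f} "
              f"(se {r['omitted_x2']['se']:.3f}, "
              f"covers 2.0: {r['omitted_x2']['covers_truth']})  "
              f"full: {r['full']['estimate']:.2f} (se {r['full']['se']:.3f})")
```

The shrinking standard error is the "statistical reliability" the paper warns about: it measures noise, not the bias that the missing variable introduces, so no sample size repairs the wrong model.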

In this paper, we attempted to propose methodologies for dealing with E3s in risk assessment. As we saw, E3s are to some extent subject to rigorous analysis, and promising methodologies exist with which to improve formal modeling. But the greater challenge may be to design human systems for risk analysis that allow E3s to be detected and corrected. Such systems require broad input and a willingness to reassess models in light of the unexpected. In designing such systems of risk assessment, we must both improve formal modeling and learn from the organization literature to design better processes for decision-making.

Acknowledgement

This project was supported, in large part, by the National Science Foundation (NSF) under EFGRI Grant No. 0836047. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of NSF.


References

Agranoff, R. (2003) A New Look at the Value-adding Functions of Intergovernmental Networks. Paper presented for National Public Management Research Conference, Georgetown University, Washington DC.

Argote, L., Beckman, S.L. and Epple, D. (1990) The persistence and transfer of learning in industrial settings. Management Science 36(2): 140–154.

Axelrod, R. and Tesfatsion, L. (2007) On-line guide for newcomers to agent based modeling in the social sciences, www.econ.iastate,edu/testfatsi/abmread.htm, accessed 5 January 2007.

Bamberger, K.A. (2006) Blurring Boundaries: Organizational Theory, Regulated Firms, and the Administrative State. Berkeley: University of California. Working paper.

Baum, J.A.C. and Ingram, P. (1998) Survival-enhancing learning in the Manhattan hotel industry, 1898–1980. Management Science 44(7): 996–1016.

Bea, R.G. (2007a) Reliability Assessment and Management Lessons from Hurricane Katrina, OMAE 2007-29650, Proceedings of the Sixth International Conference on Offshore Mechanics and Arctic Engineering, New York: American Society of Mechanical Engineers.

Bea, R.G. (2007b) Lessons From Failure of the Flood Protection System for the Greater New Orleans Area During Hurricane Katrina, OMAE 2007-29649, Proceedings of the Sixth International Conference on Offshore Mechanics and Arctic Engineering, New York: American Society of Mechanical Engineers.

Beckman, C.M. and Haunschild, P.R. (2002) Network learning: The effects of partners’ heterogeneity of experience on corporate acquisitions. Administrative Science Quarterly 47(1): 92–124.

Clarke, L. and Short, J. (1993) Social organization and risk: Some current controversies. Annual Review of Sociology 19: 375–399.

Cummings, M.C., McGarvey, D.C., Vinch, P.M. and Colletti, B.W. (2006) Homeland Security Risk Assessment, RP05-024-01a, Arlington, VA: Homeland Security Institute.

Cunningham, N., Kagan, R.A. and Thornton, D. (2003) Shades of Green: Business, Regulation, and Environment. Stanford, CA: Stanford University Press.

Eady, W. (1995) The use of GIS in environmental assessment. Impact Assessment 13: 199–206.

Farber, D.A., Bea, R.G., Roberts, K., Wenk, E. and Inkabi, K. (2007) Reinventing flood control. Tulane Law Review 81(4): 1085–1127.

Freeman, J. (1997) Collaborative governance in the administrative state. UCLA Law Review 45(1): 1–99.

Gehman, H.W. Jr. et al. (2003) Columbia Accident Investigation Report, Vols. 6, Washington DC: Government Printing Office.

Gerschwer, L. (1993) Informational standing under NEPA: Justiciability and environmental decisionmaking process. Columbia University Law Review 93: 996–1001.

Gilbert, N. and Terna, P. (2000) How to build and use agent-based models in social science. Mind and Society 1: 57–72.

Kardon, J.B., Bea, R.G. and Williamson, R.B. (2006) Validity and Reliability of Forensic Engineering Methods and Processes. Herndon, VA: American Society of Civil Engineers.

Karkkainen, B.C., Fung, A. and Sabel, C. (2000) After backyard environmentalism: Toward a performance-based regime of environmental regulation. American Behavioral Scientist 44(4): 690–709.

Klick, K.A. (1994) The extraterritorial reach of NEPA’s EIS requirement after Environmental Defense Fund v. Massey. American University Law Review 44: 291–322.

Levitt, B. and March, J.G. (1988) Organizational learning. Annual Review of Sociology 14(2): 319–340.

Miller, J.G. (1972) Living Systems. New York: McGraw Hill.

Minow, M. (2003) Partners, Not Rivals: Privatization and the Public Good. Boston, MA: Beacon Press.

Mitroff, I.I. and Linstone, H. (1992) The Unbounded Mind. New York: Oxford University Press.

Nelson, R.R. and Winter, S.G. (1982) An Evolutionary Theory of Economic Change. Cambridge, MA: Harvard University Press.

Perrow, C. (1984) Normal Accidents: Living with High Risk Technologies. New York: Basic Books.

Radke, J. and Lan, M. (2000) Spatial decompositions, modeling and mapping service regions to predict access to social programs. Geographic Information Sciences 6(2): 105–112.

Radke, J.T., Cova, M.F., Sheridan, M., Troy, A., Lan, M. and Johnson, R. (2000) Application challenges for GIS science: Implications for research education, and policy for risk assessment. Emergency Preparedness and Response (RAEPR)? URISA Journal 12(2): 15–30.

Roberts, K.H. (1990) Some characteristics of one type of high reliability organization. Organization Science 1(2): 160–176.

Roberts, K.H. and Sloane, S.B. (1988) An Aggregation Problem and Organizational Effectiveness. In: B. Schneider and D. Schoorman (eds.) Facilitating Organizational Effectiveness. Lexington, MA: Lexington Press, pp. 125–144.

Roberts, K.H., Madsen, P. and Desai, V. (2004) Bridging Levels, Variables, and Methodologies. In: F.J. Yammarino and A.E. Dansereau (eds.) Research in Multi Level Issues: An Annual Series. Oxford, UK: Elsevier, pp. 69–78 (also in Science Direct).

Roberts, K.H., Madsen, P. and Desai, V. (2005) The Space Between in Space Transportation: A Relational Analysis of the Failure of STS 107. In: M. Farjoum and W. Starbuck (eds.) Organizations at the Limit: Lessons from the Columbia Disaster. Malden, MA: Blackwell Publishing, pp. 81–98.

Seed, R.B. et al. (2007a) Investigation of Levee Performance in Hurricane Katrina: The New Orleans Drainage Canals, Proceedings Geo, Denver, 2007, ASCE.

Seed, R.B. et al. (2007b) Investigation of Levee Performance in Hurricane Katrina: The Inner Harbor Navigation Canal, Proceedings Geo, Denver, 2007, ASCE.

Seed, R.B. et al. (2007c) Investigation of the Performance of the New Orleans Regional Flood Protection Systems During Hurricane Katrina: Lessons Learned, Proceedings Geo, Denver, 2007, ASCE, pp. 1–16.

Shrivastava, P. (1987) Bhopal: Anatomy of a Crisis. Cambridge, MA: Ballinger.

Vaughan, D. (1996) The Challenger Launch Decision: Risky Technology, Culture, and Deviance. Chicago, IL: University of Chicago Press.

Vaughan, D. (1999) The dark side of organizations: Mistake, misconduct, and disaster. Annual Review of Sociology 25: 271–305.

Weick, K.E. and Roberts, K.H. (2003) Collective mind in organizations: Heedful interrelating on flight decks. Administrative Science Quarterly 38: 357–381.

West Publishing Co. (2008) Selected Environmental Statutes 2008–2009, Educational edn. St. Paul, MN.

White House Council on Environmental Quality. (1997) The National Environmental Policy Act: A Study of its Effectiveness after 25 Years, http://www.nepa.gov/nepa/nepa25fn.pdf.

Wolf, F.A. (1980) Taking the Quantum Leap. New York: Harper and Row.


GARP Code of Conduct

Adopted: February 26, 2007. Revised: June 23, 2010.


June 23, 2010 GARP Code of Conduct


I. Introductory Statement

The GARP Code of Conduct (“Code”) sets forth principles of professional conduct for Global Association of Risk Professionals (“GARP”), Financial Risk Management (FRM®) and Energy Risk Professional (ERP®) certifications and other GARP certification and diploma holders and candidates, GARP’s Board of Trustees, its Regional Directors, GARP Committee Members and GARP’s staff (hereinafter collectively referred to as “GARP Members”) in support of the advancement of the financial risk management profession. These principles promote the highest levels of ethical conduct and disclosure and provide direction and support for both the individual practitioner and the risk management profession.

The pursuit of high ethical standards goes beyond following the letter of applicable rules and regulations and behaving in accordance with the intentions of those laws and regulations; it is about pursuing a universal ethical culture.

All individuals, firms and associations have an ethical character. Some of the biggest risks faced by firms today do not involve legal or compliance violations but rest on decisions involving ethical considerations and the application of appropriate standards of conduct to business decision making.

There is no single prescriptive ethical standard that can be globally applied. We can only expect that GARP Members will continuously consider ethical issues and adjust their conduct accordingly as they engage in their daily activities.

This document makes references to professional standards and generally accepted risk management practices. Risk practitioners should understand these as concepts that reflect an evolving shared body of professional standards and practices. In considering the issues this raises, ethical behavior must weigh the circumstances and the culture of the applicable global community in which the practitioner resides.

II. Code of Conduct

The Code is comprised of the following Principles, Professional Standards and Rules of Conduct which GARP Members agree to uphold and implement.

1. Principles

1.1 Professional Integrity and Ethical Conduct. GARP Members shall act with honesty, integrity, and competence to fulfill the risk professional’s responsibilities and to uphold the reputation of the risk management profession. GARP Members must avoid disguised contrivances in assessments, measurements and processes that are intended to provide business advantage at the expense of honesty and truthfulness.

1.2 Conflicts of Interest. GARP Members have a responsibility to promote the interests of all relevant constituencies and will not knowingly perform risk management services directly or indirectly involving an actual or potential conflict of interest unless full disclosure has been provided to all affected parties of any actual or apparent conflict of interest. Where conflicts are unavoidable, GARP Members commit to their full disclosure and management.

1.3 Confidentiality. GARP Members will take all reasonable precautionary measures to prevent intentional and unintentional disclosure of confidential information.


2. Professional Standards

2.1 Fundamental Responsibilities.

• GARP Members must endeavor, and encourage others, to operate at the highest level of professional skill.

• GARP Members should always continue to perfect their expertise.

• GARP Members have a personal ethical responsibility and cannot out-source or delegate that responsibility to others.

2.2 Best Practices.

• GARP Members will promote and adhere to applicable “best practice standards,” and will ensure that risk management activities performed under his/her direct supervision or management satisfy these applicable standards.

• GARP Members recognize that risk management does not exist in a vacuum. GARP Members commit to considering the wider impact of their assessments and actions on their colleagues and the wider community and environment in which they work.

2.3 Communication and Disclosure. GARP Members issuing any communications on behalf of their firm will ensure that the communications are clear, appropriate to the circumstances and their intended audience, and satisfy applicable standards of conduct.

III. Rules of Conduct

1. Professional Integrity and Ethical Conduct

GARP Members:

1.1 Shall act professionally, ethically and with integrity in all dealings with employers, existing or potential clients, the public, and other practitioners in the financial services industry.

1.2 Shall exercise reasonable judgment in the provision of risk services while maintaining independence of thought and direction. GARP Members must not offer, solicit, or accept any gift, benefit, compensation, or consideration that could be reasonably expected to compromise their own or another’s independence and objectivity.

1.3 Must take reasonable precautions to ensure that the Member’s services are not used for improper, fraudulent or illegal purposes.

1.4 Shall not knowingly misrepresent details relating to analysis, recommendations, actions, or other professional activities.

1.5 Shall not engage in any professional conduct involving dishonesty or deception or engage in any act that reflects negatively on their integrity, character, trustworthiness, or professional ability or on the risk management profession.

1.6 Shall not engage in any conduct or commit any act that compromises the integrity of GARP, the (Financial Risk Manager) FRM designation or the integrity or validity of the examinations leading to the award of the right to use the FRM designation or any other credentials that may be offered by GARP.

1.7 Shall endeavor to be mindful of cultural differences regarding ethical behavior and customs, and to avoid any actions that are, or may have the appearance of being, unethical according to local customs. If there appears to be a conflict or overlap of standards, the GARP member should always seek to apply the higher standard.

2. Conflict of Interest

GARP Members:

2.1 Shall act fairly in all situations and must fully disclose any actual or potential conflict to all affected parties.

2.2 Shall make full and fair disclosure of all matters that could reasonably be expected to impair their independence and objectivity or interfere with their respective duties to their employer, clients, and prospective clients.


3. Confidentiality

GARP Members:

3.1 Shall not make use of confidential information for inappropriate purposes and, unless having received prior consent, shall maintain the confidentiality of their work, their employer or client.

3.2 Must not use confidential information to benefit personally.

4. Fundamental Responsibilities

GARP Members:

4.1 Shall comply with all applicable laws, rules, and regulations (including this Code) governing the GARP Members’ professional activities and shall not knowingly participate or assist in any violation of such laws, rules, or regulations.

4.2 Shall have ethical responsibilities and cannot out-source or delegate those responsibilities to others.

4.3 Shall understand the needs and complexity of their employer or client, and should provide appropriate and suitable risk management services and advice.

4.4 Shall be diligent about not overstating the accuracy or certainty of results or conclusions.

4.5 Shall clearly disclose the relevant limits of their specific knowledge and expertise concerning risk assessment, industry practices and applicable laws and regulations.

5. Generally Accepted Practices

GARP Members:

5.1 Shall execute all services with diligence and perform all work in a manner that is independent from interested parties. GARP Members should collect, analyze and distribute risk information with the highest level of professional objectivity.

5.2 Shall be familiar with current generally accepted risk management practices and shall clearly indicate any departure from their use.

5.3 Shall ensure that communications include factual data and do not contain false information.

5.4 Shall make a distinction between fact and opinion in the presentation of analysis and recommendations.

IV. Applicability and Enforcement

Every GARP Member should know and abide by this Code. Local laws and regulations may also impose obligations on GARP Members. Where local requirements conflict with the Code, such requirements will have precedence.

Violation(s) of this Code may result in, among other things, the temporary suspension or permanent removal of the GARP Member from GARP’s Membership rolls, and may also include temporarily or permanently removing from the violator the right to use or refer to having earned the FRM designation or any other GARP granted designation, following a formal determination that such a violation has occurred.


Creating a culture of risk awareness.™

Global Association of Risk Professionals

111 Town Square Place, Suite 1215, Jersey City, New Jersey 07310, USA. +1 201.719.7210

Minster House, 1st Floor, 42 Mincing Lane, London EC3R 7AE, UK. +44 (0) 20 7397 9630

www.garp.org

© 2010 Global Association of Risk Professionals. All rights reserved.

About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 100,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®) exams, certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org.