
Solutions for Our Times

For further information and to receive complete copies of any of the white papers you see here, contact Al Uretsky, Managing Partner, Estrella Partners Group, LLC. Tel.: (623) 594-9283, auretsky@estrellapartners.com

Enterprise Risk Management: Planning an Enterprise Risk Management Project
By Dennis McFadden

Introduction

ERM defined (COSO): “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

As a business entity, when planning to implement Enterprise Risk Management, it’s likely that your business continuity plan is already in place and can be used as a knowledge base of business functions and risk-related business impacts. Both NASD Rule 3510 and NYSE Rule 446, which govern Business Continuity and Contingency Planning, require an assessment of financial and operational risks as well as identification of all mission-critical systems. A professionally developed Business Continuity Management (BCM) plan will reflect the best practices defined by the Business Continuity Institute and the Disaster Recovery Institute. It should contain a top-down and bottom-up assessment of business functions and risks based on strategic and tactical business needs.

Just as important, but sometimes overlooked in recovery planning, is governance and compliance during continuity of business operations: confusion creates an opportunity for policy and regulatory violations.

It’s reasonable to consider Business Continuity a component of Enterprise Risk Management, but the broader focus of ERM is to evaluate risk from an organization-wide perspective, from the top down, rather than from the narrower perspectives of either the separate groups incurring each given exposure impact or the separate groups charged with hedging those impacts. When developing the indicators necessary to evaluate risk, we need to identify the critical components, and here the operational functions captured in BCM come into play.
The challenge in making the transition from BCM to ERM is to avoid some of the “silo” mentality that, almost by necessity, went into planning for the business recovery event. The overall objective of ERM is to use the key drivers of corporate performance to make informed business decisions based on risk management principles. By breaking the risks down into categories such as Strategic, Operations, Reporting, and Compliance, a Risk Model can be developed that identifies the specific functional areas to be monitored. Within each category, the risks can be further differentiated into processing and environmental risks. Monitoring of environmental risks (regulatory, political, and financial markets) has taken on increasing importance in the current political and business climate.

A unique Risk Strategy should be established for the business in each category: determine how much risk is acceptable (Risk Appetite) and what the variation parameters are (Risk Tolerance). Identify the risk response options, including risk mitigation strategies, and manage the risk model and risk strategy parameters in response to changing business conditions. Risk management is not a static process, because risks are always changing.