
Business Intelligence: A Pragmatic Bottom-Up Approach

Knowledge Leadership
ERM: A Pragmatic Bottom-Up Approach (to Parallel the Top-Down)
By Roland Mosimann

Recent regulatory trends such as Basel II for financial services and Sarbanes-Oxley (SOX) for publicly traded companies have heightened the importance of better enterprise risk management (ERM). So have trends like globalization, integrated financial markets, the knowledge economy, and political uncertainty. Today, more than ever, how well you take and manage risks affects your cost of capital. And yet, with the exception of industries such as banking and insurance, many companies find the notion of ERM foreign and difficult to implement. The complexity of ERM at every level is daunting:

» How will you determine the universe of all your risks?
» How will you perform an assessment to prioritize which ones are most important?
» How will you design a system of controls that effectively mitigates the risk?
» How will you make sure the controls are working or your risks are at acceptable levels?
» How will you integrate all of this into the daily functioning of the business?

Change Is the Challenge

Anyone who has tried to initiate and gain adoption for an enterprise-wide program, such as Enterprise or Corporate Performance Management, knows that a key reason for failure is change. A fundamental challenge in implementing ERM is the ability to “sell” and “manage” the necessary change in behavior across the entire organization. Managing risk, like managing cost or revenue, cannot be done from the top alone; it must be “owned” by those closest to its occurrence, i.e. the process owners on the front line, where managing risk must become just another part of their job.

This paper lays out a pragmatic approach for addressing the challenge of change and establishing successful ERM through a series of bottom-up steps that build on existing functional capabilities. These should not be seen as replacing a top-down approach. They should be seen as acting in parallel, in an iterative, mutually re-adjusting and reinforcing manner.

SOX provides a great starting point for a bottom-up approach. When structured properly, the major investment for SOX compliance can now finally yield value far beyond an auditor’s attestation. The Internal Audit and IT departments can then integrate and build on this investment, each bringing longstanding experience in identifying and mitigating risk. Lastly, each Line of Business (LOB) and its respective business functions also manage risk, which can be incorporated with the others under one clear mapping. The five bottom-up steps below offer a simple, practical path that ensures you reach this single viewpoint and that your ERM efforts succeed by leveraging existing strengths and gaining “ownership” from the front line.

STEP 1: Use Your 404 Documentation to Create a Common Map

Section 404 of the Sarbanes-Oxley legislation created a single, consistent, and broad definition of the enterprise, in contrast to existing financial, operational, HR, or legal definitions. Those definitions served a narrower purpose and were therefore neither as comprehensive nor, usually, consistent with one another. Until SOX, there was no “Rosetta Stone” to provide a common, universally applicable map of the business in terms of organizational entities, transaction processes, systems, people, risks, and their overall relationship to financial accounts. A common map is the foundation for identifying risks in a consistent manner across the enterprise. It also ensures alignment across different regulatory environments, risk types, and the process owners who may have to address them.

STEP 2: Build on Your Top-Down, Bottom-Up Risk Assessment

The new SEC guidelines and the PCAOB’s Auditing Standard No. 5 have heightened awareness of an integrated top-down and bottom-up risk assessment approach to SOX. The opportunity is to rationalize the number of key controls required and streamline their testing based on relative risk. Besides the efficiency gains this yields in compliance itself, it creates a precedent for how to define risks hierarchically and so be able to “cascade” and target your efforts where they are most valuable, i.e. where “top-level” assessments can be made based on consolidated views of risk and pushed “down” to lower levels of assessment, monitoring, and action.

STEP 3: Extend and Integrate With Internal Audit

Internal Audit is the next practical step in providing a foundation for an enterprise-wide view of risks. Internal Auditors have built up a history of assessing operational, financial, and compliance risks across the enterprise in order to prioritize and plan annual audits. These risks and audits share the same core elements of the map: companies, locations, and processes. Of course, the shared Audit Universe created by integrating SOX with Internal Audit will also result in greater resource efficiencies and speed.

STEP 4: Align With IT Governance Practices

Sarbanes-Oxley requirements highlighted many existing good governance practices in IT, notably those represented by the COBIT framework. Beyond the general computer and application-level controls required for SOX, IT manages multiple risks on a daily basis, such as Business Continuity Planning, Disaster Recovery, and management of business-critical projects, to name a few. These typically all fit into the structure in the same way as the SOX IT controls already have.

STEP 5: Engage and Leverage Your Process Owners and LOBs

The upfront disruption SOX had on process owners enlisted to create documentation, identify controls, provide self-assessments, and perform tests has largely been reduced. Initially overwhelmed in terms of both the time and the learning curve required, many process owners are now far more aware of financial misstatement risks within their areas. This “culture” of managing risk locally is a valuable asset, onto which new types of risks can be layered using the same risk culture and framework. Finally, risk management is more than tracking and assessing threats. When risks are tracked against a common map of the business, it is easier to establish the relationship between business performance and risk, like flip sides of the same coin. How these risks are managed is critical to sustaining the goals in revenue growth, expense management, and long-term investment.

The Right Information Is Critical

Underlying each of these steps is the need for a single, integrated view of enterprise-wide risks that is aligned with and supports each of the functional constituencies above. Furthermore, the nature of this information requires a fairly complex structure to effectively capture the flexible hierarchies and many-to-many relationships it must convey; e.g. risks need to be dynamically categorized, assessed, and tracked by different “families” and “types” and associated with more than one location, process, activity, event, person, system, and more. Such complexity is best addressed when the information source is based on business intelligence design, because if the information is structured right, the job of slicing and dicing out what you need, when you need it, becomes a much more straightforward task, one that can be taken up by your people and delivered into your culture in a much more expedient and powerful way. ■

About Business Intelligence International (BII): Business Intelligence International (BI International) is a global software and consulting company specializing in the development of Web-based business intelligence solutions that provide GRC + P functionality to companies of all sizes. Since 1996, BI International has provided robust, flexible, and secure solutions to enable customers worldwide to cost-effectively manage their compliance, risk, and performance initiatives. Leveraging its Aline™ Software as a Service (SaaS) platform, BI International offers a suite of affordable yet powerful and easy-to-use tools that provide a single business intelligence-designed repository of information along with integrated analytics and standard reporting. This allows clients to gain real-time visibility into critical information to identify key issues and drive critical decision making. Visit www.aline4value.com for more information.

Roland Mosimann, CEO and co-founder of Business Intelligence International, is an industry pioneer in helping drive initiatives around risk and performance management that are anchored in business intelligence design. In 2004, he drove the launch of the Aline™ platform for on-demand Governance, Risk, and Compliance. He recently co-authored The Performance Manager: Proven Strategies for Turning Information into Higher Business Performance, itself a follow-up to his earlier book The Multidimensional Manager — 24 Ways to Impact Your Bottom Line in 90 Days, with more than 400,000 copies printed that remain in use by organizations worldwide today.

38 WWW.COMPLIANCEWEEK.COM » 888.519.9200 OCTOBER 2007
