III. KEY CONSIDERATIONS FOR IMPLEMENTING A RISK MANAGEMENT PROGRAM
While a company may die a quick death if it fails to manage its critical risks, it will certainly die a slow death if it does not take on enough risk. Enterprise Risk Management (ERM) models (such as COSO's 2004 Enterprise Risk Management - Integrated Framework, the 2006 Risk Maturity Model for ERM established by the Risk and Insurance Management Society, and the 2009 ISO 31000 Standard on Principles and Guidelines on Risk Management Implementation) describe an approach for identifying, analyzing, responding to, and monitoring risks and opportunities. They can be the starting point to classify and manage mutually dependent risks and instill a common risk language within the enterprise.
SOX as an ERM Framework?

Can existing work on Sarbanes-Oxley (SOX) be leveraged to jumpstart an Enterprise Risk Management (ERM) program?

- SOX dwells on assessing financial reporting risks, while ERM delves into all types of risks: financial and non-financial, internal and external.
- Risk assessment can be an annual process under Sarbanes-Oxley, while ERM is a constant process, since organizations change and new risks emerge.
- But some SOX best practices are relevant to ERM:
  o Reapply the SOX risk assessment process to areas of risk management. Risk assessment may be limited in scope under SOX, but the approach can be reused for ERM.
  o Get commitment at the board and management level, leveraging the understanding they have of the value of reducing fraud risk, enhancing governance, and strengthening controls for effective ERM.
  o Establish a risk department and appoint a chief risk officer or other key person to be responsible for the SOX or ERM process.

Source: ERM vs. Risk Assessment: An Analysis, Compliance Week, March 2008
A. Set Goals for Risk Management
By addressing all risks comprehensively, as opposed to dealing with individual types of risks (such as IT risks, financial reporting risks, environmental or legal risks), risk management can quickly feel overwhelming. Objective setting is therefore key. There are three common goals for risk management, which also correspond to the stages that organizations typically go through in developing their risk management capabilities:
Goal 1: Protect against downside risks
Goal 2: Manage volatility around business and financial results
Goal 3: Optimize risk and return
The combination of all three comprises Enterprise Risk Management, but each organization must decide which focus to take. When a company fails to clarify how it understands risk and what it wants to achieve with risk management, sponsorship and ownership for risk management may be deficient, risk appetite unqualified, risk prioritization flawed, and resources misallocated.
B. Define Risk Tolerance
Until now, many companies have neglected to set and communicate their risk appetite. At an acceptable level, risk is perfectly fine, but it is imperative that management defines what that acceptable level is in the interest of achieving the company's goals. The danger surfaces when one person's definition of a high risk equates to another person's medium risk. The difference in perception leads to inadequate risk assessment results, with underrated risks being ignored and overrated risks consuming excessive resources. Unfortunately, many organizations still have disjointed, periodic or inadequate assessments. It's no surprise that eighty percent of companies do not believe they are getting as much value from their risk assessments as they should. Only one in three says they achieve effective results that properly align activities with objectives in light of risk tolerance, according to the 2007 Open Compliance and Ethics Group Risk Study.
 
Risk Management: Protect and Maximize Stakeholder Value Page 5