Enterprise Risk Management: Illuminate the Unknown - InformationWeek

Enterprise Risk Management: Illuminate the Unknown

Taking risk is how businesses grow; managing risk is how they sustain that growth -- especially under pressure from regulators. Here's how to assemble a risk management architecture that anticipates dangers ahead, translates data into useful decision-support information and ensures compliance. Explore how operations can benefit from analytics proven for credit and market appraisal.

The word "risk" comes from the same root as the Italian verb riscare, which means "to dare." In the quest for competitive advantage, businesses are nothing if not daring. Taking risks is essential. The more an organization can understand, predict and manage the dangers lurking in its path, the more it can turn daring behavior into the stuff of sustained success.

Beyond the insurance industry, the goal of most risk management efforts today is to control the variability of financial outcomes, such as profits and stock prices, while letting corporations pursue increasing levels of profitability and returns. In the financial services industry, intense interest in risk management began two decades ago with the devastating failures of Barings Bank and Long Term Capital Management. Interest has accelerated with the dot-com bubble burst and Enron and WorldCom fiascos. In each case, a major culprit was the lack of organizational control and transparency — in short, a risk management failure.

This article describes how to put together an enterprise risk management (ERM) strategy that factors in all the discrete parts of the problem. With regulatory compliance and increasingly sophisticated threats to business, organizations need the big picture that an architectural approach provides.

ERM: Get the Big Picture

There are many kinds of risk, and, as you'd expect, a lot of "silo-ization" when it comes to managing the processes involved. "We had accounting granting access codes to people to look at these transactions, and then we had purchasing coming in and saying 'yep, this person can look at those transactions,'" says Jayne Gibbon, manager of Internal Audit, about the way things used to be at Kimberly-Clark Corp. "Nobody was looking at whether giving the same person access to both kinds of transaction codes would expose the company to fraud."

Gibbon worked with a tool suite from Virsa to execute rules and automate processes inside the company's huge SAP R/3 applications to oversee "the trillions of possible combinations" of access codes for authorization. "Virsa can tell us if the risk is too great to approve the authorization combination for particular employees," Gibbon says. "Business, not IT, is ultimately responsible for reducing risk by making sure access is controlled properly. We have to evaluate risk at an enterprise level."
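The check Gibbon describes, refusing an authorization combination when the combined risk is too high, is a segregation-of-duties (SoD) rule evaluation. The Python below is an added illustration, not Virsa's or Kimberly-Clark's code; the transaction-code names, the conflict rules and the user assignments are all constructed for the example. It shows both halves of the problem: a periodic sweep of existing access for conflicts, and a pre-approval check that evaluates a proposed grant against a maximum tolerated risk level.

```python
from itertools import combinations

# Constructed conflict rules (hypothetical codes, not real SAP transaction codes).
# Each rule names two codes that, held by one person, let that person both
# initiate and approve a step of the purchase-to-pay process.
SOD_RULES = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}): "high",
    frozenset({"PO_CREATE", "PO_APPROVE"}): "high",
    frozenset({"GOODS_RECEIPT", "INVOICE_POST"}): "medium",
}

RISK_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed user-to-transaction-code assignments for the example.
ASSIGNMENTS = {
    "alice": {"VENDOR_CREATE", "PO_CREATE", "GOODS_RECEIPT"},
    "bob": {"PO_APPROVE", "PAYMENT_RELEASE"},
    "carol": {"VENDOR_CREATE", "PAYMENT_RELEASE", "INVOICE_POST"},
}


def find_sod_violations(assignments, rules=SOD_RULES):
    """Sweep current access: return sorted (user, code_a, code_b, risk) tuples
    for every user who holds both halves of a conflict rule."""
    violations = []
    for user, codes in assignments.items():
        # Every unordered pair of codes the user holds is a candidate conflict.
        for code_a, code_b in combinations(sorted(codes), 2):
            risk = rules.get(frozenset({code_a, code_b}))
            if risk:
                violations.append((user, code_a, code_b, risk))
    return sorted(violations)


def evaluate_request(user, new_code, assignments, rules=SOD_RULES, max_risk="low"):
    """Pre-approval check: would granting new_code to user create a conflict
    rated above max_risk? Returns (approved, conflicts) so the business owner,
    not IT, can see exactly which existing access blocks the request."""
    held = assignments.get(user, set())
    conflicts = []
    for code in held:
        risk = rules.get(frozenset({code, new_code}))
        if risk and RISK_RANK[risk] > RISK_RANK[max_risk]:
            conflicts.append((code, new_code, risk))
    return (not conflicts, sorted(conflicts))


if __name__ == "__main__":
    for violation in find_sod_violations(ASSIGNMENTS):
        print("existing conflict:", violation)
    approved, why = evaluate_request("alice", "PO_APPROVE", ASSIGNMENTS)
    print("grant PO_APPROVE to alice:", "approved" if approved else f"denied {why}")
```

The rules are keyed by `frozenset` so a conflict is matched regardless of the order in which the two codes were granted; the pre-approval path deliberately reports the blocking codes rather than a bare yes/no, because the decision the article attributes to the business side needs that context. Raising `max_risk` to `"medium"` lets a risk owner accept lower-rated combinations while still blocking high ones.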

Gaining a global view of risk management is essential for both business leaders and IT, which must look broadly, beyond the silos, to understand all types of risk and what they mean to information flow. Business decision-making must address risk and be supported by business intelligence and data warehousing.

Risk Types and Processes

ERM addresses many kinds of risk, but there are three prevalent types. Market risk (including liquidity risk) is about loss caused by adverse changes in market factors, such as stock prices and interest rates. Credit risk applies to loss due to the inability of counterparties to honor their financial obligations. And operational risk is about failures in operating processes and systems, including security loss and fraud. Also important to consider are legal and regulatory risks, plus the potential of damage to business reputation.

Companies must define their risks precisely. Obviously, businesses actively seek certain kinds of risk. A hedge fund might take on specific kinds of market risk to achieve high returns; payroll processors might provide value through operational risk transference. An example of a detrimental risk might be a danger to manufacturing operations. This is what organizations must reduce or eliminate.

You can categorize risk processes in many ways. The classification system advanced by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which is influential in defining causes of fraudulent financial reporting, is a good place to start. As shown in the diagram (right), COSO classifies eight areas for risk management processes:

  1. Internal environment, or the organizational culture that is the foundation for risk management

  2. Objective setting, where the focus is on goals that may be adversely affected by risky events

  3. Identification of risk events that can affect the organization's objectives

  4. Risk assessment, considering the likelihood of a risk event and what its effects would be on organizational goals

  5. Risk response, where the focus is on determining options and assessing the choices for risk mitigation

  6. Control activities, focusing on the policies and procedures to ensure proper execution of the risk response

  7. Information and communication, which is about keeping interested parties (including management, shareholders and regulators) informed

  8. Monitoring, which is about watching over the organization's risk in its management processes.

These eight areas would be prioritized and addressed iteratively depending on where your organization's structure is most scrutinized. The first three areas are clearly process and document driven; technology comes into play mostly in areas four through eight.

The diagram maps these areas against the common risk types. Investment banks, for example, generally have taken on market risk first and then created frameworks incorporating the eight COSO areas. As they've grown to rely on their market risk management, these firms have moved on to credit and operational risk. (Note: The third dimension of the cube reminds us that we must factor in the distinct views that lines of business need to customize risk types and management processes.)

The Enterprise Architecture

Before detailing ERM itself, we need to define the key elements of enterprise architecture. The Open Group Architectural Framework (TOGAF) has become a starting point for many organizations. TOGAF describes all aspects of an organization; here we are primarily interested in the information systems architecture, which is about applications and data, but we can't forget that this architecture must support business processes.

A TOGAF enterprise architecture contains six main components:

  • Transactional systems and data repositories support core business processes. These systems hold the detailed transactional information necessary for successful business operations.

  • Enterprise data repositories aggregate information from large cross-sections of the enterprise. ERM depends on such a view.

  • Decision-support environments focus on analyzing data in enterprise data repositories.

  • Business process management (BPM) automation improves organizational efficiency by systematically detecting and proactively responding to relevant events. BPM is a critical area for ERM because risks can rapidly escalate through processes to cause severe losses.

  • Enterprise data transport depends on data extract, transformation and load (ETL) middleware and service-oriented architecture (SOA) components, such as Web services; it delivers disaggregated information from operational systems to enterprise data repositories and user applications.

  • Interfaces for corporate stakeholders give user access to components within the enterprise. For risk management and compliance, some important constituents are regulatory authorities, corporate management and investors. These are stakeholders who sit outside mainstream enterprise operations. Applications built to satisfy their demands tap into operational data repositories as well as decision-support environments.
