
E-BOOK : PRACTICAL ENTERPRISE RISK MANAGEMENT A BUSINESS PROCESS APPROACH



THIS BOOK IS INTENDED to be a handbook of how to establish a
highly effective enterprise risk management (ERM) environment that is
actually a business tool that yields real business value. This book is a
definitive guide for members of the Boards of Directors, the C Suite, Chief Risk
Officers (CROs), and those charged with ERM, as well as all levels of management.
In addition, this book is a must have for any shareholder who owns stock
in any publicly listed corporation and should be read cover to cover to
understand why she should be concerned. This is a how-to, hands-on guide,
not a generic framework scenario.
With the advent of corporate business catastrophes such as Enron,
WorldCom, Lehman Bros., General Motors, and so on, it behooves corporate
executives to get better connected with their businesses. In addition, the
government has now initiated a number of regulatory activities, including
Sarbanes-Oxley, which further complicate the lives of the auditors and the
corporate executives. The only way to be truly in compliance with Sarbanes-
Oxley is to be well aware of what is going on in your corporation, virtually
daily. To accomplish this, it is necessary for corporations to establish a highly
effective information-centric risk assessment methodology. Without such a
methodology intricately woven into the fabric of the organization, it is virtually
impossible to guarantee any type of compliance in a realistic fashion.
Enterprise-wide risk assessment is much more than simply a catchy phrase
or the latest in a string of failed corporate initiatives. If properly constructed,
it can be a highly effective governance and oversight tool, which becomes
almost irreplaceable in the arsenal of tools necessary for progressive organizations
today.
Of interest is that the Chairman Emeritus of the Committee of Sponsoring
Organizations (COSO), Larry Rittenberg, PhD., CPA, CIA attended the session I
presented for the Madison, Wisconsin, chapter of the IIA on Enterprise-Wide
Risk Assessment in 2001. The entire discussion was focused on the concept of
using data to evaluate risk throughout an organization. In the presentation,
real-time triggers, key process indicators, key risk indicators, Metric Oversight
Monitoring Systems (MOMS), and numerous other concepts were discussed for
consideration by the participants. I have used these and other similar tools
during 30 years of data-centric risk assessment. These tools and methodology
will be discussed in this book.
Dave Coderre, a very talented ACL practitioner and author, published the
GTAG (Global Technology Audit Guide) on Continuous Auditing in which he
presented a very convincing argument for the necessity of continuous audit
tools, continuous monitoring, and continuous risk assessment. All of these
advanced methods, of course, revolve around the utilization of data. I had the
great pleasure of having Dave Coderre as a participant in one of my risk
assessment sessions discussing the use of data-driven risk assessment a number
of years ago. It is excellent to see that the subject matter is finally getting some
serious discussion at these levels.
This book is meant to be a reference point for all organizations that are
engaged in or will be engaged in the exercise of establishing an enterprise-wide
risk assessment and management oversight system for their organization. It
presents an alternative approach to the models that are most commonly seen.
In keeping with the underlying thought process of this book, it is straightforward
and to the point. This book is not an exercise in overcomplicating a
straightforward issue. There are many people who believe that complexity adds
value to a process or a methodology. I am not one of them. The whole premise
of the book is that complexity in most cases adds nothing to a business process
but complexity.
A risk model is no exception. The reality of the matter is that when a risk
model becomes overly complex it also becomes unusable. Therefore, as we
proceed from this point forward, everything will be clearly expressed and
understandable. There will be no complex theories to entangle endlessly what
is actually a very commonsense subject matter. Under no circumstances will
there be any abstract theories or unattainable methodologies employed.
The approach to risk assessment undertaken in this book is based upon
fact, common sense, and practical methodologies for implementation. The
model also eliminates subjectivity and guesswork as much as possible. The
model presented parallels the normal operation of the business, can be
effectively utilized at all levels of the business, and can truly be used to create an
all-encompassing risk model.
In Chapter 1 I discuss the subject of corporate governance and what is
wrong with it in its current format. In addition, I call attention to one of the
major shortcomings of most corporations and one of its biggest risk areas,
which is systems implementation.
In Chapter 2 I address what I believe to be a significant misunderstanding
relative to the subject of risk and risk management. Essentially every model that
is out there to perform any type of enterprise risk management is based upon
the premise of subjective scoring to arrive at a conclusion. Subjective models
are always time and space dependent, and therefore inconsistent. In other
words, the same exact situation will always be viewed differently by the exact
same person on a different day in a different environment or on a different hour
in the same environment.
In addition, when dealing with the subject of risk, you must be prepared to
estimate probability and impact or exposure; these models attempt to deal with
the subject matter via scoring and unexplainable calculations. Anybody that is
the least bit familiar with risk or risk management knows that probability and
impact can only be calculated using cold hard facts and data.
Chapter 3 is centered on the business, which is what risk assessment and
risk management is all about. I discuss how to go about this and how to create
pictures of the enterprise to ensure that effective risk management is put in
place and becomes a must-have business tool.
In Chapter 4 I discuss what true business risk is, how it can be categorized,
the fact that risk is not a one-off occurrence, and how to establish a risk
universe for evaluating all risk.
In Chapter 5 I talk about one of the most critical issues in risk management—
the ability to do it objectively not subjectively. I talk about utilizing a
data-centric approach, why it is necessary, and why doing risk assessment and
management any other way really does not track logically.
In Chapter 6 I begin the discussion of how to build a fluid dynamic risk
model that is designed to flow with the movements of the enterprise and to keep
pace with changes as they occur. I also discuss options that can be utilized to
drive the model.
Chapter 7 is an extensive discussion of how to actually build a model with
all of the various components included. It talks about how to construct an ERM
environment that is absolutely centered on the organization in its day-to-day
operations. There are extensive examples given throughout the chapter relative
to the concept of enterprise risk management and key risk indicators
(KRIs). There are examples for the administrative areas of the organization as
well as operational areas.
Chapter 8 discusses the future evolution of the ERM model and why this is
absolutely essential to keep the ERM environment vibrant and connected with
the business. Also, the subject of how to make systems self-monitoring from a
risk perspective, utilizing advanced tooling, is discussed.
In Chapter 9 I raise the issue of special risk situations and related topics
that present significant exposure to the organization. The two key topics that
are discussed in this regard are outsourcing and mergers and acquisitions. In
addition, I discuss significantly reducing external audit fees through the
utilization of twenty-first-century approaches.
Chapter 10 is the last chapter of this book, and we talk about ownership of
risk, extending the impact of the ERM environment, and summarize how to
build an automated environment to handle all of your governance concerns.
Another subject that is addressed in this book is the prioritization of risk
and risk management relative to internal controls. Internal controls can exist
separately and distinctly from the business; however, business risk and the
business are inseparably intertwined.
I have finally tired of listening to a bunch of supposed experts pontificate on
what they believe enterprise risk management to be, while clearly demonstrating
they have not the slightest notion of how it should be done in a manner
that yields real business value. This approach actually evaluates and manages
risk truly on an enterprise basis, and provides a highly effective business tool as
well, while many of the others are financial or administration-centric.
Therefore, do not be surprised or alarmed when I take issue with common
practices that have been espoused by very large and well-recognized organizations.
I am not trying to be hypercritical, nor am I implying that they are
incompetent or unethical. I am simply trying to speak the truth regarding those
situations that I believe to be counterintuitive or in some cases unacceptable
business practice and a poor use of business resources.
Also, be prepared as the approach used here is different from the norm and
as such you will have to expand your thought process and allow yourself to
accept something other than the same old recycled ideas, not that recycling is
bad, but in this case it is. Keep an open mind and shift your thought parameters
and I believe you will find a much better approach to ERM at the end of the day.
I now undertake the task of clarifying once and for all what a commonsense,
logically structured, ERM environment should look like and why if
implemented properly, it will create a singular, highly effective overriding
governance infrastructure.
Thank you for coming along on this journey!


Availability

Item code: E00027, Call number: 658.150 DUC p, Location: Perpus Utama, Status: Available

Detail Information

Series Title: -
Call Number: 658.150 DUC p
Publisher: John Wiley & Sons, Inc., New Jersey
Collation: -
Language: English
ISBN/ISSN: 9780470892510
Classification: 658.150
Content Type: -
Media Type: -
Carrier Type: -
Edition: -
Subject(s):
Specific Detail Info: -
Statement of Responsibility:
Other version/related

Title | Edition | Language
E-BOOK : ENTERPRISE RISK MANAGEMENT FROM INCENTIVES TO CONTROLS | - | en
E-BOOK: TOURISM RISK MANAGEMENT AN AUTHORITATIVE GUIDE TO MANAGING CRISES IN TOURISM | - | en
E-BOOK: PROJECT RISK MANAGEMENT (Second Edition) | 2 | en
