From Internal Control to ERM (Series)

Part Two: Towards the Introduction of ERM—Development of ERM Processes and Effective Frameworks

Takeru Fujimoto
Senior Consultant

June 04, 2009 (Thursday)

This three-part series introduces the relationship of ERM(*1), a management foundation for sustainable company development, with internal control in currently listed companies, as well as important points regarding the introduction of ERM. The second part of the series highlights two of the three foundations for introducing ERM: “Establishment of a continuous process,” and “Clarification of the involvement and responsibilities of executives.”

Establishment of a continuous process: Towards an ERM process that connects executive managers with the workplace

FRI divides the ERM process into phases, from phase 0 to phase 3.

In phase 0, the basic policy is established and the process and framework are designed. As long as there is no need for reexamination, once this phase is developed it can be used continuously.

In phase 1, risk information is collected and assessed. This is also known as “risk profiling.” Attribute information on the potential risks carried by each division is extracted, such as the causes and assumed effects of such risks, their likelihood of occurrence and impact on goals, and the main department and existing controls. The necessary tools for risk profiling should be created by the risk management department and implemented in each division. These tools, known as the “common language,” are composed of the risk universe, impact and occurrence frequency table, risk map, and so on.

In phase 2, the risk assessment information reported by the various departments is integrated. Specifically, the management risks within the entire company are refined to between 20 and 30. In the process of refining, unified risk assessment is conducted while maintaining objectivity through workshops and votes led by concerned parties.

In the final phase 3, optimal policy is examined regarding management risks. The policy is fed back to each department, and a response action plan is formulated and implemented. The risk management department is also in charge of monitoring the implementation. In the examination of optimal policy, executives can survey the risks of the entire company through a management portfolio that uses risk maps and so on, and risk management from the perspective of overall optimization becomes possible.

Clarification of the involvement and responsibilities of executives: Developing an effective ERM framework

When introducing ERM, it is important to remember that “the primary responsibility of risk management is at the workplace.” The actual workplaces understand the risks, and can manage them. The head of each department must therefore take responsibility for the risk profiling results and report to the risk management department. In addition, executives must show a top-down approach to spread the ERM process throughout the organization. Proactive involvement in specifying management risks and portfolio management are also expected of executives. In this way, clarification of the roles and responsibilities at the executive and departmental level allows for an effective ERM process.

The role of the risk management department is also important to “connect executives and departments.” Spreading the “common language” through the entire company requires the “transfer of know-how from person to person” through information sessions, training, support of risk profiling at each department, and so on. These forums are an opportunity to hear the workplace voices and make the ERM process more effective.

With internal control consulting and ACCELIA(*2) ERM know-how as a base, FRI supports the development of ERM processes and effective frameworks for our clients.

Notes:

(*1) ERM: Enterprise Risk Management. A process implemented by all members of a company to manage various risks related to overall company activity.

(*2) ACCELIA: Part of Fujitsu Consulting Canada. With over 20 certified public accountants, this consulting division specializes in risk management such as SOX and ERM.