
From Internal Control to ERM (Series)

Part One: Introduction of ERM with Internal Control Activity as a Starting Point

Takeru Fujimoto
Senior Consultant

May 14, 2009 (Thursday)

Diversity and complexity are creating higher-risk environments for companies. Widespread corruption, large-scale earthquakes, environmental problems, subprime loans and so on threaten sustainable development. On the other hand, profit growth requires even greater risk-taking than in the past. By mapping out these business risks and working towards ERM (*1), executives can optimize the impact on the business and also achieve accountability to stakeholders through improved transparency. This three-part series introduces the relationship between ERM, a management foundation for sustainable company development, and the internal control now in place at listed companies, as well as the important points in introducing ERM.

The first part of the series introduces the concepts behind ERM with internal control activity as a starting point.

Listed companies are currently preparing internal control reports as the final step of the first year of J-SOX (*2). Looking back, the goal of these efforts was for "executives to obtain reasonable assurance regarding the reliability of their companies' financial reporting." To obtain reasonable assurance, companies developed and implemented the following four responses as a process:

  1. Decide the scope for obtaining reasonable assurance using a risk-based approach (decision on the assessment scope).
  2. Extract the risks and controls in the business process (documentation).
  3. Assess the remaining risks in light of existing controls (effectiveness assessment).
  4. Reduce the remaining risks that exceed the acceptable range (deficiency improvement).

Continuous management of this process is required from the second year onwards. Internal control has long been a natural part of company activity, and checks have also been carried out by internal audit departments. However, the concepts (definitions) of risk in financial reporting, and the measures for assessing what constitutes an important risk (deficiency), have not been shared within companies. Put differently, risk definitions and assessment measures have remained "implicit knowledge," and efforts to provide reasonable assurance of the reliability of financial reporting have been insufficient.

In other words, the main point of J-SOX is to turn this implicit knowledge into explicit knowledge and instill it throughout the entire company. Three foundations are necessary for this explicit knowledge:

  1. Establish a continuous process (PDCA).
  2. Clarify the involvement and responsibilities of executives.
  3. Share risk definitions and assessment measures.

These three foundations are also the key to effective introduction of ERM.

Notes:

(*1) Enterprise Risk Management. A process implemented by all members of a company to manage various risks related to overall company activity.

(*2) The internal control reporting system under the Financial Instruments and Exchange Law.