Enterprising views of risk management: businesses can use ERM to manage a wide variety of risks.


EXECUTIVE SUMMARY

* ENTERPRISE RISK MANAGEMENT (ERM) IS A STRATEGY organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront. ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers.

* ERM HAS GIVEN RISE TO A QUESTION: Who should head the risk management process--internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with.

* USING ERM ENABLES AN ENTITY TO ASSESS risk across the enterprise instead of looking at it on a per-project basis. It also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and allocate resources appropriately.

* TO EXTRACT RISK DATA, MANY ORGANIZATIONS use business intelligence software. Many packages feature "traffic-light" systems that show a red light if risk exceeds acceptable levels. The chief risk officer then can "drill down" to see the reasons and make more informed decisions.

* OVERALL RESPONSIBILITY FOR ENTERPRISE RISK is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization's risk management and control systems.

Industry insiders tout enterprise risk management (ERM) as the most effective strategy an organization can use to manage a plethora of risks, running the gamut from strategic, market, credit, operational and financial exposure to the daunting array of man-made and natural disasters. New ERM committees led by chief risk officers identify, quantify and monitor these risks via a holistic, portfolio-based management system. However, new internal audit standards from the Institute of Internal Auditors (IIA) (www.theiia.org) may change the paradigm; they require internal auditors to assume responsibility for monitoring enterprise risk, creating tension in some organizations over who is in charge. CPAs with internal audit or risk management responsibilities can use this article to determine whether ERM is a strategy that will benefit their organizations and who should be responsible for overseeing risk management.

ERM BASICS

The difference between ERM and more traditional ways of managing risk (see the exhibit on page 68 for more details) is that ERM calls for high-level oversight of a company's entire risk portfolio rather than for many different overseers managing specific risks--the so-called silo or stovepipe approach. ERM, in effect, centralizes management under a chief risk officer or ERM committee who manages the individual overseers to help identify overall how much risk the entity can tolerate, assess mitigation tactics and otherwise take advantage of risk opportunities.

The idea of viewing risk as an opportunity may surprise some CPAs. ERM adherents explain that absorbing, hedging or transferring risk requires capital--dollars a business might otherwise direct to other, more productive and profitable endeavors. "Since entities must hold capital to absorb the risk of loss, there is less to invest in other profit-producing activities," explains Peter Nakada, executive vice-president of ERisk, a New York-based ERM consulting firm and software provider. "ERM helps determine the right amount of capital companies should direct toward risk."

How does ERM help a company arrive at this figure? It's done by gathering or otherwise polling risk overseers to determine the threats to the organization, the financial impact and the effectiveness of risk mitigation options. "The goal of the process is to determine the appropriate amount of capital you need. You can't get that number unless you identify and measure all the risks threatening the organization," Nakada says. "Once you know, you can determine where to direct capital."

Why should CPAs care about ERM? "Because it will directly affect how and why they do their job," says William Spinard, senior vice-president in the Washington, D.C., office of Marsh Inc., a large multinational insurance broker that works with clients to develop ERM strategies and systems. "With ERM an entity establishes risk definitions and tolerance levels, as well as policies. It defines procedures to measure risk and creates monitoring activities. ERM will basically be the standard bearer for risk management in a company, a role traditionally handled by internal audit." The question now emerging, Spinard says, is "Who should head ERM: the internal audit department--given the new Institute of Internal Auditors standards--or chief risk officers and other traditional risk overseers from finance?"

While Spinard advocates that internal audit take a back seat to more traditional risk managers--"to effectively preserve the checks-and-balances element of the audit function"--some organizations are designating internal audit as the über risk manager. "Having set the standards for internal controls, the auditors are now setting the benchmarks for ERM," Spinard adds. But should internal audit manage the entity's ERM strategy? "Rather than be in charge of the process," Spinard says, "it should be critiquing it" and making suggestions for improvements.

BEGIN AT START

ERM's departure from silo-based risk management doesn't preclude decentralized risk management. Rather, it establishes a hierarchy with discrete risk managers typically reporting to a central figure using so-called dashboard technology--business intelligence software that extracts risk-based information, collates it and reports it to the chief risk officer or ERM committee, which has overall responsibility.

Take the case of Capital One Financial Corp., a McLean, Virginia-based financial services organization with $71 billion in managed assets. "We have four legs to the stool--a chief risk officer who heads an ERM team that sets methodologies and reporting standards and educates the company at large; functional groups throughout the enterprise that manage risks in their own sectors and report the results to the ERM team; internal audit, which is responsible for ensuring the risk management process works throughout the company as intended; and risk stewards or advisers who are experts in each individual risk category and provide guidance," says Michael Glotz, Capital One audit director for North American business lines and head of the company's new ERM audit team.

Such a bird's-eye view of risk is not available with more traditional risk management where insurance risk managers address hazard and liability risks, internal audit manages financial reporting risks, business units handle project risks, treasury deals with foreign-exchange risks and so on. "Previously, we had been less proactive in instituting processes and reporting around risk management, with each functional area responsible for its own," Glotz explains. "That made a single version of the truth, in terms of full enterprise risk, hard to come by."

As in other organizations, Capital One's ERM strategy rests on a thesis that managing risks holistically offers value, in terms of identifying the breadth of organizational risks, quantifying them and distinguishing both risk correlations (two risks that may moderate each other's impact) and risk relationships (one risk that begets another, such as a product recall that creates a public relations nightmare). In the past, certain risks hedged others, but the company overlooked or undervalued the correlations because of discrete risk management practices. Someone needed to be in a position to discern enterprise risks from 70,000 feet, observing their interplay, the effectiveness of mitigation options and the aggregate costs of the different risk transfer strategies. "Someone has to bring risk management into the strategic planning process to ensure business strategies are aligned with the organization's overall appetite for risk," says Glotz.

That someone at Battelle Memorial Institute is Jane Cozzarelli, CPA, vice-president of internal audit at the $1 billion Columbus, Ohio-based research and development entity. Cozzarelli is spearheading the development of an enterprise-level risk management process at the not-for-profit organization, an effort motivated by Battelle's rapid growth. "We're doing a lot of contract research for commercial clients and want to take ownership of the intellectual property we develop," says Cozzarelli. "These new businesses and markets create new risks--unfamiliar territory for us." She says Battelle is entering a whole new world involving joint ventures, acquisitions and the like. "While we were confident about the traditional risks we confronted in a research context, we were leery of taking on new commercial-type risks without a framework." Cozzarelli says the institute decided to "assess risk across the enterprise to obtain a portfolio approach"--hence, she says, the ERM strategy.

Previously, Battelle had looked at risk on a per-project basis, which limited its ability to appreciate the opportunities proper risk management creates. "Risk isn't necessarily bad," Cozzarelli says. "By measuring your risks, you can direct capital to them more efficiently. You also are better able to understand the upside and downside of undertaking a risk." For example, if Battelle undertook a $50,000 project on behalf of a pesticide company, and the Environmental Protection Agency approached it to do a similar project for $2 million, the resulting conflict of interest would cause it to lose the larger project because it didn't understand the strategic risk of doing the pesticide company project. "We had no systematic process for looking at risks across the breadth of the organization," Cozzarelli says.

Battelle sent out requests for proposals to consulting firms to help develop an ERM infrastructure, selecting Marsh. The broker undertook an initial assessment that involved interviews with senior managers about their risk concerns--"the stuff that keeps them awake at night from an organizational and individual market sector standpoint," Cozzarelli says. Each manager had particular market responsibility, from medical products to environmental issues to transportation. Following this initial assessment, Marsh sent out an electronic questionnaire to 250 Battelle product-line managers and research support staff eliciting their perspectives on risk. The organization conducted several workshops to examine the results of the initial assessment and survey responses. Ultimately, Battelle identified its top 10 risks. Using anonymous voting techniques, it rated them for potential likelihood and impact and mapped the risks on a matrix.

The next step was to assess the controls in place to address each risk and identify any gaps. "That gave us a starting point to know where we needed to focus our resources," Cozzarelli says. Marsh then worked with Battelle to draft a new risk management structure governed by an executive risk management group. "We're trying to determine levels of authority and responsibility," Cozzarelli says. "Once we decide that, we will implement dashboard technology to monitor and report on risk across the enterprise."

Businesses "want a process to assess all risks in a systematic, consistent way," says Spinard, who led the Battelle project at Marsh through late 2003 when Battelle decided to continue its ERM implementation in-house. Others agree about the need for a systematic approach. "What you want to do with ERM is get all the overseers together to pinpoint and measure the critical risks confronting the company and then develop a systematic way to manage them," says Ted Senko, CPA, national partner in charge of risk advisory services in the Denver office of KPMG LLP. "You end up taking something that is typically a cost center--risk--and turning it into something that can give you a return. But you can't do that unless you meet with officers and key business unit managers to talk about the risks they face in trying to meet their respective goals."

To elicit candid responses, KPMG tries to assemble all of the individual overseers in a conference room "to develop a frame of reference around risk." Senko says, "If that isn't feasible, we conduct a structured interview process with the overseers. We then develop a map that pinpoints 'high impact probability'--the critical risks the company must monitor and control."

Senko recalls working with a Fortune 50 consumer products company to execute this process. "The company runs fairly autonomous business units. As we assembled the risk overseers, we learned that although the units confront many similar risks, such as commodity hedging, they had very different risk profiles as to when and how they would hedge." Senko says the company learned a very tangible lesson. "Because it didn't have a consistent hedging strategy, some business units had higher or lower risk tolerances than the overall corporate threshold. By having all businesses understand the company risk tolerance, they were able to optimize their individual strategies to be consistent." In effect, Senko says, "they changed their hedging strategies to be consistent with the common risk framework, which saved them money. Synchronizing their commodity program globally enabled them to enhance their return on capital."

In his consulting work with dozens of companies undertaking an ERM project, Spinard says strategic risks typically dominate the discussion. "Companies cite things such as market erosion and competitors' actions as the real threats," he says. "A risk that impedes growth targets or has significant stock implications is the one usually plotted on the section of the matrix depicting the greatest impact or severity, things such as new product development or customer issues." Spinard says his firm just consulted with a food service company that cited customer obesity concerns as presenting enormous risk.

Once a company has mapped major risks on a matrix, it must align business processes to ensure data relating to each risk are routinely stored in a database the chief risk officer or executive risk committee can monitor for exceptions--risks extending beyond tolerance or threshold levels. "A large part of ERM rests on the efficient and correct collection and organization of data," says Dennis Ceru, director of retail brokerage and investing at Needham, Massachusetts-based Tower Group, a research and advisory firm. "That's where technology comes into play to determine potential risk trends, such as the interplay of economic factors with market trends. Provided on a timely basis, such intelligence can guide improved decision making."

To extract risk data and observe them on a dashboard, organizations can use business intelligence software packages available from companies such as Hyperion Solutions (www.hyperion.com), Cognos Inc. (www.cognos.com), Algorithmics Inc. (www.algorithmics.com), SAP (www.sap.com) and Crystal Decisions (www.businessobjects.com), among others. The cost of such packages typically is in the six-figure range. At RBC Financial Group, a Toronto-based financial institution with an ERM strategy in place for two years, chief risk officer Suzanne Labarge uses business intelligence technology from Portiva Corp. (www.portiva.com) that features a traffic light system, with red, yellow and green lights. "We mapped all our risks on a matrix and have clear data reporting responsibilities in place to ensure a constant flow of risk-based intelligence," Labarge says. "If a particular risk exceeds acceptable levels, a red light pops up on the dashboard. I can then 'drill down' into the reasons, enabling me to make more informed decisions."
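The mechanics behind such a dashboard are simple enough to sketch. The following Python is an added illustration, not code from the article or from any vendor it names: a constructed risk register scored on the 1-to-5 likelihood-by-impact matrix described above, a traffic-light mapping with assumed thresholds, a roll-up to one light per risk category, exception detection against a per-category tolerance, and a drill-down that returns the risks and rating notes behind a red light. Every register entry, threshold and tolerance value is invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Likelihood and impact use the 1..5 scale common on a risk matrix (assumed here).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    category: str          # e.g. credit, market, operational, strategic
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    owner: str             # the accountable risk overseer
    drivers: Tuple[str, ...] = ()   # notes behind the current rating, shown on drill-down

    def __post_init__(self) -> None:
        # Reject ratings outside the matrix so a typo cannot silently skew the dashboard.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label} {value} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # cell value on the matrix, 1..25


def traffic_light(score: int, yellow_at: int = 8, red_at: int = 15) -> str:
    """Map a matrix score to a light. Thresholds are assumptions, not from the article."""
    if score >= red_at:
        return "red"
    if score >= yellow_at:
        return "yellow"
    return "green"


def category_status(register: List[Risk]) -> Dict[str, Tuple[int, str]]:
    """One light per category, driven by that category's worst-scoring risk."""
    worst: Dict[str, int] = {}
    for r in register:
        worst[r.category] = max(worst.get(r.category, 0), r.score)
    return {cat: (score, traffic_light(score)) for cat, score in sorted(worst.items())}


def exceptions(register: List[Risk], tolerance: Dict[str, int]) -> List[Risk]:
    """Risks whose score exceeds the tolerance set for their category.

    A category with no stated tolerance defaults to 0, so every risk in it is flagged;
    silence about appetite is treated as zero appetite rather than unlimited appetite.
    """
    return sorted(
        (r for r in register if r.score > tolerance.get(r.category, 0)),
        key=lambda r: (-r.score, r.name),
    )


def drill_down(register: List[Risk], category: str) -> List[Dict[str, object]]:
    """Explain a category's light: its risks, worst first, with owner and rating drivers."""
    rows = sorted((r for r in register if r.category == category), key=lambda r: (-r.score, r.name))
    return [
        {"risk": r.name, "score": r.score, "light": traffic_light(r.score),
         "owner": r.owner, "drivers": list(r.drivers)}
        for r in rows
    ]


# Constructed sample register; names, ratings and owners are illustrative only.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Counterparty default", "credit", 3, 4, "credit risk", ("two large counterparties downgraded",)),
    Risk("Commodity price swing", "market", 4, 4, "treasury", ("units hedge on different schedules", "no common hedge policy")),
    Risk("Unhedged FX exposure", "market", 2, 3, "treasury", ("exposure within limits",)),
    Risk("Payment system outage", "operational", 2, 5, "operations", ("single data center", "DR test overdue")),
    Risk("Product recall", "operational", 1, 5, "product quality", ()),
    Risk("Key-person loss", "strategic", 3, 2, "human resources", ("succession plan in draft",)),
]

# Constructed per-category tolerance (risk appetite) expressed as a maximum acceptable score.
SAMPLE_TOLERANCE: Dict[str, int] = {"credit": 12, "market": 12, "operational": 9, "strategic": 10}


if __name__ == "__main__":
    for cat, (score, light) in category_status(SAMPLE_REGISTER).items():
        print(f"{light:6} {cat:12} worst score {score}")
    for r in exceptions(SAMPLE_REGISTER, SAMPLE_TOLERANCE):
        print(f"EXCEPTION {r.name} ({r.category}): {r.score} > tolerance {SAMPLE_TOLERANCE[r.category]}")
    for row in drill_down(SAMPLE_REGISTER, "market"):
        print(row)
```

Two design points worth noting: the exception test is a strict "greater than", so a risk sitting exactly at its tolerance (the credit example, 12 against 12) shows yellow on the matrix but is not an exception, which is the usual reading of "exceeds acceptable levels"; and the drivers tuple is what makes the drill-down useful, since a red light without the notes behind it only tells the chief risk officer that something is wrong, not why.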

WHO'S ON FIRST?

While the process of building an ERM strategy is similar, overall responsibility for enterprise risk is changing because of the IIA standards. The added risk responsibilities for internal audit are fomenting a controversy of considerable interest to CPAs over who should manage enterprise risks--traditional risk overseers from finance like Labarge or internal auditors such as Cozzarelli.

The basic requirement for the internal audit function, as contained in the new IIA standards, is to monitor and evaluate the effectiveness of an organization's risk management and control systems. Standard 2110 of the International Standards for the Professional Practice of Internal Auditing, for example, says the internal audit activity should help the organization manage risk by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. Standard 2120 says the internal audit activity should evaluate the effectiveness and efficiency of the organization's control processes.

Spinard says "several auditors are now saying they want to run ERM, and their organizations are letting them. They say ERM is a natural step forward for internal audit because they typically set and validate internal control standards. Based on their expertise they believe they should manage all controls, including risk." And, says Spinard, that's not necessarily a bad thing. "But others believe ERM should be a management function--something it needs to do because it will help it run the business better."

Cozzarelli has a different opinion and notes that Battelle is considering her to become its chief risk officer. "It would make sense for internal audit to get the information we need to do risk-based audit plans, monitor risk to give management insight and report to the board," she says. "That seems to be where we're headed. I don't believe ERM needs to be a separate process with a separate group running it." Risk management, she says, should be "integrated into everyone's normal strategic planning, literally embedded in everybody's job description. Then internal audit could reinforce both the governance and internal control issues to make sure processes were in place to adequately safeguard assets."

Cozzarelli concedes that Battelle's senior management isn't certain audit should lead risk oversight. The IIA standards, she says, are "kind of fuzzy. Risk leadership should depend on what a company is comfortable with." Obviously, she points out, you can't audit something you put together. "We need to remain objective and independent. But once processes are in place, I don't think there is any problem with audit overseeing them."

The issue boils down to whether a separation of church and state makes financial sense, explains James Lam, president of James Lam & Associates, a Wellesley, Massachusetts-based risk consultant. Although auditing and risk management are complementary, says Lam, they serve different purposes. "Risk management is very broad and comprehensive whereas internal audit is episodic and deep," he maintains. "When you think about risk management, it is global and real-time, anticipating future exposures and developing contingency plans and strategies to deal with them." On the other hand, Lam says, audit works on an annual cycle that is not necessarily real-time or anticipatory. Auditors go deep in terms of looking at policies and procedures and compliance. The truth, he emphasizes, is that audit "should check risk management to ensure it is being performed appropriately, while risk management should do the actual identification, monitoring and mitigation."

Glotz from Capital One notes that in large, sophisticated financial services companies, risk management traditionally is its own organization. "It's really in smaller entities where we're seeing the chief auditor taking on ERM responsibility," he says. "In financial services, the management of risk is a separate function." Still, he says, he is not sure whether the IIA standards insist that internal audit necessarily should manage risk. "We're certainly part of the ERM process, and our head of audit sits on the ERM executive committee, but we don't run the show."

ERM has changed Capital One, Glotz asserts. "The risk and control processes in our business units and functional groups are more formalized, which has begun to make internal audit more efficient," he says. "Now that we've identified the key risks and have processes in place to control them, internal audit's risk assessment obviously is more effective. ERM gives us more proactive risk and control management to evaluate the business and certify controls. It formalizes what--in areas other than credit and financial risk--heretofore was pretty much ad hoc risk management."

A PERMANENT FIXTURE

In the wake of the Sarbanes-Oxley Act of 2002 and more stringent corporate governance and compliance regulations, ERM--no matter who is in charge--is here to stay, says Lam. "To comply with the new governance rules in Sarbanes-Oxley and from the stock exchanges, you need to dig into the underlying operational processes that give rise to the financial statements," he explains. "That requires continuous monitoring and measuring of these processes. And by the way, they all involve risk." CPAs, whether as internal auditors or as financial managers, can play a critical ongoing role in the process of minimizing and managing risk.

Embracing ERM

In a survey of 200 senior finance and risk management executives,

* 41% said their companies were implementing some form of enterprise risk management (ERM).

* 90% whose companies were pursuing ERM were very confident in their ability to manage risk, compared with just 45% of those not using ERM.

* 84% believed ERM could help improve their companies' price/earnings ratios and cost of capital.

Source: Enterprise Risk Management: Implementing New Solutions, The Economist Intelligence Unit and MMC Enterprise Risk, www.mmcer.com.

PRACTICAL TIPS TO REMEMBER

* ERM can help CPAs determine the right amount of capital companies should direct toward risk by gathering or otherwise polling risk overseers to identify the threats to the organization, their financial impact and the effectiveness of risk mitigation options.

* Companies can use ERM to assess risk across the enterprise. Considering risk solely on a per-project basis can limit an entity's ability to appreciate the impact the risk associated with that project can have on the entire organization.

* By mapping major risks on a matrix, companies can align their business processes to ensure they are routinely collecting and storing related information in a database the chief risk officer or executive risk committee can monitor. This will make it easier to identify exceptions--risks extending beyond the company's tolerance or threshold levels.

* Organizations should use business intelligence software packages to extract risk data and display them on a "dashboard." Many of these systems feature a traffic-light system, with red, yellow and green lights. If a risk exceeds acceptable levels, a red light pops up, permitting the responsible party to "drill down" into the reasons and make more informed decisions.

Traditional RM vs. ERM: Essential Differences

Traditional risk management          ERM

Risk as individual hazards           Risk in the context of business strategy
Risk identification and assessment   Risk portfolio development
Focus on discrete risks              Focus on critical risks
Risk mitigation                      Risk optimization
Risk limits                          Risk strategy
Risks with no owners                 Defined risk responsibilities
Haphazard risk quantification        Monitoring and measuring of risks
"Risk is not my responsibility"      "Risk is everyone's responsibility"

Source: KPMG LLP.


RUSS BANHAM is a business journalist and frequent contributor to the Journal of Accountancy. His most recent book is The Ford Century (Artisan, 2002), a 100-year history of the Ford Motor Co. His e-mail address is bzwriter@aol.com.

COPYRIGHT 2004 American Institute of CPA's
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:enterprise risk management
Author:Banham, Russ
Publication:Journal of Accountancy
Date:Jun 1, 2004
Words:3651