IT Audit Manager City National Bank California State Polytechnic University, Pomona
Enterprise risk management (ERM) is a relatively new discipline that focuses on identifying, analyzing, monitoring, and controlling all major risk classes (e.g., credit, market, liquidity, and operational risk). Operational risk management (ORM) is a subset of ERM that focuses on identifying, analyzing, monitoring, and controlling operational risk. The purpose of this paper is to explain what enterprise risk management is and how operational risk management fits into the ERM framework. In our conclusion, we discuss what is likely to happen in the ERM / ORM environment over the next 5 years.

Introduction

As the Internet has come of age, companies have been rethinking their business models, core strategies, and target customer bases. “Getting wired” provides businesses with new opportunities, but brings new risks and uncertainty into the equation. Mismanagement of risk can carry an enormous cost. In recent years, business has experienced numerous, related risk reversals that have resulted in considerable financial loss, decrease in shareholder value, damage to company reputations, dismissals of senior management, and, in some cases, the very dissolution of the business. This increasingly risky environment, in which risk mismanagement can have dire consequences, mandates that management adopt a new, more proactive perspective on risk management.

What is Enterprise / Operational Risk Management?

Clearly, there is a correlation between effective risk management and a well-managed business. Over time, a business that cannot manage risk effectively will not prosper and, perhaps, fail. A disastrous product recall could be the company’s last. Rogue traders lacking oversight and adequate controls have destroyed old, well-established institutions in a very short time. But, historically, risk management in even the most successful businesses has