ERM and ORM: An Explanation of Effective Tools to Manage Them


“There is a lot of confusion as to the meaning and difference between ERM and ORM, ERM being Enterprise Risk Management, and ORM being Operational Risk Management,” said Friday Concepts Group Managing Director Ramesh Pillai, at an IERP Tea Talk on the subject. “Because of this confusion, there is the added confusion as to the appropriate tools for dealing with ERM and ORM.” Emphasising that dealing with ERM and ORM required different tools, he said that the start point is to understand the bases and definition of ERM and ORM.

“ERM is the overarching discipline,” he said. “If you imagine a house, the actual structure of the house is ERM, and one of the rooms in the house is ORM. ORM is just one component of this overarching discipline. The other two components are market risk and credit risk.” He defined ORM as the risk of loss arising from inadequate or failed people, processes, systems and other external events. Operational risk of this kind is seen as purely bad; there is no risk-return trade-off. This type of risk must be reduced or eliminated.

“To evaluate the risk, you use a tool called the RCSA – Risk and Control Self-Assessment,” Ramesh explained. “Each function needs to self-assess. HR will do their own assessment (for example); Finance will do their own assessment. In RCSA, what you will normally see is that you are evaluating your preventive, detective and corrective controls. These are internal controls. That’s ORM. In ORM terms, risk is bad. There is no return on taking risk. Therefore we want to reduce or eliminate risk.”

Under an ERM scenario, risk is anything that prevents the achievement of objectives. The aim of ERM is not only to achieve organisational objectives but also to improve the quality of decision making. Ramesh explained that under best practice, where they were allowed to operate properly, risk management functions would normally be involved in doing risk reviews of all proposal papers.

Before papers go to the approving authorities for consideration, the risk management team reviews each one from a risk perspective, to give an opinion as to whether or not they believe all the relevant risk issues, risk considerations and risk explanations have been incorporated in the paper. “They are giving a validation. They do not write the risk issues. The person who wants the proposal to be approved does the risk analysis, completes the whole risk section, and the risk management team reviews it for completeness and for accuracy,” he said.

They do not have to agree with what the author of the paper wrote. If they disagree, they document that disagreement and send their report with the proposal paper to the approving authority, so that the approving authority has a better picture of the actual situation. Independent validation of the risk issues in the paper improves the quality of decision making. With ERM there is a risk-return trade-off; in ERM terms, the higher the risk taken, the higher the expected return. The aim of ERM is to optimise risk, whereas in ORM you always want to reduce or eliminate it.

“In ERM, because you are looking not only at reduction or elimination, but also at optimisation, you may want to consider increasing the risk because you believe there is a great opportunity,” he said. “But to try and realise the opportunity, you have to take a bigger risk. So you take more risk because you want a higher return.” The tool with which you look at, manage, record and deal with enterprise risks is the risk register. Risk registers are different from RCSAs.

“Some people may call their RCSAs their risk registers but RCSA is the process through which you look at the effectiveness of controls, internal controls to control, reduce or eliminate your operational risk,” Ramesh clarified. “RCSAs are normally used to deal with risks in processes; they generally do not look at organisational risks. You use a different document called risk registers to look at organisational risks.”

The RCSAs look at operational risks, which are risks in processes. The objective is to provide reasonable assurance from an ORM perspective that all business objectives will be met, in relation to how the processes are utilised. RCSAs can be used as a checklist or questionnaire, but a workshop-based approach is recommended, as all stakeholders in the process can then get together to identify and assess the risks in that process end to end. The validation is done by subject matter experts.

“When you execute or implement the RCSAs properly, you will have subject matter experts who know what they are talking about reviewing the RCSAs of the various departments and the various processes which these departments control and implement,” Ramesh said. “They will therefore make sure that there is a very robust evaluation of the risks and the controls used to control or minimise the exposure in relation to those risks.”

Facilitated RCSAs help to improve the control environment of any function or process within the organisation in two ways: by increasing awareness of what the organisation is actually intended to achieve, and of the role of internal controls in achieving those goals and objectives. Because it is a self-assessment, it also motivates personnel to carefully design and implement all control processes, and emphasises that it is their responsibility to continually improve operating control processes.

“The primary objective of the RCSA is to ensure the reliability and integrity of information, which is part of the evaluation process,” Ramesh added. “It also has to ensure that compliance is managed with all internal and external policies, plans, laws, procedures, regulations, contracts – everything given the context and scope of the organisation. This safeguards assets, helps to ensure economic and efficient use of resources, and helps to achieve the established objectives and goals of operations and programmes.”

He summarised the benefits of RCSA as encouraging management and staff to assume responsibility, because it is a self-assessment; providing the opportunity to focus efforts on formal and informal controls; acting as a bottom-up feedback mechanism; and helping organisations be proactive and reduce exposure by looking at weaknesses and potential gaps from an operational perspective. “RCSAs were meant for the line,” he said. “It was designed for people who do the hard work like managers, assistant managers, and those (in the line) who know what is going on.”

Emphasising again that an RCSA is not a risk register, he said that risk registers are prepared by senior people, whereas the RCSA is done at the micro or process level. The RCSA process generates the information needed to assess operational risks and internal controls, and anything else useful in judging the quality of controls. It can show how to improve the control environment, and is a very strong tool for performance management. It can be done manually or automated using appropriate software.

ERM, on the other hand, is about looking at things more strategically; it starts not by identifying the risk, but what the user’s objectives are. It follows the objective-centric, not taxonomic, approach. “In ERM, you categorise the risk according to causality, i.e., the root cause of impediments that prevent you from achieving your organisational objectives,” Ramesh explained. “The start point is not just the objectives. You have to go back to the vision and mission; the original objective of the company is its vision and mission.”

Risk professionals need to see how the vision and mission cascade through the organisation, its departments and divisions, and how they shape the objectives of those departments and divisions. From that, they can work out the vision, mission and objectives of each department or division that contribute to the company’s overall attainment of its vision, mission and objectives. ERM aims to achieve four cornerstones: maximise return on capital; ensure long-term growth in shareholder value; optimise volume and profitability; and maximise operational cost effectiveness.

“To do this, we have to make sure that we do our business planning, strategy planning and formulation, and execution effectively,” he advised. “We have to take into account new strategies and new risks, and make sure we take care of our markets, products, customers and operational strategy, the effects of new ventures, and any risks on capital impacts.” Additionally, operational and change management processes must be properly managed as the organisation adjusts to change or restructuring.

Risk strategy is derived from the four general areas of the business that contribute to all this. Many companies nevertheless do not have a risk strategy, even though it is what defines the risk framework and the processes for risk identification and assessment. The framework determines how risks are monitored, how controls will be implemented, and how capital will be managed. “Corporate governance says that the way to do this is to run the business properly, in line with international best practice,” Ramesh stated. “The document used to control, record, identify and monitor risks is called the risk register.”

The purpose of risk registers is to assess and discuss everything done in the organisation, including business strategy and its operationalisation, and all objectives from both the enterprise-level and business-line perspectives, from the top down. RCSA is a bottom-up approach; risk registers use a top-down approach. The idea is to identify impediments, i.e., what will prevent the achievement of objectives. Expanding on the differences between the taxonomic and the objective-centric approach, Ramesh said that the taxonomic approach was fast, cheap and easy to do.

But apart from that, it has no strategic use, no ownership by the line, and no direct linkage to strategy, objectives or performance; nor can it be audited, because it is a brainstorming process. “You are not identifying risk, you are identifying effects of risk,” he said. “You need to identify risk according to objectives.” The advantage of the objective-centric ERM approach is that it is owned by the line, which must identify its objectives and the impediments to them. “It is very structured, very complete. Because it is so structured, it is auditable.”

It is important to understand the distinction between ERM and ORM, so that processes can be crafted more accurately to achieve objectives from either a process or an organisational perspective. ORM uses RCSAs; ERM uses risk registers. Ramesh urged risk practitioners to “keep the tools and techniques simple. Keep the spreadsheets simple. Keep the requirements simple. Do your research carefully, understand carefully, gain credibility and awareness, then implement. If you do everything properly, you will be able to ensure proper sustainability, agility and resilience for your organisation.”

This is precisely the aim of ERM: to drive organisational sustainability and resilience, supported by all the ancillary disciplines such as market risk, credit risk and operational risk. ERM is the overarching discipline, and ORM is one of its components.
