Thursday, September 6, 2012

Enterprise Risk Management Goes Mainstream

By Christopher S. Johnson, CPA

If you're in any way involved in the management of a business enterprise, whether for-profit or not-for-profit, chances are you're hearing the term Enterprise Risk Management ("ERM") with growing frequency. Once reserved for large organizations with complex controls and reporting obligations, ERM is increasingly being implemented by smaller organizations that need to document reasonable governance practices, or which simply need a reliable system for identifying and mitigating risks before they develop into financial losses.

ERM can be a difficult concept to absorb because it varies widely in application; one size does not fit all. In its most refined form, ERM may encompass rigid frameworks such as those adopted by the Casualty Actuarial Society or the Committee of Sponsoring Organizations of the National Commission on Fraudulent Financial Reporting (the Treadway Commission), both viewed as authoritative sources in the ERM world. By contrast, in a simpler setting, ERM could be summarized in a spreadsheet that serves as a checklist used routinely by management to avoid the seemingly endless obstacles that are a reality of operating a business or program. Regardless of the degree of complexity, a successful ERM program will always consist of certain key elements.

• Documentation: The best of plans is doomed to fail if not committed to paper. To be effective, ERM must take the form of a documented set of policies and procedures that can be monitored and evaluated for effectiveness.

• Structure: Effective ERM relies on a suitably designed process for identifying, quantifying, and prioritizing risks; delegating responsibility for mitigation; and establishing suitable monitoring. To deal with the judgmental aspects, a structured approach in which risks are quantified and weighted is typically used. This will generally take the form of a spreadsheet with a series of questions, each with an assigned value. Answering the questions produces a "score" for measuring the severity of each risk. As such, using an appropriate structure or template is critical.

• Process Ownership: Accountability is an inherent element of ERM, and therefore each risk and each mitigating control must be assigned an "owner" or responsible party. Although results can vary, the most economical means of mitigating an identified risk will typically be developed when the process owner participates in the design. As such, participation at the director or trustee level would generally consist of approving the ERM program and monitoring it on an ongoing basis.

• Monitoring: Once specific risk management processes are in place, they must be monitored on an ongoing basis to provide assurance that risks are being mitigated as planned. This means the design of any process must be conducive to monitoring, by way of regular reporting or a similar audit trail that can be spot-checked periodically. Monitoring also involves periodic reassessment of each risk and of the suitability of the control process implemented to mitigate it. It's not unusual for operational or staffing changes to render a process ineffective or unnecessary.

You may be wondering why your organization doesn't have a formal ERM process and, like many, you may have already concluded that it's not really necessary. After all, if there's no net financial benefit and it's not mandated by some regulatory authority, what's the incentive to implement ERM, especially when it seems like a lot of work? Well, as it turns out, there really are incentives to implementing ERM. In evaluating risks, there will normally be some improvements in efficiency, either through identifying redundant controls or those with a poor cost/benefit relationship, or through identifying risks associated with lost opportunity. And when process owners understand that ERM is as much about streamlining their workloads as it is about protecting the future of the organization and its mission, the result is usually a high level of enthusiasm.

In terms of the regulatory mandate issue, there is currently no direct regulatory requirement to use ERM, although it's certainly considered a best practice. Naturally, the AICPA has embraced the concept, since ERM is an excellent process for designing entity-wide as well as transaction-level internal controls. In July of 2012, the AICPA issued its annual Financial Reporting Alert for Not-for-Profit Entities, in which it cited government regulations (compliance) as an example of a risk for which ERM is an appropriate mitigation strategy, and in 2010 the AICPA added an ERM component to its "Not-for-Profit Audit Committee Toolkit", long considered a staple of basic good governance practices. These are part of a long list of ERM documents and links that the AICPA offers on a dedicated ERM-only web page, which is growing at an accelerating rate (18 new items added in 2011 as compared to just one in 2005). With so much building support from the AICPA, it would not be a surprise to see ERM adopted in some authoritative form in the near future, a move which could open the door to regulatory requirements in the same manner in which Governmental Auditing Standards (the "Yellow Book") has incorporated the existing AICPA audit risk standards by reference.

Regulatory mandate or not, ERM is here to stay and the Not-for-Profit sector, with all of its regulatory requirements, appears to be the perfect environment for implementation. Whether the objective is a leaner and more effective system of controls, detection and prevention of situations that may develop into financial losses, or documenting prudent oversight and governance practices, ERM is a proven method to help your organization achieve its mission.

For more information on this topic, contact cjohnson@pmn.com

Note: This article represents a general overview of Federal and/or Massachusetts general topic issues or developments and should not be relied upon without an independent, professional analysis of how any legal provisions alluded to may apply in a specific situation.

IRS CIRCULAR 230 NOTICE: In compliance with U.S. Treasury Circular 230 Regulations and any applicable state laws, we hereby notify you that any tax advice contained in the body of this document, or attachments thereto, was not intended or written to be used, and cannot be used, by the recipient or any other party for the purpose of (1) avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions, or (2) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Source: http://www.pmn.com/blog/enterprise-risk-mgmt/

