ENTERPRISE RISK: ESTABLISHING THE RISK APPETITE FOR UNIFYING THE LINES OF DEFENSE

The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.

2 LINES OF DEFENSE APRIL 2015

“Lines of defense” has become an increasingly prominent expression and/or topic in research journals, academia, business publications and regulator speeches. It describes how management, risk, compliance and internal audit departments work together and is an illustrative phrase that is generally understood and easy enough to apply to an organization, a soccer field or scientific research. The expression originates from medieval castle systems - not necessarily the dreamy stone castles that withstood time and still remain today. The moats, drawbridges and stone walls were built in response to advancements in weaponry, as the original castles were mostly wood and earth mounds and it was necessary to create look-outs. In other words, the lines of defense were forced to evolve based on external risks. Civility has prevailed, however the lines of defense as a modern expression is still appropriate from a defensive (and sometimes offensive) view for any organization.

Current day references and research around lines of defense point to three internal “lines” that come together to protect the organization:

• The first line encompasses operations, from business units to centralized processes and from products/services to legal entities, as well as the organizational hierarchy beneath them. This line sometimes includes senior management, as this line owns the internal controls (not only financially significant controls as identified by Sarbanes-Oxley or other internal controls regulations.)

• The second line encompasses risk and compliance oversight and management. This line can involve diverse naming conventions as a result of the organization’s industry, regulators, physical/monetary size, etc.

• The third line is usually referred to as internal audit - the independent and objective function that reports to the audit committee, with a dotted line to executive management. Note that this is distinct from internal controls, as they are owned by senior management, and are sometimes included in the first line of defense.

The lines of defense are meant to be separate and distinct from each other, having differing roles with a single unifying objective - to manage and monitor all risks across the entire organization. Sadly, the unifying objective has many differing perspectives or frames of reference, as modern day organizations are overly complex, continuously evolving and somewhat bifurcated across many different proverbial lines, including:

• Businesses, industries and customers

• Product and service lines

• Geographies

• Legal entities

• Operating units, etc.

Each of the bifurcations has a valid rationale and purpose, but when it comes to lines of defense, they further complicate how the organization manages and monitors all of its risks. Consequently, most genuine attempts to unify the organization along the lines of defense are unsustainable and lack appropriate momentum within the organization. Such lack of momentum is often due to the lack of an appropriate mandate, inadequate executive involvement in the process and the challenge inherent in acknowledging that the lines of defense do not present an opportunity to cut costs. The modern day use of the expression “lines of defense” in speeches and publications

3 LINES OF DEFENSE APRIL 2015

is intended to demonstrate organizational depth through a unified single objective and cohesive organizational response. Sounds easy, except when one realizes that the lines of defense have matured their approaches, processes and methods over the years. The lines of defense are sometimes further broken up by IT security, IT compliance, privacy, environmental health and safety, and other various efforts to monitor and mitigate risk within the organization. All of a sudden, the lines of defense have turned into herding cats around a risk management initiative!

WHICH CAME FIRST, THE CHICKEN OR THE EGG? Rather than debate whether the greater priority is to harmonize practices across the lines or within each line, let’s start with the headlines. In the last twenty plus years, Enterprise Risk Management (ERM) as an organizational initiative has gone through various peaks and troughs and, depending on the organization’s industrial sector(s), the expectations around risk management have also ebbed and flowed. Some consider the notion of ERM to be more critical for banks, financial institutions, insurers and organizations regulated within certain countries and less important for other industrial sectors or geographies. For others, ERM is about risk management and often considered a secondary focus within the business. The Global Association of Risk Professional (GARP)’s definition of ERM is:

In other words, ERM as a broad initiative is adopted, defined, executed and controlled depending on the organization. While some ERM industry specifications and standards exist, organizational adoption is truly a self-defined framework and approach. ERM industry specifications and standards can be found in COSO ERM, ISO 31000, with broad disclosure guidance from the U.S. SEC, the UK Trumbull Act, the Toronto Stock Exchange, KonTraG and the credit rating agencies, Standard & Poors (S&P) and Moody’s Analytics. All of the above provide varying contexts for ERM and demonstrate the fundamental need for an organization to establish its own view of ERM. Said another way, ERM provides the unifying objective on how the organization manages and monitors its greatest risks across the organization.

WHAT HEADLINE STORY ABOUT THE ORGANIZATION WOULD ALTER HOW THE ORGANIZATION VIEWS AND HANDLES ENTERPRISE RISKS? Before the above question is answered, it is important to consider whether the headline was due to a lack of ERM or due to a potentially larger corporate governance issue. Too often, the enterprise risks within an ERM initiative are documented, prioritized, managed and even monitored, but they lack the appropriate context, relevance and accountability for them to be actionable. For example, the enterprise risks:

• Do not align with the organization’s objectives

• Are thought to be more of a matter between executive management and senior management

• Are too outlandish to be possible

• Are less of a priority than the issues that the Board of Directors is already handling

“Enterprise Risk Management is a collection of processes, methods, and other approaches businesses and other organizations use to manage, monitor, and measure risks.”

4 LINES OF DEFENSE APRIL 2015

Organizations hope that tomorrow’s headline stories will not center on how their cyber risk management approach failed to protect transactional records or how their vendor risk management failed to stop illegal contracts with customers or suppliers. These two enterprise risks are well known and well documented and are active topics in the news and most business, IT, academic and corporate publications and trade journals. In other words, the headline stories should not have been a wake-up call to management, but rather a confirmation of the organization’s exposure and a heightened demonstration of how the organization responds to and manages such enterprise risks when they are realized.

Regrettably, what usually happens is that approximately five to seven days after the headline, it emerges that the Board of Directors and executive management were either uninformed about these enterprise risks or that the risks were not treated as priorities, given the likelihood of them being realized and their expected impact. These are not flawed ERM initiatives, but rather corporate governance failures, as enterprise risks were not actively managed in that they were not communicated on a routine basis to the Board of Directors and executive management.

A number of ERM naysayers will point to a few facts to support their position, maintaining that it is impossible to mitigate all risks within the organization. In other words, an organization’s sole purpose is not to reduce or mitigate all of its risks. This is correct, but it is also important to know that ERM is about managing risk, not mitigation and these were well known risks with known organizational exposures, not emerging, inconsequential risks. Other ERM naysayers will point to cost-benefit or return on

investment analysis to justify the actions that were or were not taken. They would be factually correct that the costs to manage the enterprise risk at the time that it was a known exposure to the organization were probably greater than the perceived benefits of managing it. In other words, incurring the costs could not necessarily mitigate the risk of occurrence. Unfortunately, they would be guilty of silo thinking because enterprise risks usually result in collateral damage to the organization. The collateral damage is hard to quantify, but it is very easy to qualify the damage to reputation, brand and how management manages the organization.

A useful illustration of the difficulty in calculating the benefits of an ERM initiative follows.

In a 2012 news story, an employee found a USB drive in the employee parking lot and picked it up, but only to hand it over to the company’s IT department. The employee’s actions point to a thorough risk awareness within the organization. The company’s IT department later confirmed that the USB drive contained malware and further that the employee’s prompt action prevented an attempt at corporate espionage. Numerous other organizations have used this actual news story to conduct scenario tests and uncover vulnerabilities, unfortunately with very different results. Employees are aware of the risk of using a foreign USB drive, however the scenario presents both civility and vulnerability in a whole new light.

THE RISK APPETITEERM, at its core, is about establishing a risk appetite for the organization that articulates how each employee, director, contractor or consultant is accountable and evaluated, based on how they handle risk on a daily basis. The risk appetite describes the organization’s position on risk, as well as expectations around

5 LINES OF DEFENSE APRIL 2015

communicating and acknowledging risk (risk awareness) and actively managing or mitigating risk based on various measures or indicators. The organization’s position is a management-defined (executive or senior) approach as to which risks should be managed vs. which risks should be mitigated. The managed risks are tracked on a periodic basis, while the mitigated risks are monitored more frequently. Depending on the nature of any of the risks, different levels of management and the Board of Directors will be involved in the various tracking and monitoring exercises. In summary, an organization’s risk appetite is what aligns the lines of defense to act cohesively in the monitoring or mitigation of such risks and their residual implications.

The Committee on Sponsoring Organizations (COSO) authored in their 2004 Enterprise Risk Management Integrated Framework that:

COSO’s definition of the risk appetite does a tremendous job in making it almost immediately actionable with the ability to be engrained into performance. While numerous regulators, quasi-government associations and professional associates have accepted and, at times, enhanced the definition, it still remains somewhat vague for the three lines of defense. An example of how other quasi-government associations have also sought to define the risk appetite statement can be found in the 2013 definition by the Financial Stability Board (FSB):

“Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Many entities consider risk appetite qualitatively, with such categories as high, moderate, or low, while others take a quantitative approach, reflecting and balancing goals for growth, return, and risk. A company with a higher risk appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging markets. In contrast, a company with a low risk appetite might limit its short-term risk of large losses of capital by investing only in mature, stable markets.

Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, as different strategies expose an entity to different risks. Enterprise risk management

helps management select a strategy that aligns anticipated value creation with the entity’s risk appetite…

Risk appetite guides resource allocation. Management allocates resources among business units and initiatives with consideration of the entity’s risk appetite and the unit’s plan for generating desired return on invested resources. Management considers its risk appetite as it aligns its organization, people, and processes, and designs infrastructure necessary to effectively respond to and monitor risks.”

“The articulation in written form of the aggregate level and types of risk that a financial institution is willing to accept, or to avoid, in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and conduct risks as well as money laundering and unethical practices.”

6 LINES OF DEFENSE APRIL 2015

The FSB’s definition is useful in linking the types of risk with the matters that are key to financial institutions. The definition is still vague for the lines of defense and lacks some of the actionable nature found in the COSO definition. In both definitions of the risk appetite, there is not enough context on how the organization came to define this as their risk appetite, how the specific risks were deemed to be more significant than other, more mundane risks, and finally how the risk appetite statement needs to distill the complexity into layman’s terms. How do organizations keep enterprise risks from becoming corporate governance failures? In essence, this is done by keeping the risk appetite current, aligned with relevant organizational strategies and agreed upon objectives, and top of mind for all internal stakeholders.

RISK CULTUREOver the last 25 years, more and more attention has been placed on organizational culture and specifically on how risk is handled within an organization. This is risk culture. The term organizational culture has many definitions that demonstrate the many perspectives and factors involved in its definition. In 1985, Edgar Schein, a Massachusetts Institute of Technology (MIT) professor emeritus in the Sloan School of Management, published what has become the definition for organizational culture in his book entitled “Organizational Culture and Leadership”:

“A pattern of shared basic assumptions that was learned by a group as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems.”

In re-reading the above definition in the context of risk, it should become clear how risk evolves within an organization.

In the context of risk, the above definition spurs numerous questions, here are only two:

1. What mechanisms within the organization exist to manage risk as it evolves?

2. In teaching new members, how does an organization provide experiential context to situations and events unknown to both teacher and student?

Edgar Schein’s definition does a wonderful job in articulating the intricacies of organizational culture that are taken for granted based on what is thought to be accepted versus what is actually understood. Similarly, the foreign USB drive story seems to describe a mundane, ordinary risk, where the employee, rather than attempting to confirm the potential risk, sought the involvement of IT to handle the vulnerability. In fact, the individual understood that the unknown posed a potential risk to corporate property and potentially to their own property and therefore, rather than add an additional risk of independently confirming it, relinquished it to others that could better quantify the potential risk. This is a wonderful demonstration of how the risk appetite statement of ERM and the organizational culture unify across the lines of defense.

CONCLUSIONSo let us review the requirements for the lines of defense:

• The lines of defense should be assembled for the right reasons and not the wrong ones, including:

- Cost cutting

- Procurement of solutions or services

- Window dressing for a regulator or the external auditors

7 LINES OF DEFENSE APRIL 2015

• The lines of defense need to be unified based on a risk appetite statement that reflects the organization’s culture and articulates the organization’s position on risk as well as expectations around communicating and acknowledging the risk (risk awareness) and actively managing or mitigating such risk based on various measures or indicators.

- The lines of defense need to be supported by an active, ongoing, 24 hour a day, 7 day a week, 365 day a year initiative and an appropriate organizational mandate:

- The initiative must be underpinned by appropriate leadership, accountability, clearly articulated objectives and active performance measures

- Oversight should be provided by both executive management and the Board of Directors

- Continuous fine-tuning and improvements must be implemented

Once the above items have been established, the lines of defense can be empowered to move forward in collaborating and developing cohesion - whether in a castle or a financial institution!

8 LINES OF DEFENSE APRIL 2015

ABOUT THE AUTHORNoah Gottesman is a Certified Internal Auditor with over fifteen years of compliance, internal audit, internal control and risk management experience. At Thomson Reuters Accelus, Noah serves as the Audit Advisory and Innovation Director within Professional Services, assisting clients with Accelus implementations. Prior to joining Thomson Reuters, Noah spent thirteen years with a big-four accounting firm, gaining global experience across a wide range of industries, including banking and financial services, technology and insurance.

© 2015 Thomson Reuters GRC02311/3-15

The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity.

Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-changing regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director solutions.

THOMSON REUTERS ACCELUS™

For more information, visit accelus.thomsonreuters.com