Module 9 - Thinking Through a Risk Management Lens Flashcards

1
Q

Define “enterprise risk management.”

A

“Enterprise risk management” is defined as the culture, capabilities and practices, integrated with strategy setting and its execution, that entities rely on to manage risk in creating, preserving and realizing value for stakeholders. A more in-depth look at the definition of enterprise risk management emphasizes its focus on managing risk through:

(a) Recognizing culture and capabilities
(b) Applying practices
(c) Integrating with strategy setting and its execution
(d) Managing risk to strategy and business objectives
(e) Linking to creating, preserving and realizing value.

2
Q

Define “culture,” “capabilities” and “practices” in the context of enterprise risk management.

A

Culture is developed and shaped by the people at all levels of an entity by what they say and do. It is people who establish the entity’s mission, strategy and business objectives and put enterprise risk management practices in place. Risk “culture” is defined as the attitudes, behaviours and understanding about risk, both positive and negative, that influence decisions and reflect the mission, vision and core values of the entity.

Enterprise risk management “capability” provides a core capability to an entity in its pursuit of competitive advantages to create value. Enterprise risk management helps the entity develop the skills needed to execute the entity’s mission and vision and to anticipate the challenges that may impede success. It enhances capacity to adapt to change and increases resilience and ability to evolve in the face of marketplace and resource constraints.

Risk “practices” are the methods and approaches deployed within an entity related to managing risk. Practices used in enterprise risk management are applied from the highest levels of an entity and flow down through divisions, business units and functions—applied to the entire scope of activities as well as to special projects and new initiatives. It is part of decision making at all levels of the entity. Practices are intended to help people within the entity better understand its strategy, what business objectives have been set, what risks exist, what the acceptable amount of risk is, how risk impacts performance and how to manage risk. In turn, this understanding supports decision making at all levels and helps to reduce entity bias.

3
Q

Outline the premises that underpin the benefits of taking an enterprisewide approach to risk management.

A

An enterprisewide approach to risk management is based on the premise that every entity—whether for-profit, not-for-profit or government—exists to provide “value” for its stakeholders. A related premise is that all entities face uncertainty, generally understood to be something not completely known or the condition of not being sure of something, in the pursuit of value. Effective enterprise risk management allows decision makers to balance exposure against opportunity, with the goal of enhancing the entity’s capabilities to create, preserve and ultimately realize value for stakeholders.

4
Q

Define “stakeholders,” and differentiate between internal and external stakeholders. Provide examples of stakeholders in group benefit plans or employer-sponsored pension plans who stand to benefit from effective risk management practices.

A

“Stakeholders” are parties that have genuine or vested interest in an entity. Internal stakeholders are parties working within the entity such as employees, management and the board. External stakeholders are any parties not directly engaged in the entity’s operations but who are impacted by it, directly influenced by its environment, or influence its reputation, brand and trust. Key stakeholders in a group benefits plan or an employer-sponsored pension plan can include the employer (plan sponsor), employees (plan members), beneficiaries of the plan members, plan service providers and any relevant regulatory bodies such as the Canada Revenue Agency (CRA) or the pension regulator for the province or territory in which the plan sponsor operates.

5
Q

Explain how the value of an entity is influenced by management decisions.

A

Management decisions, from overall strategy decisions to day-to-day decisions, can determine whether value is created, preserved, realized or eroded.

(a) Value is created when the value of deployed resources (such as people, financial capital, technology and processes) is less than the benefits derived from that deployment.
(b) Value is preserved when the value of resources deployed in day-to-day operations sustains created benefits. For example, value is preserved with the delivery of superior products and services, which results in satisfied customers and stakeholders.
(c) Value is realized when stakeholders derive benefits created by the entity. Benefits may be monetary or nonmonetary.
(d) Value is eroded when management implements strategies that do not yield expected outcomes or fails to execute day-to-day tasks.

6
Q

Explain how enterprise risk management interfaces with strategy.

A

“Strategy” refers to an entity’s plan to achieve its mission and vision and to apply its core values. A well-defined strategy provides a road map for establishing business objectives and drives the efficient allocation of resources and effective decision making.

Enterprise risk management does not create the entity’s strategy, but it influences its development. It informs the entity on risks associated with alternative strategies considered and, ultimately, with the adopted strategy. It evaluates potential risks that may arise from strategy, including how the chosen strategy could affect the entity’s risk profile (specifically the types and amount of risk the entity is potentially exposed to). It also evaluates the critical assumptions underlying the chosen strategy by looking at how sensitive strategy alternatives are to changes in the assumptions (i.e., whether they would have minimal or significant effect on achieving the strategy).

7
Q

Explain how enterprise risk management can influence an entity’s ability to adapt, survive and prosper.

A

Every entity sets out to achieve its strategy and business objectives in an environment of change. Market globalization, technological breakthroughs, mergers and acquisitions, fluctuating capital markets, competition, political instability, workforce capabilities, and regulation, among other things, make it difficult to know all possible risks to a business strategy and business objectives. Risk is always present and always changing. While it may not be possible for entities to manage all potential outcomes of risk, they can improve how they adapt to changing circumstances. This is sometimes referred to as “organizational sustainability.” Enterprise risk management focuses on managing risks to reduce the likelihood that an event will occur, managing the impact when one does occur and adapting as circumstances dictate.

8
Q

Outline benefits of integrating enterprise risk management with strategy setting and performance management processes.

A

The benefits of integrating enterprise risk management with an entity’s strategy setting and performance management processes vary by entity. However, implementing enterprise risk management may increase the entity’s ability to:

(a) Expand the range of opportunities for creating value

(b) Identify and manage entitywide risks

(c) Reduce surprises and losses

(d) Reduce performance variability

(e) Improve resource deployment

9
Q

Explain how events, uncertainty and severity impact risk.

A

In the context of enterprise risk management, an “event” is an occurrence or set of occurrences. “Uncertainty” is the state of not knowing how potential events may or may not manifest. “Severity” is a measurement of considerations such as the likelihood and impacts of events or the time it takes to recover from events. Some risks have minimal impact on an entity, and others have a larger impact.

In the context of risk, events are more than routine transactions; they are broader factors that affect the entity such as changes in the governance and operating model, geopolitical and social influences, and contracting negotiations. Some events are readily discernable—a change in interest rates, a competitor launching a new product that affects financial viability, or a cyberattack. Other events are less evident, particularly when multiple small events combine to create a trend or condition. For instance, it may be difficult to identify specific events related to global warming, yet that condition is generally accepted as occurring. In some cases, entities may not even know or be able to identify what events may occur. The risk of an event occurring (or not) creates uncertainty.

10
Q

Explain why an event with a positive outcome can also pose a risk.

A

Commonly, the focus is on those risks that may result in a negative outcome, such as damage from a fire, losing a key customer, or a new competitor emerging. However, events can also have positive outcomes, and these must also be considered. Events that are beneficial to the achievement of one objective may at the same time pose a challenge to the achievement of other objectives. For example, if a company’s product launch has higher-than-forecast demand, it introduces a risk to supply chain management, which may result in unsatisfied customers if the product cannot be supplied.

11
Q

Outline the benefits of integrating enterprise risk management with strategy setting and strategy execution processes.

A

When enterprise risk management, strategy setting and strategy execution processes are integrated, an entity is better positioned to understand:

(a) How mission, vision and core values form the initial expression of acceptable types and amount of risk when setting strategy
(b) Possibility of strategies and business objectives not aligning with the mission, vision and core values
(c) Types and amount of risk the entity potentially exposes itself to from the strategy that has been chosen
(d) Types and amount of risk to executing its strategy and achieving business objectives.

12
Q

Define “mission,” “vision” and “core values,” and explain how they relate to an entity’s purpose.

A

“Mission” is the entity’s core purpose, which establishes what it wants to accomplish and why it exists. “Vision” is the entity’s aspirations for its future state or what the entity aims to achieve over time. “Core values” are the entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behaviour of the entity and how it wants to conduct business. Together, these elements communicate to stakeholders the entity’s purpose. For most entities, mission, vision and core values remain stable over time, and during strategy planning they are typically reaffirmed. Yet the mission, vision and core values may evolve as the expectations of stakeholders change.

13
Q

Explain the significance of alignment among strategy, mission, vision and values to enterprise risk management.

A

Mission and vision help to establish boundaries for strategy and bring focus to understanding how decisions may affect strategy. Mission, vision and core value statements guide in determining the types and amount of risk an entity is likely to encounter and accept. If an entity’s strategy is not aligned with its mission, vision and core values, its ability to realize mission and vision may be significantly reduced. This can happen even if the (mis)aligned strategy is successfully executed.

14
Q

Describe the focus of enterprise risk management in the context of strategy execution. Provide an example.

A

The focus of risk management in the context of strategy execution is on understanding the strategy as it is set out and what risks there are to its relevance and viability. There is always risk to executing strategy; a variety of techniques can be used to assess it.

For example, assume a health care provider sets a business objective of providing high-quality patient care. To assess risks associated with its execution, the provider considers risks relating to factors such as employee capability, medical care and treatment options, health care legislation requirements and health record management requirements. If these execution risks become significant enough, the health care provider may revisit its strategy and objectives and consider revisions or select other alternatives that have a more suitable risk profile.

15
Q

Explain the roles of the governance and operating models in enterprise risk management.

A

An entity’s governance model defines and establishes authority, responsibility and accountability. It aligns the roles and responsibilities to the operating model at all levels—from the board of directors to management, divisions, operating units and functions.

An entity’s operating model describes how management organizes and executes its day-to-day operations. It is typically aligned with the legal structure and management structure. Through the operating model, employees are responsible for developing and implementing practices to manage risk and stay aligned with the core values of the entity.

Both models influence the ability to identify, assess and respond to risks to the achievement of strategy.

16
Q

Explain the significance of an entity’s legal structure in risk management.

A

How an entity is structured legally influences how it operates. A variety of factors, including size of the entity and any relevant regulatory, taxation or shareholder structures influence the suitability of different legal structures. A small entity may operate as a single legal entity, and risks can be aggregated across the entity. For large entities consisting of several distinct legal entities, risks may be segregated.

17
Q

Explain the relationship between performance targets and level of uncertainty.

A

“Performance” describes how actions are carried out as measured against a preset target. There is always risk associated with a performance target. The level of uncertainty varies with the level of performance desired. For example, airlines have a certain amount of uncertainty about their ability to operate 100% of the flights on their schedule. They may be less uncertain that they can operate 90% or even 80% of their scheduled flights. There is a different amount of uncertainty associated with each level of performance.

18
Q

Explain the concept of risk profile in the context of enterprise risk management.

A

A risk profile provides a composite view of the risks for an entity as a whole or as a division, a project or an initiative. A composite view of risk allows decision makers to consider the type, severity and interdependencies of risks and how they may affect performance relative to the strategy and business objectives set.

To develop a risk profile requires an understanding of:

(a) Strategy or relevant business objective
(b) Performance target and acceptable variations in performance
(c) Capacity and appetite for risk
(d) Severity of the risk to the achievement of the strategy and business objective.

19
Q

Interpret the following risk profiles. (First, a linear risk bell curve trending up. Second, a series of bars in a bar chart trending up)

A

There are several methods for depicting a risk profile. Every entity’s risk profile is different, depending on its unique strategy and business objectives. These samples plot performance on the x-axis and risk on the y-axis.

Sample Risk Profile A graphically illustrates the composite or aggregate amount of risk associated with different levels of an entity’s performance. In this risk curve, there is an upward trend; as performance increases, so does the risk level.

Sample Risk Profile B provides another illustration of a similar risk curve. This graph considers risk as a continuum of potential outcomes. Each bar represents the risk profile for a certain level of performance. The target level of performance illustrates the point at which the entity can balance the amount of risk to its desired performance.

20
Q

Explain the concept of “risk appetite” and its relationship to strategy setting.

A

“Risk appetite” means the type and amount of risk an entity is willing to accept in its pursuit of value. Knowing the risk appetite is essential to enterprise risk management.

There is no universal risk appetite that applies to all entities. The first expression of risk appetite boundaries is in an entity’s mission and vision statements. Developing a risk appetite statement is an exercise in finding a compromise between risks and opportunities. Risk appetite is not static; it may change over time in line with an entity’s changing capabilities for managing risk. The process of selecting strategy and developing risk appetite is not linear, with one always preceding the other. Many entities develop strategy and risk appetite in parallel, refining each throughout the strategy-setting process.

21
Q

Compare “risk capacity” to “risk appetite.”

A

“Risk capacity” is the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives. “Risk capacity” can be plotted on any depiction of risk profile. Risk capacity must be considered when setting risk appetite, since generally an entity strives to hold risk appetite within its capacity. It is not typical for an entity to set risk appetite above its risk capacity, but in rare situations an entity may accept the threat of insolvency and failure on a given strategic direction, with the understanding that success can create considerable value.

22
Q

Compare “acceptable variation in performance,” “risk appetite,” and “risk capacity” using the following risk profile.

A

This sample plots performance on the x-axis and risk on the y-axis. “Acceptable variation in performance” (sometimes referred to as “risk tolerance”) means the boundaries of acceptable outcomes relating to achieving business objectives. Acceptable variation in performance is depicted by the broken lines to the right and left of the target level of performance. It is more focused than risk appetite, illustrating both the boundary of exceeding the target level of performance and the boundary of trailing the target level of performance. Generally an entity strives to hold risk appetite within its risk capacity.

23
Q

Explain the premise of the COSO Framework.

A

The premise of the COSO Framework is that the entity’s mission, vision and core values drive the development of strategy and objectives, which in turn impact the entity’s performance. Enterprise risk management is integrated into strategy planning and day-to-day decision making in an iterative way. The COSO Framework consists of five interrelated components:

(1) Risk Governance and Culture
(2) Risk, Strategy and Objective Setting
(3) Risk in Execution
(4) Risk Information, Communication and Reporting
(5) Monitoring Enterprise Risk Management Performance.

Within these five components are a series of principles that represent the fundamental concepts and activities associated with each component. While these principles are universal and form part of any effective enterprise risk management practice, management must use judgment in applying them.

24
Q

Outline the five components of enterprise risk management.

A

(1) Risk Governance and Culture

(2) Risk, Strategy and Objective Setting

(3) Risk in Execution

(4) Risk Information, Communication and Reporting

(5) Monitoring Enterprise Risk Management Performance

25
Q

Outline criteria for assessing the overall effectiveness of enterprise risk management.

A

An entity should have a means to reliably provide to the stakeholders a reasonable expectation that it is able to manage risk associated with the strategy and business objectives to an acceptable level. It does this by assessing the enterprise risk management practices that are in place. Different approaches are available for assessing enterprise risk management. The entity may consider:

(a) Whether components and principles relating to enterprise risk management are present and functioning
(b) Whether components relating to enterprise risk management are operating together in an integrated manner
(c) Whether controls necessary to effect principles are present and functioning
(d) Whether components, relevant principles and controls to effect those principles that are present exist in the design and implementation of enterprise risk management to achieve strategy and business objectives
(e) Whether components, relevant principles and controls to effect those principles that are functioning continue to operate to achieve strategy and business objectives.

During an assessment, management may also review the suitability of those capabilities and practices, keeping in mind the entity’s complexity and the benefits the entity wants to attain through enterprise risk management. Factors that add to complexity may include, among other things, the entity’s geography, industry, nature, extent and frequency of internal change, historical performance and variation in performance, reliance on technology and the extent of regulatory oversight.

26
Q

Outline factors that impact the establishment of roles and accountability for enterprise risk management in an entity. Identify a specific example of a benefits industry model for risk management.

A

In any entity, everyone shares responsibility for enterprise risk management. The leader of the entity (i.e., chief executive officer or president) is ultimately responsible and should assume ownership for the achievement of the entity’s strategy and business objectives. That person should have a deep understanding of factors that may impede strategy achievement. Managers must ensure that their behaviours align with the culture. They are responsible for overseeing enterprise risk management, leveraging information systems tools and monitoring performance. Other employees are responsible for understanding and aligning to the cultural norms and behaviours, business objectives in their area and related enterprise risk management practices. The board of directors provides risk oversight to strategy achievement.

There is no one-size-fits-all approach to establishing an accountability model. The goal is to have an accountability model that offers an entity a balanced approach to managing risk and pursuing opportunities, all while enabling risk-based decision making that is free of bias.

The Office of the Superintendent of Financial Institutions (OSFI), the federal pension plan regulator, has identified a Risk Assessment Framework used in its oversight process. It offers specific guidance for implementing an accountability model, but entities must consider factors such as their size, strategy, business objectives, culture and external stakeholders. These factors within an entity’s business context may establish roles across any number of different lines of accountability with specific regulatory guidance and oversight. Some entities may refer to the board of directors as a line of accountability based on its specific roles, responsibilities and accountabilities for that entity. Regardless of the number of lines of accountability, however, the roles, responsibilities and accountabilities are defined to allow for the clear ownership of strategy and risk that fits within the governance structure, reporting lines and culture.

27
Q

Outline oversight practices for the Risk Governance and Culture component of the COSO Framework.

A

Board-level risk oversight practices for Risk Governance and Culture include:

(a) Assessing the appropriateness of the entity’s strategy; alignment to the mission, vision and core values; and the risk inherent in that strategy
(b) Defining the board risk governance role and structure, including subcommittees
(c) Engaging with management to define the suitability of enterprise risk management
(d) Overseeing evaluations of the culture and ensuring that management remediates any gaps
(e) Promoting a risk-aware mindset that aligns the maturity of the entity with its culture
(f) Overseeing the alignment of business performance, risk taking and incentives/compensation to balance short-term and long-term strategy achievement
(g) Challenging the potential biases and tendencies of management and fulfilling its independent and unbiased oversight role
(h) Understanding the strategy, operating model, industry, and issues and challenges affecting the entity
(i) Understanding how risk is monitored by management.

28
Q

Outline oversight practices for the Risk, Strategy and Objective Setting component of the COSO Framework.

A

Board-level risk oversight practices for Risk, Strategy and Objective Setting include:

(a) Setting expectations for integrating enterprise risk management into the strategic management processes, including strategy planning, capital allocation, etc.
(b) Discussing and understanding the risk appetite and considering whether it aligns with its expectations
(c) Engaging in discussion with management to understand the changes to business context that may impact the strategy and its linkage to new, emerging or manifesting risks
(d) Encouraging management to think about the risks inherent in the strategy and underlying business assumptions
(e) Requiring management to demonstrate an understanding of the risk capacity of the entity to withstand large, unexpected events.

29
Q

Outline oversight practices for the Risk in Execution component of the COSO Framework.

A

Board-level risk oversight practices for Risk in Execution include:

(a) Reviewing the entity’s strategy and underlying assumptions against the portfolio view of risk
(b) Setting expectations for risk reporting, including the risk metrics reported to the board relative to the risk appetite of the entity and external enterprise risk reporting disclosures
(c) Understanding how management identifies and communicates the most severe risks
(d) Reviewing and understanding the most significant risks, including emerging risks and significant changes in the portfolio view of risk, specifically, what responses and actions management is taking
(e) Understanding the plausible scenarios that could change the portfolio view.

30
Q

Outline oversight practices for the Risk Information, Communication and Reporting component of the COSO Framework.

A

Board-level risk oversight practices for Risk Information, Communication and Reporting include:

(a) Establishing the information, underlying data and formats (graphs, charts, risk curves and other visuals) to execute board oversight
(b) Accessing internal and external information and insights conducive to effective risk oversight
(c) Obtaining input from internal audit, external auditors and other independent parties regarding management perceptions and assumptions.

31
Q

Outline oversight practices for the Monitoring Enterprise Risk Management Performance component of the COSO Framework.

A

Board-level risk oversight practices for Monitoring Enterprise Risk Management Performance include:

(a) Asking management about any risk manifesting in actual performance (both positive and negative)
(b) Asking management about the enterprise risk management processes and challenges and asking management to demonstrate the suitability and functioning of those processes.

32
Q

Describe the significance of the indicators used by the Office of the Superintendent of Financial Institutions (OSFI) to detect risks that impact federally regulated pension plans. Provide examples of each risk indicator.

A

(1) Tier 1 indicators
Detect issues that require immediate attention and may have a significant impact on both the current state and future risk within the plan. Examples include nonremittance of contributions, contribution holidays in excess of surplus or a plan sponsor facing serious financial issues.

(2) Tier 2 indicators
Identify potential risks with the pension plan that may lead to more serious issues. Examples include investment returns that do not meet benchmarks, large changes in membership or a high proportion of liabilities pertaining to retired members.

(3) Tier 3 indicators
Capture situations that may require greater diligence or controls on the part of the plan administrator but may not have significant impact on risk within the plan if properly managed. Examples include whether the plan provisions contain benefits that are subject to the plan administrator’s discretion (i.e., consent benefits) or if there has been a history of late filings for the plan.

33
Q

Describe the first step in the OSFI risk assessment process, and identify the components of the activities reviewed within that step in the process.

A

The OSFI risk assessment process begins with a review of significant activities within a pension plan. Significant activities are those essential operations that a pension plan administrator undertakes to administer the plan and the fund in compliance with professional standards and regulatory requirements. These include:

(a) Administration: Includes benefit calculations, benefit payments, payment of expenses, regulatory filings, recordkeeping, and collection and remittance of contributions to the custodian.

(b) Communication to members: Includes website management, notices, annual statements and member education.

(c) Asset management: Includes management of the plan’s fund, asset/liability management, preparation of special financial or risk management reports, and establishment of and adherence to a statement of investment policies and procedures (SIP&P).

(d) Actuarial (for defined benefit plans only): Includes the actuarial valuation of the plan assets and liabilities, as well as advice, analysis testing and special reports provided by the actuary at the request of the plan administrator.