This paper, authored by Stephanie Maziol, notes how taking risks is a vital part of business; however, managing risks effectively is becoming increasingly critical as well. The recent economic crisis is encouraging companies to take a deeper look at their risk management practices and implement a formalized framework to identify and respond to risks. Organizations such as the PCAOB and Standards & Poor’s (S&P) are also promoting the use of risk management. The PCAOB is directing auditors to adjust audit plans and increase monitoring of high-risk behavior, while S&P is expanding its risk management and credit worthiness evaluation to all public companies.
A great deal of research has found that organizations can improve business results and reduce share price volatility by establishing a risk management framework, yet only fifty-two percent of CFOs surveyed by IBM attest to having a prescribed risk management program within their company. Several factors contribute to this immaturity of risk management within organizations, including the lack of executive commitment to risk management and fragmented risk management activities. In addition, many companies do not have the capacity or intelligence tools in place to predict and prepare for future risks. Lastly, there is a lack of alignment among corporate strategy, strategic planning, and risk management, making it difficult for companies to achieve the business value associated with an effective risk management program.
In implementing a risk management program, there are three common goals corresponding to the steps needed to develop an effective approach. These goals are as follows: protect against downside risks, manage volatility around business and financial results, and optimize risk and returns. The combination of these three goals comprises Enterprise Risk Management (ERM), which is a formalized risk management program. As a part of this program, companies should also define their risk tolerance, or how much risk is acceptable within the organization. This aspect is critical because a difference in the perception of risk appetite within a company can lead to underrated risks being ignored and overrated risks consuming excessive resources.
After an organization has defined their risk tolerance, risk assessments should be conducted to continually monitor risk exposure. This continuous approach also has a beneficial impact on internal audit plans, operational visibility and performance, better decision-making, and improved strategy execution. However, risks assessments can only be as effective as the reporting mechanisms providing information regarding these risks. Without the relevant information, the organization cannot anticipate or respond to risks in a timely manner.
Oracle has recently developed a comprehensive platform for risk management to maximize opportunities while mitigating and avoiding threats. This framework encompasses Enterprise Performance Management (EPM) and Governance, Risk, and Compliance (GRC). EPM focuses on identifying how opportunities can be translated into sustainable success, while GRC identifies and develops responses to existing or looming opportunities and threats.
Oracle has also developed the Strategy-to-Success (S2S) framework, which is an extension of Michael Porter’s concept of defining an organization’s value chain across its business process. The S2S framework consists of the following six steps:
- Understand the Stakeholder Environment
- Create a Market Model
- Develop the Business Model
- Create the Business Plan
- Monitor Business Operations
- Deliver Business Results and Provide Feedback to Other Processes
In implementing the S2S framework, Oracle suggests integrating each step with GRC processes in order to ensure the integrity of business operations. Among other things, this can help ensure that operational risks are clearly identified and internal controls appropriately expose exceptions. As a whole, Oracle’s approach to risk management provides a single platform that contributes to the achievement of business objectives by ensuring transparency in business operations.
Click below to read the full article.