THE ROLE AND ORGANISATION OF THE RISK MANAGEMENT FUNCTION IN BELGIAN ENTERPRISES

Word count: 24,045

Jonas de Sagher
Student number: 01306922

Supervisor: Prof. Dr. Ir. Regine Slagmulder

A dissertation submitted to Ghent University in partial fulfilment of the requirements for the degree of Master of Science in Business Administration

Academic year: 2017 - 2018

Confidentiality Agreement

PERMISSION

I declare that the content of this Master’s Dissertation may be consulted and/or reproduced,

provided that the source is referenced.

Name student :…………………………………………………………………………………

Signature

Jonas de Sagher


Abstract

Given the increased attention of regulators and other stakeholders regarding enterprise risk management (ERM), many new roles, responsibilities and structures have been set up to tackle this relatively new core management competency. An increasing volume and impact of risks has prompted corporate governance structures to focus significantly on risk management. This Master thesis compares the organisational structures, roles and reporting lines regarding risk in leading organisations (ca. 15; majority non-financial). It therefore aims to investigate how the risk management function is organised in Belgian enterprises. Essential are the following three research questions: (i) who embodies the role of the risk management function in Belgian enterprises and how is it organised?; (ii) how do the lines of assurance (overview of roles, responsibilities and reporting lines) take shape in Belgian enterprises?; (iii) is there a positive relation between the role and organisation of the risk management function and ERM maturity?

Based on within-case and cross-case analysis of in-depth interviews and maturity assessments, the following three associated main conclusions could be drawn: (i) the function can be organised through a separate risk unit, but is mostly organised through a unit along with other management and control activities such as compliance or finance. In less mature companies, the tasks and responsibilities are included as part of another individual role such as internal audit. Within the C-suite, unless a CRO position exists, the CFO and CEO are most involved. Organisational structures vary significantly across the observed enterprises; (ii) there is a shift towards more formal and direct reporting to the top of the organisation. Fifty percent of the respondents use the three lines of defense model to address the risk governance structure. The interaction between the second and third line is increasing significantly; (iii) no significantly positive relation was found regarding the most effective approach for maturing ERM in an organisation, since there is no one-size-fits-all approach. However, in general it is shown that a separate and single elaborate organisational risk unit in the second line of defense, along with support and involvement of the top, positively influences ERM maturity in Belgian public organisations.


Dutch summary

The rise of risk management is one of the most important organisational shifts of the last decade. Owing to the growing attention of regulators and other stakeholders to risk management, many new roles, responsibilities and structures have been set up to tackle this relatively new management competency. The increased volume of risks, with consequences that should not be underestimated, has led to corporate governance structures that focus more on risk management. This study makes it possible to compare the organisational structures, roles and reporting lines with respect to risk in different organisations and to relate these to their enterprise risk management (ERM) maturity. It examines how the risk management function is organised in Belgian enterprises.

First, the presence and development of risk management, and of ERM in particular, is examined. Next, the roles and responsibilities of the various actors involved are considered, together with the reporting lines. Finally, it is investigated whether a relationship exists between the ERM maturity stage of these companies and the organisation of the risk function.

Through in-depth interviews and maturity assessments with members of the board of directors and management of twelve non-financial and two financial listed companies, interesting conclusions were drawn about enterprise risk management in Belgian companies with respect to the research questions posed. The qualitative research made clear that in a significant number of companies various structures are being set up to manage risk management more actively, although they are still often organised together with other management and control mechanisms and responsibilities. There is also a clear increase in formalisation and more direct upward risk reporting.

In general, we can conclude that a separate risk unit in the second line has a positive influence on ERM maturity, but this result is not significant, since in other companies a different approach will work more effectively, given that this depends on, among other things, the sector and the characteristics of the organisation.


Acknowledgements

Writing this Master thesis was a challenging yet rewarding project. I would like to express my undying gratitude to all the people without whom this would not have been possible.

First, I want to thank my Professor Regine Slagmulder, who guided me throughout the process. She gave me useful advice and input. Secondly, I would like to thank my parents for supporting me from day one at Ghent University. Along with my girlfriend, they helped me through the usual struggles that come along with writing a master's dissertation. They were there for me every step of the road. In addition, I would like to acknowledge the participants for their co-operation and willingness to spend time providing me with relevant insights for this study. Last but not least, I want to give a big shout-out to my friends. I would not have been able to finish my master study without their encouragement.


Table of Contents

Confidentiality Agreement ......................................................................................................... I

Abstract ...................................................................................................................................... II

Dutch summary ........................................................................................................................ III

Acknowledgements ..................................................................................................................IV

List of Abbreviations ...............................................................................................................VIII

List of Figures ............................................................................................................................ IX

List of tables .............................................................................................................................. IX

1. Introduction ........................................................................................................................... 1

2. Risk and risk management .................................................................................................... 3

2.1 Key Definitions and Concepts........................................................................................... 3

2.1.1 Defining risk ............................................................................................................... 3

2.1.2 Risk appetite .............................................................................................................. 4

2.2 The rise of risk management ............................................................................................ 5

2.2.1 History ....................................................................................................................... 5

2.2.2 Introducing risk management ................................................................................... 6

2.2.3 Risk Management vs Internal Control ....................................................................... 7

2.3 Enterprise risk management ............................................................................................ 8

2.3.1 Introduction to ERM .................................................................................................. 8

2.3.2 Definition ERM .......................................................................................................... 9

2.3.3 ERM practices .......................................................................................................... 10

2.3.4 ERM Implementation .............................................................................................. 11

2.4 Risk Management Frameworks ...................................................................................... 12

2.4.1 COSO ........................................................................................................................ 13

2.4.2 ISO............................................................................................................................ 15

2.4.3 COSO ERM vs ISO 31000.......................................................................................... 16

2.5 The Risk Management Process....................................................................................... 17

2.5 Risk Management Maturity............................................................................................ 19

2.6 Risk Management in practice ......................................................................................... 20

3. Leadership in Risk Management ......................................................................................... 22

3.1 Risk governance and corporate structure ...................................................................... 25

3.2 The Board ....................................................................................................................... 28

3.2.1 Risk Committee ....................................................................................................... 30

3.2.2 Audit Committee ..................................................................................................... 31

3.3 Management .................................................................................................................. 32


3.3.1 CRO .......................................................................................................................... 32

3.3.2 CEO .......................................................................................................................... 33

3.3.3 CFO .......................................................................................................................... 34

3.3.4 CIO ........................................................................................................................... 34

3.3.5 Compliance professional ......................................................................................... 35

3.3.6 Business unit Managers........................................................................................... 35

3.4 Internal audit – Chief Audit Executive (CAE) .................................................................. 36

3.5 Outsourcing the function ............................................................................................... 36

4. Empirical study..................................................................................................................... 37

4.1 Research Questions ........................................................................................................ 37

4.2 Goal................................................................................................................................. 37

4.3 Methodology .................................................................................................................. 37

4.4 Interview approach ........................................................................................................ 38

5. Analysis ................................................................................................................................ 40

5.1 Applied technique .......................................................................................................... 40

5.2 Within Case Analysis....................................................................................................... 40

5.2.1 Company A .............................................................................................................. 40

5.2.2 Company B............................................................................................................... 42

5.2.3 Company C............................................................................................................... 44

5.2.4 Company D .............................................................................................................. 46

5.2.5 Company E ............................................................................................................... 47

5.2.6 Company F ............................................................................................................... 49

5.2.7 Company G .............................................................................................................. 50

5.2.8 Company H .............................................................................................................. 51

5.2.9 Company I ................................................................................................................ 53

5.2.10 Company J ............................................................................................................. 55

5.3 Cross-case analysis ......................................................................................................... 56

5.3.1 Start and triggers of ERM ........................................................................................ 56

5.3.2 Organisation of enterprise risk management and risk appetite formation ............ 57

5.3.3 Further development and improvement of ERM.................................................... 57

5.3.4 People involved with and roles of the risk management function ......................... 57

5.3.5 Support of the board and senior management ...................................................... 59

5.3.6 Reporting lines, communication and awareness .................................................... 59

5.3.7 ERM maturity........................................................................................................... 60

6. Conclusion ............................................................................................................................ 61


6.1 General Conclusions ....................................................................................................... 61

6.2 Research Limitations & Future Research ....................................................................... 63

7. Bibliography ........................................................................................................................... X

8. Attachments......................................................................................................................... 18

8.1 Interview Questions ....................................................................................................... 18

8.2 ERM maturity assessment .............................................................................................. 19

8.3 Interview Company A ..................................................................................................... 22

8.4 Interview Company B ..................................................................................................... 26

8.5 Interview Company C ..................................................................................................... 29

8.6 Interview Company D ..................................................................................................... 31

8.7 Interview Company E...................................................................................................... 34

8.8 Interview Company F...................................................................................................... 38

8.9 Interview Company G ..................................................................................................... 40

8.10 Interview Company H ................................................................................................... 42

8.11 Interview Company I .................................................................................................... 45

8.12 Interview Company J .................................................................................................... 50

8.13 Interview Company K ................................................................................................... 54

8.14 Interview Company L .................................................................................................... 58

8.15 Interview company M .................................................................................................. 62

8.16 Interview Company N ................................................................................................... 65

8.17 Within-case Analysis Company K ................................................................................. 69

8.18 Within-case Analysis Company L .................................................................................. 70

8.19 Within-case Analysis Company M ................................................................................ 71

8.20 Within-case Analysis Company N ................................................................................. 72

8.21 CASE/TOPIC MATRIX..................................................................................................... 74

8.22 Respondents list ........................................................................................................... 80

8.23 Strategy and value oversight ........................................................................................ 81

8.24 Milestones in the history of risk management ............................................................ 82

8.25 COSO Framework eight components ........................................................................... 83

8.26 ISO Standards regarding Risk Management ................................................................. 85

8.27 Risk Management Organisations.................................................................................. 85

8.28 ERM Information Systems ............................................................................................ 87

8.29 RIMS risk maturity model maturity levels, attributes and underlying competency drivers ...... 88

8.30 Roles & Responsibilities of a Risk Management Committee ....................................... 89


List of Abbreviations

3LoD Three Lines of Defense

BCG Boston Consulting Group

CAE Chief Audit Executive

CEO Chief Executive Officer

CFO Chief Financial Officer

COO Chief Operational Officer

COSO Committee of Sponsoring Organizations

CRA Credit Rating Agency

CRO Chief Risk Officer

ECB European Central Bank

ERM Enterprise Risk Management

FERMA Federation of European Risk Management Associations

GDPR General Data Protection Regulation

GRC Governance, Risk & Compliance

HBR Harvard Business Review

IA Internal Audit

IC Internal Control

IMA Institute of Management Accountants

ISO International Organisation for Standardization

KPI Key performance Indicators

KRI Key Risk Indicators

NACD National Association of Corporate Directors

NBB Nationale Bank België

NSZ Neutraal Syndicaat voor Zelfstandigen

PWC PriceWaterhouseCoopers

RM Risk Management

RMC Risk Management Committee

ROI Return on investment

S&P Standard and Poor’s

SME Small and medium-sized enterprises

SOx Sarbanes-Oxley

TRM Traditional Risk Management


List of Figures

Figure 1: Elements of Risk Appetite (COSO–strengthening ERM for strategic advantage, 2009). 5

Figure 2: COSO Internal Control vs. COSO Enterprise Risk Management (McNally & Tophoff, 2014) . 14

Figure 3: The Risk Management Process (ISO) ............................................................................................. 18

Figure 4: Stages of Risk Management Maturity (Pergler, 2012) ................................................................ 19

Figure 5: Risk Maturity Levels and Components - RIMS (LogicManager, n.d.) ................................. 20

Figure 6: Organisational oversight structure (Protiviti Guide to ERM – FAQ, 2006) ...................... 26

Figure 7: Three Lines of Defense model (IIA guidelines, 2017) ............................................................ 27

Figure 8: Strategy and Value Oversight (Risk Oversight Solutions Inc., 2018) .................................... 81

List of tables

Table 1: Milestones in the history of risk management by Dionne (2013), Risk Management: History, Definition and Critique ......................................................................................................................... 82

Table 2: Risk Management organisations (ifrima, n.d.; intosia, n.d.; ferma, n.d.) ................................. 85

Table 3: Enterprise Risk Management Information Systems (rims, 2018) ............................................ 87


1. Introduction

The need for effective risk management has led to a shift from a traditional ‘siloed’ approach to a more enterprise-wide approach, referred to as Enterprise Risk Management (ERM). Within this approach, different risk and control specialists and professionals work together to manage the risks their organisation is facing. Since the duties regarding risk management are increasingly divided across different organisational levels and pressured by regulators, they must be clearly coordinated to assure the operationality of the risk and control processes (IIA, 2013).

The importance, benefits and added value that sound risk management can provide are increasingly recognised, and this leads enterprises to introduce uncertainty expert roles, such as organisational risk units, structures, teams or individuals, to which they assign responsibility for risk management. However, in 2015 the RIMS & MARSH annual report uncovered that while risk management functions are evolving, the value risk executives add to their company currently lacks successful measurement methodologies. On the other hand, in the same year the Journal of Risk and Insurance published a research study, performed by Farrell & Gallagher (2015), that measured a twenty-five percent market valuation premium for firms that have reached a mature level of ERM, based on the RIMS Risk Maturity Model.

This evolution towards mature ERM brings a greater number of tasks, roles and responsibilities that should ensure the protection of value and improve decision-making. The roles and responsibilities of the various risk owners and control functions (e.g. internal audit, compliance and the risk management function) need to be clearly understood throughout the company, help the board and senior management to manage in an objective-centric manner, and assist line management in communicating risk information to a higher organisational level.

Given this greater complexity, it is important for organisations to gain insight into the entities involved in the process, the reporting lines and the overall organisation of ERM. Nottingham (2014) points out that defining the risk governance structure is key to an effective risk management communication system. He argues that a company should always ensure that roles and responsibilities are defined at board and management levels and clearly allocated.


Several risk management frameworks have been set out to guide enterprises in effectively identifying and managing risk, but little attention has been paid to describing by what means specific duties should be assigned and coordinated.

The management of uncertain events must take place at different organisational levels. If the organisational structure supports risk communication and dialogue between the different internal risk practitioners, the designed frameworks might benefit significantly. The application of the Three Lines of Defense model is one way to address this lack of coordination. It not only enhances communication within the organisation, it also clarifies the duties and responsibilities of the risk and control professionals. This can help an organisation improve the effectiveness of its risk management and control. However, there could be a need to update the current model.

This master thesis presents research on the role and organisation of the risk management function in Belgian enterprises. In the first part, a literature study is conducted, outlining the different relevant concepts and the state of the art concerning ERM. It also delineates the different entities embodying the risk management function and thus carrying risk management responsibilities and leadership. The second part provides a qualitative study, based on in-depth interviews with different risk professionals in leading Belgian companies. I analysed the obtained data individually but also across cases. The results of the conducted interviews allowed for drawing conclusions that will add to the current knowledge of the organisation of the risk management function.


2. Risk and risk management

2.1 Key Definitions and Concepts

2.1.1 Defining risk

Risk, hazard and uncertainty

Rational decision-making requires a clear way of expressing risk. In this way, it can be properly weighed, along with all other costs and benefits in the decision process, as Kaplan notes. We should not only define risk, but also acknowledge the difference between risk and uncertainty, as well as between risk and hazard. The notion of risk involves both uncertainty and some kind of damage. This received damage or loss distinguishes risk from uncertainty. Hazard is defined in the dictionary as ‘a source of danger’. As an example, the ocean can be said to be a hazard. If we attempt to cross it in a rowboat, we undergo great risk. If we use a cruise ship, the risk is small. The cruise ship is thus a device that we use to safeguard us against the hazard, resulting in small risk (Kaplan & Garrick, 1981). This comparison is of great help in understanding these crucial concepts, but modern approaches disagree with this purely negative perception of risk.

Towards an accepted risk definition

Risks affect the economic performance of organisations. Environmental, safety and societal outcomes can be influenced, as well as their reputation (ISO, n.d.; Yilmaz & Flouris, 2017). Therefore, in this world full of uncertainty it is important to understand what risk is and how to define it properly. Twenty years ago, a committee of Australian Standards and New Zealand Standards developed a standard for risk management, which defined risk as ‘the chance of something happening that will have an impact on objectives’. This worldwide accepted definition led to a global standard for risk management by ISO only a couple of years later. Its definition is ‘the effect of uncertainty on objectives’. There is a shift in emphasis between both definitions from ‘the event’ to ‘the effect’, more specifically to ‘the effect on objectives’ (Broadleaf, 2012). The standards emphasise that these effects can be either positive or negative, unlike previous ways of thinking wherein risk was automatically related to something bad. Managers generally associate risk with negative outcomes (March & Shapira, 1987). Managing threats and opportunities with uncertain outcomes in a rapidly changing environment improved the acceptance of risk management as a strategic tool. Slagmulder (2012) showed this enlarged importance of risk in strategic decision-making, as she found that the positive perception of board members towards risk has increased, allowing for better turning risks into opportunities.


Typology and categorization of risk

It is indispensable for professionals dealing with risk to have good knowledge of the different types of risks that can occur and to be able to name the top risks their industry or company is facing. They should spend enough time to get a clear view on risk exposures. This can serve as a basis for risk management implementation. Also, categorization of risks makes it possible to assign risk owners to a set of interrelated risks, or at least a bundle of risks within the same field. Kaplan & Mikes (2012) confirm this by stating that an organisation should understand the different types of risks it faces for its risk management to be effective. They categorized organisational risks into preventable risks, strategy risks and external risks.

The first category covers preventable internal risks that you want to avoid. This can be done by monitoring the existing processes and aligning the behaviour of employees with the values and risk appetite of the organisation through e.g. guidelines or codes of conduct. The second category, strategy risks, differs from the first because you need and want to take some risks to increase value. For the last category, it is mostly not in our power to avoid these externally originated risks, but through insurance and similar measures they can be managed. A recent report showed that cyber risks are currently the top priority for a significant number of organisations, followed by organisational risks such as the improvement of RM practices (RIMS, 2015).

2.1.2 Risk appetite

Risk management can’t be designed without defining the company’s risk appetite. Risk appetite is the total amount of risk exposure an organisation wishes to undertake based on several risk-return trade-offs (Crickette et al., 2012). It is linked with expected returns and can be expressed quantitatively or qualitatively (Kaplan & Garrick, 1981). However, some risks are impossible to quantify. COSO (2004) states it is critical to define the acceptable level of risk in the pursuit of value. ISO 31000 (2009) adds that it is the level of risk you do not consider worth mitigating any further.

Risk appetite may vary depending on organisational culture, industry and strategy. Based on evaluations, it should be stated clearly who decides what acceptable level of risk can be taken. The board has ultimate responsibility for setting out the risk appetite of the organisation. A study of COSO (2009) provided a figure on the different elements in determining the risk appetite of the organisation, along with a brief explanation of each element.

Figure 1: Elements of Risk Appetite (COSO – strengthening ERM for strategic advantage, 2009)

Risk tolerance

Moeller (2007) states that risk tolerances guide operating units as they implement risk appetite. It is the risk exposure you are prepared (but not necessarily happy) to take in pursuit of your objectives. Risk taking above the tolerance must be mitigated. Risk taking below the tolerance may be mitigated further based on sound cost/benefit considerations (ISO, 2009). Lastly, the literature adds that it is the acceptable variation of risk around individual objectives.

Risk tolerance vs risk appetite

These are both critical components of an effective ERM program (Crickette et al., 2012). Without a clear understanding of the overall attitude to and tolerance of risk by the professionals in a firm, it becomes nearly impossible to manage risk. A recent survey by Deloitte (2017) of over 2000 risk professionals noted that 77 % did not have a written, approved statement of risk appetite at enterprise level in their institution. Risk appetite marks the point beyond which further risk should not be taken, while risk tolerances relate more to the degree of flexibility (Crickette et al., 2012).

2.2 The rise of risk management

2.2.1 History

It is assumed that corporate risk management became a career before the concept of ‘risk manager’ even existed. In the 18th century, the first actuaries were already working in England. However, at any point in history at which people managed businesses, countries or armies, there were people employed to manage risks. In the last century, the main form of risk management was purchasing insurance against circumstances or events beyond the control of the entity (Cendrowski et al., 2009). Dionne claims the topic began to be studied after World War II. He concludes that the objective of a risk manager/owner should be to maximize firm value via the reduction of costs associated with different risks. He also stresses the need for integrated risk management, as described below.

In the 70s, traditional risk management started to take shape, being an approach in which the various responsible departments and business units managed risk separately. This silo approach is ineffective (Tonello, 2012). The development of risk management was basically a response to globalization (Cendrowski et al., 2009). Once the first modern standard for risk management, AS/NZS 4360:1995, was published, Canada as well as England and Wales followed shortly. It took until the financial scandals of the 2000s before the US accepted the need for standardization and created the 2002 Sarbanes-Oxley Act (Cendrowski et al., 2009). In the Appendix, a table is presented with milestones in the history of risk management.

In 1993, James Lam, a well-known risk professional who has contributed substantially to risk management research and knowledge and invented the ERM model, introduced the term ‘chief risk officer’. This created increased attention for this new management function, which is still being shaped due to the changing scope of its tasks. However, companies initiating or introducing risk management should not start by creating a CRO. Instead, it might be better to delegate the implementation to an existing position, such as a CAE or CFO.

2.2.2 Introducing risk management

Risk management has been around for a while but has come up to speed after the global financial crisis. Praised researchers such as Mikes (2009) and Power (2009) concluded that defective and low-quality risk management was one of the causes of this global catastrophe. In the last decade, risk management has evolved from a departmentalized activity to a management competency. Nonetheless, only firms that naturally own their risks can manage their exposures optimally (Gerken et al., 2010). Firms should identify the risks they should keep and manage, and transfer those they should not (Buehler et al., 2008). Natural risk ownership is based on the three lines of defense model, which we will see and discuss further below.

Firms of all kinds often feel that the significant investments made in their risk management systems are money wasted, especially if they have still suffered big losses due to the crisis. These companies struggle to decide whether they should fix the failed risk management approach or redesign it from scratch (Gerken et al., 2010). The traditional approach, according to which risk is a necessary evil which must be removed, is no longer sufficient, and that is why companies nowadays are forced to spend significant resources to manage risks (Simona-Iulia, 2014). Companies where risk is approached as a compliance issue with rule-based risk management, and thus where the solution always lies in setting up a whole set of rules to resolve risks, will fail to be effective, since some risk categories can’t be approached in this manner (Kaplan & Mikes, 2012). In the first results of research to find an answer to what went wrong, it appears that risk management per se is not to blame and the fault may lie in the way certain companies executed certain risk practices (Gerken et al., 2010).

Nevertheless, sound risk management can provide organisations with great benefits in terms of eliminating surprises, understanding the magnitude of risk exposures and improving business decisions, to name a few. It is an indispensable element of sound governance. It should also support the organisation in understanding and responding to the regulatory environment. This can be accomplished by influencing the impact and likelihood of events, understanding the correlated types of risk and monitoring the evolution and maturity of the risk profile (IIA, 2017).

The risk approaches companies use determine to what extent they are able to turn risks into opportunities. Risks should be dealt with proactively. If not, the consequences can negatively influence reputation and lead to internal and external dissatisfaction. A recently published diagram, extracted from the latest COSO update, illustrates two of the most common approaches in risk management and can be found in the Appendix.

Unfortunate operational and non-operational risk events are affecting companies worldwide (Pergler, 2012). Large, financial and public companies feel their risk oversight is more mature than that of others. This does not mean they have no opportunities left to increase this maturity, especially given the fact that organisations agree the volume and complexity of the risks they face continue to increase over time. We can thus state that increasing risk complexity outpaces ERM oversight (Beasley et al., 2017; McDonald, 2017). AMRAE (2013) argues that risk management should cover all activities and concerns all the internal and external stakeholders in an organisation. These activities, designed to treat uncertainty and events influencing goal achievement, are systematic, proactive and coordinated (IIA, 2017).

2.2.3 Risk Management vs Internal Control

The concept of risk management is often confused with another concept: internal control. An American foundation, COSO, studied both concepts carefully and published a framework to help understand and implement each. The document on internal control was issued in 1992 and revised in 2013, while the ERM framework was initiated in 2004 and has just been updated. To gain a clear view of the similarities and differences, we take a glance at the definitions as provided by COSO.

“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.” (COSO, 2013)

“ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of objectives.” (COSO, 2004)

We can conclude there is quite some overlap, but internal control is rather a consequence of risk management and embodies only a part of the process.

2.3 Enterprise risk management

2.3.1 Introduction to ERM

Enterprise risk management has gained a lot of attention, especially in the last decade. It has been more widely adopted due to different influences such as board accountability and disclosure requirements, academic proof of longer-term benefits and the increased importance of ERM in corporate credit ratings by CRAs (Minsky & Fox, 2015).

In 1995, the first modern standard for risk management was published by Standards Australia, AS/NZS 4360, with others following shortly. At the beginning of the 21st century, a new approach was formed to tackle the shortcomings of former risk management programs: Enterprise Risk Management. COSO was the first to issue a framework for this new concept in 2004. ERM provides a global focus on the various aspects of company risk management (Simona-Iulia, 2014).

The process is not radically changed, but it serves as an improved version of the traditional risk management approach, created by expanding its scope. The process is led by the board, audit committee, senior management, the CFO, CRO, CEO or internal audit, whereas in traditional approaches often only one single individual was responsible for RM. Back then, it was mainly focused on financial risks and had less strategic influence. The interrelation of risks and the interaction between units and departments require a centralized risk function to broaden the scope immediately and ensure risk management leadership across the entire organisation. ERM serves as a new paradigm in the control of the risks organisations face and enhances the improvement of risk management and corporate governance by policy makers. It is a new concept that revolutionizes the traditional approach and summarizes risk management in an integrated, comprehensive and strategic system (Simona-Iulia, 2014). It should be treated as a core management competency.

This holistic approach improves on the traditional one since it evaluates risk appetite and strategy against a risk portfolio on an enterprise-wide basis. It is exercised across all organisational units and functions, evaluating not only the downside of risk but also positive outcomes, and focuses on the consequences for the whole entity. This balance between opportunities and threats will keep risk at an acceptable level and can serve as a basis for decision-making. Related to this, the balance between risk exposure and expected ROI should also be investigated by the responsible risk management function and communicated to higher levels. An imbalance in this relation is referred to as a ‘risk gap’. The concept is interrelated with governance because it can serve as a tool to ensure the alignment and communication of the business’ objectives and goals with its processes and controls (IIA, 2017).

2.3.2 Definition of ERM

In the last decade, enterprise risk management (ERM) has been defined by multiple organisations. ERM is synonymous with integrated risk management (IRM), holistic risk management, enterprise-wide risk management (EWRM), and strategic risk management (Hoyt & Liebenberg, 2011). In this study, the acronym ERM is used.

The most widely used definition is that of COSO, outlined in the section ‘risk and risk management’. They recently updated this internationally accepted definition in their 2017 COSO ERM framework, to focus more on the contribution of ERM to value creation.

“The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organisations rely on to manage risk in creating, preserving, and realizing value.” (COSO, 2017)

John Hampton (2009) divided the broad range of ERM definitions into three categories. First, strategic definitions define ERM in terms of organisational objectives, focusing on results. Second, a functional definition expresses ERM in terms of activities reducing risk and, last, a process definition focuses on the actions taken by management to manage risks.

So, it is observed that ERM is a process of planning, organising, leading, and controlling the activities of an organisation to minimize the effects of risks on its capital or earnings. It is a technique to plot a path and then to use tools and techniques to stay on that path, by holding key individuals responsible.

2.3.3 ERM practices

NC State’s ERM Initiative releases an overview of ERM practices each year. The initiative, in partnership with the American Institute of Certified Public Accountants (AICPA), is seen as one of the top sources when it comes to ERM. Their latest issue of the state of risk oversight provides quite some interesting findings on the evolution of ERM.

They found that the complexity and volume of risks is increasing; significant operational losses are increasingly occurring; the majority of respondents do not believe their processes are mature enough to reflect enterprise-wide risk management; most organisations are struggling to integrate risk management with strategic planning; the number of organisations establishing management-level risk committees and designating individuals to serve as a CRO or equivalent is increasing by double digits; and boards are asking for increased senior executive involvement (Beasley et al., 2017).

The benefits of more sophisticated risk management practices among senior management were highlighted during the financial crisis. It influenced the risk oversight capabilities of boards in a positive manner, also because of the increased focus on their responsibilities in risk management. Another aspect that arose is executive compensation arrangements leading to the encouragement of excessive risk-taking. Boards are now focusing more on finding a balance in these compensation arrangements, to give incentives to achieve KPIs without exposing the company to unwanted risks. Boards as well as the majority of senior management admit that the integration of strategy development with a better understanding of its associated risks needs to be strengthened (COSO, 2009).

RIMS was founded in 1950 as an association of risk professionals. They periodically perform research and surveys to search for trends and benchmarks within the risk industry. In their Benchmark survey, they recently asked risk managers about obstacles to practicing ERM and the reasons for not having an ERM program. The managers listed some well-known hurdles, including unclear ownership of the program and a need for business unit involvement, silo mentality due to a lack of willingness to be transparent, and lack of funding, staff and executive support (McDonald, 2017; RIMS, 2017). However, there are also transferable good practices and, although they might need customization to the firm or sector, some of them can be immediately applied without individual improvisation (Pergler, 2012).

2.3.4 ERM Implementation

Few, if any, companies can claim they have fully implemented ERM, as assumed by COSO. They say it is a continuous process, and thus never completed. The risk professionals/owners in the companies also admit to this fact. “Most executives feel their companies still have a long way to go in building a risk-aware culture.” (HBR, 2011) Only one tenth of respondents claim to already have a “strong, efficient risk-aware culture”. Increased risk awareness allows better operational and strategic decision making. A recent study by Beasley, Branson and Hancock with over 600 respondents concluded that one out of four companies claim to have a complete ERM process in place.

Many firms start implementing ERM systems in their organisation. It mostly takes the form of a framework, which describes methods and processes of managing risks. This process involves identifying risks and opportunities by exploring circumstances and events relevant to the disclosed objectives. The identified risks are assessed in terms of likelihood and magnitude of impact, which allows for prioritization of the key risks in a given business. The next phase implies the determination of a response strategy and monitoring the progress made.

This process seems easy on paper, but as ERM practice has proven, in reality it is without question very demanding. Therefore, several frameworks have been created to help companies and their managers with this matter. The stage of ERM implementation is positively related to the presence of a chief risk officer, board independence, apparent CEO and CFO support for ERM, the presence of a Big Four auditor, entity size, and being in the banking, education, and insurance industries (Beasley et al., 2005; Choi et al., 2016). Identifying leaders throughout the organisation and gaining their support is therefore critical to successful implementation (Protiviti Inc., 2006).

It has long been doubted whether ERM adds value to an organisation. After the struggle to implement ERM, the concept can be very beneficial. Hoyt & Liebenberg (2011) state there is a lag between ERM implementation and benefit realization, but also found there is added value after implementation, using Tobin’s Q as a proxy for firm value. However, their research focused only on the US insurance sector.

Some of the advantages of implementing ERM that COSO points out are:

• Assisting management with aligning risk appetite and strategy;
• enhancing risk response decisions;
• reducing operational surprises and losses;
• identifying and managing cross-enterprise risks;
• providing integrated responses to multiple risks;
• seizing opportunities;
• improving deployment of capital (Hayne & Free, 2014).

However, many researchers have investigated the benefits of implementation and found a variety of similar as well as different advantages, of which the former are included above. Further, decreasing earnings and stock price volatility, reducing external capital costs, increasing capital efficiency, and creating synergies between different risk management activities have been found to be other positive consequences of implementing ERM (Miccolis & Shah, 2000; Cumming & Hirtle, 2001; Lam, 2001; Meulbroek, 2002; Beasley, Pagach & Warr, 2008; Hoyt & Liebenberg, 2011).

Not only have consulting firms established specialized ERM units to cope with its increased importance; rating agencies have also begun to consider ERM in their ratings process and acknowledge it is a critical management issue.

Nearly all banks, insurance and public companies are evaluated by one of three major credit rating agencies: Moody’s, Fitch or Standard & Poor’s (S&P). As ERM became a separate major category of S&P’s rating analysis by the end of 2005, its significance was proven (Hoyt & Liebenberg, 2011). They were the first agency to formalise ERM as a separate part of their credit rating analysis (Baxter et al., 2013).

Initially this applied only to financial and insurance institutions, but by 2013 all management and governance assessments included a formal evaluation of ERM. S&P’s four major components in the ERM evaluation of a company are (a) risk management culture and governance, (b) risk controls, (c) emerging risk preparation and (d) strategic risk management. Of course, the fact that S&P addresses ERM separately doesn’t mean the other CRAs don’t pay attention to it.

2.4 Risk Management Frameworks

Designing a framework can be extremely beneficial for risk managers and other actors involved with risk management. First, it brings clarity on their role and the role of others, as well as how they should interact. Second, the description of principles, guidelines and a code of practice will facilitate several tasks, outline the boundaries of one’s responsibilities and create an overall understanding of key risk concepts. Finally, authorities and accountabilities will be clear and the model will serve as a way to assess the organisation regarding its risk management.

A risk management framework normally includes:

• Identification of events influencing the achievement of objectives;
• determination of the policy and appetite concerning risk;
• the organisation and design of the risk management function;
• internal and external reporting and communication structures;
• resource allocation to the function (IIA, 2017).

Recent studies by PWC concluded that the majority of respondents did not use any standard for the implementation of risk management and internal control. However, using a standard allows an organisation to compare itself with and get in line with best practices, and introduces a common risk and control language. Although these frameworks often remain silent about the positioning of the risk management function, because this depends on the characteristics of the organisation and there is no one-size-fits-all approach, they do often recommend that the function must report directly to executive management (IIA, 2017). In this section, I will describe and compare two internationally accepted risk management frameworks, namely COSO and ISO, which can add to the understanding and organisation of ERM. In the Appendix, other models and standards can be consulted.

2.4.1 COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative brought to life in 1985 by five private sector organisations:

- American Accounting Association (AAA)
- American Institute of Certified Public Accountants (AICPA)
- Financial Executives International (FEI)
- Institute of Management Accountants (IMA)
- The Institute of Internal Auditors (IIA) (COSO, 2004)

After having a look at the founders of COSO above, it is seen that risk management and internal control are important for financial professionals, auditors and accountants, among others. Still, enterprise risk management should be embedded in the whole firm and break through the boundaries of the finance & accounting department. It should find its origin at the top of the organisation and be present in its culture from top to bottom. Every member should be somehow involved and actively care about creating an environment where risks are embraced instead of ignored. COSO develops frameworks and provides guidance on ERM, internal control and fraud deterrence. They analyse the extent to which firms have implemented or executed ERM programs. The effects and determinants of ERM, as well as its value, were modelled. After assessing firm value before and after, they found a positive correlation between the use of ERM and the firm’s value (COSO, 2004).

In 2004, COSO published the ERM – Integrated Framework to help organisations assess and improve their internal control system. It is arguably the most used framework concerning risk management worldwide (Hayne & Free, 2014). Since then, they have issued two revised versions, one in 2013: COSO Internal Control – Integrated Framework, and the latest update in 2017: COSO Enterprise Risk Management – Integrating with Strategy and Performance.

In the well-known COSO IC & COSO ERM cubes, as issued by the IMA, not only has the number of components changed; COSO ERM also has a more future-oriented philosophy and emphasizes new best practices, such as the integration of ERM into the strategy of the business. A brief overview of the eight components of the 2013 version is given in the Appendix.

Figure 2: COSO Internal Control vs. COSO Enterprise Risk Management (McNally & Tophoff, 2014)

The 2013 revised version defines four types of objectives at the top of the cube: strategic objectives, set out through a governance structure and in line with the mission and vision, and operational ones, mostly concerning efficiency and effectiveness. Both can be influenced by the external environment. The reporting and compliance objectives are more internally based, but still depend on regulators.

At the front side we have the eight interrelated components needed to meet the objectives at the top of the cube. They cannot be perceived as a serial process, but as an iterative one. Almost any component can and will influence another, and thus communication throughout the process between those involved in risk management is crucial. This statement is substantiated, as the latest ISO 31000:2018 also stresses this idea. The elements should bring consistent and formalised terminology and approaches to be used to help achieve the objectives.

The third and final dimension of the cube cuts the organisation into different levels. This is to focus your mind on each part of the company, as well as the whole, from HQ to individual subsidiary levels, to stress that each component applies from the global board all the way to the individual units. In order to be successful, it is very important that each level is managed and operated properly.

The new 2017 update highlights the importance of considering risk both in the strategy-setting process and in driving performance. In the first part, current and evolving concepts of ERM are given, while the second part consists of the framework with an explanation of all 5 of the framework’s interrelated components, broken up into 20 different principles. These principles are generally applicable, regardless of size, type or sector. They can be of great use for an organisation in understanding the risks that come with pursuing objectives in a world of increased business complexity. The framework should enhance decision-making and strategies (COSO, 2017).

The COSO ERM 2017 executive summary points out that this update enhances the previous version in showing the value of ERM, most of all in understanding the impact of risk on performance. They witnessed the advantages of a tailored approach across geographies for markets and operations. The changing technological environment and the possibilities of data and analytics in decision-making convinced C-suites that the use of data and analytics can improve risk identification and mitigation (RIMS, 2015). Future and current risk professionals will benefit from evolving techniques and tools, such as automation and artificial intelligence.

2.4.2 ISO

The International Organization for Standardization is an independent organisation that develops standards that support innovation. In 2009, ISO 31000 was adopted, providing solutions to global challenges. It was initiated by Australia, New Zealand and Japan and is based on AS/NZS 4360. It is a family of risk management standards that provide structured principles and guidelines. It mainly focuses on the implementation of risk management, instead of really supporting the risk management process.

ISO 31000:2009 – Risk Management – Principles and Guidelines describes principles through a five-part framework¹ and a six-part process² for managing risk and building an ERM program. It can be used by any organisation regardless of activity, size or sector. Using ISO 31000 can help organisations increase the likelihood of achieving objectives. It improves opportunity and threat identification and effectively allocates resources for risk treatment. ISO 31000 cannot be used for certification purposes. It provides guidance for internal or external audit programs. Organisations using it can compare the sound principles for effective risk management and corporate governance to their own risk management practices. The principles describe eleven characteristics of risk management (Kelemen et al., 2016).

Shortly after, ISO Guide 73 and IEC³ 31010 were written. IEC 31010 focuses on risk assessment techniques, while Guide 73 collects and defines an overview of risk management vocabulary (ISO, n.d.). In 2018, ISO issued a new version of the 2009 standard, ISO 31000:2018, to respond to evolutions in the risk management field. It simplified language that was too technical, to increase accessibility, and updated its principles to create and protect value and to improve performance. In particular, it emphasizes the need for management to act as leaders in risk management, as well as the integration of risk management into all organisational activities, processes and decision-making. An overview of all published ISO standards regarding risk management and those still in development is given in the Appendix.

2.4.3 COSO ERM vs ISO 31000

As an educated risk practitioner, you should have read COSO as well as ISO. Both documents serve as a guide and may give you an idea to implement in your organisation. Be that as it may, the revised versions did not publish anything fundamentally new. Of course, there is a great difference in the length of the two documents. They help risk managers in convincing the board and management of the relevance of risk management.

One difference between the documents lies in the perception of events. In COSO, only events with negative consequences are considered as risk. Events with positive consequences are seen as opportunities and are not included in the risk assessment and further steps. This can lead risk owners to manage controls instead of risks. Consequently, COSO falls short in taking or increasing risk, while ISO does cover this and serves a broader spectrum of risk responses and risk management vocabulary. On the other hand, ISO does not cover inherent risk analysis and solely focuses on residual risk analysis. Further, in ISO 31000 risk identification is part of the risk assessment process, while in COSO these are two distinct processes.

¹ Mandate and commitment, design of the framework for managing risk, implementing risk management, monitoring and review of the framework, and continual improvement of the framework
² Establishing the context, risk identification, risk analysis, risk evaluation, risk treatment, and monitoring and review
³ International Electrotechnical Commission

Last, the most significant difference relates to the analysis of likelihood. In COSO, this is performed at the event level, while in ISO this is done at the consequence level. Regardless of the differences, there is still a considerable number of common topics, and thus both can be beneficial as guidance to organisations.

2.5 The Risk Management Process

The processes undertaken by employees and management to deal with risks should also be structured to offer risk professionals a clear view on the different steps that should be followed, from the moment the risk is identified until the risk response and monitoring element of this ongoing, iterative process. Organisations design risk assessments, risk management frameworks, risk appetite statements and risk profiles to document and measure risks. However, risk management is not only about dealing with risks; risk management is about helping companies achieve their objectives and make better decisions. This can be achieved by integrating ERM into processes and decision-making (Risk academy, 2017). The process or strategy is often based on three crucial elements: identification, assessment and response. Steps two, three and four in the risk management process illustrated below can be seen as the risk assessment. It is one of the most often used RM processes; a brief explanation of each element follows. The steps in the process as described by the COSO framework are also attached in the Appendix. Today, more software, platforms and other information systems exist to facilitate this process. In the Appendix, an overview of existing ERM information systems is provided.

Figure 3: The Risk Management Process (ISO)

Establishment

Define what you want to achieve and attempt to understand the internal and external factors that may influence your success in achieving objectives. Identify the stakeholders and their objectives. This is a continuous activity throughout the RM process.

Identification

This is a systematic process in which you identify the causes of the risks. This element is crucial to the risk treatment. Existing methods/controls that aim to modify the consequences or their likelihood should also be identified.

Analysis

In this step, you analyse the effectiveness of these controls and derive the level of risk as it is at present.

Evaluation

In the evaluation, a level of priority is assigned and a cost-benefit analysis shows whether risk treatment is worthwhile.

Treatment

In this phase, risk practitioners change the risk after understanding how it is caused and influenced. This can be achieved by improving existing controls or developing and implementing new ones. It often involves changing the likelihood, type and magnitude of the consequences of risks. If every step in the process is followed, the treatment can be done with confidence.

The traditional view delineated a transfer of risk. The term ‘risk transfer’ was adapted to ‘risk sharing’, since a risk cannot be completely abandoned. The risks can be reduced, but there will always be other risks involved.

Monitoring and review

Since environmental changes, both internal and external, bring new emerging risks and changes in existing risks, the organisation’s context should be periodically reviewed.

2.5 Risk Management Maturity

Standardized risk assessments and clearly defined mitigation and monitoring techniques will increase the firm’s risk intelligence. Risk managers should be able to communicate this information to a higher level. Further, there should also be a balance between presenting a summary of the top risks the organisation is facing and a report that also presents the underlying data and the specific context regarding these identified risks, which is often of poor quality given the overload of information.

Usually, management is responsible for risk management and internal control. However, in a large number of companies, the only people assessing and reporting the state of risk upwards are internal audit and risk specialists, while this responsibility should be driven by management.

These shortcomings can affect the risk oversight of the board. Only when the roles and reporting lines are clearly defined can the maturity and effectiveness of risk management increase. Below, an illustration is given of the different stages of maturity, as perceived and published by McKinsey.

Figure 4: Stages of Risk Management Maturity (Pergler, 2012)

In the past five years, the level of risk management maturity in non-financial companies has grown significantly (Righi & Fox, 2017). A consequence of this increased attention is that the demand for risk management experts is also growing. RIMS showed in its 2017 benchmark survey that organisations need to mature their ERM processes to a higher level. The majority of respondents declared that on every attribute of the RIMS Risk Maturity Model, improvement is possible.

The RIMS risk maturity model is the most widely used assessment tool for executives and others charged with risk management responsibilities. It is free of charge and aims to develop and improve ERM programs. It is beneficial for assurance purposes and for recommendations to mature an existing ERM program through a roadmap for improvement. The model helps in better understanding the organisation’s risk management requirements and in developing a strategy for reaching the targeted maturity and a sustainable ERM program. Research has shown a positive correlation between firm value and the greater effectiveness of more mature ERM programs (Minsky & Fox, 2015).

Figure 5: Risk Maturity Levels and Components - RIMS (LogicManager, n.d.)

Above, an illustration of the RIMS RM Maturity process is provided. It is a tool to find out to what extent the ERM program in an organisation is mature. First, a survey should be filled in, assessing different attributes such as risk appetite and performance management, ERM process management and so on. Also, the ERM program the company is using should be scored based on the presented competency drivers and their underlying key readiness indicators. After this step, a score on the current maturity levels and a personalized report will be provided. This report can easily be compared to the model with guidelines and action plans to reach a higher maturity level. It will highlight areas in need of extra focus and also the ones that have improved. It is advised to provide a maturity report on ERM to your board or senior management at least twice a year. This tool has been of great help to risk professionals and their respective internal auditors. In the Appendix, more information on the maturity levels and competency drivers is given.

2.6 Risk Management in practice

While new principles for corporate risk management continue to advance, empirical studies still too often fail to prove that practice is consistent with theory. This is due to a lack of meaningful data. What was once a concern primarily of senior executives in the financial sector has now become a top-management priority in nearly every industry. The financial sector provides sufficient frameworks and methodologies including risk management practices, especially related to financial and market risks. Although all sectors might get inspiration from them, they are not sufficient and none of them fits all. They need to be broadened to provide an overall RM framework, but corporate decision makers, from line managers to board members, often perceive this subject as bureaucratic, ineffective and unclearly scoped (Pergler, 2012).

Corporations used to disclose only minimal details of their risk management programs, and, as a result, most empirical analyses had to rely on surveys and relatively coarse data (Tufano, 1996). This is changing rapidly because of regulatory requirements. As this is not the core of this study, the current regulation is not described in detail.

Recent studies show an increase in the use of RM programs. In the financial industry, the number of organisations that had a fully or partially integrated RM program rose from 61 % in 2013 to 92 % in 2017. Comparatively, 73 % of the total respondents across 14 industries said they now have either a fully or partially integrated ERM program, up from 63 % in 2013 (McDonald, 2017; Righi & Fox, 2017).

In the Harvard Business Review survey of 2011, in which almost 1500 C-suite executives participated, almost seventy percent claimed risk management had significantly gained importance in the past three years. Another survey by Boston Consulting Group (BCG), published in CFO magazine, showed seventy-two percent of the respondents’ companies increased the resources and time devoted to risk management (Pudin et al., 2017).

The National Association of Corporate Directors (NACD) 2014 public company survey shows both directors and executives are not yet satisfied when it comes to risk communication. Over 50 percent feel that improvements are still needed, while 30 percent of directors stated they have spent a great amount of their time on risk issues. The Federation of European Risk Management Associations (FERMA) conducted the 8th European Risk and Insurance survey in 2016. It showed there is rising concern among risk managers about economic conditions and business continuity disruption since the previous FERMA survey in 2014. Together with political and country instability, these are regarded as the three top risks to businesses. Digital risks (cyber-attack/data privacy and IT systems) also gained importance in 2016.

3. Leadership in Risk Management

This section describes the key roles that participate in and support the risk management process. Their responsibilities and duties, as well as success factors, should be set out to define the role and purpose of the risk management function. This may help organisations in creating and developing a risk management function. Especially within financial services, enterprise risk management has gained a significant role and has been studied in 21st century literature. This led to an improved approach of executives towards risk management and the role of boards in risk oversight. Consequently, the risk management function is rapidly evolving. The industry is a determining factor in this increased need for risk professionals. Multiple entities are occupied with risk management, although the organisation of this function can take different forms. Some organisations appoint a separate unit, while others position the function alongside other control and risk functions, e.g. the CFO or a compliance professional. Mostly, some kind of CRO is present and responsible for risk management, but organisations often do not refer to this person as a CRO, as banks do. In this case, the role is often embodied by an audit function or the CFO, for example.

The organisation of the risk function and company growth

Risk managers should coordinate, educate and communicate risks. Their profile depends on the organisational structure and the field in which their actions will apply (FERMA, 2018). Not much is known about the significance of the organisation of ERM in non-financial industries. The roles of the individuals responsible for managing the risks a company faces and the boundaries of their responsibilities are starting to take shape, while the communication and dialogue between the different members of the firm responsible for ERM need extra attention. Although there is evidence that mainly large companies are more likely to use ERM programs (Beasley et al., 2005), all businesses face risk.

In the last couple of years, we faced great economic growth, and projections of future growth show a slight increase for the following couple of years (IMF, 2017). This growth goes along with a lot of business creation, but also with a lot of bankruptcies. Data from Graydon and UNIZO showed the number of start-ups in Belgium in 2016 rose to around ninety thousand, a rise of almost nine percent (De Tijd, 2017). However, the number of bankruptcies reached over ten thousand. The NBB website states this is a fall of 5 % compared to 2015, which is still a much higher rate than the 2016 NSZ data for Germany and the Netherlands. Since 80 to 90 percent of the jobs lost due to insolvent companies come from SMEs, it is clear that even in a small company there must be somebody taking responsibility for risk management, to prevent being surprised by different kinds of events.

Also, company growth comes along with great risks. The basic risk management solution has to be transformed into an ERM framework. This becomes indispensable as the quantity of data increases. When an enterprise has finally managed to grow successfully, there are still ongoing risks it must cope with. After reaching a certain size, a risk manager will be needed. The growth stage at which a risk manager is needed depends on the types of risk, the regulations and the quantity of data the company owns (Rhodes, 2017).

Because of the continuing low interest rate environment, which creates pressure on margins and returns, especially in the banking and insurance industry, corporations are looking into other areas for growth. In order for the business to respond to the current competitive threats, the risk function should be more involved in its evolution (Accenture, 2015). Their study also found that digitalization is playing an important role in growth. This is a risk that rises in step with the growth of the company, since start-ups often have fewer IT and cyber risks.

Communication and awareness

The shift in risk approach from a traditional, siloed bottom-up approach, without interaction between different risks and departments, to a top-down approach, in which integrated enterprise risk management gained significant importance in the risk management processes, comes along with a greater need for communication and risk awareness. Appointing an individual or a committee in the firm to improve risk thinking can put the topic on the agenda. When someone is held accountable for a particular risk, it should clearly improve the awareness and communication concerning this specific risk (National Research Council, 1989). The person, team or unit responsible for managing a certain part of the risk the enterprise faces is often referred to as the risk owner. ISO 31000 defines the risk owner as the person or entity that has been given the authority to manage a particular risk and is accountable for doing so (ISO, 2009).

Effective risk communication between the board of directors and the C-suite is indispensable in the current uncertain business environment (Nottingham, 2014). Many enterprises see senior management and executive support as the most important factor in their evolution of ERM. This commitment is critical and can be demonstrated through consistent communication and actions. Also, a high level of interest from the board of directors helps in making ERM work. If the board and the C-suite see ERM as an integral part of the achievement of business objectives, they are more likely to develop mature enterprise-wide risk management frameworks.

Increasing risk awareness (through management and/or board risk dialogue, risk thinking, the implementation of a framework or hiring a risk manager) might seem unnecessary or even obstructionist in the short term, but my belief is that it can certainly pay off in the long run. It is also sector-specific. Senior management should be aware of the riskiness of the business they are in. Not solely senior management, but everyone who matters within an organisation should contribute to the risk management process. Decision-makers at the top carry the final responsibility for ERM, but the process can only succeed when all managers of the organisation participate. European risk managers are increasingly gaining access to top management and the board, which enables them to fulfil a more strategic role in the organisation (FERMA, 2016). The managers with the greatest responsibilities for ERM are mostly the chief risk officer, the chief audit executive, the chief legal officer and of course the CFO. The managers of the organisation should participate in the entity’s risk management mentality. Also, risk officers should understand and communicate strategic uncertainties to other business lines (Mikes, 2008).

This is how ERM should be considered: as a management philosophy and a holistic management system, keeping in mind the organisational behaviour and affecting corporate culture, strategy and style of leadership (Yilmaz & Flouris, 2017). COSO (2004) also states that managers should enhance compliance with the given regulation and risk appetite. Some entities create new roles as a response to emerging risks (e.g. CRO), but changing the organisational chart alone will not be sufficient to manage risks effectively (COSO, 2009).

3.1 Risk governance and corporate structure

Risk management is present at various organisational levels. Depending on the focus, different risk management perspectives can be separated. The IIA (2017) concluded in its guidelines that three perspectives can be distinguished: ERM and task risk management, both focusing on the consequences for the organisation as a whole, and personal risk management, concentrating on the potential impact for the individual. The organisational positioning of the risk management function depends on its characteristics and ERM maturity.

In Europe, different corporate structures and board systems can occur. Some companies use a two-tier or dual board system. This consists mostly of an executive board and a supervisory board. This supervisory board is established and composed by the shareholders so that non-executives supervise and control the executive board. The executive board deals with the day-to-day business of the company. In a one-tier system there is only one board, consisting of executive and non-executive members. In the US, the distinction is often referred to as board of directors and executive committee, which implies they have only one board.

Organising different departments or units can be challenging, but a well-developed corporate structure binds members together and gives them clear guidelines on how to proceed (Corporate Finance Institute, n.d.). A structure could improve effective communication within and between departments and thus improve efficient decision-making. It should be initiated at an early stage of development but can change as a company grows (Community toolbox Kansas University, 2018).

Four types of structures can be distinguished. Functional structures, where groups of employees are formed based on their tasks, skill sets and accountabilities. Divisional ones, in which teams are created to produce similar products and business activities are organised into market, product, service or customer groups. In the literature, this structure is sometimes also referred to as a geographical or product structure, since this can form the base of the structure. Finally, matrix and hybrid structures occur. They combine both the functional and the divisional structure.

Advantages of the matrix structure are the decentralized decision-making process and more interaction between different departments. Some downsides might occur as well, since the costs of this structure are mostly higher and conflicts between vertical positions are more likely to happen. The hybrid structure is an often-used structure in which activities are divided into departments. These departments can be functional or divisional, and thus in each function resources and knowledge can be utilized, while in different divisions product specialization is maintained. Getting to know the structure of a company is essential in the formation of a risk management framework. It influences the communication, roles, autonomy and decision-making process within a firm. A widely used way to visualize this structure is to form an organisational chart, which is described below.

Organisational chart

An organisational chart offers a graphical representation of the different positions and hierarchical levels in the organisation. The chart, dating from the 19th century, was first used by Brinton in 1919. Haskell & Breaznell (1922) were the first to define the term, saying it graphically showed the relation of one official to another, or others. It is thus a way to visualize a complete and complex organisation, the functions and their relationships in this specific enterprise. It does, however, not specify the degree of authority and responsibility (Venkatesh, n.d.). It allows for gaining a clear view on how the network of positions and roles within a company takes form. The chart depends on the size of the organisation and its structure, but usually has a tree structure or flowchart. Organisation chart and organogram are synonyms widely used to refer to this type of chart.

Three different types of charts can be distinguished: vertical or top to bottom, horizontal or left to right, and circular charts. A chart specifies the authority and responsibility of every position and helps new entrants to understand these different levels. It can help in the decision-making process but has its limitations, since it only points out the formal organisational relationships and might cause a superior-inferior feeling.

Below is an illustrative example of a baseline internal organisational risk oversight structure:

Figure 6: Organisational oversight structure (Protiviti Guide to ERM – FAQ, 2006)

Three lines of defense model (3LoD)

New theories, principles, guidelines and models are constantly invented and optimized to help professionals increase their performance. The three lines of defense model is an organisational structure and was introduced within corporate risk governance and compliance in the nineties. It is a tool that helps in clearly defining the roles and information sharing of all organisational functions and their positioning in the organisation (IIA, 2017). The first line describes risk-taking units, e.g. front-office business units responsible for revenue and business decisions, as well as the control and support functions that can influence the firm’s risk profile. It consists of functions owning and managing risk. The people in the second line exercise risk oversight and monitor the actions of the risk-taking individuals in the first line. Finally, the last line of defense consists of internal auditors reviewing the processes of the first and second line. This line of defense provides independent assurance to senior management and the board. Individuals in the first and second line should also communicate with a higher organisational level. The model is illustrated below.

Figure 7: Three Lines of defense model (IIA – guidelines for the risk management function)

3LoD in Practice

Regulators as well as RM associations and consulting firms have legislated and promoted this model for years. PwC claims it adds value to the risk culture and creates a central foundation for effective risk governance. The Basel Committee mentioned the concept in its 2011 PSMOR document as being a common industry practice. However, it does not argue it is a required approach in risk management. Further, OSFI Canada suggests making it a core principle in risk management and broadly describes the different roles present within the model. Other financial regulators are following. At the same time, risk and assurance experts increasingly criticize the model for being outdated. They believe the philosophy is based on traditional approaches and is too simple in the current complex business environment. Further, risk pioneers such as Tim Leech and Norman Marks argue the model is not responding to the emerging expectations of different stakeholders to have a CEO and/or board that actively participates in the risk governance framework and keeps risk oversight. This caused the need for a formal debate to discuss the fit of the model in organisations. The use of the term ‘defense’ is wrong, since it stresses the negative perception of risk, while risk management is about taking the right risks and informed decisions, which relates more to offense (Marks, 2014). To tackle the limitations of the 3LoD, a new model, ‘the Five Lines of Assurance’, was issued.

3.2 The Board

Board of directors

The board is the highest administrative body within an organisation. Its biggest duty is to keep oversight of the activities and their continuity and to ensure decent internal controls and risk management systems. It is a group of people that jointly govern a corporation and its management and should provide ‘added value’ to both. In Belgium, its composition is constrained by several factors. The Belgian Corporate Governance Code (2009) sets out a few requirements regarding corporate values, corporate social responsibility and ethical guidelines. Also, the kind of enterprise, the management model and the shareholder structure play a role in its composition. Good governance starts by selecting the right people and making sure they can make better decisions as a group than individually. A diverse and independent board leadership plays an important role in focusing companies on the long term. The board carries responsibility to the stockholders, although less conservative theories broaden this to stakeholders. A stakeholder can be anyone who is interested in and/or affected by the organisation. The directors must govern the corporation and are legally responsible for it as well. One of their duties lies in appointing a CEO.

Also, risk oversight is a major duty for the board. In times when things are not going as expected, such as the recent crisis, boards come under increased scrutiny. In this risk oversight process, the board gains an understanding of the critical risks inherent in the corporate strategy and also, if responsible for monitoring execution, whether they are managed effectively. When creating enterprise value, a mutual understanding between board and management of these risks is necessary (Tonello, 2012). Some companies use a committee, such as a risk or audit committee, to address risk oversight in their specific areas. This risk oversight is thus a task that can also be assigned to such a committee, to be able to focus more on strategy in the full board meetings (Protiviti Inc., 2006). A study of COSO found four areas in need of extra attention to enhance the board’s risk oversight capabilities. First, the risk management philosophy and risk appetite should be discussed to achieve a shared understanding in accomplishing objectives. Second, in this pursuit of objectives, it is key to understand the risk management practices to gain a complete view on top risk exposures. Third, senior management should understand the entity’s portfolio of risks and make sure they are in line with the stakeholders’ risk appetite. Last, all relevant risk exposure information should be provided to the board for review on a timely basis. In order to make sure management provides all relevant information to the board, appropriate measures should be in place to position them to identify, assess and respond to risk (Nottingham, 2014). COSO suggests adding KRIs to the KPIs provided to the board by senior executives (COSO, 2009). The board of directors is mostly responsible for the implementation but plays a more supervisory role in the execution of ERM.

Not only in for-profit organisations, but also in not-for-profit businesses and governmental agencies, such a body is needed. Its structure is often regulated by the government and by the company itself. Having a well-designed board structure with appropriate sub-committees will enhance organisational accountability and performance (Ruigrok et al., 2007). However, having too many members and sub-committees can also negatively affect the board (Subramaniam, 2009). Finding a balance in this structure to optimize the board is necessary.

A great interest in ERM is needed at the top to improve risk management maturity. It helps in the evolution of ERM if the board shows its importance and communicates its risk attitude, appetite, tolerance and risk-taking approach throughout the firm. Aligning the board and the C-suite is critical for effective risk communication. It is advised that the head of risk management can report directly to the board or to one of its sub-committees, e.g. the risk or audit committee. This will be of added value in outperforming the competition and is today demanded by regulators, investors and credit rating agencies. Nottingham (2014) has set out four components essential for a risk communication system that meets these requirements, namely defined risk governance roles, a shared view of risk, a concise risk appetite statement, and focused risk reporting and dialogue.

3.2.1 Risk Committee

The RM committee, when present in a company, is often composed by the board. The board can delegate some risk oversight responsibilities to this separate risk committee and appoint the serving members accordingly. It is a sub-committee of the board of directors that provides education at board level for enterprise risk management. It helps in establishing the risk appetite and risk strategy. It is in particular accountable for risk management oversight by the board and is often the first to review board-level risk reports (KPMG, 2017). Mostly, the audit committee is accredited with the risk management duties. When a company establishes a separate risk committee, it most often manages the non-financial risks, while the audit committee handles the financial and reporting risks. Day-to-day risks will still be owned by other managers of the different business units. The RM committee identifies potential risks impacting the company and ensures due management of the risks according to its risk-taking approach. It assesses and reviews the procedures and results of management regarding risk management. It is therefore beneficial for some C-suite members to attend its meetings, which are mostly held a couple of times each year. An example of the roles and responsibilities of the risk management committee as stated by the organisation is found in the Appendix.

As a response to a 2009 G20 agreement to improve transparency and accountability through financial regulatory processes to limit risk after the financial crisis, the Dodd-Frank Act was enacted in the US in 2010, requiring different financial and bank holding companies to appoint a separate risk committee to promote sound risk management practices (Dodd-Frank Act Section 165, 2010). This is yet another example of regulatory requirements or industry evolutions in the financial sector that might be initiated in non-financial companies as well. The Dodd-Frank Act adds that it should include at least one risk management expert. It functions as a support mechanism in the oversight of an organisation’s risk management strategies, policies and processes (Subramaniam et al., 2009). Its members can also be members of the board, but executives have a negative impact on the committee since they are the ones being assessed, and thus they are biased and reduce objectivity. Therefore, independent directors must be appointed by the board.

Whether or not the board should have a separate risk committee that can effectively oversee risk and risk management depends on several factors, such as the number of independent directors, the quality of the input, insights from external sources and so on. It should also be assessed to what extent risks are already dealt with by the standing committees. Some examples of standing committees in large organisations, each facing their area-related risks, are the audit, governance, compensation, and strategy & finance committees. If these committees are all overseeing a specific risk area, the added value of a separate risk committee will be minor or could even negatively impact the board's risk oversight (Tonello, 2012). The ultimate responsibility for RM still rests with the full board (Subramaniam et al., 2009).

3.2.2 Audit Committee

An audit committee can also be part of the board of directors. It oversees the entire internal audit department, including risk management. Its major concerns are financial reporting risks and certain compliance-related risks that can have financial reporting implications (Tonello, 2012). The conditions that determine in Belgium whether a company should appoint an audit committee are delineated in the Belgian Company Code (art. 526bis §2). Companies listed on the NYSE are also required to have an audit committee. The committee must consist of at least three members and should discuss risk management and risk assessment policies, even if the board sees fit to set up a separate risk committee. The members must be independent, financially literate and members of the board of directors. The committee is obligated to have an Audit Charter. This document should set out its purpose, which is at least to assist board oversight and to prepare a report for the annual proxy statement. It also includes an evaluation and review of the committee's performance and the performance of the appointed auditors. Finally, it sets forth the committee's duties and responsibilities. The Charter also discusses several items of financial information and policies regarding risk management.

In an organisation in which an audit committee is mandatory, the board still must decide whether to assign its risk oversight responsibilities to the audit committee by expanding its role, to set up a separate risk committee, or to keep the full board accountable for risk oversight. Before designating this responsibility to the audit committee, the board should consider whether the committee has the time, skills and support to perform this extra duty with care, since it already has many responsibilities regarding financial reporting and is the last line of defense concerning the risks that come along with this reporting duty. The AC can be of huge support to the board in its risk responsibilities. The consequences of these risks can be huge when dealing with complex financial reporting issues (Tonello, 2012).


3.3 Management

3.3.1 CRO

In the past, managers were not eager to talk about potential losses, risks or obstacles. Therefore, there should be a risk owner within top management – either the CEO or another senior corporate executive – to communicate risks and their projected consequences (Pudin et al., 2017). The risk manager's profession keeps evolving and is facing enormous changes. It is necessary to gain insight into their required skills and performed tasks to understand the contributions they bring. Ward (2001) was a pioneer in exploring the activities of corporate risk managers. He identified a broad and significant variance in the scope of work done by these individuals (Ward, 2001). In general, the main responsibility of the chief risk officer is to make sure the firm functions as it should and preventable disasters do not occur (Atkinson, n.d.). Ward (2001) also found that the extent and direction of this work depends on different circumstantial factors, i.e. top management influence, external influences, the nature of the business, corporate developments, and characteristics of the risk management department.

In response to this need for greater insight into risk managers' skills and tasks, AMRAE (2017) introduced the first Risk Manager's Core Competencies set. It helps in understanding their input in creating added value in an organisation. They divided the skills risk managers should possess into seven categories: organisation; management; curiosity and scepticism; communication; creativity and adaptability; culture and awareness of what is at stake; and stress management. These are fundamental competencies risk professionals should master to execute their function properly. For further understanding of the requirements to successfully accomplish their different activities, I refer to the Risk Manager's Core Competencies set.

A study performed by PwC in 2014 showed that risk management in organisations that appointed a CRO performs better than when it is one of the many tasks other directors should execute (Ruizendaal et al., 2014). Large companies often appoint a chief risk officer to emphasise that risk management is seen as a high-priority topic. In 2011, 42% of companies with 10,000 or more employees reported they have a chief risk officer, compared with only 11% in 2008 (HBR, 2011).

Strategic risks cover the risks a company faces in reaching its long-term objectives. It is important that senior risk officers communicate strategic risks to the different business line managers and to senior management. The findings of Mikes (2008) showed that the majority of CROs are nowadays regularly involved in firm-level strategic decisions, which shows that their role has expanded dramatically.

A couple of critical topics risk managers or risk management teams should consider adding to their knowledge when performing a risk-based profession are risk psychology and perception, which help them make quality decisions under uncertainty; corporate finance related information; and lastly a good understanding of the industry they are in (IRM, 2014).

3.3.2 CEO

The position of the CEO comes with great responsibilities. The CEO carries overall operational responsibility for risk management and should make sure all managers perform well concerning internal control and risk management in their daily tasks. The CEO's mandate should be made clear by his or her supervising body. The CEO's involvement is indispensable to the success of ERM and keeps the focus on strategic and reputational risks. CEOs are also faced with constant change and need to respond clearly to these changes. They should capitalise on emerging opportunities and invest the scarce resources of the company in promising business activities (Tonello, 2012). Therefore, their major concerns should be whether unknown exposures to events exist and how the organisation can respond to these risks or prevent them from happening with as few resources as possible.

In attempting a structural reorganisation, CEOs should evaluate their current organisational maturity, align their new design with business strategies, and clearly define how work is to be accomplished under the new organisational structure (Wight, 2018). PriceWaterhouseCoopers' Eighth Annual Global CEO Survey (2005) revealed that CEOs worldwide consider governance, risk management and compliance as value drivers and a source of competitive advantage. This consideration does not take away the fact that CEOs still struggle with its implementation. COSO states the CEO is ''ultimately responsible and should assume ownership'' of the implementation of ERM. However, one major objective of ERM is to incorporate the management of risk into the organisation's agenda and decision-making processes, so in fact every manager is responsible. Executive management needs a set of scenarios to be developed with impact and alternative action statements when making decisions under a high level of risk. The CEO plays a critical role and should be actively involved in supporting an open and positive environment, crucial for an effective ERM process and open risk culture, by helping line managers to report and communicate relevant risk information to the board and other higher organisational levels. Often, another critical responsibility of the CEO is to raise awareness of risk management and bring its focus to a strategic level. ERM enhances the CEO's ability to find answers to questions regarding emerging risk exposures and risk events, and to tackle soft spots in the business plan.

3.3.3 CFO

Risk management is often driven by a financial function. Righi & Fox (2017) recently found this is still the case. In this situation, there is no employee solely dealing with risk management. Many organisations perceive risk management as a standard task of the CFO. They also perceive the CFO as the main risk leader of the company. The problem that can occur is that the focus is not enough on the strategic risks, but more on financial risks.

Risk management can provide organisational value, but when the CFO focuses too much on costs and other finance-related issues, this can reduce the added value. However, a shift towards more business-related or strategic functions is visible. This is in line with the integration of risk management into the strategy of the company. Even when a CRO is present, it is often the CFO to whom he or she reports. The CFO in turn usually reports to the board. KPMG (2017) issued a paper on the main challenges CFOs will face and what CEOs expect of them in the future.

Their results point out that CEOs rely on CFOs to support growth, turn the regulatory burden into a competitive advantage, strengthen the alignment of strategy with financial planning, implement new technologies and IT solutions and, lastly, invest in the maintenance and acquisition of talent.

3.3.4 CIO

By the end of the last century, the position of Chief Information Officer was created. It helped in making information technology a higher-level agenda item (Atkinson, n.d.). Only a few years later, the same happened to risk, and thus it is interesting to have a glance at the rise of this function as well.

Most techniques and tools used in finding ERM solutions are influenced by technology. Informational tools like software and risk measurement systems can be of great value, especially in managing non-financial risks (Protiviti, 2006). Today, the generation of data, artificial intelligence, automation and other IT services are evolving and have an impact on the strategy and risk management of an organisation (COSO, 2009). In companies where these IT systems carry strategic value and are complex, a Chief Information Officer can be key to successfully getting through this transition. He or she manages and evaluates IT risks and controls, or makes sure business unit managers or other process, application or data owners understand how to manage them. The CIO is responsible for performance regarding information security, IT planning and budgeting (Stoneburner et al., 2002).

Recent events such as the increased number of cyber threats, the renewed European privacy regulation (GDPR) and the implementation of new technologies are challenging CIOs and make the organisation more reliant on them. A recent study by Marsh & RIMS (2015) showed that cyber risks are perceived as the priority risks that should be managed in the upcoming years. The CIO function can help in responding to these risks and can collaborate with the CRO, for example, to tackle these risk issues.

3.3.5 Compliance professional

Due to increased regulation, some companies initiated a separate compliance function. Compliance professionals are in many cases overworked and under-equipped, facing a growing burden. However, recent technology innovations help analyse data and automate several of their previous tasks. This evolution of AI and automation is especially beneficial in the banking and finance sector in reducing the time spent on repetitive tasks (Brotherton, 2017). The tasks of these professionals lie in protecting internal control and supporting regulatory requirements and compliance culture, to name a few. They usually report directly to executive management, as most frameworks recommend, and work in close collaboration with the risk management function, especially concerning monitoring tasks and legal and reputational risk (IIA, 2017).

3.3.6 Business unit Managers

Business unit and functional managers carry the responsibility and authority for making the day-to-day decisions and keeping their unit operational. They should oversee the different components of the Porter model. Furthermore, they are responsible for specific objectives, markets, customers and products. They should see risk as a top-of-mind issue and usually report to the executive committee and the CEO.


3.4 Internal audit – Chief Audit Executive (CAE)

The internal auditor evaluates the risk management, governance and controls of the organisation and suggests ways to improve their effectiveness. The Institute of Internal Auditors (2009) issued a position statement that found the effectiveness of internal accounting can be increased by ERM. Since the audit has to be performed in a broad range of areas, the auditor needs to possess a wide skill-set and on-going training to assure an appropriate level of control, provide useful advice for improvement and create added value (AMRAE, 2013). There is some overlap with the required knowledge base of risk managers, each with their own specialisations and restraints. Therefore, the auditor's function is often described as an independent and objective assurance role. There is no one-size-fits-all method for their role (Walker et al., 2002). It was also found in this study that internal audit, and especially the CAE, plays an important leadership role in ERM. They bring assurance on the effectiveness of ERM to the board or a sub-committee, i.e. assurance that prioritised risks and risk management processes are being evaluated and managed correctly and that the framework is operating as it should (IIA, 2009). Their role also includes some consulting activities concerning ERM, to an extent dependent on the maturity of the company and other resources available to the board. Thus, the involvement of internal audit in ERM varies considerably. The internal auditor can provide some advisory services, but cannot be held responsible for or have a role in the actual management of risks. This would stand in the way of the necessary independence and objectivity. Lastly, I would like to emphasise that Beasley et al. (2006) studied the impact of ERM on the internal audit function and found that ERM impacts several auditing activities, depending on associated organisational factors, e.g. the CAE's tenure. They also found a close interaction between the CRO and internal audit.

3.5 Outsourcing the function

Managers must realise that the effects of outsourcing on the firm's immediate bottom line may not always be consistent with the effects on the long-term well-being of the firm (Shi, 2007). Further, legislation often restricts the possibility of outsourcing. If management or the board nevertheless decide to outsource all or part of the risk management function, they should make sure the requirements the function carries are ensured and safeguarded by employing methodologies (IIA, 2017). A lack of methodologies is partly the reason why managers are often disappointed with the results of outsourcing the function (Lonsdale, 1999). Still, outsourcing the risk management function can reduce costs and the quality of your program (RMA, 2014). It may also lend access to a high level of technical expertise (Hood & Young, 2003). Outsourcing risk management usually occurs when a firm is still in an embryonic stage of ERM establishment or implementation.


4. Empirical study

4.1 Research Questions

• Who embodies the role of the risk management function in Belgian enterprises and how is it organised?

• How do the lines of assurance (overview of roles, responsibilities and reporting lines) take shape in Belgian enterprises?

• Is there a positive relation between the role and organisation of the risk management function and ERM maturity?

4.2 Goal

The main objective is to gain insight into the entities responsible for the risk management function and their role in the organisation. Further, it will be analysed how the organisation of ERM in Belgian firms - reporting and communication lines as well as organisational structure - influences the risk management maturity of the company. Another aspect is to investigate at what maturity level Belgian enterprises find themselves to date. The study will provide different insights for the risk management profession. The study is performed in a qualitative manner. This allows for a better understanding of the perception of the responding risk professionals on enterprise risk management as a whole and the risk management function in particular. Given the little attention that has been paid to finding an answer on how the risk management function is organised and coordinated, the study will lead to new meaningful empirical data to add to the current literature.

4.3 Methodology

The research was conducted through a qualitative study, by gathering information from different roles in the organisation. One effective method to research the roles and responsibilities of the risk management function is to perform case studies through in-depth interviews. This research methodology was stipulated by Eisenhardt (1989) as most relevant for new topics, which is what we are currently dealing with. The in-depth interview method not only gives the possibility to go deeper during the interview, but it also provides specific information and creates a better understanding of the answers and mind-set of the interviewees. After each interview, the participants were also asked to fill in an assessment on the current state of ERM maturity at their company. The content of the interview and assessment is set out in the interview approach.

The target group in this study consists of members of Belgian companies that currently have an ERM process/system partially or completely in place. They should also carry some responsibilities regarding risk management to ensure they understand to what extent and in what way risk management and the risk management function are organised in their company. From the literature study and the review of annual reports of Belgian firms, it was observed that the companies that completely or partially adopted ERM-based oversight processes appear to be most often bigger firms, financial firms and publicly listed firms. Their processes are significantly more mature than in other companies, since they are often more regulated due to their nature (Beasley, Branson & Hancock, 2014).

For this study, the focus was on publicly listed non-financial firms, extended with two financial ones to make comparison possible. There was no further focus on a specific industry. In the search for possible interviewees, information from the annual reports of publicly listed firms was collected, since they must disclose several aspects of their risk management. In the search for possible organisations to interview, I shortlisted the firms traded on Euronext Brussels and other Belgian stock indexes. Private enterprises without a substantial size often don't have a complicated ERM system in place and were thus left out of the target group.

An overview of the selected firms and interview participants can be found in Appendix 8.22. Transcripts of each interview are attached starting from Appendix 8.3.

4.4 Interview approach

The interviews were conducted in the most suitable language for the interviewee. Depending on his or her mother tongue or preferred language, the questions were posed in Dutch, English or French. This allows the interviewee to clearly understand the questions and makes it easier to answer them as clearly as possible, without the constraints of language barriers. Through the open questions and in-depth interview, with the possibility to ask for specific clarification, extra information and a reflection on the provided answers were made possible. From the list of potential enterprises to study, I tried to get in touch with a company member active in the risk management of the organisation. The interviewees are preferably members of the board or senior management. Members of the second line of defense in an organisation, embodying the risk management function, were also appropriate candidates. The literature study showed these individuals are most involved in ERM (IIA, 2017). The interview questions cover the different goals that were set up for this study.

The interview consists of three parts. First, the presence, adoption and development of ERM is questioned. Then, I set up questions to gain insight into the leadership in risk management and the way in which the three lines of defense model takes shape. This outlines the different roles, responsibilities and coordination of the risk management function. Further, the reporting lines and information sharing between different process and risk owners at different lines and organisational levels become visible. These first two parts of the interview are mainly based on open questions. In the third part, I try to picture the stage of ERM maturity. In this last part, I have used questions based on a Likert scale (1932) ranging from one to four, in order to give interviewees the possibility to indicate their perception of the maturity of ERM for different categories of risk management. The first seven questions are based on the attributes of the RIMS Risk Maturity Model, while the last seven questions are formed through a maturity model built up from the current literature and other maturity models, based on three core areas, namely:

• RM framework and processes

• People, roles, structures and interaction

• RM information system

By combining this information with the information collected from the open questions, a clear view was given on the maturity of their current ERM approach. An overview of a typical set of questions is provided in Appendix 8.1.


5. Analysis

5.1 Applied technique

Miles & Huberman (1994) outline different techniques and approaches for analysing qualitative data. In the updated version, Qualitative Data Analysis: an expanded sourcebook (1994), the authors delineate several relevant ideas for analysing the collected data. The analysis performed here was also of a qualitative nature, with data collection through in-depth interviews and maturity assessments based on a Likert scale. The most appropriate way to analyse the data extracted from the case studies is to perform a within-case analysis, followed by a cross-case analysis. In the first part, the interviews will be analysed individually. Hereby, the findings of the interview will be separated into different parts, matching the different interview topics. This will be performed in a structured manner, so it will be easier to compare different interviews with each other in the second part of the analysis, the cross-case analysis. This technique will result in a case/topic matrix. The matrix can be found in Appendix 8.21.

5.2 Within Case Analysis

This type of analysis gave me the opportunity to look at the cases individually. This grants a better understanding of the actual situation in the specific companies, making it easier to compare the interviewed organisations with each other. In the first part, the company is described, along with the role of the interviewee. The second part analyses different topics, of which the first two, 'ERM presence & development' and 'Leadership in risk management', were gathered through interviews, while the last part, 'ERM maturity', was gathered through an ERM maturity assessment as perceived by the interviewee, as well as an overall analysis of the current state of ERM at the specific company. The analyses of the first 10 respondents are disclosed here; the others can be found separately in the Appendix as well as combined in the case/topic matrix.

5.2.1 Company A

Company description

Company A is a publicly traded technology company active in the electrical equipment and manufacturing sector. Its core markets are Enterprise, Entertainment and Healthcare, which it provides with visualisation and collaboration solutions. Its headquarters are based in Belgium. With a turnover reaching over 1 billion, it is one of the largest companies in Belgium. The interviewee has been working for this organisation for 20 years. He served over a decade as quality director and has been the Risk and Compliance Manager of the organisation for 7 years now. The interview was conducted at their HQ on the 7th of June.

Analysis

ERM presence & development

Start and triggers of enterprise risk management: Risk management has been actively present in the organisation for a long time, starting with insurance, health and safety. Step by step, new departments, e.g. supply, were introduced. 20 years ago, a fire showed the need to develop risk management. Also, the insurance department was demanding a more active approach. ERM was initiated about 4 years ago.

Organisation of ERM and risk appetite formation: A great part of all risks the company faces are processed in a structured manner. There is an annual ERM exercise as well as a tri-annual one, both based on COSO and ISO. In this procedure, company-wide risks are identified and mapped, while current risks and action plans are analysed and evaluated. The risk appetite is formed by aligning the different opinions of the company leaders and communicating them to other levels. This is not formally documented, unlike roles, responsibilities and methodologies, which are all accessible on their online platform.

Further development and improvement of ERM: Especially regarding the creation of risk awareness and communication, further steps should be taken. The current system needs to be broadened in order to better integrate it at all levels of the organisation.

Leadership in risk management

People involved with and roles of the risk management function: There is no overarching department dealing with risks, but there is a Risk & Compliance department which includes a quite elaborate risk management function. In this team, 12 risk managers are occupied with different areas of risk, e.g. GDPR. In the ERM exercise, managers from different areas are involved and the audit function supports this process. There is a well-developed second line of defense. The risk & compliance manager serves mainly as a facilitator and coordinator.

Support of the board and senior management: Within the board, it is especially the Audit Committee that tackles the risk oversight responsibility. There has been a great evolution in the interest and support of the AC in ERM over the last couple of years. Its focus used to be on financial risks, while now other areas of risk are receiving increased attention.

Reporting lines, communication and awareness: There has been a lot of improvement in the reporting of risk. Since the General Counsel is part of the chief leadership team (senior management), there is a direct reporting line to the top of the organisation. He used to report to the CFO before it reached the rest of senior management. This allows for quicker and more objective communication to the top. There are only few initiatives to communicate risks bottom-up. This has been a conscious choice, since they believe employees need to be educated to rationally manage risks.

ERM maturity

The current ERM system is working effectively, with a fairly mature risk culture proactively dealing with risks. To improve this maturity, ERM should be more embedded in decision-making. Strategic risks form their greatest challenge and the integration of ERM could be of great help to manage them. A lot of steps have been taken to improve risk communication and awareness, but improvement and optimisation are still possible.

5.2.2 Company B

Company description

Company B is a technology company performing pharmaceutical research. The organisation is rapidly growing. Its ambition is to better the world by developing medicines and to become a global leader in its industry. It is listed on Euronext and NASDAQ. The interviewee is a director Internal Control. He is responsible for the effectiveness of the control system, drives the internal and external audit function and deals with risk. He has broad experience in finance, accounting, controlling, audit and assurance. He was responsible for the development and implementation of a formalised IC system. Before that, he worked for several years as an assurance manager in the USA.

Analysis

ERM presence and development

Start and triggers of ERM: The company currently does not have a formalised risk management system. Different departments of the second line of defense are present and deal with risks, but there is no overarching risk department. In this way, their approach is closer to a silo approach than to an actual ERM approach. The listing on NASDAQ, implying SOx compliance, triggered management to develop certain risk management techniques.

Organisation of enterprise risk management and risk appetite formation: After establishing a formalised Internal Control system, some ERM projects were initiated on the sideline. However, this is not one of the core tasks. The risk appetite is not documented throughout the company. It is discussed in particular at the level of the Executive Committee. The industry of the business does, however, not allow for a risk-averse appetite. When it comes to risk philosophy and appetite, they are in a risky business. However, there is no statement in place that defines it. Middle management is given the authority to decide on emerging and existing risks. By contrast, significant questions concerning risk-taking that impact the entire organisation go to the Executive Committee. The riskiest decisions are taken by the CEO.

Further development and improvement of ERM: The organisation plans to develop ERM naturally, along with the growth of the organisation. Given the rather early phase the company finds itself in, they don't feel the need to have a formalised ERM system. If the board demands it, the company will be ready to develop ERM fairly quickly and effectively.

Leadership in risk management

People involved with and roles of the risk management function: As far as ERM is dealt with, the interviewee, as a director Internal Control, is mainly occupied with it, in a rather facilitating role. Within ExCo, the CEO and CFO are mainly involved with the topic. There are different second line of defense departments such as Health, Safety and Compliance in place, but no overarching risk department embodies the risk management function. There is no function branded with the name 'CRO', but he believes this role isn't present that often yet in non-financial organisations in Belgium.

Support of the board and senior management

While the director IC is mainly responsible for managing ERM, the Audit Committee provides oversight. All information regarding risk is provided to the AC and validated by the complete board afterwards. There is no lack of support perceived, since there is no need for a further formalised approach, due to the size of the organisation.

Reporting lines, communication and awareness

The director internal control accounts for the second line of defense, as well as coordinating the third line, representing the audit function, which is outsourced. After gathering all this information, he reports to the CFO regularly. The CFO then reports to the Executive Committee. The director internal control and CFO attend audit meetings at least quarterly. For daily operations, it is the senior management who collects the relevant information concerning risk identification and analysis. Monthly reports are provided to them, and their results are presented to ExCo, to assist them in decision-making.

ERM maturity

For ERM, quite some maturity can still be gained, but the added value might be minor given the current size and industry of the organisation. They have an Audit Committee, as any listed company in Belgium is required to have. This is the part of the board with substantial finance & accounting knowledge. Their main task is to oversee the effectiveness of the control system. They oversee risks, but not through an implemented RM system. He does have some risk projects to develop ERM, but it is not his main task. Especially at this early stage, there is no need for it yet. He does believe there will come a time soon where his role, covering control and risk as well as driving internal and external audit, will have to be split up to cope with the growth of the firm.

5.2.3 Company C

Company description

This company is a publicly traded food retailer with a history of 151 years. Until June 2015, their headquarters were based in Belgium. Since their merger, they are headquartered in the Netherlands. They are active in 10 countries on 3 continents, with over 6500 stores and almost 370,000 people worldwide. They are in the top 5 supermarket concerns in Europe as well as in the USA. The interviewee has been working for the organisation since 2005. She started out as an internal auditor and recently got promoted to director Risk & Control (R&C) Europe. Within her Risk & Control function, as part of the Business Services Finance department, she is responsible for the development and management of the R&C.

Analysis

ERM presence and development

Start and triggers of ERM: The company started with enterprise risk management 3 years ago. Since then, they have had a formalised risk management system in place. For the initiation of an ERM framework they used COSO 2013. A main trigger for implementing ERM was regulation, more specifically the Sarbanes-Oxley Act. COSO complies with this act.

Organisation of enterprise risk management and risk appetite formation: The organisational structure and control framework regarding risk management conform to the three lines of defense model, which is in place and disclosed in their annual report. At group level, the same structure is in place as in the local brands. The Governance, Risk and Compliance Committee structure at local brand level was implemented in 2017. At both levels, this is the leading authority for risk management, or at least should be. A formal ERM exercise is performed twice a year. There is a statement in place concerning the risk philosophy and appetite of the company, but it is not mature yet.

Further development and improvement of ERM: The development of ERM is decided by the leaders at group level. Since the interviewee is only responsible for Europe, she had no view of current action plans to further improve ERM. However, improvements in many aspects of ERM are still possible. It is indicated that ERM could provide even more added value, as to date the main incentives for the implementation of ERM are regulation and reporting purposes. Also, the processes could be improved and gain effectiveness.

Leadership in risk management

People involved with and roles of the risk management function: At group level, there is a clear leader within the top management of the organisation, embodying the role of CRO. At local brands, there are different second line departments in place, with the Risk & Control and Compliance department leading the pack for risk management. At both group and local brand level, there is a GRC Committee to keep risk oversight.

Support of the board and senior management: ERM should be implemented with more support from the top. They should not actively manage risks solely because it is obligatory, and they should stand out more as a leading authority when it comes to ERM. Also, the corporate risk culture, as well as the methodologies regarding ERM, lack maturity.

Reporting lines, communication and awareness

There is quarterly reporting to the GRC Committee, while for ERM there is formally based reporting twice a year. This company-wide ERM exercise is performed together with the local Executive Committee and the results are communicated to the board. The second line manages the residual risks after the mitigation actions of the first line. Their cooperation with the third line is especially present when a new project is initiated. If needed, ad-hoc communication of risks to the top is performed. Given the risk management that is currently present in the organisation, awareness is considered visible, but it could still be improved as the system gains maturity.

ERM maturity

The systems for managing enterprise risk are in place but lack maturity. Of course, they are still in early stages of development, but if top management does not increase its interest, the company will face quite some struggles in further developing them. It seems as if the ERM exercise is performed due to the US stock listing instead of added-value incentives. Leadership should step up and mature their risk philosophy, appetite and culture in order to increase effectiveness, proactivity and thus maturity of ERM.

5.2.4 Company D

Company description

Company D is a major independent ICT expert. With over twelve hundred employees serving over one thousand clients in the Benelux, they are one of the biggest in their industry in this geographical area. They provide strategic, tactical and operational ICT solutions. One of their major strengths is the ability to align business with IT. They used to be part of the Colruyt group and currently still have Colruyt directors present on their board. The interview was conducted on the 5th of June. The interviewee is the Internal Auditor of the organisation.

Analysis

ERM presence and development

Start and triggers of ERM: Risk has been managed in their project business since 2005. ERM was introduced 4 years ago. This was triggered by regulation and governance. The Euronext listing as well as competition also played a role in this development. 5 years ago, management asked to list the top risks the business is facing.

Organisation of enterprise risk management and risk appetite formation: There is no formalised approach regarding ERM. There is a structured procedure for GRC, but it is not company-wide or formalised either. Risks are actively managed especially in the project business of the company, since this is the business carrying most of the risks, together with data management. The organisation is catching up to systematically approach several risks, but the task is perceived by management as very administratively challenging. Different risk processes have been documented, all in the context of ISO, but mainly due to a recent merger. Currently, ERM is organised in a rather pragmatic way. Different risk appetites of managers have to be aligned during meetings.

Further development and improvement of ERM: The audit function has initiated several attempts to perform company-wide risk assessments. Two years ago, a company-wide assessment was performed, which allowed for gaining insights on risks as well as on the perception of risk at different levels of the organisation. This assessment currently serves as a good starting point to further improve and develop ERM.

Leadership in risk management

People involved with and roles of the risk management function: In fact, the leaders at all levels of the organisation are responsible for risk management. Within management, especially the Legal department, together with Compliance, participates. The financial department is also supportive, through the review of the ERM exercise, directed by the CFO. Internal audit is also involved and could be appointed as leader for ERM, since this function performed the first company-wide assessment independently and looks at the risks of the different business processes. Of course, the Audit Committee and the CEO are taking part as well, but more in the context of entrepreneurship.

Support of the board and senior management: The Audit Committee has shown increased interest in ERM in the last couple of years. Different meetings together with the audit function and the CFO are set up. However, they do not feel a formalised ERM approach could provide added value. The AC is not the requesting party to further develop ERM, since they believe the company will not benefit from it.

Reporting lines, communication and awareness: There is monthly reporting to all involved management levels, while the Audit Committee is reported to quarterly. The internal auditor meets with the CEO on a monthly basis to report on different topics, including risk. He reports quarterly to the AC. In this way, direct reporting to the top is assured. Yearly, the Executive management discusses risk. Regulatory issues are discussed with the compliance officer on a regular basis.

ERM maturity

ERM at this organisation is not mature yet, but some great steps have already been taken in the last 5 years. It will be hard for the enterprise to mature their company-wide risk management systems as long as the board does not feel the need to formalise them. However, it is not proven that it will provide added value in their specific industry, so we can't prove them wrong either. The major areas of improvement in maturity lie in the proactivity of dealing with risks, along with risk appetite management and the risk assessment quality. Finally, an ICT tool to document the risk management system online throughout the company could also mature the current system significantly.

5.2.5 Company E

Company description

This corporation is a Belgian family company that has been around for about 80 years and currently owns several brands, performing a variety of activities, mostly retail chains. The organisation is currently present in three countries. They are innovative and take great care of sustainability, as well as risk. The interview was conducted on the 5th of June. The interviewee is Head of the Risk Management department at group level.

Analysis

ERM presence and development

Start and triggers of ERM: The company started with ERM 10 years ago. The initiation was triggered by management, mainly by the risk-minded CEO. He insists on the presence of an actively managed risk system. This system is currently implemented and integrated throughout the entire organisation. The implementation had its struggles, but it is currently in place at all levels.

Organisation of enterprise risk management and risk appetite formation: Every 3 years a new company-wide strategic risk exercise is performed. The risk management cell is of great importance in this exercise. Every activity of the company has its own cycle. The process is consistently organised and implemented throughout the company. The appetite and tolerance levels, as well as roles and responsibilities, are clearly stated.

Further development and improvement of ERM: Improvement is still possible in the reporting to the top. It is planned to create more dynamic reporting, eventually by implementing new software to facilitate more actively managed reporting to the top. Also, some steps can still be taken in the cooperation of risk with the audit function, to achieve more mature risk-based auditing. Last year, the first steps towards this objective were made. Nonetheless, the current system is already well-developed.

Leadership in risk management

People involved with and roles of the risk management function: The risk management cell consists of three parts. First, they have the risk management branch. Second, there is compliance (e.g. price fixing). Recently, GDPR also became part of this area. The third and last branch deals with everything regarding internal audit. This cell shares responsibility with the other managers. The RM cell provides guidance and has a more facilitating role. Within every operating unit there is a risk coordinator. They coordinate the unit managers and are directed by the RM cell.

Support of the board and senior management: There is great support of the board and management regarding ERM. The majority is very risk-minded and supports the development of the risk management system. The Audit Committee assures risk oversight, while within management, the CEO, CFO and COO are mainly involved and assisting in the process.

Reporting lines, communication and awareness

The risk reports provided to the AC at least quarterly are also instantly provided to the CEO and COO. Defining a time frame in which risk reporting is provided is hard, since every operating unit has its own cycle and reporting is dependent on the director in charge. It can be monthly, quarterly, twice a year, … One thing is for certain: every three years a new strategic plan must be developed for every activity. This is always followed by a risk analysis. Regarding communication, it stands out that from now on reports will include a non-financial information section, concerning social factors (e.g. child labour) and corruption. Different trainings are provided to increase awareness amongst employees.

ERM maturity

The current ERM system is mature and fully integrated at all levels. Risks are proactively and effectively managed. The system, roles and responsibilities are clear, but as always, areas of improvement can still be acknowledged. The reporting to the board is too static and could be improved by implementing software. Also, the interaction between the second and third line of defense could be increased to assure ERM-based processes and ERM-based auditing.

5.2.6 Company F

Company description

This organisation performs activities in two business lines: Civil Engineering and Construction & Property. In Belgium they are one of the leading construction companies. They also perform public-private partnerships. Their roots lie in the 19th century. Since reaching the age of 125 – almost twenty-five years ago – they have the right to be designated a 'royal' group. The interview was conducted on the 31st of May. The interviewee is the company's Risk & Insurance Manager.

Analysis

ERM presence and development

Start and triggers of ERM: The company introduced enterprise risk management in 2011. It was triggered by the second line of defense, in particular by the risk & insurance manager. It took 4 years before the formalised program was entirely in place.

Organisation of enterprise risk management and risk appetite formation: Whenever a new project is initiated, different risk methodologies are in place to identify and analyse risks. They are performed in the tendering phase. The appetite is clearly stated. For every project it is clear to what extent risks can be taken.

Further development and improvement of ERM: Risk processes are in place and working effectively, but more efforts should be taken to embed risk management in the strategy and decision-making of the organisation. ERM is growing in a natural way. A certain awareness of the need for risk management is developing amongst different risk owners.

Leadership in risk management

People involved with and roles of the risk management function: At group level, there is a CRO in charge of risk, backed by a risk team. He delegates the tasks in cooperation with the board. At national level, the main participants are the CEO, CFO and the risk council. The focus of the CEO is on strategy, while the CFO focuses on finance. Operational risks are mainly tackled by the risk and insurance manager, along with the legal counsel. Last, the quality and compliance manager deals with controlling and compliance. For every segment, there is a second line department in place.

Support of the board and senior management: Since there is a CRO in place at group level, support at the top is guaranteed. Still, it was the risk & insurance manager who initiated ERM, so either there was a lack of information at the top, or this manager was simply an early adopter of ERM. It does, however, show that input from different levels is heard.

Reporting lines, communication and awareness: Through a Microsoft Office CRM system, risks are easily reported and communicated throughout the organisation. The Executive Committee collects risk information. The CRO collects information from the different members of the ExCo, each regarding their own areas of risk. Afterwards, he provides reporting to the board. Since the ERM system is in place, risk awareness and communication grow naturally.

ERM maturity

Across all departments and levels of the organisation, responsibilities are clear and risks are managed proactively. The current system, with risk management always initiated at tendering, works effectively.

5.2.7 Company G

Company description

This organisation is one of the largest capital goods companies in the world, building all kinds of machines, mainly agriculture and construction equipment. They employ over sixty thousand people with presence in 180 countries. The interviewee is a country Finance Manager and the Finance director of the organisation. Before, he served as Managing director. He is skilled in Business Planning, Corporate Finance, Controlling and Accounting. The interview was conducted by phone on the 6th of June.

Analysis

ERM presence and development

Start and triggers of ERM: The company started with ERM years ago. The initiation was triggered by regulation and market demand. According to the interviewee, risk management is indispensable in their industry and company.

Organisation of enterprise risk management and risk appetite formation: The ERM system is currently partly implemented, but needs improvement. RM processes are executed effectively, but should be less product-oriented. In each domain risks are assessed. Different policies describe the roles and accountabilities of different risk owners. This also creates a shared view on the risk appetite.

Further development and improvement of ERM: The current system needs to be continuously further developed to cope with the increased complexity and greater consequences of risks. ERM should be more embedded in the strategy of the company. ERM is clearly gaining importance. The company is trying to keep up with this pace in their ERM development as well.

Leadership in risk management

People involved with and roles of the risk management function: The leading body in risk management is the Group Executive Council (GEC) as well as the Audit Committee of the board. The GEC is the operational decision-making body, consisting of the CEO and 4 main groups of company leaders. They are accountable when things go wrong. Different second line of defense departments aid in challenging the operational managers. The audit function is responsible for the follow-up.

Support of the board and senior management: The company has been dealing with risks for a long time and enough resources are devoted to further developing risk management. The GEC accounts for the operational and strategic decision-making. This translates throughout the entire organisation.

Reporting lines, communication and awareness: The GEC reports to the board directly. The main results of their risk reports are translated and communicated at all levels of the organisation. The time basis of reporting depends on the impact of the consequences that might occur in a specific risk area. There is also a yearly as well as a tri-annual risk exercise.

ERM maturity

There is a fairly mature ERM system in place. Due to the early adoption, the teething problems have already been overcome. However, the current system struggles to find its way to influence the decision-making of the business. Also, the system is translated at all levels, but clear differences in maturity can be seen at lower levels of the organisation.

5.2.8 Company H

Company description

This is an electric utility company and a leading global energy and services group. Their core activities lie in low-carbon power generation, global networks and customer solutions. They are active in natural gas, oil, nuclear as well as renewable energy and electricity. Their last-year revenue amounts to 65 billion euros. They try to perform their activities in a sustainable way. They have a separate energy trading and risk management department – the largest trading floor in the country – in order to reduce market risks. The interview was conducted on the 8th of June. The interviewee is Head of the Operational & Transversal Risk department.

Analysis

ERM presence and development

Start and triggers of ERM: Risk management has been part of the business for almost 20 years now. It was triggered by the ENRON scandal, which led to increased attention for corporate governance and indirectly increased the regulatory requirements. Another factor is competition, which also forces them to keep developing their risk management systems. They feel that actively managing risks is first of all a matter of common sense.

Organisation of enterprise risk management and risk appetite formation: For ERM, there is a yearly company-wide exercise, mainly based on interviews with managers. This also leads to a listing of the top risks the organisation faces. The greatest efforts to manage risks in this company are based on the transfer between market, liquidity and credit risk. A team of risk managers is occupied with this management based on trading, in order to reduce the possibility of surprises regarding prices and revenue. For them, the risk appetite and tolerance levels, as well as roles and boundaries of responsibilities, are very clear. They are documented in different RM policies.

Further development and improvement of ERM: The current ERM exercise is rather static, while it should be implemented in daily operations, as it is for the trading department. Further, they plan to invest more in the digitalisation and automation of certain risk systems, using data to support effective development.

Leadership in risk management

People involved with and roles of the risk management function: The risk department consists of 100 members, with the CRO in charge. He is the leading individual for risk management. There is also a Risk Committee meeting once or twice a month. They provide oversight, while the Executive Committee carries responsibility.

Support of the board and senior management: It is hard to define the support of the top, since every activity of the organisation has its own board and senior management. The group Risk Committee ensures the topic is present on the agenda of the board and senior management and discusses risk at least monthly. They have the largest trading floor of the country, so for that part of risk, enough resources are provided.

Reporting lines, communication and awareness: Every board and respective Audit Committee has to be informed about risk on a regular time basis. Reporting to the group is provided by the group Risk Committee. Recently, there has been a focus on digitalising several reporting lines, which enabled risk owners to gain insights on their current level of risk. It increased communication and awareness and is thus a factor in which they will invest more in the future.

ERM maturity

ERM is to date at a mature level, but improvements are still possible in the identification of risks. Also, the quality of data extracted from the risk assessments can be increased. Further, some individuals are too risk-averse and should look at risk management as an enabler of opportunities as well. Last, they plan to increase the supporting technologies for ERM and believe maturity will be gained after their implementation.

5.2.9 Company I

Company description

Company I is a cable broadband provider in Belgium. After a recent structural reorganisation, they are now owned for 58% by a multinational telecommunications company. They offer different internet, television and mobile services. They have been listed on Euronext since 2005. The interview was conducted on the 15th of June in cooperation with the Director Risk & Compliance (R&Com) and the ERM and Audit Liaison Manager.

Analysis

ERM presence and development

Start and triggers of ERM: Several attempts to introduce ERM have been made by the Risk & Compliance department, with at last a successful attempt in 2018. Leadership was of great importance in this initiation, as well as a recent merger. Before the official introduction of an ERM program, ERM was only dealt with on the sideline.

Organisation of enterprise risk management and risk appetite formation: The ERM system is not formalised yet, but the organisation is actively working on it. Risk management is currently split up into four departments: Sarbanes-Oxley, Revenue Assurance, Fraud and Security, and ERM. The risk appetite is currently not documented, but clearly discussed and communicated throughout the company. The second line is supporting the formalisation of this process and working on it in a pragmatic manner.

Further development and improvement of ERM: They plan to increase efforts to embed ERM in day-to-day business and in risk reports to the board. Their goal is to shift ERM from an obligatory risk exercise to an integrated part of daily decision-making. To achieve more support from the top, they want to persuade senior management of the added value a formalised ERM system can provide.

Leadership in risk management

People involved with and roles of the risk management function: At the top, the people most involved with risk management are the Audit Committee, the CEO and CFO. The CEO carries responsibility for the day-to-day management of the entire organisation, while the CFO plays an important role in communicating the results to the Senior Leadership Team. Different second line of defense departments are in place to embody and support the risk management function, namely Health & Safety, Business Continuity, Privacy and last but not least the Risk and Control department. Within this department, the R&Com director is leading the pack, while for ERM the ERM manager carries the most responsibilities.

Support of the board and senior management: Increased support of the board and senior management is needed to gain maturity in ERM. On the other hand, great steps have been taken regarding ERM in recent years. First, the Audit Committee gave a new mandate, which introduced the ERM and Audit Liaison manager. He can devote more time to ERM now instead of working on the topic on the side, which will allow for better results, creating more interest and support from senior management. This also results in a better interaction between the third line (audit) and management. Second, the R&Com department is very motivated to further develop ERM across all levels of the organisation.

Reporting lines, communication and awareness: The first line identifies and analyses risks. Their results and those of all second line of defense departments, as well as internal audit, are incorporated in the results of the Risk & Control department. All branches of this department report to the R&Com director. He reports to the CFO, who is responsible for communicating the results to the Senior Leadership Team. In this way, the results reach the CEO, who reports directly to the board.

ERM maturity

The shifting support for ERM allows the risk department to devote a significant amount of time to maturing ERM. Since the ERM mandate was given last year, great steps have been taken. Nonetheless, the path to a mature ERM system is still long. In fact, this path is never ending. It can take years to fully implement the system, but given the motivation and previous attempts of Risk & Control to initiate ERM, the pace of development will be higher than in a company that must start from scratch, and it will therefore move ahead rapidly.

5.2.10 Company J

Company description

This multinational is the world's leading steel manufacturing and mining corporation. Since the merger in 2006 they are the largest steel producer worldwide. Safety and sustainability serve as their core values. The interview was conducted on the 6th of June. The interviewee is the Risk Manager of the Northern Business Division.

Analysis

ERM presence and development

Start and triggers of ERM: The company issued its first RM Handbook in 2009. Triggers for the initiation were the increase of risks and their complexity in the environment, regulatory purposes and even the demand of credit rating agencies.

Organisation of enterprise risk management and risk appetite formation: ERM is implemented in the daily activities of the firm. The different management activities are supported with different process cycles to manage the risks and support decision-making. The risk appetite is integrated in the culture of the company, with clearly delineated policies and methods to improve effectiveness. It is assured that risk management is present on meeting agendas at different levels of the organisation.

Further development and improvement of ERM: Developments of ERM are always initiated by the group management board. Several developments have been executed in the past decade. The ERM system is in place and already pretty advanced. Currently, the interviewee was not aware of plans to further develop ERM in his division.

Leadership in risk management

People involved with and roles of the risk management function: Risk Management falls under the leadership of the General Management Board. Here, the group RM Committee and the CEO are the main actors involved with RM, together with the group Risk Officer. Next, there are several more operational roles embodying the function, with different risk officers (mostly the CFO), as well as risk owners, managers and coordinators facilitating the processes.

Support of the board and senior management: Through the presence of different committees in charge of RM, support at the top is assured. Non-financial risks in particular have gained attention in the last decade.

Reporting lines, communication and awareness: Different tools and methods are in place to ensure a risk-aware culture, such as self-assessments and peer reviews. Risk communication runs smoothly through an online tool, which includes the risk register. This SharePoint site is updated on a regular basis. Risk reports cross different levels of the organisation. They are provided to the board quarterly.

ERM maturity

The company's enterprise risk management program is significantly more mature than those of most other non-financial enterprises. The riskiness of its business and industry plays a role in this, along with the other triggers mentioned above. Its risk management policies and annual report also show a set of mature methods, procedures and corporate governance.

5.3 Cross-case analysis

This part of the analysis allows for comparing the different companies assessed in the study. It is a critical part, as it gives many insights into the risk management profession and the organisation of Enterprise Risk Management. The cross-case analysis is the most interesting part of the empirical research, as multiple correlations as well as differences can be observed once the data has been compared. Again, the analysis is divided into the topics described in the within-case analysis.

5.3.1 Start and triggers of ERM

The majority of the interviewed companies indicate that ERM was initiated in the last five years. Some respondents state it was initiated over five years ago, but none of them indicated ERM was present over ten years ago. This shows the increased attention given to the topic in the last decade. However, a lot of Belgian companies still have a long way to go in implementing this integrated approach in their risk procedures. They also indicate it takes years before ERM is fully implemented and that it is a continuous process. The main trigger for the introduction of risk management was regulation. Publicly listed companies are required to share their risk management with their stakeholders, especially in response to the Belgian Corporate Governance Code. It is also notable that increased attention is paid to ERM if a company tries or must comply with the Sarbanes-Oxley Act due to a foreign listing. Next, management also plays a great role in triggering ERM development. In the performed study, there is no consensus on the individual most responsible for triggering ERM initiation and development. Different roles are disclosed, such as audit & risk committees, C-suites (CEOs, CFOs and CROs in particular), insurance, internal audit, as well as different roles of the risk management function in the second line of defense.


5.3.2 Organisation of enterprise risk management and risk appetite formation

Only two of the respondents stated there was no plan to initiate a formalised ERM framework. In most of the studied enterprises, ERM was present at least through a yearly company-wide risk exercise. In a more formalised ERM system, different cycles are set up for every business activity, with an overarching department to perform cross-silo analysis. In a less formalised ERM system, certain projects are initiated on the sideline, mostly by the second line of defense or internal audit. This is a more pragmatic organisation of ERM. It was confirmed that most frameworks were based on COSO and ISO (Gjerdrum & Peter, 2011). The organisation of ERM is also very industry-specific. For example, some industries, such as construction and real estate, face most risks when initiating a new project, and thus most methodologies are applied at the starting phase. The riskiness of the business also plays a great role in the need for a formalised approach.

The risk appetite was formally documented in half of the observed companies. In the others, it was formed solely by dialogue and discussion with top management. However, differences were visible in the attention paid to risk management and in the way the different appetites of the board and management were aligned. Some firms devoted a considerable amount of time to meetings in which the risk appetite was formed together with the entire top management. In the worst case, the risk appetite was determined by a select number of people at the top, without much dialogue.

5.3.3 Further development and improvement of ERM

The organisation of, and thoughts on, further development and improvement of ERM depended largely on the state of maturity of the ERM system. In half of the interviews, ERM was perceived as too static, lacking sufficient follow-up procedures. Three firms indicated they want to develop ERM naturally, along with the growth of the organisation. Five others want to see more incorporation and integration of risk management in the daily running of the company. Another point of improvement expressed by different respondents is the initiation or update of a risk management information system, to better report and communicate risks throughout the organisation. Last, some companies believe ERM could gain a lot of maturity if the leadership devoted more interest to the topic, for example by giving mandates granting more time for ERM.

5.3.4 People involved with and roles of the risk management function

In Belgium, it is rather rare to find a non-financial firm with an individual carrying the title of CRO, but the role is growing rapidly. In this study, four of the companies had a CRO at the highest level of the organisation, along with both investigated financial institutions, where this function has become almost indispensable given the riskiness of their business. Since all companies involved in the research are publicly listed, every single firm has a mandatory audit committee in place. Only two of the non-financial companies have a separate risk committee to assure the risk oversight function. Some companies have branded their audit committee as an audit & risk committee, while in company C there is also a Governance, Risk and Compliance committee at different organisational levels to manage risks. In the assessed financial firms, risk committees are present at different levels of the organisation to address risk.

Furthermore, within the C-suite, the main actors mentioned as being mainly involved with risk management were the CEO and CFO. Only once was the COO specifically indicated, while in one other firm the CLO was mainly involved with ERM. Of course, theoretically, every manager at this level of the organisation carries responsibilities regarding risk management. This was confirmed by the interviewees.

Concerning the specific risk function, often referred to as the second line of defense, the organisations had different ways of embodying this function. The main role of this function is to facilitate, challenge and support the development and implementation of effective risk management (IIA, 2013; IIA, 2017). This is the role as found in the literature, and many of the respondents, as well as their annual reports, confirmed this description suits the role of the RM function. In some firms, different departments in the second line of defense were set up, each to tackle a specific area of risk, e.g. Finance, Legal, Supply, ... However, five of the non-financial companies had a specific department set up for risk, often along with internal control or compliance.

A fairly recent trend that manifests in the interviews as well as in the analysis of the annual reports is that in a lot of companies, the increased complexity and volume of risks has resulted in the separation of the tasks of the second line of defense across different individuals as well as teams or departments. For example, a lot of companies have initiated a more elaborate compliance or internal control function, whereas these tasks used to be performed by the same person or department embodying the pure risk management function. As a result, more time can be focused on risk management and more specifically on ERM.

The same trend is visible within audit. Where some directors used to manage risks as well as coordinate the audit function, nowadays new mandates are given and extra human resources are provided to split up these roles or expand their size. This implies a greater need for effective risk communication across different risk owners and facilitators, which can be achieved through a company-wide ERM system.

In this context, another remarkable fact was observed. In two of the interviewed non-financial organisations, former financial risk professionals were hired to inspire and systematise the current ERM system and to help in further maturing or developing the risk management function. This was also indicated by Pergler (2012). However, it is very important for these professionals to acknowledge the differences in ERM approaches between corporates and financial institutions, as well as the importance of getting to know the industry the new risk manager serves in.

5.3.5 Support of the board and senior management

Corporate leaders in four of the interviewed companies perceived the formalisation of their ERM process as bureaucratic and unnecessary. As a consequence, the risk management function often initiates ERM projects on the sideline, proving its added value in a pragmatic way. On the other hand, a large share of respondents indicated risk management has been given increased attention in recent years, especially non-financial risks. More interest is shown by audit committees, while boards and top management are increasingly persuaded of the positive effect of ERM on long-term value creation.

All respondents with a separate risk committee present in their firm acknowledged this assured the support of the board. Three respondents indicated the ERM procedures are often performed just before the budget planning, which makes it possible to devote extra resources where needed. However, others mentioned that extra involvement and resources should be provided, especially in the form of human resources, given the lack of time to initiate and implement ERM.

At present there is not enough robust statistical evidence that better performance will be reached with a more mature RM system in place. However, in 2012, Ernst & Young found a close relationship between the maturity level in risk management and the financial performance of organisations in a global survey with over five hundred interviews (EY, 2012).

5.3.6 Reporting lines, communication and awareness

It is clearly visible that there is more direct and formal risk reporting to the board than before ERM emerged to manage risks. Evolving risk governance structures create an internal risk environment in which more risk-based decision-making by the leadership of the enterprise is possible. Although Belgian non-financial companies still have a long way to go in the never-ending process of integrating risk management at all levels, in three of the companies a seat at the table was granted in the last five years to increase effective risk reporting. These respondents confirmed it led to more objective reporting to the top, without the need to convince another member of the firm about the identified emerging risks and their possible consequences.

It was also disclosed that the implementation of software or another RM information system increased the communication and awareness of risk across different levels of the organisation. The initiation, implementation or optimisation of this kind of reporting tool could significantly mature the ERM systems in the organisations. Last, the study found the Three Lines of Defense model is present in half of the observed enterprises and can be found in most of their annual reports. It is not perceived as being of great added value for the risk management processes. However, it is indicated that delineating these governance structures can be helpful in the context of a merger or acquisition, e.g. to expand or initiate the second line of defense. Also, when hiring a new member, it provides oversight of the roles, responsibilities and information sharing across different levels of the organisation.

5.3.7 ERM maturity

The stage of ERM maturity in Belgian companies has come up to speed in the last five years. Some seventy-five percent of the observed companies have reached a new stage of maturity in the last five years. With the disclosed further developments on their agendas, the same will be true for the upcoming five years. It was very remarkable that the perception of ERM maturity differed significantly across different types of organisations. Companies with a non-formalised early-stage ERM program sometimes perceived their maturity at the same level as organisations where it has been present for years.

Through the assessments, different factors have come up that currently stand in the way of reaching a higher level of maturity. Those mentioned most often were ERM process management, information technology tools, and support and involvement of leadership. Apparently, a lot of enterprises still have trouble adopting risk management processes and methodologies in their business culture and decision-making. They also feel information systems could further develop ERM maturity. In the study, fifty percent of non-financial companies had no risk management information system envisaged. Leadership should be more involved in and supportive of its improvement, instead of having compliance as its main driver. Last, some organisations pointed out their risk management is not integrated at all levels of the organisation and is too static. If leadership focused even more on the upside of risks and the ability to turn them into opportunities, greater maturity would be reached.


6. Conclusion

6.1 General Conclusions

After the qualitative study was performed through in-depth interviews and maturity assessments, conducted in the second quarter of 2018 at listed organisations, several conclusions could be drawn. In general, it is found that the role and organisation of the risk management function is rapidly evolving, especially regarding ERM. To date it is most often organised together with other management and control activities, but there is a shift towards a separation of the function, allowing it to spend more time and resources on maturing enterprise risk management. Through second line of defense departments or individuals, a proactive risk culture for effective risk management is facilitated. Expansion of the role of the risk function is tackled by launching new entities, separate functions and mandates, significantly assisting in the progress towards mature ERM.

Some companies struggle to reach a strategy- and performance-based approach instead of their current check-box approaches. Enterprises lacking a second line of defense to deal with risk management organise the function through internal audit or as part of the role of an executive director. Different ERM frameworks, policies and standards are being set up, along with greater risk appetite determination to increase risk-based thinking, mostly based on COSO and ISO.

Although several relevant findings regarding the current state of ERM are highlighted, no significant link is found between the organisation of ERM and its stage of maturity. After analysing different approaches, based on both the maturity assessments as perceived by the respondents and the answers provided in the conducted interviews, no approach was observed as best practice to significantly improve the stage of ERM maturity. This confirms the theoretical postulations of Walker (2002), Mikes & Kaplan (2015) and the IIA (2017), stating there is no one-size-fits-all approach for integrating risk management in the strategy of the business. The best approach varies with the characteristics of the firm and its industry, whereas in general it is shown that companies positioning a centralized separate risk unit in the second line of defense, along with support and involvement of the top, strongly facilitate and positively influence ERM maturity in Belgian public organisations. This support often takes shape through an allocation of extra resources, human capital or mandates, in order to reach organisational effectiveness. In early-stage ERM, the aid of risk consultants or financial professionals experienced with risk is often called upon to develop the framework.


It was observed that the majority of the respondents initiated or implemented ERM in the last decade and reached a new stage of maturity in the last five years. Also, increased board interest and focus on non-financial and intrinsic risks, with special attention to e.g. GDPR, is clearly leading to a more elaborate risk function in the last couple of years, especially in operations. The focus used to be mostly on loss prevention. Only two of the respondents did not yet actively manage risk, due to the early stage of company development or the limited riskiness of the business. The need for a formalised approach is very industry-specific. In some sectors, formalisation is embraced and perceived as indispensable, while others perceive it as unnecessary or even obstructive.

The organisation of risk management is often triggered by regulatory requirements. The launch of different risk management processes and functions is therefore, to date, often compliance-driven. In this context, the obligation of publicly listed companies to have a separate audit committee is of great help in the risk oversight role. More mature companies have developed a separate risk committee to deal with oversight. In addition, within the board and senior management, the presence of a CRO is positively related to the maturity of ERM. In Belgian non-financial companies, this role is rather exceptional and often embodied by the CEO, CFO, COO or CLO.

Further, after analysing the reporting lines in these companies, there is a significant increase in dynamic communication and follow-up through the development of risk management information systems. The initiation of these supporting tools and technologies has proven to increase effectiveness, but in half of the non-financials no such tool for risk management is envisioned.

Regarding the three lines of defense model, specifically present and disclosed in half of the observed enterprises, it is found that the so-called risk experts, mostly part of the second and third line of defense, often hold roles in both lines, so the lines might become quite blurry in some organisations. The risk function is maturing towards a joint effort of the second and third line, allowing for better risk communication and information flow, as well as improved risk-based auditing and decision-making. Concerning the first line, training and expertise of managers might be needed to improve risk identification. In three of the analysed firms, which lack a second-line department for risk management, the third line, representing internal audit, served as the leader for enterprise risk management. Furthermore, the risk function is evolving through more direct reporting to the top, which increases the possibilities to embed risk management in the strategy of the firm. The Executive Committees play an important role in this process.


Finally, it is demonstrated that among the examined companies the more mature ones had more background knowledge to put forward when it comes to improving and developing risk management. This points to two findings. First, it became clear that in companies with an elaborate and/or centralized risk function, there is a better view of opportunities and risks. This does not indicate every organisation needs a centralized function, but it does imply communication is key to organisational effectiveness regarding risk management and seems to be more challenging in a decentralized approach. Second, it shows that further formalisation is not perceived by some organisations as an enabler for long-term value creation.

6.2 Research Limitations & Future Research

A limitation of the study could be that the results are not generalisable to other companies in Belgium. However, the results offer significant, relevant insights into the concept of ERM in Belgian companies as well as into the role and organisation of the risk function. They can also serve as a basis for further research. In this context, it might be interesting to perform a comparative study between private and non-private companies, as well as to include governmental and non-profit organisations to envision the differences in approach. In this study, only publicly traded non-financial and financial companies were analysed. Including the other types of organisations Furthermore, a comparative study between European and American companies could be relevant, as well as an industry-specific study, allowing for the development of best practices.

While I tried not to be prejudiced, another possible disadvantage is the researcher bias that might be present in this qualitative study. Also, the maturity assessments performed by the interviewee might lack complete objectivity. Next, some of the interviewees stated there is great influence of regulatory documents such as the Belgian Corporate Governance Code and Sarbanes-Oxley, as well as of frameworks and guidelines such as COSO and ISO. Research to map their influence on the evolution and maturity of risk management might be interesting.

Last, I would like to point out the limited timeframe in which the study needed to be performed. This did not give me the opportunity to analyse the complete evolution of this clearly rapidly evolving topic. Also, because of the substantial amount of data that had to be processed, a greater number of respondents would not have been beneficial for the quality of the research. The case/topic matrix helped in comparing the findings at different organisations, and through this matrix I was able to discover sufficient differences as well as similarities.


7. Bibliography

Accenture (2015) Global Risk Management Survey

AON, (2010). AON 2010 Global Enterprise Risk Management Survey, retrieved from aon.com

Atkinson, W. (n.d.). A View from the Top: The Growing Role of the Chief Risk Officer, retrieved

from http://cf.rims.org/Magazine/PrintTemplate.cfm?AID=3470

Australian/New Zealand Standard AS/NZS 4360:1995. Risk management, Standards

Australia/Standards New Zealand.

Baxter, R., Bedard, J. C., Hoitash, R., & Yezegel, A. (2013). Enterprise risk management program

quality: Determinants, value relevance, and the financial crisis. Contemporary Accounting

Research, 30(4), 1264-1295.

Beasley, M. S., Clune, R., & Hermanson, D. (2006). The impact of enterprise risk management on the

internal audit function. Kennesaw, GA: DigitalCommons at Kennesaw State University.

Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An empirical

analysis of factors associated with the extent of implementation. Journal of accounting and public

policy, 24(6), 521-531.

Beasley, M., Branson, B., & Hancock, B. (2017). Report on the current state of enterprise risk

oversight: Update on trends and opportunities. Research conducted by the ERM Initiative at North

Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team,

12.

Beasley, M., Pagach, D., & Warr, R. (2008). Information conveyed in hiring announcements of

senior executives overseeing enterprise-wide risk management processes. Journal of Accounting,

Auditing & Finance, 23(3), 311-332.

Bekaert (n.d) Corporate Governance Charter, retrieved from Bekaert.com

Bodnar, G., Hayt, G., Marston, R., & Smithson, C. (1995). Wharton Survey of Derivatives Usage

by U.S. Non-Financial Firms. Financial Management, 24(2), 104-114. Retrieved from

http://www.jstor.org/stable/3665538

Brinton, Willard Cope.(1919) Graphic methods for presenting facts. The Engineering magazine

company

Page 77: THE ROLE AND ORGANISATION OF THE RISK MANAGEMENT …

XI

Broadleaf, (2012). Managing risk in organisations – a simple guide to risk and its management.

Brotherton, M. 2017. Automation will set compliance officers free. ICSA: The Governance Institute

retrieved from https://bit.ly/2wxgk3v

Buehler, K., Freeman, A., & Hulme, R. (2008). Owning the right risks. Harvard Business

Review, 86(9), 102-110.

CBOK (2015), Common Body of Knowledge in Internal Auditing Data Base, The Institute of

Internal Auditors Research Foundation

CBOK, Douglas, A. (2015). Relationships and Risk: Insights from Stakeholders in North America. The

Institute of Internal Auditors

Cendrowski, H., & Mair, W. C. (2009). Enterprise risk management and COSO: A guide for directors,

executives and practitioners. John Wiley & Sons.

Choi, Y., Ye, X., Zhao, L., & Luo, A. C. (2016). Optimizing enterprise risk management: a literature

review and critical analysis of the work of Wu and Olson. Annals of Operations Research, 237(1-2),

281-300.

Committee of Sponsoring Organizations of the Treadway Commission (2009). Strengthening

Enterprise Risk Management for Strategic Advantage, New York

Committee of Sponsoring Organizations of the Treadway Commission, (2004). COSO Enterprise

Risk Management – Integrated Framework. New York

Committee of Sponsoring Organizations of the Treadway Commission, (2013). COSO Internal

Control – Integrated Framework. New York

Committee of Sponsoring Organizations of the Treadway Commission, (2017). COSO Enterprise

Risk Management – Integrating with strategy and performance. New York

Crickette, G., Demian, R., Fox, C., Hach, J., Mokamaski, J., Mazumdar, R., & McGuire, R. (2012).

Exploring Risk Appetite and Risk Tolerance. Risk and Insurance Management Society:

https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tol

erance_0412. pdf.

Cumming, C., & Hirtle, B. (2001). The challenges of risk management in diversified financial

companies.

Page 78: THE ROLE AND ORGANISATION OF THE RISK MANAGEMENT …

XII

De Smyter, G. (2017). 2016 absoluut topjaar met 89.777 starters in België. Retrieved from

https://graydon.be

De Tijd. (2017) Nooit méér starters dan vorig jaar, retrieved from https://www.tijd.be/politiek-

economie/belgie/economie/nooit-meer-starters-dan-vorig-jaar/9848837.html

Deloitte (2017). Global Risk Management Survey. Enterprise Risk Management-Concepts and Cases, 1.

Dictionary, C. (2008). Cambridge Advanced Learner’s Dictionary.

Dictionary, O. E. (1989). Oxford English dictionary. Simpson, JA & Weiner, ESC.

Dionne, G. (2013). Risk management: History, definition, and critique. Risk Management and Insurance

Review, 16(2), 147-166.

Dodd-Frank Wall Street Reform and Consumer Protection Act. (2010) , Pub. L. No. 111-203, §

165

Eisenhardt, K. M. (1989). Building theories from case study research. Academy of management

review, 14(4), 532-550.

EY, (2012). Turning risk into results. Ernst & Young, retrieved from https://go.ey.com/2B7RYAV

EY, (2013). Board Insights II - De samenstelling van de raad van bestuur bij beursgenoteerde ondernemingen

– VBO, GUBERNA, EY

Farrell, M., & Gallagher, R. (2015). The valuation implications of enterprise risk management

maturity. Journal of Risk and Insurance, 82(3), 625-657.

FERMA (2016) European risk and insurance report, retrieved from

https://www.ferma.eu/blog/2016/10/risk-managers-developing-strategic-role-wider-view-risks-

survey-finds

FERMA, (n.d.) Our vision and mission, retrieved from http://www.ferma.eu/about/our-vision-

and-mission

GCM Capital advisors ltd., (n.d.). Roles & Responsibilities of Risk Management Committee,

retrieved from http://www.gcmcap.com/

Gerken, A., Hoffmann, N., Kremer, A., Stegemann, U., & Vigo, G. (2010). Getting risk ownership

right. McKinsey Working Papers on Risk, 23: 1-13.

Page 79: THE ROLE AND ORGANISATION OF THE RISK MANAGEMENT …

XIII

Gjerdrum, D., & Peter, M. (2011). The new international standard on the practice of risk

management–A comparison of ISO 31000: 2009 and the COSO ERM framework. Risk management,

31(2), 8-13.

Hampton, J. J. (2009). Fundamentals of enterprise risk management: How top companies assess risk, manage

exposure, and seize opportunity. AMACOM Div American Mgmt Assn.

Härle, P., Havas, A., Kremer, A., Rona, D., Samandari, H., (2016). The Future of Bank Risk

Management. McKinsey & Company Working Papers on Risk, retrieved from

https://www.mckinsey.com/business-functions/risk/our-insights/the-future-of-bank-risk-

management

Haskell, A. C., & Breaznell, J. G. (1922). Graphic charts in business: How to make and use them. Codex

Book Company, Incorporated.

Hayne, C., & Free, C. (2014). Hybridized professional groups and institutional work: COSO and

the rise of enterprise risk management. Accounting, Organizations and Society, 39(5), 309-330.

Hood, J., & Young, P. C. (2003). The risk management implications of outsourcing claims

management services in local government. Risk Management, 5(3), 7-17.

Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. Journal of risk

and insurance, 78(4), 795-822.

Hürlimann, T. (2011) Risk Management in a Time of Global Uncertainty, Harvard Business Review

Analytics Services, retrieved from

https://hbr.org/resources/pdfs/tools/17036_HBR_Zurich_Report_final_Dec2011.pdf

Institute of Internal Auditors. (2009). The role of internal auditing in enterprise-wide risk

management.

Institute of Internal Auditors. (2013). The three lines of defense in effective risk management and

control. Position paper.

Institute of Internal Auditors. (2017) Guidance for the risk management function.

International Monetary Fund. (2017) A shifting Global Economic Landscape, retrieved from

https://bit.ly/2KPthZP

IRM (2014) The risk profession. Retrieved from www.theirm.org

Page 80: THE ROLE AND ORGANISATION OF THE RISK MANAGEMENT …

XIV

ISO. (2009). ISO 31000:2009, Risk Management—Principles and Guidelines. Geneva: International Standards Organisation.

ISO. (2018). ISO 31000. International Standards Organization.

ISTAT. (2017). Guidelines on risk practices in statistical organisations – 4th draft. UNECE.

Kansas University. (2018). Community toolbox.

Kaplan, R. S., & Mikes, A. (2012). Managing risks: A new framework.

Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk. Risk Analysis, 1(1), 11-27.

Kelemen, R., Biškup, M., & Ređep, N. B. (2016). The conceptual Risk Management Model—A case study of Varazdin County. In Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2016 39th International Convention on (pp. 1539-1545). IEEE.

Kocherlakota, N. R. (1996). Implications of efficient risk sharing without commitment. The Review of Economic Studies, 63(4), 595-609.

KPMG. (2017). Five main challenges CFOs face. Retrieved from https://home.kpmg.com/ke/en/home/media/press-releases/2017/01/five-mail-challenges-faced-by-cfo.html

Lam, J. (2001). The CRO is here to stay. Risk Management, 48(4), 16.

Likert, R. (1932). A technique for the measurement of attitudes. Archives of Psychology.

Lonsdale, C. (1999). Effectively managing vertical supply relationships: A risk management model for outsourcing. Supply Chain Management: An International Journal, 4(4), 176-183.

March, J. G., & Shapira, Z. (1987). Managerial perspectives on risk and risk taking. Management Science, 33(11), 1404-1418.

Marks, N. (2014). Risk management is not about defense. Norman Marks on governance, risk management and audit (blog).

McDonald, C. (2017). ERM Benchmarks. The Risk Management Society.

McNally, J. S., & Tophoff, V. (2014). Leveraging Effective Risk Management and Internal Control. Strategic Finance, 95(April), 29-36.

Meulbroek, L. (2002). Integrated risk management for the firm: A senior manager's guide.

Miccolis, J., & Shah, S. (2000). Enterprise risk management: An analytic approach.


Mikes, A. (2008). Chief risk officers at crunch time: Compliance champions or business partners? Journal of Risk Management in Financial Institutions, 2(1), 7-25.

Mikes, A. (2009). Risk management and calculative cultures. Management Accounting Research, 20, 18-40.

Mikes, A., & Kaplan, R. S. (2015). When one size doesn't fit all: Evolving directions in the research and practice of enterprise risk management. Journal of Applied Corporate Finance, 27(1), 37-40.

Miles, M. B., Huberman, A. M., Huberman, M. A., & Huberman, M. (1994). Qualitative data analysis: An expanded sourcebook. Sage.

Minsky, S., & Fox, C. (2015). RIMS Executive report – About the RIMS Risk Maturity Model. RIMS.

Moeller, R. R. (2007). COSO enterprise risk management: Understanding the new integrated ERM framework. John Wiley & Sons.

n.n. (n.d.). What is Corporate Structure? Retrieved from https://bit.ly/2KSSzGm

NACD. (2014). Public Company Governance Survey. National Association of Corporate Directors.

National Research Council (Ed.). (1989). Improving risk communication. National Academies.

Nordal et al. (2017). Guidelines for the risk management function. Association of Internal Auditors Norway.

Nottingham, L. (2014). Risk in the C-Suite: Aligning Risk Communication Between the Board and Management. Oliver Wyman Risk Journal, Volume 3, 2014.

Olson, D. L., & Wu, D. (Eds.). (2008). New frontiers in enterprise risk management. Springer Science & Business Media, 39-40.

Paisley. (2008). 2008 Enterprise Risk Management Survey. Retrieved from treasuryandrisk.com

Pergler, M. (2012). Enterprise risk management: What's different in the corporate world and why. McKinsey Working Papers on Risk, 40, 1-17.

Poitras, G. (2002). Risk Management, Speculation, and Derivative Securities. Academic Press.

Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34, 849-855.

Protiviti Inc. (Ed.). (2006). Guide to Enterprise Risk Management. Retrieved November 11, 2017, from https://www.protiviti.com/sites/default/files/protivitierm_faqguide.pdf


Pudin et al. (2017). The Art of Risk Management. BCG CFO Excellence Series. Retrieved from https://on.bcg.com/2w4V82Q

Rhodes, A. (2017). From Start-up to Corporate – How Risk Management Changes in a Growing Company. Retrieved from https://bit.ly/2KWvpPy

Righi, B., & Fox, C. (2017). RIMS 2017 Enterprise Risk Management Benchmark Survey. Risk Management Society.

RIMS & MARSH. (2015). Excellence in Risk Management XI — Risk Management and Organisational Alignment: A Strategic Focus. Retrieved from https://bit.ly/2P4pAmp

Risk Management Association. (2014). The 8 stages of the outsourcing process. Retrieved from https://www.rmahq.org/WorkArea/DownloadAsset.aspx?id=5999

Risk manager – Tasks and competencies. (2013). The Risk Manager's Professional Reference Tool. Association pour le Management des Risques et des Assurances de l'Entreprise (AMRAE).

Ruigrok, W., Peck, S., & Tacheva, S. (2007). Nationality and Gender Diversity on Swiss Corporate Boards. Corporate Governance: An International Review, 15(4), 546-557.

Ruizendaal, C., et al. (2014). Hoeveel zijn we opgeschoten na de crisis? [How far have we come since the crisis?] NBA Amsterdam, PwC Amsterdam, Nyenrode Breukelen, Rijksuniversiteit Groningen.

Shenkir, W. G., & Walker, P. L. (2007). Enterprise risk management: Tools and techniques for effective implementation. Institute of Management Accountants, 1-31.

Shi, Y. (2007). Today's solution and tomorrow's problem: The business process outsourcing risk management puzzle. California Management Review, 49(3), 27-44.

Simona-Iulia, C. (2014). Comparative study between traditional and enterprise risk management – a theoretical approach. The Annals of the University of Oradea, 274.

Slagmulder, R. (2012). Integrating risk into performance: Reporting to the Board of Directors.

Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). SP 800-30: Risk management guide for information technology systems.

Subramaniam, N., McManus, L., & Zhang, J. (2009). Corporate governance, firm characteristics and risk management committee formation in Australian companies. Managerial Auditing Journal, 24(4), 316-339.


Tonello, M. (2012). Should your board have a separate risk committee? Protiviti.

Tufano, P. (1996). Who Manages Risk? An Empirical Examination of Risk Management Practices in the Gold Mining Industry. The Journal of Finance, 51(4), 1097-1137.

Venkatesh, S. (n.d.). Organisation Charts: Types, Principles, Advantages and Limitations. Retrieved from http://www.yourarticlelibrary.com/organisation/charts/organisation-charts-types-principles-advantages-and-limitations/53238

Von Solms, S. H., & Solms, R. V. (2008). Information security governance. Springer Publishing Company, Incorporated.

Barton, T. L., Shenkir, W. G., & Walker, P. L. (2002). Making enterprise risk management pay off. FT Press.

Ward, S. (2001). Exploring the Role of the Corporate Risk Manager. Palgrave Macmillan Journals, 7-25.

Weller, N. (2015). COSO ERM Framework. Retrieved from http://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p1/technical-articles/coso-enterprise-risk-management-framework-part-1.html

Wight, O. (2008). Designing and developing the organisation. Retrieved from https://www.oliverwight-americas.com/system/files/public/resources/minerich-designing-organisation.pdf

Willkie Farr & Gallagher LLP. (2003). New NYSE rules for audit committees of listed companies.

Wyman, O. (2014). AFP Risk Survey 2014. Associations of Financial Professionals.

Yilmaz, A. K., & Flouris, T. (2017). Enterprise risk management in terms of organisational culture and its leadership and strategic management. In Corporate risk management for international business (pp. 65-112). Springer, Singapore.


8. Attachments

8.1 Interview Questions

ERM presence and development

• Does your organisation have a formalised ERM programme to manage risks?

• When did your company start with Enterprise Risk Management?

• Who/what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

• How (effectively) is your company engaged in the identification, analysis and control of risks?

• Do you feel that ERM adds value? How?

• Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description that indicates to what extent risks may be taken to achieve objectives?

• How do you plan to further develop and grow ERM in your organisation?

Leadership in risk management / risk management structure

• Who is the leader / primary person responsible for risk management in your organisation? What are the main tasks?

• Which Board of Directors and C-suite members have a role in the organisation's risk management? What is their role?

• Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help with the development of ERM?

• Is there a centralised group or person that collects information from operational managers or business unit managers?

• How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

• Are there any other functions that support ERM?

• How are the reporting lines relating to risk management organised in your company? (Which data (reports / files / information) are reported to which internal groups (Board of Directors, senior management, entire organisation) on what time basis?)

• At board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation?

a/ What are their main tasks?

b/ Do you regard it as the leading authority on ERM?

c/ What information / reports are provided to the board?

d/ How often?

• Is any ERM activity, role or responsibility outsourced?


8.2 ERM maturity assessment

At what level of maturity is risk management in your company? Rate the following areas, taking into account these criteria:

Effectiveness: are assessments completed periodically or ad hoc?

Proactivity: does the organisation wait until an adverse event occurs to mitigate risk, or is there some kind of scenario planning?

Coverage: does responsibility span all departments and all vertical levels of the organisation?

o ERM-based process: To what degree is there executive or board-level support for ERM, and how mature is the corporate risk culture?

1 2 3 4

o ERM process management: To what extent is the ERM methodology (ERM methods and processes) adopted throughout the business culture and decision-making?

1 2 3 4

o Risk appetite management: Is your organisation effectively closing the gap between potential and actual risks, and what about the accountability for risk within leadership?

1 2 3 4

o Root cause discipline: To what extent are events identified by their origin (the root cause from which they stem) rather than by their symptoms?

1 2 3 4

o Uncovering risks: How mature would you rate the quality of your risk assessments in documenting risks and opportunities?

1 2 3 4

o Performance management: How mature is the planning, communication and measurement of enterprise goals with a risk-based process? To what degree does the organisation execute on its vision and strategy? (Is progress in line with expectations?)

1 2 3 4

o Business resiliency and sustainability: Are continuity, operational planning and other sustainability activities approached with risk-based methods?

1 2 3 4

Source: RIMS Risk Maturity Model


RM framework and processes

o Attitude towards uncertainties (RM philosophy)

1: Not proactive. Reactions to risk issues after they occur. No differentiation between positive and negative risk.

2: Risk perceived as static and approach focused on past events.

3: Consistent definition of risk, applied throughout the organisation, but focus on avoiding unexpected large losses.

4: Proactive approach to risk considering threats and opportunities. Risk-based approach used at all levels.

1 2 3 4

o Mandate [4]

1: The board does not feel the need to manage risk.

2: As a consequence of external demand (stakeholder, government, regulator, ...).

3: By the board.

4: By a strongly supportive board.

1 2 3 4

o Management leadership and commitment

1: Management is not committed to establishing RM and has not assumed a leadership role in implementing it.

2: Some RM activities supported by top management on an ad hoc basis across the organisation.

3: Senior managers take the lead to ensure risk approaches are developed and implemented in all key areas.

4: Leadership for RM embedded at all levels; RM is a formal and regular senior management activity. Senior managers involved in RM practices/initiatives.

1 2 3 4

People, roles, structures and interactions (RM culture)

o RM internal culture

1: Reactive focus. Emphasis on protecting physical and financial assets.

2: People are quite risk averse. Emphasis on risk avoidance.

3: RM is done proactively. Culture of control.

4: Synchronized individual and organisational expectations for RM. Focus on opportunities. Culture of continuous learning and participation. Highly committed staff.

1 2 3 4

[4] A mandate in risk management expresses itself through an official statement/document that clearly indicates the risk management strategy and objectives and the people accountable for them at all levels, and authorizes such people to use proper resources for achieving their assigned objectives. Defining and communicating this statement testifies to an organisation's commitment to implement a risk management system. (ISTAT, 2017)


o Ethics and values

1: No ethics policy, statements of shared values or guidelines in place.

2: Philosophy mainly reflects legal and political considerations. Written policies applied inconsistently.

3: Ethics and values understood by staff. RM approach aligned with them.

4: Ethics and values consistently reflected in RM organisation practices and actions. Regular surveys on risk. Organisational climate of mutual trust.

1 2 3 4

Risk Management Information System: supporting technologies

o ICT tools

1: No RM information system envisaged.

2: A pilot RM information system is implemented as part of another information system.

3: Generic software used to support management in tracking relevant process areas.

4: Each stage of the RM process tracked in a web-based tool and integrated in other corporate information systems.

1 2 3 4

o Document management

1: Record management supporting activities focused on physical and financial assets. Organisation does not document information about risk.

2: A document management system, focused on past events, to comply with regulatory requirements and to record information concerning some stand-alone processes.

3: Document system to support management in recording key and relevant process areas.

4: Information about risks recorded in a consistent and secure way. Structured Information Management Plan. Each step of the risk management process is recorded appropriately.

1 2 3 4


8.3 Interview Company A

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

A large number of risks are already evaluated and managed in a structured way. First of all, there is a large annual ERM exercise that is carried out in collaboration with various risk owners. In addition, every three years a more extensive exercise is made in which the risks are mapped and in which the currently existing risks and action plans are also analysed and evaluated as part of the global Profit plan. With every development of a new product, systematic risk management is built in right from the start of the project. Within Finance there is a formalised system in place. Finally, in 2011 a tool was developed that helps to systematically list, analyse, evaluate and adjust risks. This tool was initiated by Insurance, which insisted on mapping the risks better. Compliance provided a more systematic approach. Especially in the area of export it was necessary to address some shortcomings. In all of this, the Risk & Compliance manager was mainly focused on the financial, strategic and ethical risks.

When did your company start with enterprise risk management?

A precise starting date cannot be pinned down. In my opinion we have been actively engaged with Risk Management for quite some time. This began with insurance, health, safety and so on. Step by step this was built up in the various departments, such as Supply among others.

We could say that specifically for ERM a start was made 4 years ago with an exercise that manages company-wide risks. For that we based ourselves on COSO and ISO. In fact, it is therefore not a pure ERM system that an overarching body deals with. Still, there is an annual exercise across the entire company (worldwide) and regarding the ad-hoc approach. Even if it is not a pure ERM system, it can be said that the current approach functions well. The system is in line with the current Corporate Governance Code of 2009.

Who/what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

No specific cause can be given for this, as it was brought about by a combination of various factors. First of all, 20 years ago there was a fire that completely destroyed part of a production line, with serious consequences. At that time the need for better control of the various risks in the company became clear. This happened partly at the request of the insurer, but quickly evolved to other departments. All of this formed the basis for starting a risk function, which has grown systematically.

When problems with export arose at a certain point, about 6 years ago the Risk function was expanded further in response into the Risk & Compliance function. From then on this role has really grown.


A second point is the rapidly changing environment and globalisation. In the past it was more difficult for a small player to enter our market, whereas today start-ups can pose a major threat to us through Cloud software and other new applications.

How (effectively) is your company engaged in the identification, analysis and control of the various risk categories?

The strategic risks are the most difficult to control. The many external factors and the rapidly changing environment form the biggest challenge.

At the operational level there is a fairly good risk management system in place.

The financial risks are monitored by the CFO's team, who have them fairly well under control. When a specific issue arises or when an objective analysis of it is desirable, I am also involved. There is a very strong focus on compliance risks, which are properly addressed and under control.

Do you feel that ERM adds value? How?

The added value within decision-making and control is clear. When the impact of a risk is under control, it passes into the hands of the Chief Leadership Team (CLT) and afterwards it often stays quiet around that type of risk for a while. Now, thanks to ERM, there is a continuous dialogue with the leadership team to address company-wide risks through an iterative process in which domain after domain is examined.

Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description that indicates to what extent risks may be taken to achieve objectives?

Various instructions and methodologies, which describe the role and responsibility of various persons, are documented in our online information system. The leadership team is responsible for arriving at a risk appetite. At the various meetings these risk appetites of the leaders are aligned by means of a healthy discussion, in which it is determined to what extent risk can be taken. For risks with an impact on the human level there is little room for discussion, because we are very strict on health & safety. By communicating this risk philosophy clearly, we create risk awareness and a culture.

How do you plan to further develop and grow ERM in your organisation?

Some things can be developed further. Even better integration, communication and awareness should be possible.

Leadership in risk management / risk management structure

Who is the leader / primary person responsible for risk management in your organisation? What are the main tasks?

Personally, I am responsible for certain domains. A fellow risk manager is in charge of certain other domains. So it is not an entirely overarching function. This has worked efficiently within our company for a few years now.


My responsibilities and professional environment have changed enormously, though. Previously, as quality director, I mainly came into contact with engineers and the like, whereas my function as Risk & Compliance manager is now situated more within a legal environment.

The existing risk management function was thoroughly expanded about 6 years ago. This was the ideal moment because the existing manager reached retirement age at that time. Since then all risks have been examined more intensively, whereas previously the focus was more on the financial side.

The CLT is responsible for the RM process as a whole. I am more of a facilitator and mainly have an analysing, coordinating and guiding role. During my period as quality director I gained a lot of experience with the company-specific risks, but now the emphasis is more on compliance and insurance.

Which Board of Directors and C-suite members have a role in the organisation's risk management? What is their role?

Within the Board of Directors it is mainly the Audit Committee that keeps an eye on things. It is striking that the interest in ERM within the Audit Committee (AC) is growing strongly. Now they are clearly engaged with it, because whereas previously the financial aspect took precedence, today more questions are asked about different kinds of risks.

This is a clear shift in the evolution of ERM within our company.

Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help with the development of ERM?

The Risk & Compliance department takes care of the coordination and follow-up of the RM activities. It consists of 12 employees under the leadership of the General Counsel (GC), one of whom focuses full-time on GDPR.

The pure risk management sits with me, though. The annual ERM exercise is carried out on the basis of interviews and assessments, in collaboration with the internal audit function. They conduct these interviews with all leadership members. I mainly attend or conduct those with the legal entities worldwide.

Is there a centralised group or person that collects information from operational managers or business unit managers?

I am personally in charge of that, together with the audit function.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

For the risk identification process I work very closely with internal audit, which takes care of a large part of the interviews for the ERM exercise. In addition, we work together on compliance issues and on specific risk issues. For example, when I have a risk in mind, I ask them to audit it or to pay extra attention to it.

So there is regular contact with internal audit: we are located close to each other and see each other regularly. They check the systems and also have an advisory function.

Are there any other functions that support ERM?

In the annual company-wide risk assessment and the compliance gap analysis, various parties are involved each time, namely a large part of the management team, as well as other functions such as the head of the R&D department, the operational managers, and the finance, insurance, HR and facility managers. On the basis of interviews I collect information with a view to an analysis within the framework of risk management. In doing so I avoid going into too much detail in order to ensure the anonymity of the interviewees. This promotes openness in their answers. Depending on the size of the unit being evaluated, I may or may not go on site.

Risk Control is a main task of the leadership team, within which a number of functions have not yet been mentioned. This leadership team consists of the CEO, the CFO, the General Counsel, the vice-president IT & Operations and the vice-presidents of the various regions (Europe, USA, China, ...).

How are the reporting lines relating to risk management organised in your company? (Which data (reports / files / information) are reported to which internal groups (Board of Directors, senior management, entire organisation) on what time basis?)

Certain risks and results of my analyses are not communicated to the entire organisation. This is partly done deliberately because few people can assess a risk correctly. Unfortunately we have insufficient reach to provide the appropriate training in this area. Other risks, such as everything around privacy and GDPR, are communicated across the entire organisation.

Now there is better upward reporting. Previously our information went to the General Counsel, who in turn reported to the CFO. This resulted in faster, more objective communication, since the CFO no longer had to be convinced of an identified risk and its possible consequences.

The Management Control and Reporting System has now existed for about ten years, and relevant information and communication goes to management regularly (monthly). Each exercise begins with an identification by Risk & Compliance and with an internal audit. The results are collected by the CLT, which determines the inherent risk and the residual risk in function of the strategy to be followed. The risk response must draw up the action plan for the risks to be improved, for which the CEO is responsible. The risks to be monitored are always owned by a member of the leadership team, and the acceptable risks and the risks to be optimised are always assigned a specific manager.

This process is supported, facilitated and coordinated by me.

At board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation?

a/ What are their main tasks?

The audit committee mainly has to oversee the whole process.

The main component remains the financial one, but Risk management is equally important.

Direct reporting to the board of directors via the General Counsel or Internal Audit, at least once a year, sometimes more often when there are acute risks or significant questions.

Three years ago the General Counsel was not yet part of the leadership team. Everything went from Internal audit or the GC via the CFO to the leadership team and the Board of Directors. Now this happens directly from the GC, which is better. There are separate interviews conducted by the Leadership Team and by the Legal & Compliance managers. As a result, risks often only surfaced in one of these groups. Direct communication has remedied this.


Last year it was remarkable how, after a change of CEO, the new emphases became immediately visible within the leadership team at the next interviews, whereas the Legal & Compliance managers were not yet influenced by this. A year later, however, little of this influence was noticeable anymore.

b/ Do you regard it as the leading authority on ERM?

Yes!

c/ What information / reports are provided to the board?

Very extensive management and risk information.

d/ How often?

On a quarterly basis.

Is any ERM activity, role or responsibility outsourced?

No.

Are you familiar with 3LoD?

I know it, but it is not used under that term or that model.

It can probably be found somewhere, but it is not actively used.

8.4 Interview Company B

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

The company currently does not have a formalised risk management system. Various departments such as Quality, Health and Safety, Compliance, ... are present and manage risks, but there is no overarching department.

We can therefore speak of a silo approach, which makes our approach differ from actual ERM. We do of course have an audit committee, like every listed company in Belgium. This committee consists of members of the board of directors with considerable financial and accounting knowledge. Their main task is to supervise the efficiency of the control system. They keep an eye on the risks, but not through an implemented RM system.

I myself report regularly to the CFO as director of internal control. In that capacity I take part in the audit meetings at least every quarter.

There is no specific function under the name 'CRO', but in my opinion this is a role that is not common in Belgium.

When did your company start with enterprise risk management?

Last year, after I had developed a formalised system for Internal Control, I also started a few projects around risk management. However, ERM is not part of my main set of tasks. Especially at this early stage of our company there is no real need for it yet.


Nochtans meen ik dat er vlug een tijd zal aanbreken, waarin mijn rol noodzakelijk zal moeten opgesplitst

worden.

Wie/ Wat was verantwoordelijk voor het triggeren van de initiatie, implementatie en uitbreiding

van uw ERM-programma?

Aangezien wij niet alleen in België, maar ook op een Amerikaanse beurs genoteerd zijn, dienen wij te

voldoen aan de SOx-wetgeving. Dit impliceert ook een aantal aanbevelingen en richtlijnen rond

risicomanagement. Dit heeft wel degelijk het bestuur getriggerd om hier toch wat meer aandacht aan te

besteden.

Hoe (effectief) is uw bedrijf bezig met de identificatie – analyse – beheersing van de verschillende

risicocategorieën?

De financiële risico’s worden centraal beheerd. Het audit comité houdt toezicht op de financiële toestand

van het bedrijf. Ook de andere risico-types worden geanalyseerd, weliswaar niet zo formeel.

Heb je het gevoel dat ERM toegevoegde waarde biedt? Hoe?

Is the risk philosophy or risk appetite in your company clearly stated? In other words, is there a description that indicates to what extent risks can be taken to achieve objectives?

Risk appetite is not documented, although, given our sector, we can never become a risk-averse company. For instance, developing a new medicine costs an enormous amount of money and automatically gives you a large exposure. There are also many matters in our industry where nothing can be left to chance in terms of risk. I am referring to ethical matters, the health of our employees, and so on.

How do you plan to further develop ERM and grow it in your organisation?

In a natural way. As soon as we grow and there is demand for it, this will happen fairly quickly and in a targeted way, but until today there has not been a great need for it.

The company is control minded, but not yet in compliance with SOx. This still has to be sharpened and documented. Good control systems certainly exist, but they are not yet explicitly brought to the fore.

Leadership in risk management / risk governance structure

Who is the leader / primary person responsible for risk management in your organisation?

Insofar as ERM is done at all, that is me.

Which board and C-suite members have a role in the organisation's risk management? What is their role?

Within the board, this is the Audit Committee. This committee has a supervisory role, meets several times a year and oversees IC and RM. It questions management. Within the C-suite, the CFO, together with the CEO, is most involved in this. I report to the CFO. There is no CRO.

Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help in the development of ERM?


Various departments, such as quality and compliance, are present, but there is no overarching body.

Is there a centralised group or person collecting information from operational managers or business unit managers?

Not really. Senior management collects that information for the daily operations. They receive monthly reports. The results of these go to the Executive Committee. The identified and analysed matters and risks end up with the Executive Committee, which takes the most important decisions. This also includes important questions, problems, the determination of the risk appetite, and so on.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

The audit function is not really formal; I play both sides a little. I also direct the external auditors: both the statutory auditor and an external auditor who takes on the internal audit function.

I am responsible for IC and Compliance. Because all auditors are external, I have no people under me. I myself am also involved in ERM, though not daily. I report to the CFO but also have contact with the Audit Committee. Reports first pass through the audit committee and are then validated by the board.

Are there any other functions that support ERM?

Not really. At some point the risk function will have to be expanded, but this is not on the agenda at the moment.

How are the reporting lines regarding risk management organised in your company? (Which reports / files / info are reported to which internal groups (board, senior management, whole organisation) and on what time basis?)

As Director Internal Control I myself am responsible for the second line of defense, as well as for coordinating the third line, which is carried out by an external audit firm. I report to the CFO, who in turn reports to the Executive Committee. All information also passes through the audit committee and is then validated by the board. We notice that the reporting lines are getting longer. Recently they were better formalised.

At board level, who evaluates the reports on ERM? Is there a risk, audit and / or other committee present in the organisation?

a) What are their main tasks?

For ERM they will mainly have a role through specific questions and risk oversight.

b) Do you consider them as the leading authority of ERM?

Shared: I do the ERM management, the audit committee provides oversight.

c) What information / reports are provided to the board?

A lot of information from me and especially from the audit committee. A lot of financial information as well.

d) How often?

At least every quarter; last year 5 times.

e) Enough independent external board members?

Absolutely, the entire board is independent. Except for one, the CEO.

Is there outsourcing of any ERM activity, role or responsibility?

The external advisor is the statutory auditor, Deloitte; we do not get to choose this. They perform the external audit. Then there is internal audit. I myself coordinate both audits.

PWC is directed by me for the internal audit. I take care of the IC system implementation and, on the other hand, I have internal audit perform various check-ups.

8.5 Interview Company C

ERM presence and development

Does your organisation have a formalised ERM or GRC program to manage risks?

Yes.

When did your company start with enterprise risk management?

We started with ERM three years ago.

Who / What was responsible for triggering the initiation, implementation and extension of your ERM program?

The new COSO Framework under SOX Compliance triggered management to introduce ERM in our organisation.

How (effectively) is your company dealing with ERM processes?

Each stage of the risk management process is completed. Pretty effective, but improvement is possible.

Do you feel that ERM offers added value? How?

Not enough yet, it is still performed mostly for reporting purposes. More dedication is needed if we want it to provide greater added value.

Is the risk philosophy or risk appetite in your company clearly stated? In other words, is there a description that indicates to what extent risks can be taken to achieve objectives?

We started formalising a lot of policies regarding our risk philosophy, but to date it is not mature yet.

How do you plan to further develop ERM and grow it in your organisation?

It is the leaders of the group's task to further develop ERM. Personally, I can't develop it any further. My department is following the rules given by our group.

Leadership in risk management/risk governance structure

Is there a leader in risk management in your organisation?

At group level there is, but in local brands we have a Risk & Control department and a Compliance department leading the pack. There is also a GRC committee to provide risk oversight.

Which board and C-suite members have roles in the organisation's risk management?

The complete Governance, Risk and Compliance department, including Finance, HR and legal.


Which specialist units (ERM support units, operational risk groups, finance, legal, environment, safety, …) stand in place to help in ERM development?

The Risk and Control department (R&C - my department).

Is there a centralized group or person collecting information (e.g. residual risks) from operational managers or business unit leaders?

All second lines of defense (R&C, ISO, Compliance, Health & Safety/Wellbeing, Product Integrity, store audit).

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

R&C is mainly coordinating with Audit when they start a mission.

Can you indicate if there are any further functions involved?

Not really.

How are the reporting lines regarding risk management organised in your company? (Information flow, time base, which reports / files / info).

There is reporting to the GRC quarterly and ad hoc if needed. Specifically, for ERM we have two formal reporting times with the local Executive Committee, after which they report the results to the group.

At board level, who evaluates the reports on ERM? Is there a risk, audit and / or other committee present in the organisation?

The GRC Committee, in cooperation with the local Executive Committee. At group level the same structure is in place.

a) What are their main tasks?

Create visibility/reports on risks for the company and understand residual risks considering mitigating actions taken by 1st line management.

b) Do you consider them as the leading authority of ERM?

They should, yes.

c) What information / reports are provided to the board?

There is reporting for ERM through the company-wide exercise.

d) How often?

For ERM twice a year.

Is there outsourcing of any ERM activity, role or responsibility?

No.


8.6 Interview Company D

ERM presence and development

Does your organisation have a formalised enterprise risk management programme to manage risks?

A real ERM programme, through which risks are managed company-wide, does not exist, no. Not as far as ERM is concerned. GRC is present. It has to be, because we are listed on the stock exchange.

The governance structure that has been drawn up, and also Compliance, are looked at and executed, but again neither company-wide nor formally.

This does not mean that nothing happens. What we have been doing for years in terms of risk management are the processes in the project business and data control departments, which are the most risk-sensitive. Other activities are less risk-sensitive. We are an IT firm: if we send someone to a client on secondment, the risk is limited. There it is mainly the quality of the people that counts. Within our product business, too, the risks are rather limited.

By contrast, within the project business sector there are many risks. When a certain product has to be delivered to the client, who will check its quality, it is important that everything has been thought of so that the client is satisfied. In this more risk-bearing area, risk management is therefore done in a systematic way. There it happens formally, mainly for the pre-sale and project management branches.

In data centre management as well, where GDPR has had to be taken into account for about three years, there is risk management. Formalising such policies is an administratively heavy task.

At the moment we are therefore catching up in various departments to systematise our informal approach.

When did your company start with enterprise risk management?

ERM about four years ago. In the project business we have certainly been doing risk management for 10 years. We started with it in 2005.

Who / What was responsible for triggering the initiation, implementation and extension of your ERM programme?

Regulation certainly played a role here, but perhaps even more so corporate governance. The board wants information about the risks to incorporate into its decision-making. The stock exchange listing is also a factor. Competitors ask for it as well. E.g. health companies: here the market is clearly asking for it because of the sensitive data that has to be managed.

How (effectively) is your company dealing with the identification – analysis – control of the different risk categories?

At the strategic level this process is mainly overseen by the board, although it is not a fixed item on their agenda. At the audit committee it is. The current takeover naturally led to various risk analyses. It would be unacceptable not to look at the risks in that context. I do a lot of operational controls, the Legal department does Compliance and the CFO, of course, the financial side.

Do you feel that ERM offers added value? How?

Yes, this added value is certainly present, especially in the area of the project business. It can remove or address a lot of uncertainties regarding image and reputation. It is also important for obtaining certain certificates or for meeting the requirements set. This image is really important; data management, for example, must be safeguarded. It is unthinkable that the press would report that mistakes were made in this area. That is not how you want to end up in the newspaper. Approaching everything systematically would probably become too much administrative red tape. Management certainly sees it that way.

Various bottom-up systems would lead to too much input and might offer little extra value. For a new business case there is always an assessment, but for activities where not many events have occurred yet, there will be no systematic approach for now.

Is the risk philosophy or risk appetite in your company clearly stated? In other words, is there a description that indicates to what extent risks can be taken to achieve objectives?

In the context of the recent merger, the processes had to be written out. A process owner is always provided for, who follows up on the process. This person is also the risk manager.

Formulations often also took place within the ISO framework. The process descriptions were done mainly after the merger, less so now. The structure changes quickly, the people change, and so it is difficult to keep designating process owners throughout the organisation. Everyone also has their own way of working.

The process owner is thus the risk owner; it is the most competent and willing person. He or she involves others in reporting. As auditor, I capture all reports (ISO) and look at what has and has not been realised. ISO also explicitly asks for RM to be done. It must of course have added value for us before we decide to implement something.

How do you plan to further develop ERM and grow it in your organisation?

I did a company-wide assessment in 2016 with some 30 assessments at various levels. This gave me a picture of how various business managers perceive risks and problems. It also made it possible to compare their view on this with management's view.

Following this exercise, a procedure was started, for all sectors in which we are active, to discover major risks. I proposed doing this company-wide. Five years ago, management asked for the top risks to be listed. It is more ad hoc; this year we are continuing to work on those assessments, but it is not always proactive, nor systematic. It is rather a pragmatic approach.

Leadership in risk management / risk governance structure

Who is the leader / primary person responsible for risk management in your organisation? What are the main tasks?

Within management, this is most formally expressed for the Legal Counsel within risk management. This manifests itself mainly in Compliance and contractual commitments. In addition, there is also a form of internal audit, which I carry out. I dare say that, formally speaking, I myself attend most to the task of ERM, looking at risks in processes and the like. Of course the audit committee and the CEO also have an important task here, but they are more engaged in running the business than in systematically executing ERM programmes. For instance, I took the initiative to do a company-wide assessment in 2016.

Which board and C-suite members have a role in the organisation's risk management? What is their role?

Formally, within the C-suite, mainly the Legal Counsel. Operationally, I mainly watch over this aspect. I report monthly directly to the CEO and also discuss the audit report with him, after which it is submitted every quarter to the audit committee in my presence.

Every 6 months there is also a financial report by Deloitte, our statutory auditor.

Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help in the development of ERM?

There is a finance department, which also follows up on ERM and thus also supports it.

In addition, the Legal Counsel also provides support within his area, but de facto this also belongs to my set of tasks, albeit only a small part of it.

Is there a centralised group or person collecting information from operational managers or business unit managers?

There are two channels. External audit mainly looks after the financial processes and systems, as well as the ERP. Internal audit, which covers everything operational, is taken care of by me.

All processes are evaluated and given a colour. The colour reflects the degree of risk (High, Medium, Low). For the project business, pre-sale and data centre management this evaluation takes place continuously. For the other projects it happens rather as the need arises.

The budget plays an important role in this. The more resources are freed up for it, the better risk management can be addressed.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

Because I report monthly directly to the CEO and always discuss various matters with him, one can certainly speak of close cooperation. Moreover, I take part in the meetings of the Audit Committees. There is, however, no specific risk manager. For the audit I do have to remain independent and not let myself be influenced by the CEO.

Are there any other functions that support ERM?

Every manager has a certain responsibility and his own form of risk appetite. Every manager manages his own risk portfolio, which happens in a not very formal way, under the supervision of management. Legal, Finance and Internal audit also provide support.

How are the reporting lines regarding risk management organised in your company? (Which data (reports / files / info) are reported to which internal groups (board, senior management, whole organisation) and on what time basis?)

Internal audit reports quarterly to the Audit Committee and monthly to the general manager. Risk management is discussed with the Executive Committee and regulatory issues with the compliance officer. Every year there are also separate discussions about the RM systems with Executive Management. Reports of these are delivered to the Board, the head of external audit and the head of internal audit. Once a year, during the month of August or September, the Audit Committee hears the internal auditor, the external auditor and the CFO in closed session, without the presence of other members of management or the executive director. The internal auditor reports monthly to the CEO and every three months to the audit committee.

At board level, who evaluates the reports on ERM? Is there a risk, audit and / or other committee present in the organisation?

This is done by the audit committee.

a) What are their main tasks?

See above.

b) Do you consider them as the leading authority of ERM?

"Leading" is a big word; there is interest. There are also critical questions, but they are not the ones who will ask to go into them further. According to this body there is no need for company-wide risk assessments in a formal manner.

c) What information / reports are provided to the board?

See above.

d) How often?

Every quarter.

e) Enough independent external board members?

There is ample representation of external members.

Is there outsourcing of any ERM activity, role or responsibility?

There is not really any outsourcing in this area.

8.7 Interview Company E

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

Yes, there is an ERM system, which has already been fully implemented and integrated. Personally, I am convinced that our company, compared with other Belgian companies, has already evolved quite a bit further and that we have a fairly complete system.

When did your company start with enterprise risk management?

Already ten years ago, so the implementation has been completed by now. It was a long road and certainly not easy, because in this area too we had to contend with teething problems.


Who / What was responsible for triggering the initiation, implementation and extension of your ERM programme?

I myself was not yet an involved party 10 years ago. I assume that management at the time was responsible for initiating risk management, under the leadership of the CEO, who has always been risk-minded. Today all of this falls under the responsibility of my risk management department. Our CEO still considers it paramount that risk management is clearly present.

Because our activities extend further than the shops known to the general public, sound control of the activities is a requirement. Such a system was necessary for this.

I now report to the CEO and to the audit committee, but the COO also reads this audit report.

How (effectively) is your company dealing with the identification – analysis – control of the different risk categories?

Every activity is managed and has its own cycle. In addition, there is a strategic risk exercise every three years. The RM process is fairly well and consistently implemented throughout the entire organisation. Various people and departments are obliged to report certain matters and are supervised by management and the audit committee.

The reports are actually reviewed, followed up and managed.

The risk management cell comprises 3 parts: first, risk management; second, compliance (on the one hand everything related to competition compliance, such as price agreements and the like, and on the other hand GDPR, which was recently added). The BPO office function will probably now follow up on continued compliance with GDPR since its entry into force. The third part is formed by internal audit.

Do you feel that ERM offers added value? How?

Absolutely. The added value rests on the vision the company has of the whole of its activities. The focus nevertheless remains enormously commercial and customer-oriented; it cannot be otherwise, turnover simply has to be there. We nonetheless also keep an eye on what must be held back in order to reach our goal. This focusing can be of great value and forms the basis for a long-term vision.

Continuing to ask ourselves where we want to go, how we want to do this and which measures must be taken for it remains a healthy approach.

As a result, you notice that Colruyt is far along and outspoken.

This vision of risk management is comparable to the view on sustainability.

Is the risk philosophy or risk appetite in your company clearly stated? In other words, is there a description that indicates to what extent risks can be taken to achieve objectives?

There is a responsibility table and decision matrix, which show the various roles and the like. It is very important to know that within our department we will never intervene. We conclude and advise, but it is always up to the units themselves whether or not to apply or implement this advice.

Within risk management, too, we are mainly facilitators and provide action points.

How do you plan to further develop ERM and grow it in your organisation?

For me the plan consists of getting more dynamism into the upward reporting and the possible creation of new software to manage all this more actively. In addition, I want a greater connection with our internal audit and with risk management in order to do more risk-based auditing instead of ad hoc.

We are already far along compared with others, but even greater added value can be achieved.

Leadership in risk management / risk governance structure

Who is the leader / primary person responsible for risk management in your organisation? What are the main tasks?

There is a shared responsibility between my department and the managers.

But we are not the owners of the action plans or the implementation.

We facilitate and clearly communicate action plans. In doing so, we ensure cooperation so that risks are effectively worked on. We are not responsible for the risks as such, but for the risk reporting people do look to us, and here we do bear responsibilities.

Which board and C-suite members have a role in the organisation's risk management? What is their role?

Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help in the development of ERM?

Is there a centralised group or person collecting information from operational managers or business unit managers?

That is us (RM cell) together with a risk coordinator within each operating unit. They coordinate and are directed by us.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

Internal audit and RM did not sit together that often in the past. From this year we are really trying to do risk-based auditing and we link identified risks with the audit in order to audit risks more effectively.

Externally, mainly the system audit by EY. We do accompany them, but EY itself does the audit.

Also new is the non-financial information that will have to be reported. All of this relates to corruption and purchases abroad, where various things are linked to social factors (child labour, environment, ...). We have recently been assisting with this to investigate whether we have the right control mechanisms.

Are there any other functions that support ERM?

How are the reporting lines regarding risk management organised in your company? (Which data (reports / files / info) are reported to which internal groups (board, senior management, whole organisation) and on what time basis?)

Every report to the audit committee also goes to the CEO and to the COO at least every three months. Beyond that, it depends on the phase of the cycle in which the operating unit finds itself. Every commercial activity goes through its own cycle. Every three years the operating units must draw up a new strategic plan, in which, among other things, the objectives are defined. This is always followed by a new risk analysis exercise.

The result of the identification and of the analysis is reported in the interim and communicated internally to the business unit. Afterwards, it is regularly checked how the action plans drawn up have been anticipated.

Everything also depends on the type of operating unit. At the largest unit, which comprises an overarching directorate and 5 separate sub-directorates (e.g. Purchasing, Sales, Logistics, ...), the risks are discussed every six months. Within Retail, on the other hand, there is a monthly management meeting.

Much depends on the director's approach, but as a fixed rule there is the 3-year cycle and the quarterly reporting to the audit committee.

At board level, who evaluates the reports on ERM? Is there a risk, audit and / or other committee present in the organisation?

a) What are their main tasks?

Supervision is of course a major responsibility for them as part of the board. Within this, they are competent for signing off the financial reporting and the annual report. They guarantee the existence of good control and risk measures within the company.

b) Do you consider them as the leading authority of ERM? Yes.

c) What information / reports are provided to the board?

Their meetings always contain 3 fixed agenda items. First, the discussion of the quarterly figures; then the discussion of the risk management activity report. This consists of the RM activities report itself (who is where in the trajectory?), the internal audit report and the result of the compliance measures. The last item is the question of consolidation with respect to, among other things, IFRS, the company structure, etc.

d) How often? Quarterly.

e) Enough independent external board members?

It is a family business. According to corporate governance, this number will probably not be high enough (2 out of 9). It is what it is.

Is there outsourcing of any ERM activity, role or responsibility?

No, not as such. There are, however, people brought in to help develop the software, and the IT audit, for example, is also outsourced, but otherwise nothing with regard to ERM.


8.8 Interview Company F

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

Yes, there is an ERM programme in place.

When did your company start with enterprise risk management?

In 2011.

Who / What was responsible for triggering the initiation, implementation and extension of your ERM programme?

I was personally responsible for that as Risk & Insurance manager. I triggered this initiation.

How (effectively) is your company dealing with the identification – analysis – control of the different risk categories?

All risk processes run efficiently. The most difficult part of the process lies in getting risk management embedded in the strategy and decision-making of the organisation.

Do you feel that ERM offers added value? How?

ERM has certainly become indispensable within our company. It shows its value when changes and problems are identified or when they have to be anticipated.

Is the risk philosophy or risk appetite in your company clearly stated? In other words, is there a description that indicates to what extent risks can be taken to achieve objectives?

There is a very clear description of the risks that can be taken and the risks that are present. This is done for every construction or civil project, always starting from the tendering (= procurement procedure).

How do you plan to further develop ERM and grow it in your organisation?

Since the formalised programme was completely in place in 2015, it grows automatically and in a natural way. It becomes a normal matter for the various risk owners and a certain "awareness" of the need for risk management arises.

Leadership in risk management / risk governance structure

Who is the leader / primary person responsible for risk management in your organisation?

At group level this is the CRO. Together with the Board, he distributes the various tasks.

Which board and C-suite members have a role in the organisation's risk management? What is their role?

As I already indicated, at group level this is the CRO and his team. At national level, mainly the CEO, CFO and Risk Council are involved. The CEO and CFO focus on the strategic and financial risks. Operational risks are managed by me (Risk & Insurance manager) in cooperation with the Legal Counsel. For controlling and compliance, mainly the Quality & Compliance manager is involved.


Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help in the development of ERM?

Various departments in the second line such as Legal, Quality, Compliance, Operations, ... with as main responsible persons those mentioned in the previous question.

Is there a centralised group or person collecting information from operational managers or business unit managers?

Yes, the Executive Committee.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

There is little cooperation with the audit function.

Are there any other functions that support ERM?

Everyone must have a certain awareness and can thus support ERM.

How are the reporting lines regarding risk management organised in your company? (Which reports / files / info are reported to which internal groups (board, senior management, whole organisation) and on what time basis?)

Everything is organised in our CRM system on Office 365.

At board level, who evaluates the reports on ERM? Is there a risk, audit and / or other committee present in the organisation?

This depends on the degree of the risks. The board of directors at group level. At national level or per subsidiary, the executive board.

a) What are their main tasks?

Answering questions and evaluating various matters. They also always do a risk matrix check (from peer-to-peer sessions).

b) Do you consider them as the leading authority of ERM? Yes.

c) What information / reports are provided to the board?

General management info, a legal and insurance review and the risk matrix.

d) How often? For all tenders.

e) Enough independent external board members? Yes.

Is there outsourcing of any ERM activity, role or responsibility?

Under no circumstances.


8.9 Interview Company G

ERM presence and development

Does your organisation have a formalised ERM programme to manage risks?

Yes, there is a formalised approach. It is open to improvement, but it has nevertheless largely been implemented.

When did your company start with enterprise risk management?

That was years ago, but I cannot attach an exact year to it.

Who / what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

Actually this was a combined consequence of the changed regulation on the one hand and of the market, as the requesting party, on the other.

How (effectively) is your company dealing with the identification – analysis – control of the various risk categories?

I would dare to label the current stage of the process as fairly effective at various levels. Admittedly, there is still some room for improvement, especially at the strategic level. Not enough back-up is always done there. The process is mainly production-oriented.

Do you feel that ERM adds value? How?

It not only adds value, I also see it as an absolute necessity. The risks have become very large and complex. They also have bigger consequences, so ERM fits within a logical development. I cannot determine an order of magnitude for that.

The risks must be ranked domain by domain according to their importance. Production stoppages, environmental problems, sustainability risks with respect to employees, … are equivalent risks, all of which are equally important.

Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description indicating to what extent risks may be taken in order to achieve objectives?

There are policies that indicate the various roles and their responsibilities. Each affected domain has a proper description of the risks, the roles and responsibilities, for example with regard to the environment, facilities, …

How do you plan to further develop ERM and let it grow within your organisation?

ERM will continue to grow in importance. Just look at the current changed regulation regarding GDPR and the consequences this brings for an organisation. The current evolution shows that ERM is becoming more important.


Leadership in risk management / risk management structure

Who is the leader/primary person responsible for risk management in your organisation? What are the main tasks?

The General Executive Council. This body bears a great final responsibility if things go wrong.

Which board and C-suite members have a role in the organisation's risk management? What is their role?

Within the GEC every function is represented. They also advise the board of directors.

Which specialised units (ERM support units, operational risk groups, finance, legal affairs, environment, safety, ...) exist to help with the development of ERM?

Is there a centralised group or person who collects information from operational managers or business unit managers?

The GEC is the steering body in this, which takes strategic and operational decisions. That body reports to the board at the general meeting. This translates down to the lowest level. Within our organisation we have four levels: Group, National, Regional and Site.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

We have various ISO certificates, which are followed up by them. They check the efficiency of the business processes and look for points to improve.

Are there any other functions that support ERM?

Internal audit, the treasury department, Environment Health and Safety, production, … Every aspect is represented. We go quite far in that.

How are the reporting lines regarding risk management organised in your company? (Which data (reports / files / info) are reported and communicated to which internal groups (board, senior management, the whole organisation) on what time basis?)

Reporting often depends on the possible consequences. Certain matters are reported quarterly, as is my financial department. In addition, there are other matters that are only reported annually, for example regarding Production. Finally, there are also exercises that are only done every so many years.

At board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation?

a) What are their main tasks?

I am part of the board, so actually only partly. With respect to the board I mainly evaluate financially. No fixed calendar. So at group level yes, locally no. There is a clear distinction.

b) Do you consider them the leading authority on ERM?

The GEC and the audit committee must together be considered the leading authority on ERM.

c) What information / reports are provided to the board?

Risk analysis, re-evaluation of certain documents. This is to allow an annual update.

d) How often?

I think quarterly.

e) Enough independent external board members? Yes

Is any ERM activity, role or responsibility outsourced?

For risk management there is no outsourcing, but at the start of the programme in-house consulting was requested.

8.10 Interview Company H

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

As a direct consequence of our stock exchange listing, we are obliged to do an ERM exercise. Here the top 10 risks are identified and consolidated per division for the various entities of the group. Interviews with the more senior managers of the company give a picture of these risks. Someone in my team coordinates everything. The biggest risks are identified, among other things, on the basis of their likelihood and impact. Then the possibilities are examined to limit those risks where necessary. Action plans are also drawn up. We always have to align this with the available budget. This exercise is rather static and takes place annually.

For me personally ERM is more dynamic, in the way we also usually manage risks within our department. Let me explain this a bit further. ERM uses the input of our day-to-day framework. We are a utility organisation. We have long-term positions in various things such as gas, electricity and nuclear (GEN). So we mainly manage market risk. We really trade to limit this risk, in consultation with the other business units. Through financial instruments we create stability around revenues. This helps for credit and for the confidence of many other stakeholders. Both the internal and the external business risks are managed and optimised. Key risk-takers make scans; they update and align with the budget. ERM is used in that way within that exercise. What we do is much more dynamic. We are active on financial markets to place this. To create stability, even while prices change. Competition also has an influence on this. For this we work with eligible counterparties and thus not with private individuals.

When did your company start with enterprise risk management?

Almost 20 years of active risk management, ERM also for a very long time. Within risk, which is after all a young sector, we have many young people and so it is a young affair.

Who / what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

Sound Risk Management practices are first and foremost triggered by common sense. Risks must be actively managed. Top management wants certain assurances about that. We transfer market risk to credit risk. Buying and selling on the basis of hedging. Avoiding open positions. With us, we transform market risk into liquidity and credit risks. This happens through margin calls, namely the exchange of cash to manage the liquidity risk. It is, as it were, a triangle between those three. The ENRON scandal was a big trigger for our risk management. Regulation also plays a role.

How (effectively) is your company dealing with the identification – analysis – control of the various risk categories?

Recently there is a new strategy. Under it, no more than 15 percent may be subject to market risk. So you can say that we are actively engaged in risk processes. We try to manage the volatility.

Do you feel that ERM adds value? How?

Of course. By demonstrating better risk control, we enjoy, among other things, a higher creditworthiness.

Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description indicating to what extent risks may be taken in order to achieve objectives?

We receive mandates. Of course the risk can never be zero. In my department those mandates are often expressed in terms of variance. They clearly indicate the boundaries, roles and responsibilities. These policies must be respected at all times. We also grade limits at various levels to ensure that we stay within that appetite.

How do you plan to further develop ERM and let it grow within your organisation?

Mainly through digitalisation and launching apps, etc. Currently there are too many recurring and manual tasks. Figures and other data need to be analysed even better. We mainly want to push for automation and digitalisation. We will do this by investing in certain systems. That is the current development trend.

Leadership in risk management / risk management structure

Who is the leader/primary person responsible for risk management in your organisation? What are the main tasks?

All together there is an entity of 800 employees here, of which a good 100 people are in the risk department. The CRO is at the head. Below that there are various departments and teams. For example, there is also a credit risk division, which mainly deals with due diligence. About 20 credit analysts work on this, just like at banks. There is also a second team for market risks. They do hedging and control the variance. A third team builds the methodological pricing models. Yet another team takes care of product integration and project implementation. This mainly involves strategic business analysis. And then there is my department: operational and transversal risks. With me everyone is a risk manager. These divisions all fall under the responsibility of the CRO.

The tasks of the CRO consist mainly of monitoring all departments and ensuring that everything and everyone stays within their mandate. Being both proactive and reactive. He also often has to set limits. For operational this is more of a controlling and advisory function (more for deals, looking at whether we need a bank guarantee or hedging).

Which board and C-suite members have a role in the organisation's risk management?

This is complex because of the various entities. Certain branches each have their own board and Audit Committee. EXCO is also responsible. In addition, there is also a separate Risk Committee that meets every two to four weeks. This committee discusses all risks from EXCO and consists of about 20 members, occasionally assisted by a few relevant invitees. They have a controlling function for the frameworks and the mandates. The chairman (CEO) has the difficult task of aligning different visions. Especially with big deals there is more discussion.

Which specialised units (ERM support units, operational risk groups, finance, legal affairs, environment, safety, ...) exist to help with the development of ERM? See above.

Is there a centralised group or person who collects information from operational managers or business unit managers? Not really.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

In principle the work is done independently. The word "cooperation" is an exaggeration, yet we are involved in it and help to draw up their information. Once a year we meet to examine the identification of the risks and to determine which should be looked at more closely. This is looked at several times a year, but that one time very structured. In the case of erroneous bookings, an audit is usually done.

Are there any other functions that support ERM? See above.

How are the reporting lines regarding risk management organised in your company? (Which data (reports / files / info) are reported to which internal groups (board, senior management, the whole organisation) on what time basis?)

In any case, the board, including the audit committee, as well as senior management must receive information on a regular basis. At group level too. For risk this happens via the risk committee; depending on the level, they look at this information in detail. Digital reporting, both for the committee and individually, is now the trend. In that way, for example, a trader has at all times a good view of the risks taken and his limits. Traders in particular know this well, to see where they stand and certainly to respect the mandates. Operational people have a view of their risks, but there is little communication upwards about this, and this is also of little importance. Global communication may perhaps be necessary but requires a lot of effort. We must also always ensure that the competition is not informed.

At board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation? See above.

a) What are their main tasks?

b) Do you consider them the leading authority on ERM?

c) What information / reports are provided to the board?

d) How often?

e) Enough independent external board members?

Is any ERM activity, role or responsibility outsourced?

No

Was it the organisation itself that attracted you, as a financial profile, to raise the level of their risk management?

Correct. I did Capital Management around regulatory topics. At the time there was already an operational risk entity, which has to comply with regulation such as BASEL. Via headhunting they then came to me because I have a certain expertise in this. In this company too, my function is very financially oriented.

8.11 Interview Company I

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

There is no document as such, but recently we have really been actively working on this.

The Risk & Compliance department, led by the R&Com Director, handled Risk Management split into 4 areas, namely SOx (mainly relating to financial reporting), Revenue Assurance (they ensure, among other things, that all revenue from consumption abroad is captured), Fraud and Security (tasked with securing all identified data).

The management of cyber risks does not fall under this, however; it is managed by another department, responsible for IT. This department is a pure second-line function within the 3LoD model and therefore has no operational responsibilities. Until recently there was no specific ERM mandate within this department. It was only handled when the audit committee asked questions. So the support is minimal. Here too, this is not well developed due to a lack of time.

When did your company start with enterprise risk management?

A first attempt to initiate ERM within our company came in 2014. However, this initiative quickly died out. In 2016 we made a new, ambitious attempt within our department to start ERM, again without success. At the beginning of this year we finally succeeded in drawing up a kind of official ERM programme. We are currently in the first phase of the road map that was drawn up, so the implementation is certainly not yet fully in place.

Who / what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

The trigger for starting ERM within the company came from the leadership, more specifically the Senior Leadership Team. Sufficient support from the top to implement ERM is of great importance! Yet they themselves are not (or too little) involved in it. The board really has to be convinced of the added value that ERM can offer. The audit committee, however, was already more actively involved in risk management and had designed a mandate last year to tackle this topic. This was a great support for our department to trigger the SLT and convince them of the importance of ERM.

Moreover, after the takeover by the new main shareholder and audit, there was greater interest in starting ERM. A specific ERM & Audit Liaison manager was therefore appointed, who can devote more time to this and has ERM as his main task. Previously ERM was only handled on the sidelines, on top of the other work, and as a result both the persuasiveness and the broad basis to take it to the SLT were lacking. The SLT is now showing interest; you can feel that this now clearly comes up in the meetings. The increased interest is a direct consequence of the fact that we can now devote more attention to it ourselves.

How (effectively) is your company dealing with the identification – analysis – control of the various risk categories?

All these areas are already being tackled fairly well, but within the framework of ERM clearly still insufficiently. The R&C department is actively working on this. Recently, in consultation with other departments but mainly by ourselves, we developed a methodology to make this process run more smoothly and in a better structured way. On the one hand, we intended to establish common definitions; on the other hand, we wanted to define the various parameters that must be taken into account and other guidance tools (e.g. impact/likelihood, at what level documentation takes place, …), which promote a more effective methodology. It is always up to the specific department to decide whether or not they will apply this methodology.

Strategic: at the strategic level it is of course the board and the SLT that set out the short- and long-term objectives. It is up to the various Lines of Defence to contribute to achieving them.

Financial: For this there is, among others, the SOx department, which strives to be in line with the Sarbanes-Oxley legislation, which is based on a great many financial reporting principles. This gives us a head start on companies that do not apply this law within their organisation.

Compliance: Since 2016 a specific compliance function has been set up. This has advanced proactivity in this area. Before that there was more of an ad-hoc approach. Since the recent reorganisation, a Compliance mandate on the one hand and an ERM mandate on the other have been established. Compliance already existed, but not as extensive and proactive.

Operational: risk identification, risk analyses and control mapping take place with us. Control gaps are discovered and action plans set up, among other things for fraud. Other domains, such as health & safety, privacy (information security) and business continuity, currently still each carry out their own procedures for this exercise.

Do you feel that ERM adds value? How?

Within our department we are firmly convinced that ERM can add value. It is now up to us to prove that. For example, we are currently working on a holistic approach to identify and assess top risks across the entire organisation and report them to the SLT. This happens every quarter. We also strive to align our approach with their way of reporting. It must be part of the whole; this is mainly easy for reporting to the audit committee, but it must also be supported within the company.

Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description indicating to what extent risks may be taken in order to achieve objectives?

It is of course discussed and also communicated, but there is no statement that can be referred back to. I fully support the formalisation of ERM, but we have to work fairly pragmatically and often first implement certain programmes or formalised systems in a rather hidden way, without involving Senior Management. By this I mean that we do not explicitly name this beforehand or ask too many questions about it, but rather implement it in cooperation with the other teams from the 2nd line and then report to the SLT. We want to see the results. Communication runs more smoothly with those second-line teams; you cannot talk about that with senior management. For that reason it has to be approached differently: implement first and only then show what has happened. This rather pragmatic way works better than explicitly naming and questioning it with senior management.

How do you plan to further develop ERM and let it grow within your organisation?

It is a big challenge to get ERM embedded in the day-to-day business. If we really want ERM to evolve positively and to add value, then it must also be able to form an integral part of the reporting from the top. We are currently fully engaged in this. It is especially important that the perception changes from a mandatory periodic exercise to integration into daily decision-making. With the various teams communication can be much better; with the SLT you should not discuss this too much, as they are mainly interested in the results.

Leadership in risk management / risk management structure

Who is the leader/primary person responsible for risk management in your organisation? What are the main tasks?

I could designate the R&C director as the primary person responsible, but in practice, specifically for the new ERM branch, it is the ERM & audit liaison manager who is responsible.

Which board and C-suite members have a role in the organisation's risk management? What is their role?

The biggest roles in this are reserved for the CEO and the CFO. The CEO is responsible for the day-to-day management of the entire company and therefore automatically also for the risks his company carries. The CFO in turn has a major role, given that the results of the 3LoD are reported to him by the R&C director. He is responsible for communicating these results to Senior Management (SLT) and thus also to the CEO, who in turn reports to the Board of Directors. Nevertheless, every member of the SLT must report certain risks to the rest of the SLT as they occur (ad hoc).


Which specialised units (ERM support units, operational risk groups, finance, legal affairs, environment, safety, ...) exist to help with the development of ERM?

Various groups in the second line, such as health & safety, business continuity and privacy, support the development of risk management. However, when we speak specifically about ERM, it is mainly the Risk & Control department, and in particular the ERM & Audit Liaison Manager, that promotes this development. This function was only recently created, not by developing an entirely new function or entity, but by writing a mandate that deals with this. Within a few months he will also be assisted by a full-time employee in fulfilling his role and responsibilities.

Is there a centralised group or person who collects information from operational managers or business unit managers?

The information from the first line is collected by the various departments in the second line, but no centralised unit has been set up for this.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

There is a very close interaction. The ERM & audit liaison manager currently has a dual function, namely ERM on the one hand and, on the other hand, aligning the Internal Audit function with the second line and senior management. Since internal audit is outsourced, there must be someone who coordinates these people in their tasks. Previously this was the task of the director Risk and Compliance; now an additional person has been mandated to form the link between audit and management. This dual mandate is challenging but not impossible. Assistance is also on the way to take over part of the tasks or to help with them.

Are there any other functions that support ERM?

We have not yet discussed the Regulatory and Controlling department, where for example a function for the new GDPR regulation was recently created. They too are involved with risks in a certain way.

How are the reporting lines regarding risk management organised in your company? (Which data (reports / files / info) are reported to which internal groups (board, senior management, the whole organisation) on what time basis?)

In the first line various risks are identified and analysed. The corresponding results are also incorporated into ours (second line). We are responsible for monitoring and evaluation. Within our R&C department, 3 sections can be distinguished: the ERM branch, a Compliance branch and a third branch, namely revenue and fraud. These three report to the director of our team. That is as far as the 2nd line is concerned. Of course Internal Audit also plays a role in this. There is close cooperation with them. We prepare the reports; the director explains them to Senior Management. This is mainly the CFO, but it can also be the entire entity. Via the CFO or the SLT it thus also reaches the CEO, who in turn reports to the board of directors as well as the audit committee.


Is the 3LoD model known and clear to the various risk owners within the company?

Within the entire second and third line this is often known; in the first line this distinction is less clear. This is because the managers at operational level come into contact with it less. We point the SLT to the difference between the various lines, but they are clearly less actively involved with it and during reporting they sometimes even confuse us with Internal Audit.

At board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation? In the first instance the audit committee.

a) What are their main tasks? Within risk management their main task is discussing the company's risk profile and risk appetite. Together with the rest of the board they mainly have a supervisory function. The CFO often assists them in meetings. The previous CEO usually attended these, the current one no longer does.

b) Do you consider them the leading authority on ERM? Yes.

c) What information / reports are provided to the board?

On a quarterly basis the risks, the action plans carried out and the like are reported to them.

d) How often? Four to five times a year.

e) Enough independent external board members? Certainly, only the CEO is not.

Is any ERM activity, role or responsibility outsourced?

Yes, Internal Audit has been outsourced to our main shareholder for a few years; before that the audit was carried out by the Big 4.

The advantage of this is that, by embodying the internal audit function of the entire holding, best practices surface faster and are applied in the other units.

The disadvantage is that these people have less feeling for the company. To tackle this problem, a specific audit liaison function was initiated. This function follows up all audits internally, helps determine the scope of the audit plan, etc. They in turn do all the fieldwork. When they come with draft issues, for example, I am always there to challenge them. This also forms the bridge between senior management and the third line. Since April the follow-up has also been done by us. We can recommend that an issue be closed, but they close the issue and remain responsible for it. We are also responsible for determining the audit plan. At the end of this year I will get support from a new full-time colleague who will thus also deal with ERM and Audit. Right now my set of tasks is challenging, but not insurmountable.


8.12 Interview Company J

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

Yes. We have a formalised ERM system in place. The risk management framework is based on different international risk management frameworks, such as ISO, COSO and others that can be found in the documentation on RM (AS/NZS 4360, British and South African Corporate governance reports and FERMA’s RM standard). Our framework is in line with our mission and the objectives that have been set out. Having a framework based on a lot of leading documents as well as recommendations of consulting firms allows the application of best practices.

When did your company start with enterprise risk management?

The first ArcelorMittal Risk Management Handbook was issued in 2009, so Enterprise risk management started at least 10 years ago.

Who / what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

The implementation of an ERM-program was initiated from the ArcelorMittal Group Management Board. Our current environment is becoming more and more volatile and uncertain. It is our vision that an effective risk management system, well understood and applied, will help us to deal with uncertainty more efficiently. Such a system can only work when it is part of the ArcelorMittal culture and of our DNA. Our risk activities are not separated from the daily management tasks, but they are embedded within the business and the decision-making processes. Also, more and more regulations worldwide require an ERM-program. Even some Credit Rating Agencies include in their ratings an ERM review.

How (effectively) is your company engaged with ERM processes?

The purpose is to increase the chances of achieving our objectives, by reducing the numerous risks that affect the results of our business. Therefore, we have a process as part of management activities. All activities of the process cycle (identification, analysis & assessment, response and monitoring) are completed and each aspect is necessary for an effective RM. This cycle is in our organisation also referred to as the Plan-Do-Check-Adjust cycle. In the risk identification we look at what could happen, both positively and negatively, and the results of this step are listed in the risk register. In the assessment we look at the potential impact and likelihood of identified risks and the interrelation between them. In the next step - the risk response - we see whether the assessed risk should be accepted, reduced, terminated or transferred. The monitoring phase is a follow up of the risks. This cycle is integrated in our daily activities.

Do you feel that ERM adds value? How?

Yes of course it has added value. It helps in maximising opportunities and in minimising uncertainty.

Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description indicating to what extent risks may be taken to achieve objectives?


The risk management policy is clearly stated, yes. Not only is it widely documented and formalised, it is integrated and very effective. Different methods to reach this effectiveness are in place. We assure management is placing RM on the meeting agendas, there are self-assessments and peer reviews, and so on.

How do you plan to further develop and grow ERM in your organisation?

ERM at our company is today already quite advanced. I am not aware of any plans for expansions. If these would come, they would be initiated from the Group Management Board.

Leadership in risk management / risk management structure

Mission of Corporate Group Risk Management: “The risk management function, under the leadership of the General Management Board (GMB), facilitates the process, proposes the risk management framework and an adequate organisation structure and prepares the reporting documentation.”

Is there a leader in risk management in your organisation?

This is the Risk Management Committee of the Board of Directors. They support the board in monitoring and reviewing the RM framework and process. They also help to achieve their oversight and governance responsibilities. They are responsible for reviewing and outlining recommendations on different issues regarding the RM framework, process, audit et cetera.

Which Board and C-suite members have a role in the organisation's risk management?

First of all, we have the Management Board, consisting of:

• CEO: is ultimately responsible for putting in place an effective Risk Management system within the organisation.

• Group Management Board

• Group Risk Officer (GRO)

• Group Risk Management Committee (GRMC)

Further, there are different Business Units, Segments and Corporate functions with an operational role:

• CEOs and Management Committees

• Risk Officers (typically the CFO, but not necessarily). They should be appointed by the segment CEO

• Risk Owners: a risk owner is the person with the authority and accountability to take decisions about the risk response: take, mitigate, transfer or avoid the risk;

• Each manager within her/his area of responsibility

• Risk Management Correspondents/Coordinators (so-called Managers of the Risk Management process)

Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help develop ERM?

Different teams, such as the Group Risk Management, Group Treasury, Asset Risks Management and Risk and Insurances Management teams support ERM development. However, all risk management activities in other departments such as Health and Safety, Operational Risk Management, Corporate Responsibility, Environment, Human Resources, Insurances, IT, Legal Affairs, Mergers & Acquisitions, Marketing, Operations, Procurement, Projects, Tax and Treasury are also supportive and play a role in the process.

Is there a centralised group or person that collects information (for example residual risks) from operational managers or business unit managers?

For this role we have the risk management function. He facilitates the RM process, prepares the reporting documentation and supports a good structure and framework.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

Before I was appointed as Risk Manager of the Business Division North, I was the Head of Internal Audit. The role of the auditor is to provide independent assurance that different processes and systems are functioning as intended. There are several discussions between both our roles to assure risk-based auditing.

Can you indicate whether further risk / process owners have been assigned and how the right risk owner is appointed for a given risk category or type?

The segments and corporate functions are responsible to operate a risk management system consistent with the Group risk management process, to develop appropriate risk management guidelines for their respective businesses and providing adequate information.

At least once per quarter the Cluster Risk Manager has a risk meeting with each head of department. During this meeting the existing risks are updated, and cluster risk managers facilitate the process of identification of new risks (e.g. incidents that happened at other clusters, points raised in audit reports of the cluster or in other clusters, …). When a new risk is identified, a risk owner is immediately appointed. The risk owner is generally appointed by the concerned head of department.

How are the reporting lines regarding risk management organised in your company?

To achieve this objective, we adhere to the following core principles:

Effective risk management process: The Board has overall responsibility for ensuring that we maintain an effective risk management process.

Everyone’s commitment: Each manager must operate a risk management system consistent with the corporate requirements within the organisation he/she runs.

Proactive leadership: Risk identification (including identification of the risk of lost opportunities), risk assessment, risk response and risk monitoring are ongoing activities and form an integral part of the daily operations, management and decision-making processes.

Risk Culture: Informed consistent risk-related decisions are taken; non-compliant behaviors are not tolerated, and risk management is dealt with professionally.

Transparency & compliance: Regular reports about the risk management activities, the most significant risks and the material failures in mitigation measures are escalated through the reporting line to the relevant levels of Group management structures.

Risk management is a continuous process and the risk register, which is stored on a secured SharePoint, is updated continuously. Each cluster risk report is presented to the cluster management committee on a quarterly basis. The cluster management committee approves this quarterly risk report. After this approval, there is a consolidation at Business Division Level, with a formal approval of the CEO of the business division. Then there is a further consolidation at the level of the Segments and afterwards to Group level. The Group risk report is presented also quarterly to the Group Management Board.

At Board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation?

Internal Audit (part of Internal Assurance) provides a continuous assurance on Risk Management effectiveness, therefore they perform internal audits on the ERM.

There is also the Risk Management Committee of the Board of Directors. The Risk Management Committee of the Board supports the Board of Directors in fulfilling its corporate governance and oversight responsibilities with the monitoring and review of the risk management framework and process of the Group.

a) What are their main tasks?

The main purpose of Internal Audit - with respect to risk management - is to provide continuous assurance on the effectiveness of the ERM. For this they perform internal audits on the risk management functions in the different clusters.

b) Do you consider them the leading authority for ERM?

The leading authority is the Risk Management Committee of the Board of Directors.

c) What information / reports are provided to the Board?

Quarterly risk reports.

d) How often?

Once per quarter.

Is any ERM activity, role or responsibility outsourced?

The actual risk management is internal. Of course, some of the inputs come from external parties, such as:

- external auditors;
- risk engineering surveys led by Group Insurance Department, in cooperation with insurance companies;
- results from ISO audits;
- …


8.13 Interview Company K

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

I would not dare to speak of a formalised system. There is a certain system in place, but it is not very formalised. There is clear growth of ERM within our company, but at present it is rather a light version.

When did your company start with enterprise risk management?

We started with this 2 to 3 years ago. Year after year more attention is paid to it and it is expanded.

Who / what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

This was a combination of several factors. The Audit & Risk Committee was certainly an important trigger in this. In addition, from my perspective as Global Audit Manager, there was also a certain triggering. For a risk-based audit planning it is necessary that the biggest risks within the company are known. Without this identification it is not possible to achieve this within an audit. Finally, I think regulation was also a trigger. ERM is (especially within corporate governance) a concept that has clearly been on the rise in the last three years. As a result, many companies have jumped on it. There was also more demand from various stakeholders, about which we, given our reputation as a listed company, must be able to inform in some way.

How (effectively) is your company engaged with the identification – analysis – control of the various risk categories?

The whole process is now in place. Identification is done on the basis of interviews and other bottom-up methods. For the analysis we often do a scoring to rank the risks by importance. We also analyse the identified risks via other analyses. For control, we look at which action plans already exist and whether additional measures are needed. There is also a risk map that always serves as a guide.

Do you feel that ERM adds value? How?

ERM helps to set the right priorities, in the sense that a number of projects have been set up, or at least moved up the agenda, as a result of the big risk exercise.

A larger budget has also been freed up for it. If a major risk is identified and we notice that (too) little is being done about it, extra resources can be allocated. In this context it is also important that this exercise always takes place just before the budget exercise. In that way ERM certainly adds value. Everyone looks at risks differently. Even within our senior management some individuals are risk-averse and others perhaps not at all. By putting ERM on the agenda and bringing these different risk appetite profiles within the company onto the same wavelength, it becomes necessary to discuss the inherent risks and the overall appetite through dialogue. Such sessions get everyone on the same page.


Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description indicating to what extent risks may be taken to achieve objectives?

With us there is rather an identification, which is then discussed with the entire senior management to arrive at the risk appetite by consensus. So there is a certain description of the biggest risks and some roles are documented, but our ERM process has not advanced to the point where the risk appetite is also on paper. The risk appetite formation still lacks some maturity. The risks are identified at the different levels (group, division, local) and ultimately it is up to senior management to discuss whether or not they are accepted.

How do you plan to further develop and grow ERM in your organisation?

A follow-up tool or software could certainly promote the development of ERM. For now this is mostly done in Excel and PowerPoint. Such a tool would greatly improve the follow-up of the action points and the link between these action points and the risk analysis carried out. At present there is no feedback yet to certain local levels, nor reporting to the whole organisation. Someone who is not involved in the action points will also not be aware of them. That needs to be worked on. On an annual basis I spend only 10% of my time on ERM. Beyond that we do what is possible, but nobody else has time to be more occupied with it. An extra function would be a great help here, but I think everyone could use extra assistance, so this is normal.

Leadership in risk management / risk management structure

Who is the leader/primary person responsible for risk management in your organisation? What are the main tasks?

For the process itself I, as Global Audit Manager, am the most responsible. My function is twofold: I am responsible for IA and for leading that team, but I am also responsible for risk management. Since we started, more and more people have become involved. I am responsible for the follow-up and control of the process, but I am not an actual risk owner. In 2015 a specific Internal Control function was set up. Previously this was part of my duties, but it could no longer be managed. A steering committee has also been set up for the Compliance function. The function is thus embodied by the Local Compliance Coordinators, Head of Compliance, Legal Compliance Manager and a Compliance Steering Committee, consisting of:

- CFO,
- COO,
- Group HR Director,
- Group General Counsel and
- Head of Compliance Manager.

They meet regularly and report directly to the Board of Directors.


Which Board and C-suite members have a role in the organisation's risk management? What is their role?

The Audit & Risk Committee is there to provide RM oversight. From the C-suite there are meetings in which every member is present and everyone gives a scoring. That is how we arrive at a final scoring and discuss the top risks in order to set up action plans.

Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help develop ERM?

Legal, Finance and Compliance also help in the analysis and mitigation of risks.

Is there a centralised group or person that collects information from operational managers or business unit managers?

This is done via the Quality Managers. For their ISO certification all plants have to do a SWOT analysis from which the risks are extracted. That is how we collect relevant items that are of value to the whole organisation. Material risks at group level are also identified.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

We have frequent contact. For example, the compliance function is one of the groups interviewed during the risk exercise. Furthermore, we in audit collect information at important events. They are also closely involved in the annual exercise.

Are there any other functions that support ERM?

Everyone is naturally occupied with risks. The whole management does risk analysis in some way. Everyone preventively draws up a number of 'what if' scenarios, without this being formally documented or described as scenario planning as a tool that many risk owners apply.

How are the reporting lines regarding risk management organised in your company? (Which data (reports / files / info) are reported to which internal groups (Board of Directors, senior management, whole organisation) on what time basis?)

In the big ERM exercise, senior management is mainly responsible. They go through the whole exercise and are heavily involved. The Audit and Risk Committee is reported to twice a year: a first time just after the risk exercise, a second time 6 months later to review the status of the action plans drawn up. In terms of feedback or communication of the analysis results to the whole organisation, further steps can still be taken.

I organised and developed a 3LoD model when I started here, mainly to describe and communicate how risks are viewed. This is not something that can be rolled out, but on the other hand it has already proven its usefulness. For example, a while ago there was an acquisition of a company with a less developed second line. Here the 3LoD model written out four years ago was useful, especially to create more clarity.


At Board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation?

There is an Audit & Risk Committee, with the Corporate Finance Director as secretary.

a) What are their main tasks?

Review of those involved and their responsibilities within RM. Otherwise see above.

b) Do you consider them the leading authority for ERM? Yes.

c) What information / reports are provided to the Board? See above.

d) How often? Formally twice around the risk exercise (e.g. action plans), but every session (min. 4 per year) deals with risks ad hoc. My audit reporting is also a form of risk identification. Every meeting deals with risks in some way.

e) Enough independent external Board members?

Is any ERM activity, role or responsibility outsourced?

No.


8.14 Interview Company L

ERM presence and development

I will briefly explain the structure and activities within our organisation before we go through the questionnaire. At the highest level we have the Board of Directors. Our board is very diverse, which is also important in order to obtain different insights.

Within it there is, given our mandatory stock exchange listing, an audit and a remuneration committee.

The audit committee is where the number crunchers sit. The Board receives very extensive management information, also with regard to risks. They are formally reported to 4 to 5 times a year, as is the Audit Committee. At management level we have no formalised ExCo.

We meet weekly with management. Here too, strategic and company-wide risks are discussed. Audit is there as well, but both the statutory auditor and internal audit are outsourced.

We are a project developer. We are a fast-growing company, as shown by the expansion into other geographical regions. We will soon start projects in two new countries, after which we will be active in 8 countries. We have 65 employees in our company, which is already quite a lot for a project developer. It is a lean and mean sector; many things are outsourced, which is why we do not have 1000 employees in our organisation.

As a project developer we mainly deal with commercial risks. We start a project and within it everything has to be sold, otherwise the costs are not covered. We therefore cannot afford mistakes in this and must always properly assess the success of a project.

Does your organisation have a formalised ERM or GRC programme to manage risks?

I would not dare to call our programme completely formalised at the moment, but given our structure and business this is not necessary either. As a project developer we are relieved of a great many risks by outsourcing, among other things, a large part of the execution phase of a project. On the other hand, we always carry a major commercial risk. We have to try to sense in advance, via projections and the like, whether a project will be successful or not. With 65 people employed we are already a big player in the market. Still, this is not comparable to a company with thousands of employees. There, the need for such programmes is much greater.

When did your company start with enterprise risk management?

In 2009 risk management was followed up more actively and a better structured approach emerged. For example, since then a separate document has been attached to the reporting with the aim of giving the Board of Directors a better view of the current company-wide risks. This document also shows how we want to tackle these risks and ensures that the Board automatically takes the risks into account more. We took our inspiration from COSO 2013. With an issue and prospectus there is always a risk debate.

Are specific risk owners then also designated in this debate?


Yes, but not per risk. Within management there is someone who takes on this allocation. This does not imply that other members involved have no responsibilities here or need not take them on. The Board is also sometimes informed of this. The CFO is 'risk owner' with regard to the correctness of publications.

Another example is exchange rate risk. It is difficult to designate a real owner for this, but there are possibilities for hedging. This function is fulfilled by the CFO.

Who / what was responsible for triggering the initiation, implementation and expansion of your ERM programme?

The publication of the Corporate Governance Code in 2009 largely triggered this. It contained some recommendations regarding risk management and this prompted us to apply them. I believe the update of the CGC with the latest developments is coming soon. This will again provide new insights and may lead to a reflection on the current approach.

How (effectively) is your company engaged with the identification – analysis – control of the various risk categories?

I believe we are already dealing with risks in a good way. The document in which all identified risks should be mapped out plays an important role in this. It can always be referred back to. Of course this document will not change fundamentally every year. Certain risks are sector-specific and present for everyone in our business. For company- or market-specific risks there are of course more changes. As CLO I take care of updating this document in cooperation with the CEO and CFO. In addition, the Board of Directors and its Audit Committee share the final responsibility and Internal Audit also participates. For the Board, the risk assessments are especially important. These influence their decision-making and support it at the same time. Every new project must be approved by this body.

Do you feel that ERM adds value? How?

Company-wide risk management undoubtedly adds value. We just talked about the document that lists the risks the organisation carries. It seems to me a necessity to materialise this list concretely, but that is only the beginning. Once this is done, fine-tuning can take place. It is, as it were, holding up a mirror and seeing where things can be improved, or in this case, where more or less risk should be taken. This risk-return offset must be in balance so that on the one hand the risks are under control, but on the other hand enough risks are taken to achieve the stated goal and the targets. There is no linear relationship between them, but there is a link. The document is enormously supportive. ERM also regularly puts the topic of risk on the agenda, which is an important added value. It helps to think in a structured way in this context and to develop clarity in that structure.

Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description indicating to what extent risks may be taken to achieve objectives?

A feasibility study is drawn up for each project. It checks whether or not the project will be a success by regularly drawing up quantitative projections to gain insight into the possible costs and revenues. All basic risks are framed in this. Of course these are always only estimates of reality. After this it must be decided whether to proceed with the project. The purchase of the land is often the point of no return. Once this purchase is completed, a lot of money has already been invested and it becomes expensive not to proceed with the project. It is always the Board of Directors that has the final decision-making authority to approve projects or not. They thus determine the appetite and tolerance levels. The big advantage of our organisation is that we have a very stable structure. The shareholder structure, the Board as well as management are very stable and there is little staff turnover. This is a big advantage because the risk philosophy, appetite and tolerance are thus clear and known to all members. Through the close and long-standing cooperation a certain culture has been created in which everyone is aware of the riskiness of our business. A certain awareness has thus been created within the board and management. I myself, as secretary of the Board of Directors, like other members of management, am often present at board meetings. This is necessary because when a new project is presented or an update has to be given on the progress made, you cannot put that whole feel for a project on paper. At meetings this is very useful to be able to debate it. In this way it is also clearer for the Board and it can better assess whether the project falls within the risk appetite.

How do you plan to further develop and grow ERM in your organisation?

The bigger we get, the more structure will be needed. This will lead to the initiation of a clear framework and controls. The stock exchange listing in particular means we have to pay extra attention to this topic, because RM affects the share price. Major risk issues are important, but their importance only becomes clear once they manifest themselves. On the one hand it is thus better to keep certain risks out of the spotlight; on the other hand it must be demonstrated that risks are actively managed in order to obtain a certain reputation and the trust of shareholders. Slip-ups must be avoided. This mentality must be in the DNA of the company. Developments in regulation create discussion and ensure permanent dialogue. In the last two years we have become much more international, which creates a certain dynamic in the risks. This will require extra staff, which will create extra risks and a need for clear guidelines that determine, for example, who may sign what and similar matters. At the moment things are going well. There is a need for a further continuous challenge of the managers. Through the audit programme, internal audit also plays a major role in this. Per risk topic they provide challenges that fine-tune the risks taken.

Leadership in risk management / risk management structure

Who is the leader/primary person responsible for risk management in your organisation? What are the main tasks? Ultimately the Board of Directors is always responsible. They take the difficult decisions, give the green light for projects, supervise the activities of management and set the objectives. Because of the long-term cooperation, management often senses itself whether or not a project will be approved.


Which Board and C-suite members have a role in the organisation's risk management? What is their role?

Mainly the CEO, CFO and CLO. With regard to risk management I perhaps have the most tasks or responsibilities, although such matters are usually in consultation with the CEO and CFO. We also meet weekly to discuss. These are often debates in which risks have to be assessed.

Welke gespecialiseerde eenheden (ERM-ondersteuningseenheden, operationele risicogroepen,

financiën, juridische zaken, milieu, veiligheid, ...) bestaan om te helpen bij de ontwikkeling van

ERM?

Hiervoor zijn wij te klein lijkt me. Bepaalde operationele managers ondersteunen verschillende

risicobeheersingsactiviteiten wel, maar in onze business zijn deze teams weinig aanwezig.

Is er een gecentraliseerde groep of persoon die informatie verzamelt van operationele managers of

business unit managers ?

Dit gebeurt door het eigenlijke ExCo. Ook hierbinnen voornamelijk de CLO, CEO & CFO.

Hoe nauw werken de mensen in uw organisatie die het meest verantwoordelijk zijn voor

risicomanagement samen met de auditfunctie?

De samenwerking met Externe Audit is vooral weggelegd voor de CFO. Bij de Interne Audit zijn er

meerdere partijen uit het management, die hiermee samenwerken. Binnen risicomanagement is IA ook een

adviserend orgaan, naast de ondersteuning die zij bieden in hun controlerende functie.

Zijn er verder nog functies die ERM ondersteunen ?

Kan niet meteen iemand vernoemen die hier actief bij betrokken is.

Dit is weinig van toepassing binnen de projectontwikkeling.

Hoe zijn de rapportagelijnen met betrekking tot risicomanagement georganiseerd in uw bedrijf?

(Welke gegevens (rapporten / bestanden / info) worden aan welke interne groepen (RvB, senior

management, hele organisatie) op welke tijdsbasis gerapporteerd?)

Wekelijks zit het management samen. Per project wordt via een assessment gekeken welke vorderingen

gemaakt zijn en welke stappen noodzakelijk zijn om de doelstelling te bereiken. Project managers helpen

hierbij, gezien hun inzichten op de werkvloer. Tijdens deze vergaderingen worden de risico’s en

opportuniteiten besproken. Daarnaast rapporteren de project managers ook ad hoc wanneer er zich een

risico manifesteert dat dringend beheerd moet worden.

Op bestuursniveau, wie evalueert de rapporten over ERM? Is er een risico-, audit- en / of ander

comité aanwezig in de organisatie?

a) Wat zijn hun belangrijkste taken?

Het audit comité verzorgt de financiële rapportering en de opvolging van het risk management, het

audit plan zowel intern als extern. Hun takenpakket verschilt in dat opzicht niet van andere audit

comités binnen beursgenoteerde bedrijven.

b)Beschouw je ze als de leidende autoriteit van ERM?

Ja, het audit comité is meer gericht op het risk aspect op het niveau van de RvB. Die RvB in zijn

totaliteit behandelt eerder de meer strategische en operationele zaken.

c) Welke informatie / rapporten worden aan het bestuur verstrekt?

A very extensive document with management information, which should contain all relevant matters they need to take into account. A lot of information is explained by management itself, because you cannot put a certain feeling about a project on paper. E.g. negotiations: how these are going is better explained face-to-face.

d) How often?

4 to 5 times a year.

e) Enough independent external board members?

There are 3 independent external members. Given that each of them plays a very active role, I consider this sufficient.

Is there any outsourcing of any ERM activity, role or responsibility?

Yes. Internal audit is outsourced. I have not experienced any disadvantage from this so far. On the contrary, through their experience within different companies and clients, an external firm offers a fresh look at our processes and the like.

8.15 Interview company M

ERM presence and development

Does your organisation have a formalised ERM or GRC programme to manage risks?

The term ERM is not used, but various frameworks are present. Since the financial crisis this has also been overarching. Before that there was a framework per type or per silo. The elaborations of these are always described. The building blocks were already there; after the crisis we went for a more cross-silo or integrated approach.

When did your company start with enterprise risk management?

Risk management has been around for a very long time, although a gear was shifted up after the financial crisis. As you know, we received government support after the crisis, which has since been repaid. There was too little communication between the different pillars and as a result we started working in a more integrated way after the crisis, which is more in line with what is meant by ERM.

Are certain risk owners also designated in this debate?

Who / What was responsible for triggering the initiation, implementation and expansion of your ERM programme?

On the one hand the crisis, on the other hand also regulation. Within management too, more attention is paid to this. We did not wait for regulation, but set out from our own conviction.

How (effectively) is your company engaged in the identification – analysis – control of the different risk categories?

There are all kinds of processes in place for identification. Every year there is a large risk exercise with interviews and other bottom-up methods. Here we look at what keeps our employees awake at night. In addition, we also scan the external environment. There are various assessments and analyses to make adjustments where needed. All of this is done very broadly and extensively and is also embedded in our strategy. I believe that we already handle risks in a good way.

Do you feel that ERM adds value? How?

It certainly adds value. Links are made where this was not possible before. Company-wide risk management undoubtedly adds value. It helps with strategic planning, for example.

Is the risk philosophy or risk appetite clearly stated in your company? In other words, is there a description indicating to what extent risks can be taken to achieve objectives?

It is determined together with the organisation and not only by the risk department. It is fully embedded in the strategic process. We look at the playing field within which we may take risks. The limits are clearly translated in this statement. It indicates how much risk you may take. Measures and limits are communicated at different levels.

How do you plan to further develop and grow ERM in your organisation?

Regulators such as external audit and the ECB help to bring pain points to the surface. There is a continuous adjustment of the frameworks. For example, the digital transformation is currently being actively developed. This will never be optimal, but I do not believe there are serious shortcomings. Reviewing and re-evaluating is necessary here.

Leadership in risk management / risk management structure

Who is the leader/primary responsible person for risk management in your organisation? What are the most important tasks?

Business unit managers for the actual control. Ultimately the Board of Directors is always responsible. They make the difficult decisions. The second line sets up the frameworks and the like.

Which board and C-suite members have a role in the organisation's risk management? What is their role?

Each has their own responsibility. There is, however, the specific Chief Risk Officer. Within the executive committee he must continuously question everything. The board has a Risk committee and an audit committee. The executive committee also has risk committees. But in the end everyone has to be involved in this. All of them come into contact with risks. Within the actual ExCo it is mainly the CLO, CEO and CFO who are involved.

Which specialised units (ERM support units, operational risk groups, finance, legal, environment, safety, ...) exist to help with the development of ERM?

There are teams that handle risk management at local level. Also at group level. There is group risk, group compliance, group legal. These are very numerous; Group Risk alone consists of more than 100 FTE. We have no view of that composition. They belong to the 1st and 2nd line.

Is there a centralised group or person who collects information from operational managers or business unit managers?

Locally in the business there is a local Risk manager. This is between the 1st and 2nd line. The local risk function collects this information and is attended by the local CRO. You cannot point to one particular entity; a great many people and teams are involved in this.

How closely do the people in your organisation who are most responsible for risk management work together with the audit function?

There is an external audit function, whose independence must always be preserved and guarded. They provide control, give advice and check that we are not doing duplicate work, which assures us that people are not needlessly bothered with extra work. Certain signals are passed on from risk to audit, but they choose what they take on. They also see what we do in an online tool and can act on it. Their approach is risk-based. Internal audit is an internal team and is not outsourced.

Are there any other functions that support ERM?

No.

How are the reporting lines with regard to risk management organised in your company? (Which data (reports / files / info) are reported to which internal groups (board, senior management, entire organisation) on what time basis?)

There are local processes and processes at group level. At local level these are copied from the processes at group level. All the information is summarised in a report and, after it has been discussed at local level in an executive committee and at department level, the findings from it also reach us at group level. For this we then have our own measurement and analysis tools. From this we again produce a report. These reports are delivered to the ExCo, the risk committee and the board of directors, in that order. In addition to the recurring reporting there are the periodic processes. But things such as risk appetite and risk scans are also discussed at all levels. Every month there are various topics relating to risks. Communication can also be very fast in case of urgent problems. These urgent matters often link to a part of the framework and are not really ad hoc. The reporting periods of the processes differ.

At board level, who evaluates the reports on ERM? Is there a risk, audit and/or other committee present in the organisation?

a) What are their main tasks?

There is both an audit and a risk committee. For risk, the risk committee has an oversight function, to ensure that RM is performed adequately and well. They advise the board after evaluating the risk function. In addition, they also look at the strategy for risk by verifying the limits and tolerance levels. Ultimately the board decides. The audit committee mainly takes care of the financial reporting, the follow-up of risk management and both the internal and external audit plan. In that respect their set of tasks does not differ from other audit committees within listed companies.

b) Do you consider them the leading authority on ERM?

Yes, the audit committee is more focused on the risk aspect at the level of the board. The board as a whole deals more with the strategic and operational matters.

c) Which information / reports are provided to the board?

See above.

d) How often?

Some monthly, others quarterly, others yearly.

e) Enough independent external board members?

Yes.

Is there any outsourcing of any ERM activity, role or responsibility?

Not structurally. There were consultants for a while after the crisis, but we chose to guarantee employment. As a result, we work little with external consultants, only for specific governance issues. It must always be for a specific task or activity, for example in the context of recommendations from the ECB. Outsourcing is therefore rather exceptional and mostly serves to absorb the temporary need for extra resources.

8.16 Interview Company N

ERM presence and development

Does your organisation use a formalised ERM or GRC programme to manage risks?

Yes, there is an ERM programme. GRC not yet. Initiated in Belgium in 2014, in the Netherlands in 2009.

When did your company start with enterprise risk management?

In Belgium we started with this in 2014. In the Netherlands already in 2009.

What triggered the initiation, implementation and expansion of your ERM programme?

SOx because of the stock exchange listing. Also out of self-interest, to keep the risks under control.

How is your company engaged in the identification, analysis and management of risks? Who is responsible?

a) Strategic: ExCo.

b) Operational: Operational and Compliance Risk department.

c) Financial: Credit risk.

d) Compliance: Legal and Compliance.

Do you think ERM adds value? How?

We see that more and more of a link is emerging between the company's strategy with our objectives and risk management. Previously this only happened in the context of the Sarbanes-Oxley regulation, as a result of which it was actually not discussed sufficiently at senior management level. ERM makes a major contribution here.

Is the risk philosophy or risk appetite of your company clearly stated? In other words, is there a description indicating to what extent risks can be taken to achieve the objectives?

There is a thorough description of the appetite, philosophy and policies with regard to risks. We are obliged to review this annually. It is based on our strategy. In addition to the general bank risk appetite statement there is also a risk appetite statement per level of entity. All entities therefore have a statement for their specific entity. With us there is a division into four levels of risk: Low, Medium, Eye and Critical.

Quantitatively the risk may never exceed 2.4. For example, within the lease department a theft of an expensive lease car occurs. Only a few events with such losses may occur. Above a certain level of risk, mitigating actions must be set up immediately. For credit cards too, quantified budgets are always determined above which the losses may not go. It must also always be demonstrated that appropriate measures have been taken. For this, various tools such as scenario analysis and stress testing are applied. We must prove that we have taken all measures not to exceed this amount.

How do you plan to develop and grow enterprise risk management in your organisation?

In June 2018 ERM 2.0 was launched. I had a meeting about this just this week. All processes will be translated into a product process framework. Using the ARIS tool, a kind of flowchart is drawn up for each process. In addition, the policies, minimum standards and the mandatory key controls that must be performed are described. Some controls are monthly, others every six months. This is done globally first, but because of the different legislation and the like, different controls can also be set up at local level in order to be able to present the necessary documents/reports. Every month we produce an overview of the results and report this upwards. The discussion of the necessary controls takes place per business.

Risk management structure and leadership/authority

Who is the leader / primary responsible person for risk management in your organisation? What are his most important tasks?

The leader is the CRO at level N. He is a member of the Executive Committee and is responsible for external audit, the NBB and the ECB. In addition, we have several directors ORM (operational risk management)/IRM (integrity risk management) at level N-1. They are in charge of operational and integrity risk management, compliance and legal. Internal control is therefore also located here. At level N-2 there are the managers.

Which members of the board, management and C-suite have a role in the organisation's risk management? What is their role?

Every six weeks we have a meeting of the non-financial risk committee, in which the CFO and COO among others sit. Here we draw up an official report discussing the risk status of the various identified eye and critical risks of the whole group, but also of the various entities. This always takes a full day. Certain managers from level N-1 may be called in to give explanations. In addition, we always have an ad hoc discussion when urgent matters arise.

Which specialised units (ERM support units, operational risk, finance, legal, environment, safety, ...) exist to help with the development of ERM?

The departments from the second line.

Is there a centralised group or person collecting information from operational managers or business unit managers?

Yes, this is clearly visible in our three lines of defense (3LoD). In the first line there is, for each entity, a Safe Business Officer responsible for the risk management of his entity. He reports to N-1. In the second line we, within Operational Risk Management, are there to challenge the first line.

How do the people most responsible for risk management collaborate with the audit function?

From Corporate Audit we receive an annual audit plan. At the beginning of the year we challenge the first line and check whether their risks are in order and in line with the planned audit. After the audit we discuss the results together with the different lines. That is for Internal Audit. For external audit, in our case KPMG, the director and management are always present. The meeting with the regulator, the NBB, is organised together with the ExCo and the directors. Because of the restructuring this currently takes place monthly. We are being followed and kept an eye on...! Normally this is quarterly. We are also obliged to deliver a very extensive official report to the regulator every year. This is a gigantic amount of work, certainly given the current changes.

Are there other functions that support ERM?

No, this sits only with Non-Financial Risk. In the first line the SBO and with us in the second line ORM, within which ERM, compliance and ORM sit. There is of course a credit risk department, for example, but that does not really fall under ERM.

How are the reporting lines related to risk management organised in your company? (Who reports which data (reports / files / information) to management and the board on what time basis?)

We work with a number of risk areas: Controls – Processing – Internal Fraud – External Fraud – IT – Compliance – Business Continuity – Employment Practices – Unauthorized activity. For each entity it is checked whether the risk level is in line with the established risk appetite. For each area a score between 1 and 4 is determined. If this score is above 2.4, it must be passed on to the ExCo level. My team must find the right figures objectively and with reasoning. This is my responsibility.

Every month there is a REM (Risk Evaluation Meeting), organised by the 1LoD (SBO). This meeting takes place together with the management from the first line, ORM and the SBO. On request, other functions may also attend. So a maximum of 4 people discuss the risks of 1 entity, unless other functions are called in. The agenda looks as follows: incidents – events – ongoing projects + status – risk mitigations of open risks – risk closure requests.

In addition, an NFRD (Non Financial Risk Dashboard) is drawn up. This is a report by the 2LoD, produced every quarter. This dashboard is drawn up for a larger region and reported to the ExCo and the directors/management from the 1st & 2nd LoD. The second line also produces a trend analysis at least annually with reporting on the incidents. There is also a monthly project report, again produced by us. There are some 600 of these. E.g. the ItsMe app.

Because of the restructuring there are a great many ongoing projects. There are 11 of us, which means about 50 projects per person. We always have to indicate whether we agree with them. We have a veto over that. There is also a Quarterly Business Review, covering this and the next quarter (Q + (Q+1)), based on the agile way of working.

Minutes of the REM meeting must therefore be validated to see whether they are in line with the appetite. In summary, we can say that there is the monthly REM meeting. Every quarter an NFRD per entity is drawn up from this. All of this is collected and summarised to arrive at a BeLux NFRD, which goes to the ExCo. My boss, the CRO, is also informed every two weeks about the recent state of affairs. Everything goes into the tool and there is a team that checks this reporting.

At board level, who evaluates the ERM reports? Is there a risk, audit or other committee present in the organisation?

a) What are their main tasks?

The CRO and CEO are responsible for signing off the frameworks at the end of the year. So the IC framework and product control framework for all entities are validated.

f) Do you consider them the leading authority on overall risk management?

100%! At the moment KPMG is also at the table, because of the NYSE listing and the enormous number of SOx guidelines. For this there is an interim sign-off. So together with the CFO and the chairman we sit around the table for this. All controls are also described and uploaded in IRISK. This is the test of design plus test of effectiveness, or test of design. E.g. all SOx structures are in this tool. They are also all directly available for, e.g., external audit. For all incidents there is mandatory reporting in IRISK. We also make a lessons learned analysis and the necessary mitigating actions. The senior manager (risk owner) is always the accountable person for a given risk, possibly with a process owner under him. We as 2nd LoD evaluate and give a deadline for Eye or Critical risks. In the tool an unchangeable deadline is always entered, which can only be changed by the CFO, and only exceptionally. When a deadline is not met, the process owner must justify this to the ExCo. In 5 years' time this has happened 2 times. There was, however, each time a valid reason why the deadline was not met, for example because of changes in legislation. For my department I also have a KPI on this: I have to ensure that all issues in IRISK are respected on time. Together with the tool, this gives a good picture of the bank and our reporting is also based on it.

g) Which information / reports are provided to the board?

Non Financial Risk Dashboard.

h) How often?

Every 6 weeks.

i) Enough independent external members of the Board of Directors?

Yes.

Is there any outsourcing of an ERM activity, role or responsibility?

No.

8.17 Within-case Analysis Company K

Company description

This organisation was launched in Belgium 35 years ago. They are active in the personal hygiene business with different brands for baby and adult care. They are currently active all over the world with a broad international network.

The interview was conducted on the 7th of June. The interviewee is the global audit manager.

Analysis

ERM presence and development

Start and triggers of ERM: ERM was initiated 3 years ago and is extended yearly. The main trigger was the Audit & Risk Committee. Next, the Global Audit manager also demanded an introduction of ERM, as this was necessary to reach risk-based auditing. Last, regulation served as a trigger for its implementation.

Organisation of enterprise risk management and risk appetite formation: The current ERM system is in place but only slightly formalised, with documentation of top risks and key roles. The risks are identified through interviews and other bottom-up methods. In the analysis they are scored and quantified. For managing them, the action plans are evaluated to see if further measures are needed. The risk appetite is formed through dialogue and discussions with the entire senior management.

Further development and improvement of ERM: A major improvement could be reached by implementing software allowing for better follow-up and a more dynamic and continuous risk process. Also, extra mandates and more involvement could further develop and mature the system as it is at present.

Leadership in risk management

People involved with and roles of the risk management function: The global audit manager carries most responsibilities to develop the ERM process. The introduction of an Internal Control manager as well as the expansion of the compliance function allows him to devote more time to ERM. The entire C-suite scores the identified risks and helps set up action plans. Different teams such as Finance, Legal and Compliance support the risk management function.

Support of the board and senior management: Senior management is sufficiently involved in the yearly company-wide risk exercise. The Audit & Risk Committee provides oversight and evaluates this exercise twice a year. The topic is on their agenda regularly, but extra resources could increase the maturity of the system.

Reporting lines, communication and awareness: The board receives a risk report regarding the exercise twice a year. The communication and reporting between different departments and to the top is going efficiently, but communication towards the entire organisation could be improved. This would increase awareness as well.

ERM maturity

The current ERM system is in an early stage. The main points of attention are embedding leadership in risk management at all levels and introducing a web-based tool to support consistent methodologies, reporting and communication.

8.18 Within-case Analysis Company L

Company description

This company is a real estate project developer. They have been active in the development sector for over 25 years, creating qualitative, large-scale, urban projects on top locations. They are currently active in six countries and are planning to expand their geographical presence to eight countries. The interview was conducted on the 19th of June. The interviewee is Chief Legal Officer and secretary of the board.

Analysis

ERM presence and development

Start and triggers of ERM: There has been a more active approach to risk management since the Belgian Corporate Governance Code was issued in 2009. Since then, the system has had a better structure. The actual system is inspired by the 2013 COSO framework. Also, the recent developments in documentation of risk management create increased attention of the board towards ERM.

Organisation of enterprise risk management and risk appetite formation: There is no completely formalised system in place. Instead, risk is a topic that is regularly communicated in meetings. Also, the risk appetite is mainly set out by discussion and dialogue.

Further development and improvement of ERM: The structure and methodologies will have to grow along with the growth of the firm. Because of the nature of the real estate development industry, in which a lot of activities are outsourced, the company mainly faces commercial risks, and to date further formalisation is not necessary. However, the stock listing requires updating shareholders on risk management. The internationalisation also requires increased attention for risk management. The update of the governance code will serve as a good time to reflect on the present system and to further develop it.

Leadership in risk management

People involved with and roles of the risk management function: The board has final accountability, but the roles with major involvement in risk management are the CLO, along with the CEO and CFO. Given the low number of members, no further teams or entities are needed. The audit function also plays a role, but is outsourced as well.

Support of the board and senior management: The lack of a very structured and formalised ERM system does not reflect a lack of support at the top. It is just perceived as unnecessary, which is understandable given that the number of full-time members is very low compared to other industries.

Reporting lines, communication and awareness: The reporting is organised informally but on a regular basis. The management of the firm meets once or twice every week, which allows for closely observing the risks and reacting rapidly. These regular meetings positively influence risk communication and awareness.

ERM maturity

The firm has some major differences with big enterprises regarding ERM, but often uses entrepreneurship and common sense as a way to address risks. They need risk management especially in the starting phase of a new project, since a lot of risks are transferred by outsourcing them. A major point of attention could be to use more supporting technologies to increase communication and follow-up even further.

8.19 Within-case Analysis Company M

Company description

Company M is an international financial institution with the majority of their banking and insurance activities based in Belgium. They are present in 6 core markets with a very customer-centric model. The interview was conducted on the 10th of July. The interviewee is a Risk Expert at the Group Risk Management department and is assisted by an Integrated Risk Advisor.

Analysis

ERM presence and development

Start and triggers of ERM: Risks have been actively managed for decades, but RM came up to speed after the financial crisis. At first through a well-developed and formalised silo approach, recently in a more integrated, cross-silo manner. Increased regulation after the crisis plays a role, but management also develops ERM out of their own beliefs, without waiting for regulation.

Organisation of enterprise risk management and risk appetite formation: The organisation of risk management is embedded in the strategic processes. There is a yearly ERM risk exercise in which risks as perceived by members of the firm are identified bottom-up. Different scans of the risk environment are performed as well. For the assessment and review, different frameworks also allow for a systematic approach at all levels. Everybody knows their limits and boundaries when it comes to risk. Different statements aid in this risk appetite formation.

Further development and improvement of ERM: Inspection of regulators provide input and

advise on how to improve the system and frameworks. Also, internally the frameworks are being

reviewed periodically. For example, digital transformation is a key factor that must continuously

improve and is very challenging nowadays. The integrated framework will never be perfect and it

is a continuous process of development and improvement.

Leadership in risk management

People involved with and roles of the risk management function: Different CROs are present

at different levels of the organisation to assure the RM is well executed. The first line is challenged

by the second line, which is assisted by internal audit. The risk function comprises the group CRO,

local CROs, local risk functions and the group risk function.

Support of the board and senior management: The board and management develops ERM not

solely as a consequence of changing regulation, but also out of their own beliefs. The risk function

is present at all levels of the organisation, along with Risk Committees to support the development

of RM.

Reporting lines, communication and awareness: All information of risk-aware business people

out of the first line is collected and discussed in local risk departments and challenged by the local

risk function. This information is reported to the Executive Committee before reaching the Risk

& Compliance Committee. After their review of the reports, they communicate the results to the

board. They are in charge of setting the tone for further improvements and actions.

ERM maturity: The risk management system is integrated in the strategy of the organisation at all

levels through a well-developed risk function. The processes are formalised and an overarching

framework ensures cross-silo communication.

8.20 Within-case Analysis Company N

Company description

This corporation is a multinational provider of banking and financial services in Europe, Asia and America. They are active in over 40 countries. Their shares are listed in Brussels, Amsterdam and New York. The interview was conducted on the 9th of June. The interviewee is Head of the Benelux Non-Financial Risk Management department.

Analysis

ERM presence and development

Start and triggers of ERM: The company started with ERM in 2014. This is the case for Belgium; in the Netherlands they started in 2009. It was initially triggered by common sense, since the organisation wanted to have their risks under control. Another trigger was Sarbanes-Oxley. To comply with this act, which is required because of the listing in the United States, risk management must be present.

Organisation of enterprise risk management and risk appetite formation: In June 2018 ERM 2.0 kicked off. Hereby, all processes will be translated into a product process framework. Different tools and techniques will help in setting up flowcharts, policies, minimum standards and key controls for every single process. The risk appetite is thoroughly described in this organisation. This statement is reviewed yearly and is in line with the strategy of the business. There is even a risk appetite statement in place per level of entity.

Further development and improvement of ERM: The implementation of ERM 2.0 will be a great step in further improving and developing ERM. Also, the interaction between risk management and the strategy and goals of the company is becoming more visible.

Leadership in risk management

People involved with and roles of the risk management function: At the highest level, the leader is the CRO. One level lower, the directors of the operational and integrity risk management are the leaders of their teams. They challenge the managers at business unit level, each with a Safe Business Officer responsible for the risk management of their unit.

Support of the board and senior management: Different members of the C-suite such as the CRO, CFO, CEO and COO are involved with risk management and thus support its presence and development. There is also a non-financial RM Committee supporting and evaluating the risk management of the group.

Reporting lines, communication and awareness: Thanks to the different tools, individuals and teams in charge of RM, the communication, awareness and reporting lines are clearly well-structured and running smoothly.

ERM maturity

The organisation has a mature ERM system in place. However, after implementing the updated system with a framework for each process, maturity will certainly be increased. There is a significant difference with non-financial organisations.


8.21 CASE/TOPIC MATRIX


TOPIC/COMPANY: A, B, C, D, E, F

Start and triggers of risk management
• RM was introduced 20 years ago, ERM 4 years ago.
• The insurance department was the main trigger.
• Active risk management processes were first launched shortly after a fire had occurred.
• There is no formalised ERM system yet.
• The listing on NASDAQ, implying SOx compliance, triggered management to develop certain risk management techniques/procedures.
• ERM was initiated 3 years ago.
• Regulation (Sarbanes-Oxley) was the main trigger.
• COSO 2013 served as a starting point.
• RM was introduced in the project business branch in 2005.
• ERM was introduced 4 years ago.
• Main triggers: regulation due to the stock listing, governance and competition.
• The company started with ERM 10 years ago.
• The initiation was triggered by management, mainly the CEO.
• The company introduced ERM in 2011.
• The ERM program was implemented by 2015.
• It was triggered by the second line of defense, the risk & insurance manager in particular.

Organisation of enterprise risk management and risk appetite formation
• Different procedures are in place to manage risks.
• The yearly and tri-annual ERM exercises are organised to manage the company-wide risks.
• "Different opinions of leadership are aligned to form the company risk appetite."
• After establishing a formalised Internal Control system, some ERM projects were initiated on the sideline.
• The risk appetite is not documented, but discussed by all ExCo members.
• The organisational structure and control framework regarding risk management conform to the three lines of defense model.
• A formal ERM exercise is performed twice a year.
• There is an early-stage risk appetite statement.
• ERM is present, but not formalised or integrated at all levels.
• There is a structured procedure for GRC, but also not company-wide.
• Different risk appetites of managers must be aligned during meetings.
• Every 3 years a new company-wide strategic risk exercise is performed.
• Every business activity has its own cycle.
• The appetite and tolerance levels, as well as roles and responsibilities, are clearly stated.
• Whenever a new project is initiated, different risk methodologies are in place to identify and analyze risks.
• There is a risk appetite statement for every project. The appetite is clearly stated.

Further development and improvement of ERM
• Integration and communication of risks at all levels of the organisation.
• Naturally grow risk management and ERM, along with the growth of the organisation.
• In the future, extra mandates and people might be necessary.
• The development of ERM is decided by the leaders at group level. Increased input could be beneficial.
• To date, regulation is the main purpose of performing ERM.
• The processes could be improved and gain effectiveness.
• The first company-wide assessment, performed by the audit function, currently serves as a good starting point to further improve and develop ERM.
• "An ICT tool involving risk management could also provide maturity."
• The reporting to the top should be less static.
• New software could facilitate a more actively managed reporting to the top.
• The interaction between the second and third line of defense should improve as well.
• Embed risk management in the strategy and decision-making of the organisation.
• ERM is growing in a natural way, along with the growth of the company.

People involved with and roles of the risk management function
• Different departments have been set up in the second line of defense to tackle certain risks.
• In particular the Risk & Compliance department, where 12 risk managers each cover a specific area of risk (e.g. GDPR).
• There is no centralized risk function.
• The director Internal Control embodies the risk management function and serves as a facilitator.
• Besides risk and internal control, he also coordinates the audit function.
• Different second line departments are in place, but there is no overarching department.
• Within ExCo, the CEO and CFO are mainly involved with the topic.
• At group level, the role of CRO leads the risk function.
• At local brands, there are different second line departments in place, with the Risk & Control and the Compliance department leading the pack for risk management.
• At both group and local brand level, there is a GRC Committee to keep risk oversight.
• The company-wide ERM exercise is performed together with the local ExCo.
• In the second line of defense, especially the Legal department, together with Compliance, is involved.
• Within management, the CFO, CEO and COO are mainly responsible.
• Internal audit could be appointed as leader for ERM, since this function performed the first company-wide assessment independently.
• The risk management cell is of great importance for ERM. It consists of three parts: Risk, Compliance and Audit.
• They have a guidance and facilitating role.
• Within every operating unit there is a risk coordinator. They coordinate the unit managers and are directed by the RM cell.
• At group level, there is the CRO and his team.
• At national level, the main participants are the CEO, CFO and the risk counsel.
• The risk & insurance manager is responsible for the operational risks, along with the legal counsel.
• Last, the quality and compliance manager has risk responsibilities.


Support of the board and senior management
• The General Counsel has recently become part of senior management.
• "The communication from the R&C department to the top has become a lot quicker and more objective."
• The director IC is mainly responsible for managing ERM.
• Especially the Audit Committee is involved and provides oversight.
• There is no lack of support perceived, since there is no need for a further formalised approach, due to the size of the organisation.
• ERM should be implemented with more support from the top.
• The current approach is very compliance-driven.
• Leadership should step up as a leading authority in the creation of their risk philosophy, appetite and culture in order to increase effectiveness, proactivity and thus maturity of ERM.
• The Audit Committee has shown increased interest in ERM in the last couple of years.
• The AC is not yet persuaded that a formalised ERM approach could provide added value.
• There is great support of the board and management regarding ERM. The majority is very risk-minded.
• The Audit Committee assures risk oversight.
• Within management, the CEO, CFO and COO are mainly involved and assisting in the process.
• Since there is a CRO in place at group level, support at the top is now guaranteed.
• It was the risk & insurance manager who initiated ERM. This shows that input from different levels is heard, but could indicate a lack of involvement.

Reporting lines, communication and awareness
• With the General Counsel as part of the chief leadership team there is a direct reporting line to the top of the organisation.
• He used to report to the CFO, before it reached the rest of senior management.
• There are only few initiatives to communicate risks bottom-up.
• The director internal control is accountable for regularly reporting the information of the second and third line to the CFO.
• The CFO reports to the Executive Committee.
• The director internal control and the CFO attend audit meetings at least quarterly.
• There is quarterly reporting to the GRC Committee.
• For ERM, there is formal reporting twice a year and the results are communicated to the board.
• The three lines of defense work together to actively manage risks, and ad-hoc risks are also reported to the top.
• Risk awareness is becoming visible.
• The corporate risk culture, as well as the methodologies regarding ERM, lack maturity.
• The internal auditor reports risk to the CEO monthly to assure direct independent risk reporting.
• The Audit Committee is reported to quarterly.
• Yearly, the Executive management formally discusses risk.
• Regulatory issues are discussed with the compliance officer on a regular basis.
• Communication is going smoothly.
• Risk awareness is only taken care of in the riskiest business activities.
• The risk reports are provided to the AC at least quarterly.
• The CEO and COO also receive all provided risk reports.
• Every business activity and operating unit has its own cycle and thus the time frame to report risks differs.
• Every three years a new strategic plan has to be developed for every activity, followed by a risk analysis.
• Updated software could facilitate the communication and awareness process.
• Through a Microsoft Office CRM system, risks are easily reported and communicated throughout the organisation.
• The Executive Committee collects relevant risk information.
• The CRO collects a report with information of the different members of the ExCo, all regarding their own areas of risk.
• The CRO provides reporting to the board.
• Since the ERM system is in place, risk awareness and communication grow naturally.

ERM Maturity
• The current ERM system with formalised processes is working effectively.
• A fairly mature risk culture allows proactive risk management.
• To improve maturity, ERM should be more embedded in the strategy and decision-making.
• For ERM, the organisation is currently dependent on a few initiatives on the sideline.
• Early-stage, not only for ERM but as a whole.
• The introduction of formal processes could bring them to a higher level of maturity.
• At this stage, there might be no need for a formalised approach yet.
• The ERM system is for the greater part in place, but lacks maturity.
• Implementation stage nearly finished, currently early stages of development.
• A less compliance-driven approach could avoid certain struggles in development.
• Stakeholder information-sharing instead of added value incentives.
• Professionalization of the frameworks and data governance will allow for embedding ERM in their strategy.
• ERM maturity at this organisation is at an early stage.
• The board needs to be persuaded by added value to mature their company-wide risk management systems.
• The major maturity areas of improvement lie in the proactivity of dealing with risks, along with risk appetite management and the risk assessment quality.
• The current ERM system is mature and integrated at all levels.
• Risks are proactively and effectively managed and the processes are being reviewed.
• The system, roles and responsibilities are clear, but as always, areas of improvement can still be acknowledged.
• The reporting to the board is too static.
• Maturity could be improved by implementing software and more interaction between the second and third line of defense.
• Across all departments and levels of the organisation, responsibilities are clear and risks are managed proactively.
• The current system, with risk management always initiated at tendering, works effectively.
• ERM processes work consistently and are completely implemented.


TOPIC/COMPANY: G, H, I, J, K, L

Start and triggers of risk management
• The company started with ERM several years ago.
• Triggered by regulation and market demand.
• The system is based on COSO.
• RM is indispensable in their industry.
• "Actively managing risks is first of all a matter of common sense and has been around for almost 20 years."
• ERM has been implemented for a substantial amount of time.
• Triggered by the ENRON scandal. Other factors are regulation and competition.
• ERM was introduced in 2018, after a couple of failed attempts.
• Leadership was of great importance in this initiation, as well as a recent merger.
• Before, ERM was only dealt with on the sideline.
• The first formalised RM framework was introduced in 2009.
• Triggers for the initiation were the increase of risks and their complexity in the environment, regulatory purposes and also the demand of credit rating agencies.
• ERM was initiated 3 years ago and is extended yearly.
• The demand to introduce ERM came from the Audit & Risk Committee.
• The Global Audit Manager guides towards risk-based auditing.
• Regulation served as a trigger for ERM implementation.
• Risks were more actively managed in a more structured approach after the Belgian Company Governance Code was issued in 2009.
• RM is inspired by the 2013 COSO framework.

Organisation of enterprise risk management and risk appetite formation
• The ERM system is to date only partly implemented.
• RM processes are executed effectively.
• In each domain risks are assessed.
• Different policies describe the roles and accountabilities of different risk owners. This also creates a shared view on the risk appetite.
• For ERM, there is a yearly company-wide exercise.
• They produce a listing of the top risks the organisation faces, based on interviews.
• The risk appetite and tolerance levels, as well as roles and boundaries of responsibilities, are very clear. They are documented in different RM policies.
• The ERM system is not formalised yet, but the organisation is actively working on it.
• Risk management is currently split up in four departments: Sarbanes-Oxley, Revenue Assurance, Fraud and Security, and ERM.
• The risk appetite is currently not documented, but clearly discussed and communicated throughout the company.
• ERM is implemented in the daily activities of the firm.
• Different process cycles are in place to manage risks and support decision-making.
• The risk appetite is integrated in the culture of the company, with clearly delineated policies and methods.
• The current ERM system is slightly formalised, describing top risks and key roles.
• Risk identification through different bottom-up methods.
• Risk analysis through risk scoring and quantifying by management. In the evaluation, action plans are reviewed.
• The risk appetite is formed in meetings with the entire senior management.
• There is no completely formalised system in place.
• Risk is a topic that is regularly communicated in meetings.
• The risk appetite is mainly set out by discussion and dialogue, instead of formal statements.

Further development and improvement of ERM
• Processes should be less product-oriented.
• The current system is gaining importance, but needs to be further developed to cope with the increased complexity and greater consequences of risks.
• ERM should be more embedded in the strategy of the company.
• The current ERM exercise is too static.
• It should be implemented in daily operations, as it is for the trading department.
• They plan to invest more in the digitalization of certain risk systems, using data to support effective development.
• They plan to increase efforts to embed ERM in day-to-day business and risk reporting to the board.
• Their goal is to shift ERM from an obligated risk exercise to an integrated part of daily decision-making, by showing its added value to senior management.
• Developments of ERM are always initiated by the group management board.
• The ERM system is in place and already pretty advanced.
• The delineated policies and methods improve effectiveness at all levels.
• Currently, the interviewee was not aware of plans to further develop ERM in his division.
• A major improvement could be reached by implementing software allowing for better follow-up.
• A more dynamic and continuous risk process.
• Extra mandates and more involvement could further develop and mature the system as is.
• The methodologies will have to grow along with the growth of the firm.
• To date a further formalisation is not necessary, due to the industry.
• The stock listing and internationalization require increased attention for risk management.
• The 2020 update of the governance code will serve as a good time to reflect on the present system and to further develop it.

People involved with and roles of the risk management function
• The leading body in risk management is the Group Executive Council (GEC) as well as the Audit Committee.
• The GEC is the operational decision-making body, consisting of the CEO and 4 main groups of company leaders. They are accountable when things go wrong.
• The risk department consists of over one hundred members, with the CRO in charge. He is the leading individual for risk management.
• There is a Risk Committee meeting once or twice a month. They provide oversight, while the ExCo carries responsibility.
• At the top, the people most involved with risk management are the Audit Committee, the CEO and CFO.
• The risk management function is embodied by the Risk & Control department, led by the R&C director.
• For ERM, the ERM Audit Liaison manager carries the most responsibilities.
• RM is led by the General Management Board.
• The group RM committee and the CEO are the main characters, together with the group Risk Officer.
• Operational risk officers (mostly the CFO), as well as risk owners, managers and coordinators, are facilitating the processes.
• The global audit manager develops the ERM process.
• Through expansion of the Internal Control and Compliance function, he can devote more time to ERM.
• The entire C-suite scores the identified risks and helps setting up action plans.
• Finance, Legal and Compliance support the RM function.
• The board has final accountability, but the roles with major involvement with risk management are the CLO, along with the CEO and CFO.
• Given the low number of members, no further teams or entities are needed.
• The audit function also plays a role.
• The entire audit function is outsourced.


Support of the board and senior management
• The company has been dealing with risks for a long time.
• Enough resources are devoted to further develop risk management.
• The GEC accounts for the operational and strategic decision-making.
• It is hard to define the support of the top, since every activity of the organisation has its own board and senior management.
• The group Risk Committee ensures the topic is present on the agenda of the board and senior management.
• Risk is discussed at least monthly.
• Increased support of the board and senior management is needed to gain maturity in ERM.
• Great steps have been taken regarding ERM in the last couple of years.
• Recently, the Audit Committee gave a new mandate, which introduced the ERM and Audit Liaison manager.
• The CFO plays an important role in communicating the results to the SLT.
• Through the presence of different committees in charge of RM, the support at the top is assured.
• Especially non-financial risks have gained attention in the last decade.
• Senior management is sufficiently involved in the yearly company-wide risk exercise.
• The Audit & Risk Committee provides oversight and evaluates this exercise twice a year.
• The topic is on their agenda regularly.
• Extra resources could increase the maturity of the system.
• The lack of a formalised ERM system does not reflect a lack of support at the top.
• Further structuring is perceived as obstructive and unnecessary.
• A lot of outsourcing activities leave a low number of fulltime members and risks compared to other industries.
• Recent developments in documentation of risk management create increased attention of the board towards ERM.

Reporting lines, communication and awareness
• The GEC reports directly to the board.
• There is a yearly as well as a tri-annual risk exercise.
• The main results of the risk reports are translated and communicated at all levels of the organisation.
• The time basis of reporting depends on the impact of the consequences that might occur in a specific risk area.
• Reporting to the group is provided by the group Risk Committee.
• Recently, there has been a focus on digitalizing several reporting lines, which enabled risk owners to gain insights on their current level of risk.
• The digitalization of processes increased communication and awareness.
• The first line identifies and analyzes risks.
• The results of the three lines of defense are incorporated in the results of the Risk & Control department.
• All branches of the second and third line report to the R&C director.
• The R&C director reports to the CFO, who is responsible for communicating the results to the Senior Leadership Team.
• After the results reach the CEO, he reports them to the board.
• Different tools and methods are in place to assure a risk-aware culture, such as self-assessments and peer reviews.
• The risk communication runs smoothly through an online tool, including the risk register.
• The SharePoint is updated on a regular basis.
• Risk reports cross different levels of the organisation. They are provided to the board quarterly.
• The board receives a risk report regarding the exercise twice a year.
• The communication and reporting between different departments and to the top is going efficiently.
• Communication towards the entire organisation could be improved. This would increase awareness as well.
• The reporting is organised informally but on a regular basis.
• Management of the firm meets once or twice every week, which allows for closely observing the risks and reacting rapidly.
• Regular meetings positively influence the risk communication and awareness.

ERM Maturity
• There is a fairly mature ERM system in place.
• Due to the early adoption, the teething problems have already been overcome.
• The current system struggles to find its way to influence the decision-making of the business.
• Processes are integrated at all levels, but clear differences in maturity can be seen at lower levels of the organisation.
• Although ERM is to date at a mature level, improvements are still possible in the identification of risks.
• The quality of data extracted from the risk assessments can be increased.
• Some individuals are too risk-averse and should look at risk management as an enabler of opportunities.
• Implementing extra supporting technologies for ERM will mature active RM.
• The shifting support for ERM allows the risk department to devote a significant amount of time to maturing ERM.
• Since the ERM mandate was given last year, great steps have been taken.
• The path is still long to reach a mature ERM system.
• It can take years to fully implement the system, but given the fact they don't have to start from scratch and are very motivated, they will move ahead rapidly.
• The company's enterprise risk management program is significantly more mature than those of other non-financial enterprises.
• The riskiness of their business or industry plays a great role, along with other triggers as mentioned above.
• Their risk management policies and annual report show a set of mature methods, procedures and corporate governance.
• The current ERM system is in an early stage.
• Points of attention: start embedding leadership in risk management at all levels; introduce a web-based tool to support consistent methodologies, reporting and communication.
• The firm has some major differences with big enterprises regarding ERM.
• Entrepreneurship and common sense are key in their risk management.
• They need risk management especially in the starting phase of a new project, since a lot of risks are transferred by outsourcing.


TOPIC/COMPANY M N

Start and triggers of risk management

• Risks have been actively managed for decades, but RM came up to

speed after the financial crisis.

• A well-developed and formalised silo approach has been in place for

a long time.

• At present, a better integrated, cross-silo approach is in place.

• Increased regulation after the crisis was a trigger, but management

also develops ERM out of their own beliefs, without waiting for

regulation.

• The company initiated ERM in Belgium in 2014.

• It was triggered by common sense, since they wanted to have their

risks under control.

• Another trigger was Sarbanes-Oxley. To comply with this act, risk

management has to be present.

Organisation of enterprise risk management and risk appetite formation

• The organisation of RM is embedded in the strategic processes.

• There is a yearly ERM risk exercise in which risks as perceived by

members of the firm are identified bottom-up. Different scans of the

risk environment are performed as well.

• For the assessment and review, different frameworks allow for a

systematic approach at all levels.

• Everybody knows their limits and boundaries when it comes to risk.

• In June 2018, an update of the existing ERM system (ERM 2.0)

kicked off.

• All processes will be translated in a product process framework.

• The risk appetite is thoroughly described. Per level of entity there

is a risk appetite statement in place, which is yearly reviewed and in

line with the strategy of the business.

Further development and improvement of ERM

• The integrated frameworks are being reviewed periodically and have

a continuous process of development.

• Digital transformation is a key factor that has to continuously

improve and is very challenging nowadays.

• Inspection of regulators provides input for improvement.

• The implementation of ERM 2.0 will be a great step in further

improving and developing ERM.

• The interaction between risk management and the strategy and

goals of the company are becoming more visible.

People involved with and roles of the risk management function

• Different CROs are present at different levels of the organisation to

assure the RM is well executed.

• The first line is challenged by the second line, which is assisted by

internal audit.

• The risk function comprises the group CRO, local CROs, local risk

functions and the group risk function.

• At the highest level, the leader is the CRO.

• Below, we find the directors of the operational and integrity risk

management (ORM/IRM) as leaders of their teams.

• ORM and IRM challenge the managers at business unit level, each

with a Safe Business Officer responsible for the RM of their unit.

Support of the board and senior management

• The board and management develop ERM not solely because of

changing regulation, but also out of their own beliefs.

• The risk function is present at all levels of the organisation, along with different

risk committees to support RM.

• Different members of the C-suite such as the CRO, CFO, CEO

and COO are involved with risk management and thus support its

presence and development.

• There is also a non-financial RM Committee supporting RM.

Reporting lines, communication and awareness

• All information from risk-aware business people in the first line is

collected, discussed and challenged in the local risk departments.

• They report to the Executive Committee, which reports to the Risk &

Compliance Committee.

• After their review, the results are communicated to the board.

• Different tools, individuals and teams take charge of RM for

effective risk reporting.

• The communication, awareness and reporting lines are clearly well-

structured and run smoothly.

ERM Maturity

• The risk management system is integrated in the strategy of the

organisation at all levels through a well-developed risk function.

• The processes are formalised and an overarching framework ensures

cross-silo communication.

• The implementation of ERM 2.0 will significantly raise the

maturity of ERM.

• Best practices from other countries where ERM was adopted earlier

will lead to an effective approach.


8.22 Respondents list

Company | Function | Revenue (millions) | Sector/Industry | Employees | Countries

Company A | Risk & Compliance Manager | 1100 | Technology | 3500 | 90

Company B | Director Internal Control | 150 | Biotechnology | 600 | 6

Company C | Risk & Control Director | 62000 | Retail | 375000 | 11

Company D | Internal Auditor | 225 | Informatics services and software | 1200 | 3

Company E | Head of Risk Management Department | 9500 | Distribution/retail | 29250 | 5

Company F | Risk & Insurance Manager | 7000 | Construction | 21000 | 30

Company G | Director Finance | 27000 | Machine construction | 63000 | 180

Company H | Head of Operational & Transversal Risk Department | 66000 | Utility | 150000 | 70

Company I | Director Risk & Compliance / ERM & Audit Liaison Manager | 2500 | Telecommunication | 3300 | 2

Company J | Risk Manager Business Division North | 57000 | Steel manufacturing | 110000 | 27

Company K | Global Audit Manager | 2300 | Consumer products | 11000 | 110

Company L | Chief Legal Officer | 210 | Real estate development | 26 | 5

Company M | Group Risk Management Expert / Integrated Risk Advisor | 7200 | Financial services | 42000 | 6

Company N | Head of Non-Financial Risk Management Benelux | 17800 | Financial services | 54000 | 40


8.23 Strategy and value oversight

Figure 8: Strategy and Value Oversight (Risk oversight solutions Inc., 2018)

This is one of the key diagrams in the executive summary of the latest COSO ERM 2017 – Integrating with Strategy and Performance. COSO as well as ISO 31000:2018 call for the integration of strategy, business objectives and performance. Companies often use risk registers or risk lists as the foundation of their ERM framework, which in itself can be a major reason for not excelling at this integration. In a recent FERMA survey (2016), fewer than half of the respondents considered their approach to enterprise risk management (ERM) an integrated process that involves the board and business and functional leaders at all levels of the organisation. Powerful institutional investors want CEOs to explain their long-term value creation strategy and objectives and to assess the risks to those strategies and objectives; they also want assurance that boards are overseeing the process. To lessen the burden at business-unit level, the disparate silos need to be integrated, which gives business units more time to devote to growth and to providing added value. The diagram above illustrates how objective-centric ERM and internal audit can accomplish what COSO ERM 2017 calls for. The approach should better meet the needs of institutional investors and boards and increase the value added by spending on risk specialists and internal audit.


8.24 Milestones in the history of risk management

Table 1: Milestones in the history of risk management by Dionne (2013) Risk Management: History, Definition and Critique


8.25 COSO Framework eight components Source: Weller (2015) & COSO (2004)

1. Internal Environment: This is about setting the tone of the organisation. It influences the risk

appetite, the attitude towards risk management and the ethical values. In this way this first step provides

an organisation with two outputs, namely a risk management philosophy and a risk appetite. Since

this step serves as a starting point and is crucial for an effective ERM system, I discuss the

different elements determining the success of this component below.

Elements in understanding the internal environment, derived from COSO's framework:

• RM philosophy: set of shared attitudes and beliefs of how the organisation considers risk

• Risk appetite: amount of risk an organisation is willing to accept in the pursuit of its

objectives

• Board of director’s attitude: they play an important role in overseeing and guiding the risk

environment

• Integrity and ethical values: to achieve an enterprise-wide understanding of ethical values

and high integrity, a strong code of conduct is not enough. Strong integrity and standards

of behaviour for members of the company, a strong corporate culture and a clear mission

statement are needed.

• Commitment to competence: this element provides the knowledge and skills necessary to

perform assigned tasks (competence). Senior management needs not only to plan but also to make

strong positive efforts to achieve goals (commitment).

• Organisational structure: clear lines of authority and responsibility are needed for reporting

and to plan, execute, control and monitor activities.

• Assignment of authority and responsibility: the extent or degree to which authority and

responsibility are assigned or delegated in an organisation, via a strong code of conduct that

states how the actions of all employees are interrelated with the overall objectives of the organisation.

• HR standards: a strong set of standards is needed, with no grey area.

• Compliance and RM standards, corporate governance, audit and compliance committee

(makes sure the organisation meets its obligations in relation to financial integrity, legal

compliance and business risks). A compliance committee can deliver effective and

efficient systems for managing risk and legal and regulatory compliance.

2. Objective Setting: The organisation should have a clear vision, and the board then must set

objectives that support that vision. They must be consistent with the risk appetite. To set

objectives effectively, the organisation needs to be aware of the risks arising and should have a clear view on

the amount of risk it is willing to accept. The objectives should cascade through the different levels of the

organisation.

3. Event Identification: The internal as well as the external events that influence achievement of

its objectives should be identified and well-defined. Negative impacts represent risks, positive

impacts represent opportunities.

Common techniques used to perform this step of the framework are interviews, brainstorming

sessions, SWOT and scenario analysis, surveys and workshops. Also, a greater use of information

technology and the firm’s intranet is visible. (IMA, 2007)

4. Risk Assessment: In this element the likelihood and impact of individual risks are assessed as

a basis for determining how they should be managed. Qualitative and quantitative methods are used.

Companies use qualitative methods such as risk identification and risk mapping techniques for

this step. Quantitative methods used to assess the impact and likelihood of identified events are

cash flow, earnings or value at risk and probabilistic techniques (IMA, 2007). The organisation

should pay attention to the interrelation of individual risks.

5. Risk Response: In this stage, management selects appropriate actions to align risks with the risk

tolerance and risk appetite. It means choosing a response that manages the risks to a level that is

acceptable. The risk response chosen must be realistic and acknowledge the cost of responding

as well as the impact on the risk. The risks cannot be seen in isolation, but must be viewed from the organisation's

perspective.

6. Control Activities: Policies and procedures should be designed and need to operate properly in

the different departments of the company. Examples are authorizations and approvals.

7. Information and Communication: Information systems should ensure that data is identified,

captured and communicated in a format and time frame that enables management and staff to

carry out their responsibilities. The information provided to management needs to be relevant

and must cover all the objectives on top of the cube. Communication with staff members is an

important way of embedding risk awareness in staff’s thinking.

8. Monitoring: The effectiveness of the risk management system should be monitored and modified

if necessary. This phase is often performed through separate, temporary evaluations. Also, the use

of Key Risk Indicators can be of great help in this phase. These KRIs enhance the proactivity

of identifying risks, whereas Key Performance Indicators lack this proactivity and only identify

certain risks after they have occurred. It is the task of every participant in the organisation to keep

these risk indicators up to date. However, a study by Beasley, Branson and Hancock (2017)

found that KRIs can give a false sense of security within a firm.
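Steps 4, 5 and 8 above (assessment, response and monitoring) are easier to see when they are run over a concrete register. The following Python script is an added example and is not part of the dissertation, of COSO's guidance or of any respondent's system: the risks, probabilities, impacts, appetite limits, mitigation options and indicator series are all constructed, the "downstream risk is at least as likely as its upstream risk" rule for interrelated risks and the accept/reduce/share/escalate decision rules are simplifying assumptions of this example, and the function names are mine. It assesses expected loss per risk (quantitative method), picks a response against a per-category risk appetite while checking that the mitigation costs less than the exposure it removes, and shows a leading KRI firing before a lagging KPI.

```python
"""Added example (not from the dissertation): a small risk register walked through
COSO steps 4 (assessment), 5 (response) and 8 (monitoring with KRIs).
Every risk, figure, threshold and decision rule below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (residual probability, residual impact in kEUR, yearly cost of the mitigation in kEUR)
Mitigation = Tuple[float, float, float]


@dataclass
class Risk:
    name: str
    category: str
    probability: float                   # annual probability of the event, 0..1
    impact: float                        # loss if the event happens, kEUR
    mitigation: Optional[Mitigation] = None
    depends_on: List[str] = field(default_factory=list)  # upstream risks that trigger this one


def expected_losses(register: List[Risk]) -> Dict[str, float]:
    """Step 4: expected loss = probability * impact (kEUR) per risk.
    Interrelation is handled with a deliberately simple rule (an assumption of this example,
    not a COSO prescription): a downstream risk is at least as likely as the most likely
    risk it depends on, so a high-likelihood upstream event is not hidden by a low own estimate."""
    by_name = {r.name: r for r in register}

    def eff_prob(r: Risk, seen: Tuple[str, ...] = ()) -> float:
        if r.name in seen:               # guard against cyclic dependencies
            return r.probability
        parents = [by_name[p] for p in r.depends_on if p in by_name]
        return max([r.probability] + [eff_prob(p, seen + (r.name,)) for p in parents])

    return {r.name: round(eff_prob(r) * r.impact, 2) for r in register}


def choose_response(risk: Risk, exposure: float, appetite: Dict[str, float]) -> str:
    """Step 5: compare the exposure with the category's appetite (max tolerated expected loss
    in kEUR); a mitigation is only chosen if it brings the residual within appetite AND costs
    less than the exposure it removes, as the text requires."""
    limit = appetite[risk.category]
    if exposure <= limit:
        return "accept"
    if risk.mitigation is not None:
        p, i, cost = risk.mitigation
        residual = p * i
        if residual <= limit and cost < exposure - residual:
            return "reduce"
    if risk.probability <= 0.05 and risk.impact >= 1000:
        return "share"                   # rare but severe: insurance-type response
    # Above appetite with no economic response: the board must decide (avoid, or revise appetite).
    return "escalate"


def assess(register: List[Risk], appetite: Dict[str, float]) -> Dict[str, Tuple[float, str]]:
    """Run steps 4 and 5 over the whole register, most exposed risk first."""
    exposures = expected_losses(register)
    ranked = sorted(register, key=lambda r: exposures[r.name], reverse=True)
    return {r.name: (exposures[r.name], choose_response(r, exposures[r.name], appetite))
            for r in ranked}


def first_breach(series: List[float], threshold: float) -> Optional[int]:
    """Index of the first period in which an indicator reaches its threshold, or None."""
    return next((i for i, v in enumerate(series) if v >= threshold), None)


def monitor(kri: List[float], kri_threshold: float,
            kpi: List[float], kpi_threshold: float) -> Dict[str, Optional[int]]:
    """Step 8: a leading KRI should fire before the lagging KPI records the loss."""
    return {"kri_alert": first_breach(kri, kri_threshold),
            "kpi_alert": first_breach(kpi, kpi_threshold)}


# Constructed register and appetite (kEUR) for the example; not data from any respondent.
REGISTER = [
    Risk("Supplier outage", "operational", 0.30, 400, mitigation=(0.10, 400, 15)),
    Risk("Production stop", "operational", 0.05, 900, mitigation=(0.05, 300, 40),
         depends_on=["Supplier outage"]),
    Risk("GDPR fine", "compliance", 0.10, 2000, mitigation=(0.01, 2000, 60)),
    Risk("Key supplier concentration", "strategic", 0.20, 800, mitigation=(0.15, 800, 200)),
    Risk("Warehouse fire", "operational", 0.01, 8000),
    Risk("Minor fraud", "operational", 0.50, 10),
]
APPETITE = {"operational": 50, "compliance": 20, "strategic": 100}

# Constructed monthly series: leading KRI = % of critical systems with overdue patches,
# lagging KPI = security incidents recorded that month.
KRI_OVERDUE_PATCHES = [5, 8, 14, 22, 31, 35]
KPI_INCIDENTS = [0, 0, 0, 0, 2, 4]

if __name__ == "__main__":
    for name, (exposure, response) in assess(REGISTER, APPETITE).items():
        print(f"{name:28s} exposure {exposure:7.1f} kEUR -> {response}")
    print(monitor(KRI_OVERDUE_PATCHES, 20, KPI_INCIDENTS, 2))
```

Running the script ranks "Production stop" first, because the likelihood it inherits from "Supplier outage" (0.30) rather than its own estimate (0.05) drives the exposure, which is the interrelation point of step 4; the strategic risk ends as "escalate" since its only mitigation stays above appetite, which is the kind of decision the responsibilities list for a risk committee later in this appendix reserves for the board. The KRI series breaches its threshold in month 4 while the incident KPI only moves in month 5; this illustrates the proactivity claim of step 8, and also why Beasley, Branson and Hancock's caveat matters: a KRI with a threshold set too high would never fire and would be quietly reassuring.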


8.26 ISO Standards regarding Risk Management

Published standards about risk management

• ISO 31000:2009, Risk management - Principles and guidelines

• ISO Guide 73:2009, Risk management – Vocabulary (terms and definitions)

• IEC 31010:2009, Risk management - Risk assessment techniques

• ISO 31000:2018, Risk management – Guidelines

Standards in development

• ISO/DIS 31000 Risk management – Principles and guidelines

• IEC/DIS 31010 Risk management – Risk assessment techniques

• ISO/AWI 31022 Guidelines for Implementation of Enterprise Legal Risk

Management

Source: nbn.be

8.27 Risk Management Organisations

Table 2: Risk Management organisations (ifrima, n.d.; intosai, n.d.; ferma, n.d.)

RISK AND INSURANCE

IRM The Institute of Risk Management

IFRIMA International federation of Risk and Insurance Management

Associations

PARIMA Pan-Asia Risk and Insurance Management Association

RMIA Risk Management Institution of Australia

ARM Association of Risk Management

RMCA Risk Managers and Consultants Association of Japan

MARIM Malaysian Association of Risk and Insurance Management

RIMAS Risk and Insurance Management Association of Singapore

EUROPE

FERMA Federation of European Risk Management Associations

BELRIM Belgian Risk Management Association

AMRAE Association pour le Management des Risques et des Assurances

de l’Entreprise


ANRA Associazione Nazionale Risk Managers e Responsabili

Assicurazioni Aziendali

RusRisk Russian Risk Management Society

AGERS Asociacion Espanola de Gerencia de Riesgos y Seguros

IGREA

AIRMIC The Association of Insurance and Risk Managers

GVNW Gesamtverband der versicherungsnehmenden Wirtschaft

NARIM

Nederlandse Associatie van Risk & Insurance Managers

ERMA Turkey

BRIMA Bulgaria

ASPAR CZ Czech Republic

DARIM Denmark

FINNRIMA Finland

MARM Malta

NORIMA Norway

SWERMA Sweden

SIRM Switzerland

APOGERIS Portugal

LATIN AMERICA

ALARIS Asociacion Latinoamericana de Administradores de Riesgos y

Seguros

ADARA Asociacion de Administradores de Riesgos de la Republica

Argentina

ABGR Associacao Brasileira de Gerencia de Riscos

NORTH AMERICA(US, CANADA, MEXICO)

PRIMA Public Risk Management Association

RIMS Risk and Insurance Management Society, Inc.

AFRICA

IRMSA The Institute of Risk Management South Africa

AUDIT

INTOSAI

International Organization of Supreme Audit Institutions


OLACEFS Organization of Latin American and Caribbean Supreme Audit

Institutions

AFROSAI African Organization of Supreme Audit Institutions

ARABOSAI Arab Organization of Supreme Audit Institutions

ASOSAI Asian Organization of Supreme Audit Institutions

PASAI Pacific Association of Supreme Audit Institutions

CAROSAI Caribbean Organization of Supreme Audit Institutions

EUROSAI European Organization of Supreme Audit Institutions

ECIIA European Confederation of Institutes of Internal Auditing

8.28 ERM Information Systems

Table 3: Enterprise Risk Management Information Systems (rims.org, 2018)

COMPANY PRODUCT

Algorithmics Algo Op Vantage, Algo Risk

Asparity Decision Solutions Protiva J-Port

Compliance 360 Enterprise GRC Platform

CorProfit Systems KnowRisk

Cura Software Solutions Cura Assessor

Horwath Software Services Magique

Istria Istria Risk & Issue Support (IRIS)

Keane Business Risk Management Solutions Keane SCORE

LogicManager LogicERM

Methodware Enterprise Risk Assessor

Open Pages OpenPages Governance Suite

Paisley Consulting Risk Navigator

Pentana Pentana Audit Work System (PAWS)

RCS Risk Management Concept Systems OpRisk Suite

Resolver Inc. Resolver*Risk

Risk Management Technologies First Priority

Riskonnect Riskonnect

SAP GRC Risk Management

SAS SAS OpRisk

Strategic thought Active Risk Manager

Vanguard Software Decision Pro


8.29 RIMS risk maturity model maturity levels, attributes and underlying competency drivers

Maturity Levels

Source: RIMS.org

Attributes and competency drivers

o Adoption of ERM-based process

- Business process definition and risk ownership

- Frontline and support process owner participation

- Far-sighted Risk Management vision

- Executive ERM support

o Uncovering risks:

- Risk ownership by business area

- Formalised Risk indicators and measures

- Follow-up reporting

- Adverse events as opportunities

o ERM process management:

- ERM program oversight

- ERM process steps


- Risk culture, Accountability and communication

- Risk management reporting

- Repeatability and scalability

o Risk appetite management:

- Risk portfolio view

- Risk-reward tradeoffs

o Root cause discipline:

- Root cause consideration

- Risk and opportunity information collection

- Information classification

- Dependencies and consequences

o Business resiliency and sustainability:

- Risk-based planning

- Understanding consequences

- Resiliency and operational planning

o Performance management:

- Communicating goals

- ERM information and planning

- ERM process goals and activities

Source: LogicManager RIMS risk maturity model assessment

8.30 Roles & Responsibilities of a Risk Management Committee

ROLES:

• To assess the Company’s risk profile and key areas of risk in particular.

• To recommend to the Board the adoption of risk assessment and rating procedures.

• To articulate the Company’s policy for the oversight and management of business risks.

• To examine and determine the sufficiency of the Company’s internal processes for

reporting on and managing key risk areas.

• To assess and recommend to the Board acceptable levels of risk.

• To develop and implement a risk management framework and internal control system.

• To review the nature and level of insurance coverage.

• To commission special investigations into areas of corporate risk and breakdowns in internal

control.

• To review management's response to those of the Company's auditors' recommendations that

are adopted.

• To report the trends in the Company's risk profile, reports on specific risks and the

status of the risk management process.

RESPONSIBILITIES:

• To define the risk appetite of the organisation.

• To exercise oversight of management’s responsibilities, and review the risk profile of

the organisation to ensure that risk is not higher than the risk appetite determined by

the board.

• To ensure that the Company is taking appropriate measures to achieve prudent balance

between risk and reward in both ongoing and new business activities.

• To assist the Board in setting risk strategies, policies, frameworks, models and

procedures in liaison with management and in the discharge of its duties relating to corporate accountability and associated risk in terms of management assurance and

reporting.

• To review and assess the quality, integrity and effectiveness of the risk management systems and ensure that the risk policies and strategies are effectively managed.

• To review and assess the nature, role, responsibility and authority of the risk

management function within the Company and outline the scope of risk management

work.

• To ensure that the Company has implemented an effective ongoing process to identify

risk, to measure its potential impact against a broad set of assumptions and then to activate what is necessary to pro-actively manage these risks, and to decide the

Company's appetite or tolerance for risk.

• To ensure that a systematic, documented assessment of the processes and outcomes surrounding key risks is undertaken at least annually for the purpose of making its

public statement on risk management including internal control.

• To oversee formal reviews of activities associated with the effectiveness of risk

management and internal control processes. A comprehensive system of control should be established to ensure that risks are mitigated and that the Company’s

objectives are attained.

• To review processes and procedures to ensure the effectiveness of internal systems of

control so that decision-making capability and accuracy of reporting and financial results are always maintained at an optimal level.

• To monitor external developments relating to the practice of corporate accountability

and the reporting of specifically associated risk, including emerging and prospective

impacts.

• To provide an independent and objective oversight and view of the information presented by management on corporate accountability and specifically associated

risk, also taking account of reports by the Audit Committee to the Board on all categories of identified risks faced by the Company.

• To review the risk bearing capacity of the Company in light of its reserves, insurance

coverage, guarantee funds or other such financial structures.

• To fulfill its statutory, fiduciary and regulatory responsibilities.

• To ensure that the risk awareness culture is pervasive throughout the organisation.

• To review issues raised by Internal Audit that impact the risk management framework.

• To ensure that the infrastructure, resources and systems in place for risk management

are adequate to maintain a satisfactory level of risk management discipline.

• The Board shall review the performance of the risk management committee annually.

• To perform other activities related to risk management as requested by the Board of

Directors or to address issues related to any significant subject within its terms of

reference.

Source: GMC Capital advisors, www.gmccap.com