2021-02-22 Cesare Conti

Towards an Advanced Approach to Enterprise Risk Management

The proper management of enterprise risk is increasingly seen as a strategic element of differentiation with respect to competitors, and as such, an element that supports the pursuit of business performance, and more in general, of sustainable success. From that perspective, the contribution of Control and Risks Committees and the new Self-Regulation Code can help promote the spread of best practices on the issue of enterprise risk management.

A recent position paper published by the Italian Association of Financial Industry Risk Managers (AIFIRM) in collaboration with PwC demonstrates the presence of an evolved best practice on the subject of Enterprise Risk Management (ERM) in non-financial companies,[1] i.e. of a best practice strictly integrated with ESG policies (environmental, social, and governance factors), with the purpose and performance of businesses.

However, unfortunately, the indicators on the spread of that best practice are not comforting, and not only in Italy, to tell the truth.[2] The spread certainly depends on the contribution of the Control and Risks Committee (CCR) and its characteristic function of support and stimulus for the BoD on these issues (the "challenge" function). This holds in particular for non-financial enterprises, where, unlike in banks, the chairman does not always play a constructive role on this point.

Looking forward, that situation could see a significant change in the right direction, especially thanks to the new self-regulation code (the "Code"), which, starting this year, provides assistance to the CCR, stimulating the board to reflect on three important preconditions for the spread of best practices on the subject of ERM.

  1. The first precondition is as banal as it is important, and lies in the fact that the members of the CCR must have adequate skills, as well as true independence. It is in fact evident that if the CCR does not have an evolved culture it will not be able to contribute to spreading one. The Code intervenes appropriately on this aspect. Although true "fit and proper" requirements as exist for financial intermediaries are not proposed, Recommendation No. 35 suggests that the committee should have competences "functional to assessing risks." And to that end it requires that at least one member of the committee have adequate knowledge and experience on accounting and financial matters or risk management. This is evidently a step in the right direction, although it will not be simple to verify compliance with that recommendation.
  2. The second precondition regards the attention that corporate governance dedicates to the significant stakeholders. In fact, where governance is dominated by the shareholders (and sometimes by just some of them), they tend to hold on to the risk management function, if nothing else to supervise an important strategic decision such as the allocation of enterprise risk among the stakeholders that bear it. This attempt at defending themselves, which is normal, is not compatible with ERM best practices, according to which the culture of risk management should permeate the entire organization, and above all, should consider the requests of the most significant stakeholders. The Code provides assistance on this second precondition as well, through the first Principle, which indicates the company purpose to the board, making it coincide with sustainable success, which "is realized in the creation of long-term value to the benefit of shareholders, taking into account the interests of the other significant stakeholders for the company." The broad scope of this principle is entirely evident; indeed it is also repeated in the Recommendations for 2021 sent by the chairman of the corporate governance committee to the chairmen and CEOs of companies, and the chairmen of boards of statutory auditors.
  3. The third, more than a precondition, is an operational tool that allows for promoting the spread of ERM best practices. That tool can be identified not only as the formalization of a Risk Appetite Framework (or RAF[3]), but above all, as the dialogue between the RAF and the strategic plan. That dialogue takes place through the connection between the KPIs (Key Performance Indicators) and the KRIs (Key Risk Indicators). These indicators, in addition to being linked to each other, should be planned by the board so that they are, on the one hand, cascaded down to the various levels of the organization, and on the other, organized in relation to the specific interests of the significant stakeholders. In this case as well, the Code provides stimulus to the CCR through Recommendation 1c, which calls for "defining the nature and level of risk compatible with the company's strategic goals, including in its evaluations all of the elements that can take on importance from the standpoint of sustainable success." There are evidently many ways to adopt that recommendation. It is certain that the formalization of a RAF and its link with the strategic plan provide very effective support for it.

To summarize, the CCR can leverage the new Self-Regulation Code and raise the appropriate questions to promote reflection on those preconditions for an evolved ERM culture in the appropriate locations (for example in BoDs, committees within the board, the various phases of strategic planning, on the occasion of the drafting and approval of the corporate governance report, etc.).

The CCR could also pose additional questions taking its cues from what is known as the COSO Report, "Enterprise Risk Management. Integrating with Strategy and Performance" from 2017,[4] and from the position paper already cited. It is sufficient to recall a couple of organizational/motivational ideas. The first: does a Chief Risk Officer (CRO) exist who guarantees the performance of so-called second level controls and serves as a link between the management and the board?[5] The second: do the remuneration policies also include some KRIs that guide the management's conduct?

It is evident that the responses to all of these questions do not depend only on the presence of an evolved ERM best practice, nor on the stimulus supplied by the Code or the CCR to promote its spread. The responses ultimately depend on the more or less open and receptive attitude that will be demonstrated towards that stimulus by the dominant stakeholders, the CEO, and the top management of the single companies.

In any event, the time seems ripe to introduce significant changes, although with the necessary gradualness and with respect for the criterion of proportionality.

Good management of risk in fact indicates good governance, and more in general, is the litmus test for true attention dedicated to ESG factors by the business, which in turn represents an increasingly decisive element in the evaluation of the behavior of customers, employees, investors, and in general, of all significant stakeholders.

Therefore, good management of enterprise risk is less and less a technical question of managerial efficiency, something which is "nice to have." Instead, it is increasingly a strategic element of differentiation with respect to competitors, and as such, an element that supports the pursuit of business performance, and more in general, of sustainable success.


Cesare Conti is the Director of the Master of Science in Finance at the Bocconi University.

[1] Italian Association of Financial Industry Risk Managers (AIFIRM), "Governance e strategia per la gestione dei rischi nelle imprese non finanziarie," Position Paper No. 24, 2020.

[2] See M.S. Beasley, B.C. Branson, B.V. Hancock, "ERM Professional Insights, The State of Risk Oversight: An Overview of Enterprise Risk Management Practices," American Institute of Certified Public Accountants (AICPA), 2019.

[3] To summarize, the RAF can be defined as an approach – including policies, processes, controls and systems – aimed at identifying the risk propensity of a company in terms of the types of risk that the company is willing to take on, and of the relative exposure desired, which is determined by taking into account the maximum exposure tolerated in the pursuit of the business goals.

[4] "Enterprise Risk Management. Integrating with Strategy and Performance (2017)," The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2017.

[5] The system of risk control and management usually entails three types of controls, known as first, second, and third level. The first level controls are performed directly by the operational structures, to ensure the proper performance of the specific operations. The second level controls are performed by dedicated structures separate from operations, with the aim above all of ensuring the proper implementation of the ERM process, in respect for the operational limits set (risk management function) and the conformity of the company's operations to internal and external rules (compliance function). Finally, the third level controls are performed by a dedicated structure that is independent of the first and second ones (the internal auditing function), that has the task of verifying the completeness, functioning, and reliability of the internal control system and the information system.