•  
  •  

Resources

Building An Effective Enterprise Risk Management Program

Do you know what Enterprise Risk Management (ERM) is? Does your company need to establish or implement an ERM program? Do you know what the COSO framework is? If you answered NO to any of these questions, we can help your organization identify and mitigate risks that could impact your profitability.

ERM is the process of identifying and analyzing relevant risk from an integrated, company-wide perspective. The concept is designed to identify potential events that may prevent your firm from achieving its operational, financial, and compliance objectives.

Using our services, we will help your organization answer the following critical questions:

  • Do you have clarity about those risks that will affect your company’s future performance and provide deep insight into the risks that matter most?
  • Do you understand which risks your company is competitively advantaged to fully address, and which you should seek to transfer or mitigate?
  • Are business decisions made with a clear view of the impact to your company’s risk profile and are core business processes consistent with your approach to risk?
  • Are there adequate Information Technology systems and infrastructure in place for you to monitor and manage risks that are being taken within your organization?

F.I.R.M. Consulting Services has the approach to meet your company’s needs. Our approach will balance risk, consequences, time and cost regardless of the scope of engagement your company chooses. Our assessment will contain three major risk categories:

  • Risk identification and assessment: We will work with your company to identify risks across your firm that threatens your mission. We will measure the intensity of the elements that drive each risk and assess your firm’s exposure to these elements.
  • Risk tolerance and analysis: We will then work with your organization to define the level of risk your organization can tolerate. Keeping in mind that risk, when managed can lead to opportunity.
  • Compliance and business practices: We will work with your company to make sure you are industry compliant. We will use the ERM framework provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We will also use benchmarks, controls and industry best practices in use at similar organizations to your company. This will provide you with a risk profile comparison of your practices to similar entities.

ERM - Where to start?

ERM can affect many areas within organizations. Consider the following for evaluation and appropriate mitigation.

Operations Risks

  • Strategic – Risk to achieving the organization’s mission, arising from poor business decisions or improper implementation of Strategic goals
  • Cycle Time – Failure to deliver goods/services in a timely manner
  • Productivity – Inefficient processes lead to member/customer dissatisfaction
  • Product Development – Failure to develop products/services that customers need or want; and inadequate pricing
  • Continuity – Failure to maintain critical business operations
  • Resource/Human Capital – Failure to provide adequate resources – both people and capital
  • Capacity – Failure to fully utilize resources – people and plant capacity
  • Performance – Failure to perform because of inferior practices and/or products/services
  • Organizational Structure – Organization is not appropriately structured to ensure achievement of corporate goals and objectives
  • Quality – Failure to utilize high quality resources in producing goods or services
  • Succession – Inadequate, comprehensive succession plan for key management positions within the organization

Business Environment Risks

  • Competition – Inability for the organization to compete with its closest peers or competitors
  • Legal/Regulatory – Inability for the company to comply with all applicable laws and regulations
  • Compliance – Non-compliance with applicable laws, rules and regulations; litigations, tax which could lead to unnecessary litigation, penalties and fines
  • Customer Preference – Failure to maintain and/or predict customer preferences for goods and services
  • Investor Confidence – Failure to establish or maintain investor confidence affecting the company’s ability to raise capital
  • Resource Availability – Shortage of funds and resources needed for investment, growth or other business opportunities
  • Political – Risk that an organization’s assets may be seized or manipulated by a foreign government

Integrity/Reputation Risks

  • Reputation –Organization’s public image will be tarnished due to improper actions on the part of officials, management and employees
  • Integrity – Organization’s integrity is compromised by employees committing illegal or immoral acts

Empowerment Risks

  • Authority/Limitation – Failure by Executive management and BOD to establish appropriate authority or establish not-to-exceed authority and/or limits for approving or initiating transactions
  • Management/Employee Fraud – Inability to detect/prevent employees from perpetrating fraud against the company or utilize company assets in unauthorized situations
  • Illegal Acts – Employees fail to comply with laws, regulations and organization standards concerning illegal acts, payments and undesirable behavior

Market Risks

  • Currency – Exposure related to volatility in exchange rates for transactions and conversion
  • Liquidity – Organization’s inability to liquidate assets quickly and with minimal loss in value, to meet its obligations
  • Growth – Failure to achieve revenue growth, revenue constraints, and ineffective management of concentration risks etc
  • Reserve Preservation – Failure to preserve sufficient reserves for future growth of company
  • Interest Rate/Market – Failure to react appropriately to volatility in the current market, increased risk from limited diversification, and sensitivity to price and interest rate changes

Information Technology Risks

  • Information Systems – Unexpected losses or expense to an organization due to inadequate systems, breaches in information technology security and stale business continuity plans
  • Data Integrity – Improper and unauthorized modifications to corporate data and data leakage

Are you in need of External Penetration Testing (EPT) or Internal Vulnerability Assessment (IVA)?

Ask your IT Team and 3rd party IT Support vendors if they can answer the following questions with certainty and relative confidence:

  1. Is your organization vulnerable to an Internet attack?
  2. How do you prevent a hacker from breaking/infiltrating your network?
  3. What does your company do to prevent a hacker attack /network breach?
  4. How robust/hardened is your network security?
  5. When was your company’s last EPT and/or IVA conducted? What were the results?
  6. Are your risk mitigation plans adequate?

If you cannot answer these questions confidently, your credit union could benefit from a network security assessment.