Question

(2)

• Write objectives for an IT risk management plan.
• Write a scope statement for an IT risk management plan.
• Write the roles and responsibilities for an IT risk management plan.
• Use style and vocabulary generally appropriate to the message and intended audience.

Answer 1

The first step to defining risk management goals and risk management objectives is to define your organization's shared vision. Once the shared vision is articulated, overall risk management goals and objectives must be defined.

While a vision statement is often aspirational, the goals and objectives should ordinarily describe in simple terms what is to be accomplished. They should be actionable by the organization. They should be defined in the context of the organization’s business strategy.

For example, some common risk management objectives chosen by companies to frame their ERM approach include the following:

• Develop a common understanding of risk across multiple functions and business units so we can manage risk cost-effectively on an enterprisewide basis.
• Achieve a better understanding of risk for competitive advantage.
• Build safeguards against earnings-related surprises.
• Build and improve capabilities to respond effectively to low probability, critical, catastrophic risks.
• Achieve cost savings through better management of internal resources.
• Allocate capital more efficiently.

Risk management goals and objectives should be consistent with and supportive of the enterprise’s business objectives and strategies. Therefore, the organization’s business model provides an important context for risk management.

For example:

• It targets the markets and geographies in which the firm does business.
• It specifies the products and services it provides to those markets, the channels it uses to access those markets and the characteristics by which it differentiates its products and services in the eyes of the customer.
• It is built on many important elements: on the processes through which the entity converts materials and labor into products and services; on the employees the entity hires, trains and retains; on the suppliers and customers with which the organization does business; and on the shareholders and lenders that supply it capital.

Business risks are inherent in all of these elements. As the enterprise executes its strategy, it creates and increases its exposures to uncertainty. Therefore, business objectives and strategies provide the context for understanding the risks the enterprise desires to take. COSO affirmed this point by establishing “objective setting” as a component of the ERM framework.

When defining risk management goals and objectives, management should ask “tough questions,” such as those listed below:

• What are our business objectives and strategies? What are our financial targets, e.g., profitability, size and revenue growth? What values do we want to build and reinforce?
• What markets do we choose? What relative market position do we seek? What is our business model for winning in our chosen markets?
• What specific possible future events do we face? Are they related?
• How sensitive are our strategies, markets, earnings and cash flow to the occurrence of future events?
• How risky are our tangible and intangible assets for creating value? What are the loss drivers affecting those assets?
• Which specific future events could, if they occurred, affect our organization’s ability to achieve its objectives relating to quality, innovation, timeliness, safety, compliance, etc., and to execute its strategies successfully? Which events would affect our market share?
• How capable are we of responding to events beyond our control that may happen in the future?
• Do we know what our expected returns are, as adjusted for risk? Do risk-adjusted returns vary by business unit? By major product? By geography?
• Finally, if we decide to accept the exposures inherent in our business model that give rise to our existing risks, do we have sufficient capital to absorb significant unforeseen losses should they occur?

The above questions provide a powerful context for defining risk management goals and objectives. Following is an example of a statement of risk management vision, mission, goals and objectives:

Vision

Contribute to the creation, optimization and protection of enterprise value by managing our business risks as we create value in the marketplace.\

Mission

Create a comprehensive approach to anticipate, identify, prioritize, manage and monitor the portfolio of business risks impacting our organization. Put in place the policies, common processes, competencies, accountabilities, reporting and enabling technology to execute that approach successfully.

Goals and Objectives

(1) Design and execute a global business risk management process integrated with our strategic management process:

• Integrate business risk management with our strategy formulation and business planning processes;
• Articulate our strategies so that they are understood throughout our organization;
• Establish KPIs designed to drive behaviors consistent with our strategy; and
• Reward effective articulation and management of key risks.

(2) Ensure that process ownership questions are addressed with clarity so that roles, responsibilities and authorities are properly understood.

(3) Design and execute a global process to monitor and reassess the top quartile risk profile and identify gaps in the management of those risks, based upon changes in business objectives and in the external and internal operating environment.

(4) Define risk management strategies and clear accountabilities and action steps for building and executing risk management capabilities and improving them continuously.

(5) Continuously monitor the information provided to decision-makers in order to assist them as they manage key risks and protect the interests of shareholders