
Mba 560 - Enterprise Risk Management

April 10, 2011  •  2,922 Words (12 Pages)



In December of 2001, Enron Corporation filed for bankruptcy protection (Sloan, 2006). Earlier that same year, Enron was touted as one of Fortune 500 magazine's top companies, landing at number seven on the list based on its 100-plus billion dollars in revenues (Fortune, 2001). The events that took place at Enron unfolded throughout the early 21st century. The media zeroed in on the senior leadership at Enron, who were charged with various counts of fraud and misconduct that essentially led to the downfall of the large company. WorldCom was another company caught up in accounting fraud, in the realm of $11 billion (Jeter, 2006). Both of these incidents have set the stage for the current focus on corporate governance and accountability in the 21st century.

Describe the Situation - Countrywide Financial

Countrywide Financial is a mortgage-focused financial services company, and will be referred to as "CFC" throughout the remainder of this document. CFC is the number one loan originator in the United States, as well as the number two loan servicing company in the nation. This means that CFC handles a big piece of the money that flows through the economy of the world, and most specifically, within the United States. Being designated one of the biggest banks in the nation brings many responsibilities that CFC must take into consideration. CFC has been extremely aware of the regulatory environment, as well as the effect of SOX and other pieces of legislation on the business. The following report assumes that CFC does not currently have an Enterprise Risk Management framework in place, and is looking into ways of building an ERM framework and program. In reality, CFC already has in place an extensive Risk Management function, as well as supporting functions, such as Compliance, SOX Framework, and Strategic Planning.

Environment for CFC

CFC is a publicly traded company on the New York Stock Exchange, as well as a chartered bank of the Federal Reserve. These facts mean that CFC is audited by many external entities, but some of the more important include the Securities and Exchange Commission (SEC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC). Also, since CFC is publicly traded, the company must ensure that it reports its financials accurately, according to SEC guidelines. In this regard, CFC is no stranger to the regulatory environment introduced by legislation such as Sarbanes-Oxley and recommendations introduced by the Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as COSO.

Frame the "Right" problem

Bringing together the Board of Directors, Senior Management, and Shareholders, CFC has an opportunity to implement governance controls that support the regulatory expectations as well as the corporate objectives. Enterprise Risk Management requires all levels of participation from the staff employees to the senior management, and even the Board of Directors (Chew & Gillan, 2005). At CFC, all aspects must come into play to leverage the necessary resources for an optimal solution to a regulated environment.

Overall, any objective to implement an ERM program at CFC requires controls. There are three major categories of controls in relation to risk. The first control type is a preventative control. Preventative controls can be put in place to mitigate or stop a risk from being realized. Each risk that a company faces can potentially impact the value of the company, and preventative controls are strong because they reduce or eliminate the chance that a risk will arise. The second type of control is the detective type. Detective controls focus on the identification of risks. Unlike preventative controls, detective controls do not prevent a risk from being realized, but rather help to identify when it has occurred. Finally, corrective controls are used to mitigate the impact from a risk that has been realized. For example, if a company like CFC invested in a foreign country, and that foreign country had a civil war, the corrective control would be to liquidate the investment and capitalize on opportunities in another country. The corrective controls do not prevent risks from arising, but they help to mitigate those risks once realized. Our solutions will be focused on preventative controls for Enterprise Risk Management.

Describe End State Goals

CFC must attain certain goals during the implementation of a governance program. The following 8 components are taken from COSO's Enterprise Risk Management - Integrated Framework (COSO, 2004) and must be considered in the end state goals of an Enterprise Risk Management program: 1) Internal Environment, 2) Objective Setting, 3) Event Identification, 4) Risk Assessment, 5) Risk Response, 6) Control Activities, 7) Information and Communication, and 8) Monitoring.

Internal Environment

The Internal Environment, as defined by COSO for Enterprise Risk Management, describes the tone of the organization with respect to the tolerance of risk, risk management, risk philosophy, and other aspects of the corporate mentality towards risk. This Internal Environment is important, as it is directly related to the culture of the organization, and also takes into account the business ethics that have been adopted by the organization. In every organization, culture can play a vital role in the overall control within the organization. If management and employees do not follow an ethical business path, the corporation is bound to wind up in violation of the regulatory expectations. The goal of the Internal Environment is to have well-defined rules and policies surrounding how to identify risk, escalate the risk, and/or address the risk.

Objective Setting

The next step in the overall framework of Enterprise Risk Management is the ability to set objectives. According to the Enterprise Risk Assessment - Integrated Framework defined by COSO, "Objectives must exist before management can identify potential events affecting their achievement" (COSO, 2004). The goal of objective setting is to ensure that the strategic objectives of the company are in line with the overall mission and correlate directly with the risk "appetite" that the board of directors and management have set.

Event Identification

After the objectives of the corporation have been set in relationship to a risk appetite, the organization must be able to recognize the internal and external events


