Moving towards enterprise risk management
By Reginald C. Nery
What keeps you up at night? How well are you managing your risks? Are you achieving an acceptable return on the risks you take? Have you identified and assessed all your risks? What are your top 10 or 20 risks? Are you still practising traditional or “silo” risk management, or have you adopted the newer, better and integrated approach? Do you have a fully integrated risk management program to assess and manage risks across all lines of business and activities of the company? These questions are just a few of the concerns that pepper the thoughts of senior management and boards of directors in numerous organizations, especially publicly-listed companies. Ensuring good corporate governance requires a broader, more integrated and enterprise-wide approach to risk management: the approach called enterprise risk management, or ERM.

What risk management is and is not

Risk management is not aimed at reducing the organization’s risk to zero. Without risk, there is no return. Rather, its aim is to ensure that the enterprise is well compensated for the risk it takes, provided that the risks taken are within the organization’s risk tolerance or risk appetite. According to the 1997 Group of Thirty (G30) landmark report Global Institutions, National Supervision and Systemic Risk, “there is no way to eliminate risk or failure completely. The business of market intervention is to accept an appropriate amount of risk and manage it effectively. A financial system that attempts to eliminate risk rather than managing it well would be costly and inefficient.” Indeed, companies cannot eradicate all risks without greatly hampering their operations and financial performance. Risk management is not just about using financial securities or derivatives (such as options, futures and swaps) to manage financial risk; it is about adopting a portfolio approach to manage the full range of risks faced by organizations.
Risk management is not just about setting the right control policies, standards, systems and processes; it is also about having the right people and the right culture. Risk management is not just about reducing downside potential, or the likelihood of pains; it is also about increasing upside opportunity, or the prospects of gains. What is important, therefore, is for the organization to have a risk management strategy, organization, culture, policy, tools (that is, software, models, analytics and metrics) and process in place to:
- identify, analyze, prioritize, assign accountability for, monitor and report risks;
- determine whether controls are in place to address the risks; and
- ensure that the residual risks or exposures are acceptable (that is, within a tolerable level) and, if not, are properly managed (that is, monitored, mitigated or transferred, and reported).

Practical approach to ERM

According to material published by KPMG International entitled “Enterprise Risk Management: Complacency Is No Longer an Option, But a Practical Start Is,” recent trends in globalization, electronic commerce, mergers and acquisitions, corporate governance, changing market structures, increasing regulation and rating agencies are drawing attention to the urgent need to establish an effective ERM program. In response to these external pressures, many board members expect their management teams to implement an effective ERM program. The same material explains that, consequently, many leaders are seeking guidance in developing a practical approach to ERM: an approach that is tailored to their culture and structure, aligned with their business strategy, embedded in their business processes and focused on their most critical risks. Getting started with a clear and practical vision is critical, and a few key steps can enable leaders to build on existing risk assessments and get an ERM effort under way.
Leaders who have successfully pioneered ERM tend to embrace several important practices, which may help others meet regulatory demands and add business value. Described below, these leading practices can provide the means of overcoming old barriers, achieving new buy-in and ultimately realizing ERM’s potential for enabling organizations to add business value and achieve competitive advantage.

1. Gain buy-in from those running the business.

Often in the past, ERM was a finance department “bolt-on” project whose champions likely had little broad support or leverage. As a result, ERM’s potential value to the business was never fully realized. A key step now is to establish a risk management council or a management risk committee that is charged with obtaining buy-in for the ERM program across the organization. With a lead/sponsor reporting to the CEO, the risk management council will include individuals who lead key areas within operations and support, such as legal, HR, compliance, finance, operations, strategy/corporate development and IT. The management risk committee is a subcommittee of the Risk Management Committee (a board committee). The risk management council:
- assists in educating and training employees and in coordinating development of the risk profile (i.e., a prioritized assessment of key risks);
- confirms and approves the organization’s risk “language” and parameters (e.g., the point at which something would be considered a catastrophic risk, based on reduced cash flow, loss of operations, loss of reputation and so forth);
- sponsors and participates in reviewing the key risks and debating the risk profile, risk priorities and important risk causes and consequences;
- evaluates emerging risks, discusses and reviews the risk reports, and reports frequently to the CEO and the board; and
- facilitates the process of keeping the risk profile current and relevant.
Having obtained consensus, the risk management council is in a position to steer the ERM execution effort. The following discussion is mostly taken from the KPMG International material entitled “Enterprise Risk Management: Complacency Is No Longer an Option, But a Practical Start Is.”

2. Identify and prioritize top risks, and explore how well you manage them.

A successful ERM endeavor begins with a focus on two fundamentals: content and process. “Content” refers to the key risks, and “process” indicates how the program for managing them is sustained across the business. The risk council’s first goal is to facilitate the identification and prioritization of an organization’s key risks: those that may prevent it from meeting its corporate strategic goals. This list can be based on the likelihood of the risks occurring and the potential consequences to the organization should they occur. Leaders would identify risks that they believe threaten the business model, the organization’s strategy and the organization’s existence. Members of management within the risk management council would examine these risks carefully and critically, develop an enterprise risk profile, and then identify priority risks (e.g., the top 10 to 20 risks). The risk management council’s second goal is to explore how well the business prevents and/or manages the key risks today and what changes may be necessary to improve that effort. This process provides details about the effectiveness of the organization’s approach to managing risk and an assessment of vulnerabilities that could threaten the organization’s overall business strategy. It can also assist leadership in critical decision making. For example, if an organization is planning to buy another company, the relevant risk information could help illuminate whether the potential acquisition could have a negative impact on the company’s current top risks.
So much business information is historical; risk information needs to be current and supported by a sustainable process that enables a future focus.

3. Assign accountability: turning the corner from risk assessment to risk management.

Identifying key risks will help the organization understand accountability: who owns the risks, how effectively they are currently being managed, and whether the risks are being monitored. Internal audit or compliance departments may be in charge of monitoring certain risks, but often, because organizations are organized by function or geography and not by risk, the highest risks may have no designated risk owners or risk monitors. Indeed, some risks may not be formally identified at all (for example, strategic risk is often not identified, and thus can be the source of some unwelcome surprises). Assigning formal accountability for identified risks to the right people helps create a greater level of assurance for the board and the audit committee and a greater level of confidence in the organization’s governance framework.

4. Begin working toward a single view of risk.

Many organizations have already invested in a variety of risk processes and functions, but these mechanisms often lack a unifying vision and clear objectives. Consequently, the potential benefits go unrealized. The effective implementation of ERM is the much-needed “glue” that delivers a performance-based focus on risk management and, thus, a reward for the risk management investment. Implementing a single ERM approach allows leaders to replace the “siloed” approach to risk management with a single view of risk that is articulated across the organization.

5. Consider your current position within an ERM framework.

The risk management council can then build consensus on where the organization wants to go next, based on its risk profile.
With a single view of risk identified and an ERM framework (i.e., a construct of common language and approach/methodology for risk management) in place, an organization can begin the critical work of articulating its own vision for ERM and ERM’s role in the organization. That vision will help determine the organization’s ERM approach and will likely be a call to more immediate action as leaders gain an appreciation of the gaps in their current efforts and can see a way forward. Leaders take varying approaches to ERM, depending on the needs of the organization and its risks. ERM approaches can be plotted along a “maturity continuum” (that is, from a Basic or “Compliance” level, through a Mature or “Managed” level, to an Advanced or “Strategic” level). An organization’s approach, and the choices it reflects, affect the extent to which it makes ERM part of its governance and business operations.

The way forward

ERM has evolved from a largely theoretical construct to a highly practical performance tool. Now, many leaders are beginning to recognize ERM’s value and practical applicability as a means of responding to business or governance changes and stakeholder demands, improving the management of identified risks, and ultimately creating a sustainable process for gaining competitive advantage.
Organizations that embrace ERM and build it into the core of their enterprises can anticipate the benefits that are possible when:
- risks (the “content”) are assessed, evaluated and correlated across the enterprise;
- a common risk management framework (the “process”) is in place, with accountability established for measuring, managing and monitoring risk;
- risk quantification and aggregation are enabled throughout the organization via common methodologies and tools;
- risk reporting to management and the board is effective (that is, it captures risk trends and emerging risks);
- the ERM program supports strategic decision making and brand protection and has predictive value; and
- corporate governance processes are strengthened.

Implementing an ERM approach is certainly not easy, and it cannot happen overnight. But as ERM’s practical applications evolve, leaders have learned that an ERM approach can help organizations with two critical challenges: how to derive tangible value from regulatory compliance efforts, and how to link risk and strategy to drive business performance and enhance the organization’s brand. An ERM program is no longer an option; it is a mandatory program for any organization intending to create and preserve shareholder value, to improve investment decisions and support growth, to attract and retain stakeholders (such as employees, creditors and investors), and to prevent financial disasters and survive corporate crises.
As the risk management guru James Lam, author of “Enterprise Risk Management: From Incentives to Controls” (2003), would often tell his audience when speaking on the importance of risk management, “over the long term, the only alternative to risk management is crisis management – and crisis management is much more expensive, time consuming, and embarrassing.” Taking the practical first steps to build internal consensus can help leaders meet rising external demands and, over time, use ERM as the foundation for building competitive advantage.