Enterprise risk management (ERM) in the current business environment




FW moderates a discussion between Craig Wright at BDO LLP, Martin Studer at Ernst & Young and Jeffrey Colburn at Marsh Risk Consulting, on ERM in the current business environment.

FW: Are you seeing an increased demand for enterprise risk management at the highest level? How would you rate corporate awareness of ERM?

Studer: Risk and opportunities are two sides of the same coin. You can never reduce risk to zero without reducing opportunity to zero as well. But what companies can do is develop a clear view of what is an acceptable level of risk compared to their capacity to absorb risk and their strategies. One of our recent surveys, delivered by Forbes, revealed that, while an overwhelming majority of senior executives believe in strong risk management to enhance earnings growth, only 44 percent of companies believe internal audit and risk management help their organisation to achieve its objectives. 

Wright: Our experiences are still that many organisations are not proactively introducing enterprise risk management. Where we have seen a demand it has usually been in response to a critical event or real risk crystallising, which has led boards and senior management to consider introducing formal arrangements. For those organisations that have introduced something in the past it is also the case in many instances that the strategic direction from the board is patchy, for instance, the arrangements are in place but are not being utilised to their best effect in order to drive better decision making. This is more so in the corporate arena. Funnily enough in the public sector, where risk management is mandated in some areas, awareness and demand for enterprise risk management at a strategic level is much better.

Colburn: We continue to see an increase in demand for ERM, and have been seeing this over the past several years. Most recently, demand has been driven from active participation by senior management, audit committees, and the board of directors. Corporate awareness of ERM has been trending up in part because of new standards and external stakeholder factors – ISO 31000, rating agencies and SEC guidelines, and recent catastrophes. 

FW: To what extent do today’s economic environment and increasing regulatory pressures highlight the need for a more formal, strategic and proactive means of managing risk?

Wright: More so now than ever, the current economic environment highlights this need. Economic pressures have led to many companies going out of business and many more failing to achieve their medium-term priorities. Risk management allows an organisation to articulate the risks associated with not achieving those objectives in a structured manner. The future direction of corporate governance in this country could make a significant difference to the attractiveness of the UK as a financial centre and the business community awaits with interest any future regulation changes. Too heavy-handed an approach will see companies looking to list elsewhere. Too light a touch may see further incidences of uncontrolled risk and unsustainable business models. Nevertheless, I believe a rules-based approach is obsolete. Any new framework needs to be based on principles, and we need to make sure these meet the needs of investors and markets in the future.

Colburn: These pressures are fundamental. Due to recent failures and catastrophes, there is the sense that more effective corporate governance is needed and that many organisations are still unprepared. Consequently, there is a perceived need for more regulation to prevent or reduce the number and impact of future lapses as well as for a more robust process for managing risk to protect the financial interests of the organisation and its stakeholders. 

Studer: The past 10 years brought a massive number of new regulations, starting with the Sarbanes-Oxley Act of 2002, Basel II and Basel III, FCPA, the UK Bribery Act, and more than a hundred other laws with an influence on corporate governance and risk management. Most readers will agree that the next 10 years is likely to bring another wave of regulation. Further, there will be a rebalancing between the mature economies and what was formerly called the emerging economies. This new level of globalisation will both bring new risks, and new regulations and rules to be followed by successful players in these markets. The risk environment will remain highly dynamic and will demand stringent risk management structures.

FW: What are some of the key risks that ERM seeks to target? How important is it to develop an effective strategy for identifying and assessing these risks?

Colburn: ERM seeks to target those risks that are material to an organisation and may affect its ability to achieve its business objectives. These risks cover the broadest perspective: strategic, operational, financial, technological, human capital and legal and regulatory. The key risks will vary from one organisation to another, and it is critical that organisations also look at the portfolio view, risk interactions, and emerging risks. Having an effective risk identification, quantification, and assessment process in place is critical. An ineffective process can potentially lead to a false sense of security, inadequate or inappropriate risk transfer and mitigation programs, as well as financial and reputational damage to the organisation. 

Studer: At the top of management’s mind are surely regulatory risk and cost-cutting challenges, as well as managing talent. More dangerous, however, are the new risks such as those related to social acceptance or technology. In the short term, Eurozone-triggered risks and currency impacts are in the high risk range for many global players. The fine art of risk management, though, helps management and boards focus on what is really important. While many organisations stop at the point where risk has been identified, a more appropriate approach continues, and includes a qualitative and quantitative analysis to understand the factors driving a particular risk, the initial gross risk as a result of strategy, and the value at risk after risk management strategies have been properly executed.

Wright: ERM seeks to target strategic, operational, hazard, and financial risks. As a minimum any good risk management process should consider these. The better approaches extend to project risks. It is crucial to develop an effective strategy so that companies do not place their finger in the air and guess what may or may not go wrong. Ultimately it is our view that there should be a golden thread from strategic objectives through to risk management considerations. Therefore, identified risks are explicitly considered in the context of achieving or otherwise strategy. ERM promotes this approach.

FW: In your opinion, are companies doing enough to address sustainability and climate change issues?

Studer: These are difficult risks to address, and the answer is surely no. Sustainability, climate change and corporate social responsibility are aspects that are not new on the corporate agenda but their importance has risen steadily. Embracing these risks in their entirety is a rather new discipline, and many organisations are only now starting to understand that addressing it brings the need for significant investments, engaging new technologies and sometimes changing corporate culture as well. For example, supply chain or energy consumption needs to be analysed in detail to provide stakeholders with satisfactory, straight answers. Sustainability will have a fundamental impact on businesses going forward and may soon be in pole position. It is therefore crucial to understand, assess and mitigate key climate change and sustainability risks, including their regulatory and financial impact.

Colburn: Among the organisations recently surveyed for our Excellence in Risk Management VIII report, a large percentage noted that climate change was a risk of relevance to their organisation, though a much smaller percentage had taken action on it. Companies can benefit from folding climate change and sustainability considerations into a comprehensive risk decision-making process.

FW: What advice would you give to companies on integrating risk management into their organisation? Should a primary objective be to create a culture of risk management?

Wright: When integrating risk management into any organisation, the advice we would offer would always be to start from the top. The board needs to be fully engaged in the process otherwise all levels will not necessarily take the process as seriously as they should. This means setting the organisation’s objectives and appetite for risk management and articulating them via a properly constructed, approved and articulated risk management policy and strategy. When all levels can see that the process is live and meaningful to the board, there is every chance that it will succeed and a culture of risk management will ensue. Secondly, one should ensure that the strategy determines a recognised and structured methodology, aligned to corporate objectives, for the identification, evaluation and management of risk. This should be consistently applied and regularly reviewed. The important thing, however, would be not to make a cottage industry out of the process as that would potentially lead to stifled innovation. Finally, in creating a culture of risk management, everyone throughout the organisation should be aware of the principles of risk management via inductions, job descriptions and performance development if benefit is to be gained from an embedded process. This does not mean that there has to be a risk register in place for every area of the business, however – for example, the person in charge of the car park should at least be aware of the risks associated with leaving the barrier up at night.

Colburn: First and foremost, integrating risk management into the operational fabric of the organisation is critical, but the process takes time. It is important to understand where you are today, and then create a plan for future improvements that helps the organisation to proactively identify, assess, and prioritise material risks; develop and deploy effective mitigation strategies; align strategic objectives and operational processes; and initiate key elements into the culture such as risk ownership, governance and oversight, and reporting, communications and training. Risk management should be baked into the culture of the organisation and everyone should have some responsibility for risk management.

Studer: Risk management must start at the top of the organisation, for instance, the board of directors, the CEO and the executive committee. Those organisations that assign risk management to a corporate function rather than using a risk management function to assist board and management in dealing with opportunity and risk should reconsider their approach. We observe many organisations with numerous separate risk functions. More and more CEOs ask for a clear business case and a more aligned and integrated governance, risk and compliance framework, including sound internal control. Driving such endeavours is surely impacting corporate culture, as business leaders become more involved in prioritising and managing risk as a core competence. Companies should move from a paradigm where risk is ‘bad’ toward taking well-informed risks as a source of progress and sustainability.

FW: What challenges and traps frequently arise when integrating ERM into a multinational company?

Studer: During the most recent recession, organisations found that growth scenarios can turn sour overnight. Although painful for many companies, some learned to develop a robust risk framework to underpin their business. Even those organisations with very solid business models discovered that their underlying processes to enable performance, such as governance, risk management, compliance and internal control, were simply not well aligned. Looking ahead, these companies may struggle to keep down costs and to grow at the same rate as their better-prepared peers. Integrating ERM needs to be a long-term journey with a very clear focus on enabling and improving business. Reducing silos and engaging management from the top down and from the very beginning often fails and ends in rather value-free and costly siloed system upgrades.

Colburn: Common challenges include a siloed approach to risk management, lack of data, an unwillingness to share information, a lack of efficiency, and a perception of risk management as a tactical, risk-averse function. But these challenges can be overcome. Successful implementation of a cross-functional risk committee can start to break down silos, as can discussing risk in a common language, gathering and analysing data in a consistent fashion, and articulating how risk management can help the organisation meet its strategic objective.

Wright: Typically, reporting channels, structure and consistency. In large, multinational companies there are challenges in the board’s message being heard in relation to risk management. A risk champion has the challenge of ensuring that the framework is consistently applied across boundaries and that reporting arrangements are regular and robust. Local champions can assist with this and regular communication should never be underestimated.

FW: How can risk management functions deliver value in this new economic environment? Should companies treat risk management as an investment?

Colburn: Risk management is not only about preserving value but creating value for the organisation and it is critical in the success of the business. It is also an investment, though an ROI calculation can be difficult. As such, risk management should be thought of in broader terms, and not just as a person or a department. All employees are ‘risk managers’ at some level. Investments can be in the form of training, policy development, tools, and so on, and it enables faster, better decision making at all levels. By effectively identifying, analysing, and mitigating risk, companies become nimble, competitive, and better positioned for success in today’s global economy.

Wright: I don’t believe that ERM should be viewed as an investment but more as the ‘way we do things round here’. Treating it as some new approach that requires special, extra, and detailed attention will ultimately lead to a process that will stall in time. ERM needs to have dedicated champions, direction from the board, central support, a proper framework and regular reporting/review and not be seen as compliance with externally imposed requirements, or the job of internal audit. The value that will ensue is that it should support strategic and business planning, better targeting of resources, allow a quick grasp of new opportunities, emphasise prevention rather than detection, increase compliance with laws and regulations, promote fewer unwelcome surprises and improve public relations.

Studer: I recommend all my clients start the journey with their stakeholders, be they shareholders and investors, banks or regulators. Assessing their needs and expectations, and translating these into a strict, stringent and easy-to-understand risk management message are typically the most important steps to make ERM a success. We know from research that investors are willing to pay a premium for organisations that can demonstrate sound risk management practices, communicating them clearly and in a timely manner. Banks are considering risk management practices for their credit rating. This is big time value for a focused investment in risk management. Further benefits may include reduced costs and improved performance. The key is to develop a business case that will ultimately underpin the enhanced performance and provide the return on investment the organisation is seeking.


Craig Wright is a partner and national head of Risk & Advisory Services at BDO LLP. Mr Wright has been delivering risk and advisory services for 15 years and has extensive experience in internal audit, risk management and corporate governance at a strategic level. He can be contacted on +44(0)161 8338 392 or by email: craig.wright@bdo.co.uk.

Martin Studer is a managing partner at Ernst & Young AG. Mr Studer is part of the founding generation of Ernst & Young’s Risk Advisory business and, as managing partner for their EMEIA Risk Advisory business, is a member of the Area Advisory Executive Team and the Global Risk Advisory Executive team. He has 20 years of audit, risk management, internal audit, internal control and fraud investigation experience and has led numerous global engagements with listed clients as well as ground breaking large-scale transformational projects. He can be contacted on +41 58 286 3015 or by email: martin.studer@ch.ey.com.

Jeffrey Colburn is a managing director and the practice leader for the Business Risk Consulting (BRC) Practice of Marsh Risk Consulting (MRC). He oversees the daily operations and continuing growth of BRC’s core practices, which include Enterprise Risk Management, Risk Management Optimization, Business Continuity Planning, Supply Chain Risk Management, Reputational Risk & Crisis Management, and Property Risk Consulting. Mr Colburn has more than 25 years of experience in risk management, safety, health, and security, working with companies in industries such as defence, health care, manufacturing, utilities, and hospitality. He can be contacted on + 1 (202) 263 7877 or by email: jeffery.w.colburn@marsh.com.

© Financier Worldwide
