Enterprise Risk Management

ERM: Risky business

Best practice study shows way through the quagmire

By Michael J. Moody, MBA, ARM


More and more, enterprise risk management (ERM) is being highlighted in the trade press and now appears to be gaining some serious traction within the general business community. Recent months have seen an increasing level of interest from corporations across all industry segments.

Additionally, since the first of the year, there have been a number of surveys, studies, and white papers from a wide variety of sources about ERM programs. Most of the publications emphasize the growing influence of ERM. And some even provide insight and advance implementation ideas to assist those organizations that have not yet adopted an ERM program.

One of the most insightful publications of the past few months came out of the American Productivity and Quality Center (APQC) and is billed as a “best practice” report titled “Risky Business: Employing Enterprise Risk Management to Sustain Growth, Mitigate Threats, and Maximize Shareholder Value.” (Founded in 1977, APQC was previously known as the American Productivity Center and the American Productivity & Quality Center.) In addition to APQC, the report had a supporting cast that included Crowe Chizek & Company and provided specific ERM information from five “best practice” organizations.

Starting at the beginning

According to the report, APQC established the “Risky Business” consortium to benchmark and report on how “best practice” corporations manage risks. The study points out that in today’s economy, risk abounds. And as a result, rather than avoid risks, corporations must address and actively manage them.

The central point that the study aimed to answer was: “How do ‘best practice’ organizations integrate the management of strategic, business, customer, financial, operational and people risk from across the enterprise?” Further, how do they do this “around the globe in order to mitigate threats while maximizing shareholders’ value?” These are ambitious undertakings by anyone’s standards.

What the research showed was that there are 11 major, overarching findings based on a survey of the “best practice” participants. For the most part, these 11 findings are spread across four key areas and include the following:

• Developing an enterprise risk management program

• Defining a governance model and support structure

• Collecting, analyzing and sharing ERM information

• Gauging success

In order to complete this study, the authors carried out detailed analyses of participant “best practice” data as well as on-site visits in order to document innovative performance in one or more of the study’s four focus areas.

Developing an ERM program

The first finding from the study is that maturity of an organization’s ERM capabilities enables “best practice” companies to be more agile and flexible in responding to business needs. The study found that the ERM maturity can be broken down into three distinct stages: early stage (less than two years), enterprise development (two to five years), and core process (over five years).

The study noted that “the commencement of the ERM process is typically triggered by a significant business event or a material loss within an organization.” Further, activities that usually are included in this first stage range from developing a basic charter to assigning dedicated resources for establishing a rudimentary reporting process. Initial success with these tasks will lead the way to moving toward the second stage.

A key characteristic of the enterprise development stage is that the value of a centralized ERM approach becomes well understood and the organization’s measurement activity begins to extend to a broader cross-section of the company. Typically, as benchmarking activities are instituted, the organization will also appoint a chief risk officer.

During the second stage, it is common for management to seek to integrate ERM into the overall business process.

The third stage of the process, the “core process,” is usually when management sees ERM as a core management process. Further, the process is now “fully integrated into the organization’s overall planning and performance management process.” At this point, among other things, there is clear ownership of ERM by the company’s board of directors.

The second major finding of the study is that “ERM is not a stand-alone or discrete activity but rather a part of everyday life”; in essence, it is a performance improvement effort. Best practice organizations make it clear from the start that ERM is part of doing business and as a result, it must “be woven into the fabric of the organization.”

Defining a governance model and support structure

“Effective ERM is conducted at the corporate level in order to communicate policy and provide support to the entire organization,” is the third major finding from the study. And as a result, best practice organizations were “tasked” with facilitating, communicating and supporting the overall risk management agenda.

Additionally, the corporate risk management group needs to point out that they are not the owners of risks but, rather, their role is to help others realize that they own the risks. This typically necessitates a close working relationship with the organization’s operating units in order to establish an effective ERM program.

Another key finding of the study was that “ERM is successful when championed at the enterprise level and owned by the CEO/board of directors.” All of the best practice organizations have established clear ownership at the board level. Efforts to implement an ERM program without board ownership usually fail. And while ownership that is limited to the executive level can work initially, as an organization’s ERM program matures, ownership typically gravitates to the board.

Another key finding, shared by every best practice organization, was that “employees must recognize their ownership of risks within their particular areas of accountability.” As such, it is incumbent upon the risk management group to assist risk owners in identifying and understanding how they own particular risks. At the end of the day, best practice organizations realize that everyone is a risk owner.

Collecting, analyzing, and sharing ERM information

Following up on the previously noted findings, another key point regarding the core process aspects of the ERM program is that risk management must “become embedded into the organizational strategy so that it results in a seamless process for goal attainment.” The best practice participants realize that “by reviewing both the opportunities and threats created by risks, they are better able to assess the true probability of achieving strategic objectives.”

As an organization matures, it begins to leverage technology in order to automate data capture and risk measurements. And while the ability to leverage technology varies from company to company, the best practice organizations noted that it was the primary reason why effective ERM programs can be operated with small staffs. By aggregating risk metric data across their companies, participants are able to utilize some form of consolidated dashboards to illustrate the risk control and assessments across their organizations.

A commitment to training was another finding from the study. All of the best practice companies have found that formal ERM training is needed in order to ensure that risk management is understood at the individual employee level. Formal ERM training takes a variety of approaches at the best practice companies, although they all utilize both formal and informal training sessions to educate their employees. On-the-job training, presentations, and workshops are also used by the majority of best practice companies. Bottom line, all realize that formal ERM training is required to enable risk management to flourish within their organizations.

Gauging success

Obviously, one of the most important aspects of today’s state-of-the-art ERM program is the ability to measure success. As a result, the study also provides some insight into this important area. It is important that measurements are not established just for the sake of measuring. Corporations must learn to transform data into “information in action” in order to assure that the goals of risk mitigation and process management are effectively targeted.

Best practice organizations have found that a properly structured measurement framework “drives the delivery of risk information and safeguards the integrity of the decision-making process.” Unfortunately, however, at this point in the evolution of ERM, there are no universally appropriate ERM metrics.

Best practice organizations have found that regardless of the specific measurements selected, it is important to develop an approach that ties into overall organizational strategies and ultimately aligns with the corporate performance management systems. Most participants agree that one of the major roadblocks to ERM development has been the lack of a generally accepted set of ERM measures.

Most of the study participants believe that establishing an ERM program should not be a “one-off” activity. Rather, ERM needs to be viewed as a continuum and incorporated into the ongoing planning process as a continuous process improvement loop. As a result, the participants agreed that despite the lack of a common base of measure, corporations should develop measurement criteria that are important to them, and then begin benchmarking this information from year to year.

Summary
This is another excellent study that can be used as a blueprint for corporations to begin to develop their own ERM programs. This study provides significant insight into how several of the best practice organizations have built their programs and how that can be applied to other companies. It is certainly worthy of review by anyone who is in the process of designing an ERM program.