RIMS Special Section
Moving ahead strategically
ERM & SRM—complementary disciplines to handle risk
By Michael J. Moody, MBA, ARM
A few years ago, according to Carol Fox, director of RIMS' Strategic and Enterprise Risk Practices, the RIMS' board of directors identified strategic risk management (SRM) as an emerging practice and noted that it should be viewed as the next step in the evolution of enterprise risk management (ERM). To confirm this conclusion, they commissioned an external study in 2009 that came up with similar results. The key findings were noted as:
• Concepts are immature, but developing.
• Less consideration for the potential upside risks in actual practice.
• Organizations are seeking direction from a global leading authority that can provide services in these evolving practices.
Recognizing that strategic risk management is an evolving practice, RIMS formed a Strategic Risk Management Development Council, which Fox heads up, to complement the strong work of its ERM Committee. This new advisory council is made up of a variety of strategic and enterprise risk management practitioners as well as a published academic on the topic. By using common board and staff liaisons, as well as including a member liaison from the ERM Committee, RIMS sought to secure a solid directional link for RIMS.
In creating the council, Fox indicates that "RIMS emphasized that SRM is not meant to supplant ERM, nor is this focus on SRM intended to create a new risk management silo." Instead, she says, "We envision the convergence of ERM and SRM as more organizations formally adopt enterprise risk management. RIMS recognizes that each organization determines what it needs from risk management, and that strategy is driven by executive management, primarily through strategic planners." RIMS—in meeting its mission for advancing the risk management discipline—is ready to serve those respective needs.
"While a number of organizations already have embraced strategic risk management as an integral part of their respective enterprise risk management practices," Fox says, "others are developing or practicing strategic risk management as a focused discipline outside of a formal enterprise-wide risk management effort." RIMS intends to become the leading global authority on strategic risk management, whether an organization chooses to make it part of its enterprise risk management practices or focus its risk practices on strategy separately, she points out.
The next evolution
It is important to note that while the movement in a more strategic direction may appear to some to represent a major change for RIMS, according to Fox, "It's not a change; we are just becoming more vocal about it." This is a plan that was actually set into motion several years ago, by the RIMS Board. At this point, "we have decided to become much more of an advocate for SRM and help determine how best it should be implemented in concert with ERM."
However, a number of organizations have already chosen to tie ERM with governance and compliance, Fox notes, thus including risk as a compliance and control function. Fox emphasizes that RIMS is saying that "that is not an o.k. thing to do; there is more value on the table by focusing on ERM and SRM." And she adds that today, "SRM is where the board of directors of many companies are most interested." And the boards at these corporations are telling their risk professionals that when you report on risks, you need to include strategic risks. "They want to know what are those things that are most important and can reduce our ability to execute against our selected strategies." For the most part, this is what RIMS believes "is the new focus of today's boards," says Fox.
However, she indicates this whole competitive approach between the various departments within some corporations "is just a giant time waster." At the end of the day, she says, "We are arguing over very similar concepts." In reality, "We need to be advancing risk management for our organization's success. It's counterproductive to try to determine which standard is 'better' and who owns what." RIMS is now aware that there are many "owners" of risks within a corporation. As a result, Fox points out that there are actually many "risk practitioners" that are involved with various aspects of the risk management program. She goes on to say, "We all own pieces of it." Unfortunately, she notes, "We are just hurting ourselves if we continue to cause confusion within our organizations. It is now time to find a better way to work together with the organization's other risk practitioners."
She points out, "Conventional risk managers have been dealing and partnering with all types of corporate functions, since many of them now see the benefit of collaboration." And she says synergistic opportunities already exist so that "we need to be exploring how we might complement each other."
While risk managers should lead the corporate risk management effort, they should do so by being facilitators that are working towards a wider view of risk management. By moving to a more strategic approach, Fox notes, RIMS will be required to move past the theoretical aspects of risk management to a more "how-to" approach. "We must become stronger advocates for strategic risk management," she says, adding that this is already happening. Overall, RIMS has increased its educational and professional development efforts, with more on tap for 2012.
Both ERM and SRM sessions have been added to the annual conference. In addition, Fox says that they are producing several specific Webinars on SRM best practices, as well as publishing at least seven executive briefings around SRM topics. Finally, based largely on the positive feedback at last year's ERM Summit, RIMS will also host a Fall ERM conference in San Antonio, Texas. All of these educational opportunities will be directed at furthering the SRM effort.
The same but different
RIMS has always viewed ERM as "a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio." Along with other principles, ERM encompasses all areas of organizational exposure to risk (including strategic) and seeks to embed risk management as a component in all critical decisions throughout the organization.
As envisioned by RIMS, strategic risk management (SRM) is "a business discipline that drives deliberation and action regarding uncertainties and equally important untapped opportunities that affect an organization's strategy and strategic execution." Strategic risk management, notes Fox, "whether alone or integrated in an ERM program context, can potentially identify situations in which risk can be a competitive advantage instead of only a threat to the strategic plan." SRM encompasses the interdisciplinary intersection of strategic planning, risk management and strategy execution in managing risks and seizing opportunities. According to RIMS, this not only allows for protection against losses, but for reducing uncertainties and seizing opportunities, thus enabling better performance in achieving the organization's objectives and greater resilience in an uncertain environment.
There remains a development need for practical risk management applications in reducing uncertainty in strategy-setting as well as strategy execution. Formal risk assessments may be made at different points along the value chain. However, Fox notes, the methods and processes for aggregating and analyzing these strategic risks within an organization's appetite and tolerance for risk against the expected reward outcome are in limited use. The value-driven risk management techniques most useful in a strategic setting are different from those that may be used currently.
Overall, ERM and SRM are closely related, particularly in the processes used. However, the emphasis is different, as the level of insight and certainty differ considerably between current operational and future strategic uncertainties. ERM risk assessment methodologies used in many organizations focus on certain elements of risk: primarily relative impact and probability of occurrence, frequently focused on the present day or over a relatively short time horizon. By their nature, ERM identification and analysis methodologies tend to focus on events rather than trends, and may rely heavily on historical data, which may or may not be predictive of future conditions. These risk-based and event-driven techniques may be limiting in strategic planning, where the focus tends to be more trend-driven while considering potential future events.
"SRM methods and techniques focus primarily on uncertainty from a relevance and importance perspective in achieving strategic objectives," points out Fox. The assessment elements may also include timing, impact to reputation and impact to various stakeholders, but usually with less emphasis on relative impact and/or likelihood. While many of the risk assessment techniques used in an ERM context can be useful in strategic planning and decision-making, different or modified methods and techniques specific to strategy-setting and execution need to be applied. There are multiple reasons why an organization that has an ERM program may want to include a specifically focused SRM approach within its ERM framework and practice.
First, successful achievement of the organization's objectives may not be considered fully if the ERM program's primary focus and contribution are on value protection (i.e., mitigation, compliance and/or control). Value may be untapped and lost if the organization views risk only as an impediment rather than a potential opportunity.
Second, the people within the organization who are accountable for corporate strategy and execution may be different from those who are responsible for functional day-to-day operations. Decision-makers and influencers at the strategic level may include a board of directors, trustees, executive management and others in strategy-setting who have a strong focus on emerging and dynamic risks. Other risks—operational, financial, legal and compliance risks—which may or may not be strategic in nature, generally are managed at various levels throughout the organization with a primary focus on known or foreseen risks.
Third, strategic and emerging risks may not find "natural" owners for identification, assessment, planning, and monitoring in current ERM governance structures, although such risks may affect multiple parts of the organization. While this may initially represent an impediment to SRM adoption, long-term, it will allow a much better approach to an expanded view of the risk management universe.
The key here, according to Fox, is that "by incorporating a disciplined strategic risk management focus, a more direct connection between the risks related to the strategy itself and its execution is achieved."
Furthermore, "A strategic risk management focus is more likely to reframe risks as potential opportunities."
Thus, she says, "Risk practitioners, who support and drive a strong risk management process throughout an organization, provide the common discipline for SRM as well as ERM." Fox believes that "strategic risk management can be implemented as a focused discipline in strategic planning, without having an enterprise risk management program in place." However, she notes, "This is certainly not the preferred method to manage risks." She goes on to suggest that for those risk managers who "get it," being cross-functional change agents will undoubtedly bring quantifiable added value to their organizations.