Enterprise Risk Management
No one right way
Professors advocate a balanced approach to managing risk
By Michael J. Moody, MBA, ARM
Looking forward at a new year, and back at past years, usually provides a sense of progress. Such is the case with enterprise risk management (ERM), as 2012 begins. It is easy to see the progress that ERM has made during the past few years, as it has now become an accepted and vital branch of management, closely aligned with strategic management. As a profession, it has gone from "fall guy" during the financial crisis of 2008-2009 to beginning to play a key role in numerous corporations around the world.
Despite the upward movement, many challenges remain to be resolved—not the least of which have been noted in past articles in Rough Notes as well as other trade press. ERM implementation continues to lag. While experts have been quick to cite reasons for this lag, the fact remains that corporations are not embracing ERM in significant numbers. Without question, the proliferation of ERM frameworks has provided roadblocks to execution.
Today, no less than half a dozen popular frameworks are being used by corporate America to develop successful ERM programs. Most share a number of similarities, but one area that frequently offers the most striking differences is in the classification of risks. While this may appear at first blush to be a minor issue, it is quite the opposite because much of the frameworks rests on the concept of risk identification and management. Unfortunately, in all too many cases the classification is inconsistent and lacks the logic needed to sell the ERM concept.
Some ERM consultants have suggested that a simpler, more logical approach to risk classifications be developed. That's the idea that two Harvard Business School professors, Robert Kaplan and Anette Mikes, advanced in a recent "Balanced Scorecard Report" titled Managing the Multiple Dimensions of Risk. They indicate that all organizations face three groups or categories of risks. Each risk classification has a different degree of controllability and thus requires a different approach towards mitigation and management.
Kaplan and Mikes provide significant insight into the three categories of risks; however, they are quick to point out that the classification system was not original with them. In fact, they note that it was former U.S. Defense Secretary Donald Rumsfeld who referred to these classifications in a February 2002 Defense Department briefing. According to Rumsfeld, the classifications were:
• "known knowns" — things that we know we know
• "known unknowns" — some things we know that we do not know
• "unknown unknowns" — the ones we don't know we don't know
For the most part, these appear to be useful distinctions for risk management. Let's start with the risks that are considered as Class I and are caused by employees' unauthorized, illegal unethical, or inappropriate actions. In general, management knows the actions it wants employees to avoid (the "known knowns") and has specific management tools and processes to deter or prevent them from occurring. Ideally, companies want to drive the probability of Class I risks to zero.
Class II risks arise primarily from strategic execution. Organizations voluntarily take on Class II risks so that they can generate high returns from their strategies. Managers can identify Class II risk events (they are "known unknowns") and can generally influence both their likelihood and impact. While managers have some ability to reduce the likelihood and impact of Class II risks, they cannot eliminate the probability of their occurrence. Despite management's efforts, some residual risks always remain.
Class III risks arise from events outside the company and its strategy and thus are beyond the company's direct influence or control. Managers cannot estimate their likelihood and, in many cases, are not even aware of such events (the "unknown unknowns") or that they could jeopardize the company's strategy and survival. Managing Class III risks requires a process of "risk envisionment" in which managers rely less on quantitative risk management and more on their experience, intuition and imagination to create new mental models about future scenarios and strategic uncertainties. Once Class III risks have been envisioned, managers can brainstorm about how to enhance organizational resilience to withstand the most consequential of them.
Having now introduced a multiple-classification view of risk, Kaplan and Mikes note that organizations must tailor their risk management processes to the inherent nature and controllability of the different classes of risks they face. Building on this framework, they can then focus on the roles of an internal risk management function. Multiple business units in a company can be involved in risk management, including the finance and internal audit departments, as well as the actual operational business units. In addition, a formal risk management department headed by a new organizational executive, the chief risk officer (CRO), needs to participate so as to help remove the typical "silos of risk" approach.
The key here is to recognize that there is no one, right way to organize an enterprise's risk management functions. Specific types of risk are best managed by specific staff functions that carry out critical risk management processes. The staff function that coordinates risk-management activities is the Office of Risk Management (ORM), which may be a virtual office if those activities are spread across multiple organizational units. Every ORM should follow these three principles, according to the Balanced Scorecard Report:
• "Complement (rather than displace) existing internal audit and management control practices."
• "Promote business-relevant discussion and debate in the business lines."
• "Challenge business executives about the risks emanating from their strategies."
The report notes that at the highest level within a corporation, risk management involves running or facilitating processes that help identify, assess and control uncertainties in order to turn them into "manageable risks." It involves "periodically reviewing and, if necessary, revising risks and controls in light of new information and evolving objectives." Risk management also "counters the organizational tendency to become inured to risks, accept deviances and near misses as the 'new normal,' and override controls." In short, risk management encompasses the formal processes through which an organization learns about and attempts to prevent the adverse effects of risks.
If existing functions performed all of these risk management processes well, then an ORM would not be needed since it would be redundant. However, based on the study, ORM typically adds value through two mechanisms. First, "It promotes the continual questioning of existing controls: Are they fit-for-purpose in light of the organization's underlying and evolving risk profile?" Such an oversight role requires independence from the business units. Second, "The ORM helps businesses envision uncertainties and risks that are outside their day-to-day thinking but that, once identified, can be mitigated and managed and converted to controllable risks.
"In this second capacity, the ORM must demonstrate its understanding of and relevance to the business units and their strategies in order to engage them in a constructive and ongoing dialogue on risk. The study notes that this "dual requirement on the ORM to deploy independent overseers as well as embedded, business-savvy risk managers is a formidable structural and human resources challenge."
In summary, according to the Balanced Scorecard Report, management wants to, and generally can, prevent any Class I risk event from occurring; it can also reduce the likelihood of Class II risks and/or mitigate their adverse consequences, should they occur, in a cost-effective way; and, finally, it anticipates the most dire consequences of Class III risks by modifying strategies and taking actions to reduce their consequences should they occur. The logic of this approach to classifying risk can't be ignored. Bottom line, "It is easy for operational management as well as the board to understand and support."
Regarding the Office of Risk Management, the authors provide a number of specific case studies that illustrate one further point: "Each corporation developed a specific approach to ERM that 'fits' its own organization." While program similarities between the organizations do exist, in no way should this be viewed as a "cookie cutter" approach to implementation. As a result, corporations must modify any framework they decide to utilize to fit their own unique corporate culture. This easy-to-understand classification system should be considered when developing and implementing any ERM program. There is something to be said for simplicity.