Enterprise Risk Management
Creating a risk-aware corporate culture still on the to-do list for many organizations
By Michael J. Moody, MBA, ARM
Last month Rough Notes discussed how the Risk and Insurance Management Society (RIMS) is beginning to expand its view of enterprise risk management (ERM) to include more of a strategic approach. (See "Moving ahead strategically.") Subsequent to that article, several studies were published that support RIMS' vision of a more strategic view of risk management. One of the more widely distributed studies was provided by the Harvard Business Review Analytic Services. The study, "Risk Management in a Time of Global Uncertainty," was sponsored by Zurich Financial Services Group and discusses the value of moving risk management to a more strategically focused approach.
Overview of the study
The study is based on the responses of 1,419 business executives from companies around the world. Many of the participants were C-level executives, with a concentration of chief risk officers (CRO) and others directly responsible for conducting the company's ERM programs. According to the survey, more than two-thirds were either decision-makers or were at least involved in decision-making with regard to risk management. In-depth follow-up interviews were obtained with 13 of the participants to obtain a better view of their specific program elements.
While ERM has been the focus of many world-wide organizations over the past 10 years, scores have "entered a more intense phase since the 2008 financial crisis and recession," according to the study. Interest continues to grow in ERM at corporations of all sizes. However, despite this growing interest, "most executives still feel that their companies have a long way to go." The survey found that only one in 10 executives believed that their organization was "highly effective" at creating a "strong risk-aware culture." Many of the group did not consider their organization's ERM program to be "proactive," but rather noted they lacked an integrated approach that included the board as well as functional leaders at all levels of the company.
During the more in-depth follow-up questions with the 13 individual participants, the study developers found that there was "broad agreement on the increasing importance of ERM as well as some key 'lessons' that any organizations should keep in mind" when designing an ERM program. Among the more important lessons mentioned were:
• Risk management needs to have a clear "owner" to be effective.
• Risk management and corporate goals must be integrated.
• Companies must manage risk proactively.
• Companies must look deeper and wider to determine what their most serious risks will be in the long run.
• Companies must break down silos and managerial bottlenecks.
One common theme that was repeated by most of the participants was that "tone at the top," including support from the board and the C-suite, was absolutely critical in establishing an effective ERM program. Despite the importance of this element, many participants indicated a lack within their companies.
Another item that got significant attention was the fact that in order to progress as planned, the ERM program needed to be housed within the finance or strategic function so there would be a direct report to the CEO. One theme that represents a major finding was that the "study found that organizations with a chief risk officer do more extensive advanced planning than other companies in almost every major risk management area."
Many of the survey participants also noted that forging a close working relationship between the CRO and the CEO was necessary for ERM success. However, equally important according to the participants, was a strong relationship with line management in order to instill a positive risk culture. One of the "best practice" approaches that was indicated is decentralizing the risk management responsibilities. In this regard, the participants pointed out that ERM should be organized around "three 'lines of defense' including Line Management, Risk Management (including Legal and Compliance), and Audit."
For the most part, participants indicated that the scope of risk had increased; however, they singled out two major types of events—natural disasters, and financial and economic crises—as rising to the top of their companies' risk lists over the last three years. Much of this concern obviously comes from recent events. The effects of the economic meltdown are still going on today, while the effects of the Japanese earthquake and tsunami were still fresh in their minds.
Other risks that were most commonly cited were typically operational in nature and thus would call into question an organization's "ability to deliver their strategic goals, and maintain a viable, competitive organization going forward." One of the most rapidly growing risks the participants identified was the "risks related to talent retention and acquisition." Many believed that this area would represent a key risk exposure going forward.
A long-standing issue that many CROs are still having to deal with specifically is "obtaining the buy-in from line management." And as noted by the majority of participants, "selling the program into their own organizations" was one of the keys to a successful ERM implementation. This was troubling to many of the participants since these barriers "are almost always cultural, rather than technical." Convincing individual unit leaders that ERM is relevant to their business can prove problematic and time-consuming, with little to no assurance of a positive outcome. Again, they noted that the "tone at the top" is vital in this critical area.
When reviewing the benefits from an ERM program, participants identified five key business benefits:
• Increased risk mitigation
• Better ability to identify and manage risks
• Better strategic decision-making
• Improved governance
• Increased management accountability.
As noted above, some of the benefits were not directly related to risk management. Instead, these benefits help organizations "to achieve better overall strategic performance."
The Harvard Business Review survey clearly points out, as many studies previous to this one have, that ERM is gaining significant attention at most corporations. This is occurring at all levels within the organization, but particularly at the board level. For the most part, risk management has become commonplace on the board agenda and boards are beginning to provide considerable oversight to the risk management function. In addition, the study suggests that ERM "has become a more important strategic consideration as well." Initially, the majority of sophisticated enterprise risk management programs were centered within three business sectors: financial services, health care, and energy. However, the broadening of more mature ERM programs is now spread across most business sectors.
"The five distinct 'lessons' that emerged from the survey" should be considered minimum standards. One single "owner" of the ERM program must be identified in order to drive success in this area. It is thus important to integrate risk management and corporate goals in order to embed a risk-aware culture. Too often, companies find themselves identifying risks "only after they have impacted the bottom line." Organizations need to develop a revised skill set that allows them to better identify strategic risks, "so they do not have to habitually respond to the cause of the last crisis." Finally, a concerted effort must be instituted to "break down silos and managerial bottlenecks." Failure to correct any of these five areas will serve to marginalize the ERM effort and turn it into nothing more than a compliance exercise.
The survey provides important insights into the current worldwide state of the risk management market. "While most executives still feel their companies have not attained the proactive approach to risk management that typifies best practices in ERM," there was little disagreement regarding the importance of such effort. It is clear from the survey that companies "are now attempting to absorb at least some of these lessons" and move to a more strategic approach for their risk management effort.
Michael J. Moody, MBA, ARM, retired as the managing director of Strategic Risk Financing, Inc. (SuRF), a firm that had been established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.