One of the most critical challenges for management today is determining how much risk the business is prepared to accept as it strives to create value. Yet, research consistently indicates that six of ten senior executives “lack high confidence” that their company’s risk management practices identify and manage all potentially significant business risks.
With the heightened focus on risk management, it has become increasingly clear that traditional risk management approaches do not adequately identify, evaluate and manage risk. Traditional approaches tend to be fragmented, treating risks as disparate and compartmentalized. These risk management approaches often limit the focus to managing uncertainties around physical and financial assets. Because they focus largely on loss prevention, rather than adding value, traditional approaches do not provide the framework most organizations need to redefine the risk management value proposition in this rapidly changing world.
Under enterprise risk management (ERM), the focus is on integrating risk management with existing management processes, identifying future events that can have both positive and negative effects and evaluating effective strategies for managing the organization’s exposure to those future possible events. ERM transforms risk management to a proactive, continuous, value-based, broadly focused and process-driven activity.
A new approach to risk management
ERM differs from traditional risk management approaches in terms of focus, objective, scope, emphasis and application. It aligns strategy, people, processes, technology and knowledge. The emphasis is on strategy, and the application is enterprise-wide.
Under an ERM approach, management’s attention is directed to the uncertainties around the enterprise’s entire asset portfolio, including its intangible assets such as its customer assets, its employee and supplier assets and such organizational assets as its differentiating strategies, distinctive products and brands and innovative processes and systems. This expanded focus is important in this era of market capitalizations significantly exceeding balance sheet values and the desire of many companies to focus on protecting their reputation from unacceptable risks relating to potential future events.
The COSO Enterprise Risk Management – Integrated Framework, issued in September 2004, defines ERM in broad terms that underscore some fundamental concepts and provides a common language as well as guidance on how to effectively manage risk across the enterprise. Like its internal control counterpart, the COSO ERM framework is presented as a three-dimensional matrix. It includes four categories of objectives across the top: strategic, operations, reporting and compliance. There are eight components of enterprise risk management across the face of the cube. Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix along the side.
This ERM framework does not replace the internal control framework. Instead, it incorporates it. As a result, businesses may decide to implement ERM to address their internal control needs and to move toward a more robust risk management process.
Why implement ERM?
ERM provides a company with the process it needs to become more anticipatory and effective at evaluating, embracing and managing the uncertainties it faces as it creates sustainable value for stakeholders. It helps an organization manage its risks to protect and enhance enterprise value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. Third, it helps management improve business performance.
These contributions redefine the value proposition of risk management to a business. One way to think about the contribution of ERM to the success of a business is taking a value dynamics approach. Just as potential future events can affect the value of tangible physical and financial assets, so also can they affect the value of key intangible assets. This is the essence of what ERM contributes to the organization: the elevation of risk management to a strategic level by broadening the application and focus of the risk management process to all sources of value, not just physical and financial ones.
ERM transitions risk management from “avoiding and hedging bets” to a differentiating skill for protecting and enhancing enterprise value as management seeks to make the best bets in the pursuit of new opportunities for growth and returns. ERM invigorates opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks and have the capabilities at hand within the organization to manage those risks.
Five steps to implementing ERM:
For organizations choosing to broaden their focus to ERM, there are five practical steps for implementation. While the following steps provide a simplified view of the task of implementing ERM, the implementation process does not occur overnight and, for certain, is not easy to accomplish. ERM is a journey and these steps are a starting point.
STEP 1: Conduct an enterprise risk assessment (ERA) to assess and prioritize the critical risks.
An ERA identifies and prioritizes the organization’s risks and provides quality inputs for purposes of formulating effective risk responses, including information about the current state of capabilities around managing the priority risks. If an organization has not identified and prioritized its risks, ERM becomes a tough sell because the value proposition can only be generic. Using the entity’s priority risks to identify gaps provides the basis for improving the specificity of the ERM value proposition. The message: Avoid endless dialogues about ERM. Get started by conducting an ERA to understand your risks.
STEP 2: Articulate the risk management vision and support it with a compelling value proposition.
This step provides the economic justification for going forward. The “risk management vision” is a shared view of the role of risk management in the organization and the capabilities desired to manage its key risks. To be useful, this vision must be grounded in specific capabilities that must be developed to improve risk management performance and achieve management’s selected goals and objectives.
“Risk management capabilities” include the policies, processes, competencies, reporting, methodologies and technology required to execute the organization’s response to managing its priority risks. They also consist of what we call “ERM infrastructure.” To illustrate:
Item A. Defining the specific capabilities around managing the priority risks begins with prioritizing the critical risks and determining the current state of capabilities around managing those risks (see Step 1 with respect to conducting an ERA). Once the current state of capabilities is determined for each of the key risks, the desired state is assessed with the objective of identifying gaps and advancing the maturity of risk management capabilities to close those gaps.
Item B. ERM infrastructure consists of the policies, processes, organization oversight and reporting in place to instill the appropriate discipline around continuously improving risk management capabilities. Examples of elements of ERM infrastructure include, among other things, an overall risk management policy, an enterprise-wide risk assessment process, presence of risk management on the Board and CEO agenda, a chartered risk committee, clarity of risk management roles and responsibilities, dashboard and other risk reporting, and proprietary tools that portray a portfolio view of risk.
Here is the message: The greater the gap between the current state and the desired state of the organization’s risk management capabilities (Item A), the greater the need for ERM infrastructure (Item B) to facilitate the advancement of those risk management capabilities over time. A working group of senior executives should be empowered to articulate the role of risk management in the organization and define relevant goals and objectives for the enterprise as a whole and its business units.
STEP 3: Advance the risk management capability of the organization for one or two priority risks.
This step focuses the organization on improving its risk management capability in an area where management knows improvements are needed. Like any other initiative, ERM must begin somewhere. There are many possible starting points. Examples include:
- Compliance with the Sarbanes-Oxley Act (specifically Sections 404 and 302 of the Act)
- Risks other than financial reporting risk (for example, one or two priority financial or operational risks, operational risk in a financial institution, other regulatory compliance risks and/or governance reform issues, etc.)
- Evaluating enterprise-wide risk assessment results to identify priority areas (in other words, migration to ERM begins with first selecting the priority risks and assessing the current state of risk management capabilities addressing those risks, as discussed in Step 1)
- Integration of ERM with the management and operating processes that matter (for example, strategic management, annual business planning, new product launch or channel expansion, quality initiatives, performance measurement and assessment, capital expenditure planning, etc.)
Many public companies in the U.S. may begin their evolution to ERM with Section 404 compliance because the first-year compliance investment is significant and a company cannot have sound governance without transparency in its financial reporting. A strong focus on reliable financial reporting is a good foundation on which to build ERM capabilities. Regardless of where an organization begins its journey, the focus of ERM is the same: to advance the maturity of risk management capabilities for the organization’s priority business risks.
STEP 4: Evaluate the existing ERM infrastructure capability and develop strategy for advancing it.
It takes discipline to advance the capabilities around managing the critical risks. The policies, processes, organization and reporting that instills that discipline is called “ERM infrastructure.” We have asserted that the purpose of ERM is to eliminate significant gaps between the current state and the desired state of the organization’s capabilities around managing its key risks. We provided some examples of ERM infrastructure above when discussing Step 2. Other examples include a common risk language and other frameworks, knowledge sharing to identify best practices, common training, a chief risk officer (or equivalent executive), definition of risk appetite and risk tolerances, integration of risk responses with business plans, and supporting technology.
ERM infrastructure facilitates three very important things with respect to ERM implementation. First, it establishes fact-based understanding about the enterprise’s risks and risk management capabilities. Second, it ensures there is ownership over the critical risks. Finally, it drives closure of gaps.
ERM infrastructure is not a one-size-fits-all. What works for one organization might not work for another. The elements of ERM infrastructure vary according to the techniques and tools deployed to implement the eight ERM components (see the COSO framework introduced on page 2), the breadth of the objectives addressed, the organization’s culture and the extent of coverage desired across the organization’s operating units. Management should decide the elements of ERM infrastructure needed according to these and other appropriate factors.
STEP 5: Advance the risk management capabilities for key risks.
This step begins with selecting the enterprise’s priority risks. After the first four steps are completed, it will often be necessary to update the ERA for change. Once the priority risks are defined, based on the updated ERA, management must determine the current state of the capabilities for managing each risk and then assess the desired state with the objective of advancing the maturity of the capabilities around managing those risks. This has already been accomplished for one or two priority risks (see Step 3). Now management broadens the focus to other priority risks.
Risk management capabilities must be designed and advanced, consistent with an organization’s finite resources. For each priority risk, management evaluates the relative maturity of the enterprise’s risk management capabilities. From there, management needs to make a conscious decision: how much added capability do we need to continually achieve our business objectives? Further, what are the expected costs and benefits of increasing risk management capabilities? The goal is to identify the organization’s most pressing exposures and uncertainties and to focus the improvement of capabilities for managing those exposures and uncertainties. The ERM infrastructure management has chosen to put in place drives progress toward this goal.
Companies in the early stages of developing their ERM infrastructure often lay the foundation with a common language, a risk management oversight structure and an enterprise-wide risk assessment process. Some companies have applied ERM in specific business units. And a few companies have evolved toward more advanced stages, such as the management of market and credit risks in financial institutions and the management of compliance risks in other industries.
Wherever a company stands with respect to developing its risk management, directors and executive management would benefit from a dialogue around how capable they want the entity’s risk management to be with respect to each of its priority risks. The capability maturity model provides a scale for evaluating the maturity of an organization’s risk management capabilities. The model provides five states for rating the maturity or capability of any process ranging from “initial” to “optimizing.”
The capability maturity model is a powerful tool for evaluating sustainability. Using this model, management rates the enterprise’s capabilities in key risk areas, identifies gaps based on the level of capability desired in specific areas, and shifts the dialogue on operating metrics to incorporate appropriate emphasis on process maturity. The ERM infrastructure ensures that the rating process is fact-based and conducted with integrity by the participating risk owners.
The model provides a valuable framework for facilitating substantive dialogue among directors, management and others regarding the capability of the organization’s processes as compared to the critical risk areas identified in their risk assessments. Armed with this tool, Boards and management are able to satisfy themselves that risk management improvements are directed to the areas of greatest concern and exposure. The focus is then directed to implementing those improvements according to management’s plan over time. Again, the ERM infrastructure provides oversight to ensure that improvements are on schedule.
Managing the ERM journey
Companies evolving toward ERM should keep in mind that it is a journey, not a destination. ERM can potentially represent a sea change in organizational attitude and behavior. As with any significant change, the adoption of ERM is fundamentally a process of building awareness, developing buy-in and ultimately driving the acceptance of ownership throughout the organization. Change enablement is, therefore, a significant aspect of an ERM initiative because everyone’s perspective about risk varies.
To help ensure success, keep the following in mind when implementing ERM:
- Develop a compelling business case linking the ERM agenda to real priority business needs; garner support from the top and manage progress against milestones over time.
- Obtain agreement on risk management objectives and the necessary ERM infrastructure; consider relevant cultural issues and focus on enterprise-wide application.
- Implement an effective enterprise-wide risk assessment process early.
- Clarify process ownership issues: Who decides, who designs, who builds and who monitors?
- Integrate risk management with the business planning process.
- Don’t forget the true purpose of ERM infrastructure; be sure to define the future goal state of the capabilities around managing the critical risks and contrast it with the current state.
- Use the COSO ERM components as a framework against which to benchmark ERM requirements.
Properly implemented, ERM can help organizations pursue strategic growth opportunities with greater speed, skill and confidence. Opportunity-seeking behavior is invigorated if managers have the confidence that (1) they understand the risks they are taking on and (2) the organization’s risk taking is aligned with its core competencies and risk appetite. Markets will differentiate competing organizations by the quality and extent – real or perceived – of their risk management capabilities.