Enterprise risk management (ERM) is an old idea that has gained renewed focus and relevance in the wake of the financial crisis. All industries are now facing unprecedented levels of risk. The pace of change and the speed of information flow are causal factors in the escalation of risk. Advancements in technology have spawned new business models that drive these changes and new threats, ranging from data vulnerability to the viral spread of rumours via social media. This has also resulted in an increasingly interdependent world where the sourcing practices of a manufacturer in Delhi can cause regulatory and reputational consequences for a business in Dallas.
Alarmed by the escalating risks, investors, regulators and rating agencies are challenging companies to be more transparent about their risks and more effective with their ability to manage them. As the bar rises, managing risks in silos is no longer seen as acceptable. The sanctions for failing to meet stakeholder expectations range from market losses and share price declines to enforcement action and lasting reputational damage.
Survival and success in this uncertain environment demand risk-resilience — being able to anticipate and adapt to change; absorb and recover from a broad range of risk events (including unexpected ‘black swan’ events); and seize the opportunities hidden within those risk events.
So how can your ERM programme become more risk-resilient? Conventional risk-management frameworks provide guidance for thinking about risk, but they don’t say enough about how to execute an ERM programme. That helps to explain why the practical application of ERM often fails to live up to expectations.
Underlying problems include allowing risk management activities to be managed by personnel who are separated from those who drive the business. This is compounded by an approach to risk that is backward-looking and insufficiently geared to the execution of forward-looking business plans. This can result in an inability to pick up on emerging threats. Incentive systems often add to the problem by rewarding managers for short-term profit generation rather than realising longer-term strategic goals through the anticipation and management of unfolding risks.
With little or no link between strategy and risk management, ERM programmes are static, while the business environment is dynamic. You don’t need a new form of ERM to overcome this. But you will need to make sure its operation reflects the dynamic and unpredictable nature of the risk and wider business environment you face. We have developed five questions that will help boards to judge whether their ERM programme is equipped to deal with this environment and move to a more resilient and forward-looking approach (risk is defined as ‘any issue that impacts an organisation’s ability to achieve its objectives’).
Risk-resilience is only really possible when the people who are responsible for driving business results are accountable for the associated risks.
Organisationally, risk ownership begins with senior management and cascades down to the business units and key functional areas (e.g., finance, treasury, legal, IT and HR). The higher the level in your organisation, the more strategic the risks owned. Senior management should be responsible for macro risks, such as the threat of political instability, while employees in the field will need to manage lower-level risks. The key is assigning responsibility for particular risks to the people who have control over them and training them accordingly. The board is responsible for challenging management’s approach to risk ownership and questioning whether they have a programme in place to identify, assess, manage and monitor risk effectively.
Risk information should be timely, reliable and meaningful enough to allow the board to assess and address the impact on strategy. By being able to judge performance through the lens of risk, boards will have key insights into how to evaluate management’s strategy and recommend changes in direction where necessary. All too often, however, boards are deluged with data rather than relevant information on the genuinely critical strategic issues. If lower-level issues are constantly sent up to the board, this may signal that risks are not being handled at the appropriate level in your organisation. Thus the board should also be challenging the risk management process, not only the result.
Business unit risk tolerances should align with the level and types of risk your organisation is willing to accept in pursuit of its strategy (‘risk appetite’). Reports should highlight any variations from these tolerances so your board can discuss these with management. All too often there is no dialogue about such variations, leading to a disconnect between the level of risk being taken by the business units and the risk appetite approved by the board.
Many organisations only assess risk intermittently, often after a crisis. Building regular risk updates into the planning process can help your business to anticipate emerging risks more effectively.
Most organisations are reasonably good at dealing with risks they are familiar with. But unforeseen and emerging risks are less well managed. The ability to identify and address unfolding risks would give your business a valuable edge over less proactive competitors.
Forward-looking scenario analysis can help to identify and assess broad areas of change, emanating from both internal and external factors, that might generate new risks. Used routinely, it makes risk identification more agile and proactive, rather than a periodic review of what has already gone wrong.
To encourage managers to look further into the future, forward-looking risk assessments should form an important part of performance evaluations. This will help to make sure that your organisation can meet its long-term strategic objectives, rather than just short-term profit goals.
Integrating the strategic ERM programme into corporate planning and performance management will provide a solid basis for forward-looking analysis and preparation. This can help your organisation to identify and assess emerging risks and act on them in a timely manner, so that fewer major risk events arrive as surprises. Indeed, the financial meltdown was not a black swan for organisations that saw the warnings and were already mitigating the risk before the crash occurred. Similarly, many companies had already recognised the inherent risks of a single-vendor supply chain and had moved to spread the risk across geographically dispersed suppliers, thus mitigating the catastrophic impact of the Japanese tsunami in 2011.
When true black swan events do occur (e.g., an earthquake or terrorist attack), strategic ERM can provide a framework for swift and decisive response and recovery. It can also open up opportunities. For example, companies that had built business continuity management into their ERM programmes were able to get back up and running after the Japanese tsunami faster than their competitors and used this advantage to capture market share.
Integrating ERM into strategic planning and performance management processes requires little additional cost. Quite a lot of risk mitigation is already in place as a natural part of doing business (e.g., a bank has vault doors, whether or not it has an ERM programme), and these should not be included in considering the cost of implementing a strategic ERM programme. Deploying people to carry out the integration does have some costs. New tools, methodologies and the training to implement them will be needed, but the incremental investment required does not have to be substantial.
The returns on this relatively modest outlay can be significant and can be measured in several ways: realising your goals more effectively; fewer surprises, and lower interruption and remediation costs after crises; and the ability to identify and capitalise on opportunities.
Considering these questions can prompt a review and rethink of how to manage risk. The strategic ERM continuum in Figure 1 illustrates the typical evolution of risk management capabilities, from initiation of a strategic ERM programme to achievement of risk-resilience. The continuum moves from a focus on processes and risk management as a function (stages 1 and 2) to its integration into strategic and performance management (stages 3 and 4).
Many companies use the continuum as a basis to gauge their progress in managing risk and as a strategic target for programme enhancements. The further along the continuum, the greater your ability to survive and thrive in a complex and dynamic business environment.
Risk is managed by a centralised team. Processes are put in place to identify and record risks within accepted tolerances. ERM documentation tools are deployed to communicate risk profiles and support decision making by senior management and the board. But this may not provide a good foundation for decision making, as the reports are developed from the perspective of internal audit or the risk management department, often without effective ownership from business units and functional groups.
At this stage, the focus is mainly on known historical risks. This is necessary but not sufficient, as emerging risks and potential black swans may have a greater impact on the organisation’s ability to realise its strategy.
In stage 2, the organisation begins to focus on emerging as well as past risks, and risks identified in operational areas are linked to those identified at the strategic enterprise level. Consistent methodologies are used to assess risks and to determine risk tolerances. ERM tools are used to complement the strategic planning process, and more robust risk reports are developed. But risk analyses are not yet translated into changes to business operations.
During this stage, your organisation would begin to establish risk ownership at the appropriate levels. Leaders of business units and functions would start to consider their risks in light of how they will affect their ability to meet their goals and how they intend to bring these risks within acceptable levels.
Risk management in stage 2 is becoming more effective but is episodic. It is not performed as routinely as needed to adapt in an environment of constant change and risk volatility.
As organisations move into stage 3, there is a cultural shift toward frontline ownership of risk. Your organisation can become more forward-looking, focusing on emerging risks and black swans as well as past risks. ERM is integrated into business planning. The strategic risk assessments completed in stage 2 are translated into operational plans and ERM becomes a tool supporting performance management.
During stage 3, risks are discussed in connection with specific strategic objectives, and this often brings to light risks that had not been considered before. For instance, if the strategic plan calls for 30% growth in market share, you might find that you do not have enough production capacity to realise this.
By the end of stage 3, risk assessment and management practices have become routine and embedded deeper in the organisation. Planning sessions are held more frequently and the strategic plan is adjusted as needed to reflect changes in the organisational risk profile resulting from internal and/or external change.
In stage 4, business units develop key indicators and performance metrics to help them manage their operations within defined risk tolerances. Risk management becomes an element of routine management activities.
At this stage you can begin to develop a risk-aware culture. All employees are responsible and accountable for owning the risks related to their roles. They understand that generating profit requires risks and are trained in ways to manage the balance between risk and reward. And if they see risks taken outside of the tolerances, employees are empowered to raise a red flag.
With strategic ERM embedded in the organisation, the board and management can make decisions with greater confidence and clarity. Routine, low-level risks are managed by the business units, and only more complex, emerging risks are escalated to senior management and the board.
In stage 4, scenario modelling capabilities come into their own. Many companies also use ‘reverse stress testing’ to understand the potential impact of severe risk events and develop mitigation plans. The risk-aware culture that evolves in stage 4 extends beyond the organisation to include suppliers, partners and others, making your business even more resilient to major risks.
While ERM is well established within many organisations, integrating the changing risk profile into decision making at the strategic and operational levels is, in practice, relatively rare.
Moving through the ERM continuum can not only make your business more resilient, but also open up opportunities that less well-informed organisations may miss or be reluctant to pursue. The five questions highlighted in this article can help your business to identify how ERM could be improved and lay the foundations for change.
Developing and executing a solid strategic ERM programme will greatly improve your ability to realise your strategic objectives. However, if your risk management stands still in the face of relentless change, you can expect to face recurring risk events and regulatory crises — and to fall behind your more agile, risk-resilient competitors.