
Building the case for ERM

October 28, 2010

This week, a risk officer from a major UK company asked me how to move the mind of top management from thinking about enterprise risk management (ERM) as something they have to do (a ‘check-the-box’ activity) to something they want to do.

I have found this to be an issue in all parts of the world. Even where companies are appointing chief risk officers (CROs) and agreeing to a risk management program, their hearts aren’t really in it. Risk is not top of mind. The CRO is not at the executive table and does not participate in executive decision-making, such as the setting of strategies and plans.

Why? Because they don’t see risk management as something that helps them succeed. All the CRO is offering is insight into the top risks facing the company. Hopefully, this is driving actions to ensure those risks are monitored and remain within organizational tolerances.

So risk management may be considered as helping protect the business, but is that enough? Apparently not.

I believe the problem lies in talking about ERM as protecting value.

I believe the solution lies in talking about ERM as helping optimize performance – the corporate bottom line. It enables agile, sustained operational and financial performance.

Change the perception of ERM and the role of the CRO from being the department of “no” to the department of “how”. The CRO can be the pilot of the ship, helping them not just avoid hazards – but reach the desired destination quickly.

Move from talking about caution to talking about achievement.

Do you agree?

The best CRO works with management not only to recognize and understand risks, but to seize opportunities and navigate the organization to success.

The best CRO shares the desire of the corporate leadership team to grow stakeholder value. He or she understands where that lies, the strategies the board and leadership have established, and has a positive frame of mind about achieving them.

The best CRO is not a “worry-wart”, always thinking of what could go wrong. He or she is thinking of how to move forward – with due consideration of potential obstacles and opportunities.

One more thing: an ERM program that assesses risks and takes action on a periodic basis cannot be effective. That’s like driving down the road at 40 miles per hour and looking up every 10 minutes. Managing uncertainty (and that is what risk is: the effect of uncertainty on objectives) requires constantly looking around and being prepared to make adjustments.

Are you driving at 40 miles per hour and looking up only every 10 minutes? Or are you monitoring risk and making adjustments on a continuing basis? Is risk part of daily decision-making, at every level of the organization? If not, make sure you are ready for the inevitable crash – when you run into the obstacle that materialized when you weren’t looking.

So back to the question. Top management will want ERM when they see it contribute to improved performance. The CRO can do this with the right attitude. Work with believers to get some “wins” and spread the news – of the new department of “how” to succeed.

  1. nmarks
    October 28, 2010 at 8:44 AM

    Internal auditors: I have made a related post, a call for action by internal auditors, on my IIA blog: http://www.theiia.org/blogs/marks/index.cfm/post/Building%20the%20case%20for%20ERM

  2. October 28, 2010 at 9:32 AM

    Agreed. Find a way to promote and have it accepted by executive management and the board (audit committee). I have said before, IA, GRC, ERM, C&E, etc. organizations are missing the boat. Advocate how they help the board and the audit committee satisfy diligence and oversight, protect their rear, avoid nasty problems, gain good governance reputation, help the company strategy by looking ahead at good and not so good risk, and maybe lower insurance costs. And there is probably more. If any group wants help with board and/or audit committee presentation to educate, etc. send me an email. Sent from my iPhone, excuse any errors.

  3. David
    October 28, 2010 at 9:44 AM

    Norman,

    Great insight as always.

    My comment may be more appropriate on the IA blog, but I think it works as well here.

    As an IA Dept head, this all sounds very familiar. This topic was heightened when SOX rolled around and CEO/CFOs were required to sign-off on the 302 and 404 Certs.

    How many of them actually owned that signature vs. just asking, “is it okay to sign?” I am sure opinions will vary.

    This sounds like the same discussion.

    If you replace “CRO” in your piece with “IA Dept Head”, we would see it works as well.

    My thinking is that in order to protect, “we” have to be proactive. To be proactive “we” have to be included up-front, not as an after-thought. That to me is the core issue of all these discussions.

    I agree with your suggestion to make this a protection focused discussion, but in the end the real challenge with this is how to show we added value and protected the company from something that didn’t happen, right? Isn’t that like proving a negative? How can we our direct link?

    I suggest we need to be more directly proactive, maybe in a publish or perish sense and avoid this counter factual thinking…

    After all, wasn’t the Govt’s stimulus package supposed to cap unemployment at 8%, when in fact, I saw a projection today that it will still be near 10% by the end of 2011 – now that’s counter factual.

    regards,

    David

    • David
      October 29, 2010 at 9:23 AM

      For a publicly traded company, shouldn’t showing the value of a CRO and the GRC function be fairly straightforward?

      In quarterly, as well as annual, reporting, public companies disclose a set of Risk Factors. I agree some of these are generic and apply to all companies in an industry, but the others I believe focus on that specific company.

      Wasn’t it the CRO and the GRC function that gleaned the environment to compile, rank, and report that list?

      Isn’t that of tremendous value, given that shareholders will factor in a risk premium in their expected performance from owning the Company’s stock?

      In addition, can’t the Board evaluate the Company against these Risk Factors to assess how well the CRO and the GRC function performed?

      David

  4. Donn Parker
    October 28, 2010 at 10:27 AM

    You know what to expect from me. Management hates bad news and anticipation of bad news, and involuntary risk is mostly negative, bad news. The way to motivate management to reduce such risk is, as you say, find a positive approach. One way is to avoid the risk approach altogether (leaving a risk manager vulnerable) and present solutions justified by staying ahead of the competition with better controls; assuring management they have plausible deniability when bad things occur; following the advice and admonitions of the auditors in the annual audit letter; set a goal of meeting standards, regulations and the law, and ethics; submitting positive text of progress in these matters for public, managers’ friends’ and associates’, competitors’, shareholders’, Wall Street analysts’, employees’, lower management’s, partners’, and other stakeholders’ consumption.

  5. October 28, 2010 at 5:04 PM

    Norman,

    An excellent article. You have brought out the point very well, that as risk managers we focus on problems and not solutions. Human beings psychologically do not like depressing news which does not provide a way out. We need to focus on identifying risks, and classifying them as reducible and irreducible risks, to clearly determine what can be managed and achieved.

    My two cents :)

    Sonia

  6. nmarks
    October 29, 2010 at 12:53 AM

    Separately, somebody asked how a risk officer can help optimize value. This is how I replied:

    • Risk-adjust the forecast. For example, choosing which of ten products to manufacture and sell depends on estimates of market demand, material prices, manufacturing costs, logistics capabilities, availability of key personnel, the level and quality of competition, the relevance and impact of relevant laws and regulations, etc.
    • Ensure measures are in place to manage the risks to success. So, if availability of key personnel is a factor, ensure that appropriate actions are being taken
    • Monitor the identified risks and be alert for new opportunities. If raw material prices change, understand the potential impact on the project and adjust the course as necessary
    • Etc

    I like the metaphor of a pilot on a ship entering the harbor. She doesn’t just identify and point to rocks and sunken ships. She helps navigate through to the destination.

    I see too many risk officers pointing to the iceberg instead of helping navigate past it.

  7. Larry Brown
    October 29, 2010 at 4:22 AM

    Norman – I’d argue the CEO is the pilot and the rest of the C-suite helps provide the navigation. The open question is whether there’s room for an ERM/GRC-type CRO in the C-suite, or whether that person, to extend your earlier metaphor, is another set of hands on the wheel, making sure the car not only goes 40 mph, but also swerves all over the road, as one driver per vehicle seems to be the optimal design – CEO drives, C-suite helps navigate.

    The CRO position is a regulatory mandate in many industries, and, as such, this is primarily a compliance role by design. A well architected management team ensures an organization achieves its goals, identifies new opportunities, etc., etc. Trying to insert another person to sprinkle ERM dust on the highly functioning management team is like putting another set of hands on the wheel – not usually a good idea.

    Keep up the debate!

    Larry

  8. Dan Clayton
    October 29, 2010 at 10:46 AM

    Norman,

    Talking about opportunity rather than threat will only get us half-way there. However, it is a good step that many still need to take. Yet the more pressing and perpetuating problem is a different perspective of risk and management. Most of us see RISK management, but most operational folks see MANAGEMENT of risk. So we present them with reporting focused on RISKS TO BE MANAGED and it doesn’t fit within what they are managing, so they think we expect them to create a separate process, which they resist. We get frustrated, but it is our own fault for not seeing it from their side. Risk is a sub-set of business objectives, as its meaning comes from its ability to impact them. Management manages business objectives, not risk. So we must link to what is at risk (objectives) and describe in their language why. In this context risk has two sides. On one side it is vulnerability due to the strength of management’s response to their objectives, and on the other it is threat (what we are more familiar with). Vulnerability is measured by the maturity of the people, process and technology in place to achieve the objective. Threat is measured on the likelihood of its occurrence. Residual risk can only be found when defining the objective, its current state of vulnerability and threat. That information means something to management. Yes, we need them to understand how we can help achieve objectives, but then we need to show it in our reporting of the current state of residual risk.

    My humble opinion,
    Dan Clayton

  9. October 29, 2010 at 1:28 PM

    Norman, we’re on the same page. I’m a director at Epiphany and we produce Risk Network, probably the leading international risk management software solution (don’t worry, this isn’t a sales pitch). Having clients feel that risk management actually drives performance is critical for us; it helps us retain those clients. We don’t want them feeling that risk management is some bureaucratic process that they are forced to undertake and use our software as a result. We want them to experience that by using it, it actually makes life easier and helps keep personnel focused on achieving their objectives (almost making managing risk incidental).

    To do this, it is important for us to communicate the relationship between the organisational structure, objectives, child objectives, objective alignment, real time risk reporting & risk management, and enabling risk management to function as a collaborative activity across the organisation, no matter how large, small, complex, or geographically dispersed the organisation is.

    What we’ve found is (we have a 100% client retention rate over 6 years to support this) that when the risk management program helps personnel understand the organisation’s objectives, how those objectives cascade down through the organisation, and where the individual sits in terms of responsibility or contribution for the realisation of those objectives, then risk management takes on a whole new meaning. At that point it becomes personalised and intrinsic to the day job (which helps ensure risk management embeds).

    This helps the organisation promote its objectives internally, and align them down through the organisation from top to bottom (ensuring the strategy and risk management are fundamentally linked), defining and confirming accountability at an individual level, and providing a mechanism to track performance and report risks associated with objectives in a manner that enables controlled real time escalation.

    The result is, risks get managed in real time, making the organisation more responsive; personnel collaborate, increasing the efficiency of response; performance improves through increased focus and understanding; and the organisation pulls together more effectively to enable more meaningful contributions, with every part of the organisation visibly tracked against what it has set out to achieve.

    We see first-hand the problems organisations have with risk management when you realise that more than half of the organisations out there are still using spreadsheets or a paper-based system to capture and manage risk. How can that ever be real time, or enable true collaboration? Too often it states that the organisation isn’t aware of the performance benefits of taking a more evolved approach, and at worst it says that it doesn’t really consider it worth investing in a more evolved approach.

    You can see how we do it here http://www.epiphanyrisknetwork.com/explore

  10. nmarks
    October 29, 2010 at 10:59 PM

    I am always curious about claims to be “the leading” this or that. You are free to mention your solutions, but please use caution in positioning yourselves inappropriately.

    Thank you

  11. October 31, 2010 at 2:09 PM

    This is a great discussion.

    I was just studying the ERM Benchmark white paper report from Deloitte where they clearly indicate some key ERM trends and challenges:

    1. Regulation and regulatory compliance appear to be key drivers of ERM.
    2. There is confusion about what ERM really means.
    3. The primary goals of current ERM programs emphasize process and structure over outcomes.
    4. Risk has not yet been fully incorporated into core business decision-making processes, such as strategic planning, capital allocation, and performance management.
    5. The combination of lack of understanding of the benefits of ERM and difficulty in proving the business case is the biggest challenge facing ERM proponents.
    6. The majority of respondents are not confident in the level of their organization’s preparedness for mission critical risks.
    7. Current ERM programs are typically focused on risks to existing assets and miss the connection to future growth.

    Challenges of ERM as underscored in the survey are:

    Difficulty in measuring and assessing risks
    Time and costs required to implement
    Lack of understanding of the benefits of the integrated management of risk across the enterprise
    Lack of in-house skills
    Lack of support among management
    Difficulty in proving the business case
    Higher/redundant cost for managing risk at both corporate and business unit level
    Competing initiatives (e.g., SOX)
    Regulatory or legal issues

    This and other industrial white papers we collect at GlobalRisk community website. Our members upload white papers and we aggregate news in rich multimedia format. http://www.globalriskcommunity.com

  13. November 1, 2010 at 3:49 AM

    Good discussion.

    ERM can and will only be sustainably successful if it is fully integrated in managing the performance of an organization. As said before, a KPI = KRI. If not, reconsider either the KPIs or the KRIs. Quantify uncertainty of the performance, which is your risk profile. You don’t have to call it risk management. If well embedded in the business you could discuss if a risk manager is necessary, except for those companies where managing risk is the core business, such as banks and insurance companies.

    Furthermore, I am a great advocate of quantifying uncertainty, as that is the only way to see how good and bad it can get. This quantification should be done on the P&L. A simple Monte Carlo analysis can already give much insight, and a tornado diagram is easily understood even by ‘not quants’.

    Next to that, risk management should be part of strategic planning, as there is sufficient proof that the biggest risks companies run are strategic risks. But also then it does not have to be called risk management per se, but strategy management in which risk management is embedded.

    In the end it is all about management control: how do you manage the performance of the organization, the upside as well as the downside. With regard to the analogy, it is the driver that should be in command of the brakes; he should not ask another person to put his foot on the brakes for him. That creates dangerous situations, as you can imagine.
