
Drive business results by harnessing uncertainty

February 7, 2015

I am very pleased to see new guidance on risk management from Ernst & Young (EY) that recognizes that risk management is not a defensive activity designed only to protect value. It can and should be used to drive business performance and results.

I usually have significant criticism for the consulting and auditing firms when it comes to their risk management guidance, so I was surprised to see so much “good stuff” in their latest.

Drive business results by harnessing uncertainty, appropriately subtitled “Expecting more from risk management”, is important reading for board members, business executives, and risk practitioners.

EY doesn’t say directly that it is not nearly enough to limit risk management to a periodic review of a list of risks (the practice at the majority of risk management functions). But their description of what risk management needs to do and look like makes it clear that they, at least, have moved on.

Here are some excerpts, but I encourage you to read the three-part piece (just click ‘Next’ at the foot of each page to get to the next one).

They start with this commentary:

In an increasingly competitive, fast-paced world, organizations need to continually advance their risk management practices, building on the strong foundation of protection and compliance into an expanded focus on risk factors that impact strategic decision-making and operational performance.

For many global organizations, risk management is still seen as only a high-level compliance exercise to educate the board and audit committee. As a result, there are often no clear lines of sight from the boardroom to the operations themselves.

Risk management approaches need to change to better reflect the dynamics of today’s rapidly evolving global marketplace. What carried companies through in the past is not good enough anymore.

We believe a paradigm shift in risk management is beginning, which is:

  • Tied to the increasingly complex world in which companies now operate
  • Based on the awareness that uncertainty is embedded in (and impacts) everything we do
  • Focused on both capturing upside opportunities as well as protecting the business

EY includes a meaningful list of questions. Here are the first four:

  • Does your company view risk management as a key component in managing business performance?
  • Is there continuity of understanding in the risks associated with your plans and objectives, which carries through from strategic planning to capital allocation and operational execution?
  • In addition to protecting your business, is your risk management providing direct benefit to your growth efforts as well?
  • Is risk management integrated into the “rhythm” of your business processes, versus a later lens or add-on?

They make this key point:

You need [risk management] to become part of the rhythm of the business: meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.

There are several key business processes, and structural and functional components that make up this rhythm of the business, working together to deliver business value creation. Within these components of the business, we see four basic business process suites:

  1. Strategic oversight and planning — board and executive management level activities
  2. Business level planning/budgeting — management translation of strategies into business plans and allocation of capital
  3. Operational execution — value creating implementation of plans and strategies
  4. Monitoring and compliance — audit and compliance activities

I like their reference to “risk-enabled decision making”. It recognizes that risk is created or modified with every business decision; only when all options are considered, with an understanding of not only the uncertainty that exists as managers make decisions but also the uncertainty that will result from the decision, will great decisions be made that drive improved performance and results.

Is this a perfect piece of guidance? No, and much of what it has to say is not new to many risk thought and practice leaders (especially some of the more advanced advocates of the ISO 31000:2009 global risk management standard). However, it is great to see one of the firms talking this way instead of focusing on the “risk du jour” and how important it is for the board to discuss it.

COSO is embarking on an update of their Enterprise Risk Management – Integrated Framework. They should give this document their careful attention. I think its thinking is far ahead of what the current framework promotes; I would like to see the project team and its advisors take careful note of the need to make risk management part of how you succeed rather than how you avoid failing.

What do you think of the piece? How could it have been improved?

  1. Arnold Schanfield
    February 7, 2015 at 4:11 PM

    I will comment on this piece separately and whereas it is a good thing what they are saying today - this piece by itself does not mean that they have moved on as you state above. The proof of the pudding so to speak will be what they say tomorrow, the day after that, next week, next month and next year. I do not believe that the capabilities exist at these large firms to fully grasp the messages you are trying to communicate. Don’t forget that you have been at this for years and inventing and reinventing in the midst of the same old same old. Anyone that believes that they will pick up a copy of your soon to be released book or ISO 31000 and HB 436 and be off and running is in for a rude awakening. We are talking about years of training year - so don’t plan on retiring anytime soon.

  2. February 9, 2015 at 8:38 AM

    I totally agree with Arnold. We should be glad if all organizations that support the development of forward-looking ERM would write in the same spirit as EY.
    But aren’t those the same ideas that you guys have been fighting for the last decade? So, I don’t understand what EY is talking about – a new paradigm – moving from protecting value, to also creating value?
    To me, understanding customer/client needs and expectations, how these are to be met today and tomorrow, stakeholders’ interests, the business model and the value chain, is part of understanding the Context within ERM. Always seek where value is created and where is it being destroyed.
    I like EY’s “grow, protect, optimize” illustration. Especially the INNOVATE part in the middle.
    I also like the “Plan of Attack” on p12; in contrast to all talk about “lines of defense”.
    Currently I’m reading an interesting book by Andrew Smart (at Manigent) called “Risk Based Performance Management” (RBPM; another new acronym). His thinking is to a large degree based on Kaplan/Norton’s balanced scorecard, which brings structure (like strategy maps from an ERM perspective). By the way, Andrew also claims that RBPM is a paradigm shift. We’re soon running out of paradigms.
    Whether it’s a shift or not. The more that is publicized about ERM in relation to value creation and performance, the better.
    All the best/Per

  3. Greg Sosbee
    February 10, 2015 at 2:20 PM

    Since my definition of Enterprise Risk Management is the Management of the Unknown to Protect and Advance the Enterprise, I am in agreement with the entire article.

    Enterprise risk management as a formal process is relatively new. The E&Y article should serve as a guide for development of an enterprise risk management program. However I have found that the real issues to implementation are: (i) establishing an ERM program with real teeth (i.e. more than a “checking the box exercise”); and (ii) who is to be the Chief Risk Executive (CRE) and what is the CRE’s position in the senior management hierarchy.

  4. February 11, 2015 at 11:42 AM

    EY is at least 10 years late to the game. Arnold is spot on. For a firm with great talent and resources built on mandatory external audits of limited value, I am surprised! Perhaps not.
