Drive business results by harnessing uncertainty
I am very pleased to see new guidance on risk management from Ernst & Young (EY) that recognizes that risk management is not a defensive activity designed only to protect value. It can and should be used to drive business performance and results.
I usually have significant criticism for the consulting and auditing firms when it comes to their risk management guidance, so I was surprised to see so much “good stuff” in their latest.
Drive business results by harnessing uncertainty, appropriately subtitled “Expecting more from risk management”, is important reading for board members, business executives, and risk practitioners.
EY doesn’t say directly that it is not nearly enough to limit risk management to a periodic review of a list of risks (the practice at the majority of risk management functions). But their description of what risk management needs to do and look like makes it clear that they, at least, have moved on.
Here are some excerpts, but I encourage you to read the three-part piece (just click ‘Next’ at the foot of each page to get to the next one).
They start with this commentary:
In an increasingly competitive, fast-paced world, organizations need to continually advance their risk management practices, building on the strong foundation of protection and compliance into an expanded focus on risk factors that impact strategic decision-making and operational performance.
For many global organizations, risk management is still seen as only a high-level compliance exercise to educate the board and audit committee. As a result, there are often no clear lines of sight from the boardroom to the operations themselves.
Risk management approaches need to change to better reflect the dynamics of today’s rapidly evolving global marketplace. What carried companies through in the past is not good enough anymore.
We believe a paradigm shift in risk management is beginning, which is:
- Tied to the increasingly complex world in which companies now operate
- Based on the awareness that uncertainty is embedded in (and impacts) everything we do
- Focused on both capturing upside opportunities as well as protecting the business
EY includes a meaningful list of questions. Here are the first four:
- Does your company view risk management as a key component in managing business performance?
- Is there continuity of understanding in the risks associated with your plans and objectives, which carries through from strategic planning to capital allocation and operational execution?
- In addition to protecting your business, is your risk management providing direct benefit to your growth efforts as well?
- Is risk management integrated into the “rhythm” of your business processes, versus a later lens or add-on?
They make this key point:
You need [risk management] to become part of the rhythm of the business: meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.
There are several key business processes, and structural and functional components that make up this rhythm of the business, working together to deliver business value creation. Within these components of the business, we see four basic business process suites:
- Strategic oversight and planning — board and executive management level activities
- Business level planning/budgeting — management translation of strategies into business plans and allocation of capital
- Operational execution — value creating implementation of plans and strategies
- Monitoring and compliance — audit and compliance activities
I like their reference to “risk-enabled decision making”. It recognizes that risk is created or modified with every business decision; only when all options are considered, with an understanding not only of the uncertainty that exists as managers make decisions but of the uncertainty that will result from the decision, will great decisions be made that drive improved performance and results.
Is this a perfect piece of guidance? No, and much of what it has to say is not new to many risk thought and practice leaders (especially some of the more advanced advocates of the ISO 31000:2009 global risk management standard). However, it is great to see one of the firms talking this way instead of focusing on the “risk du jour” and how important it is for the board to discuss it.
COSO is embarking on an update of their Enterprise Risk Management – Integrated Framework. They should give this document their careful attention. I think its thinking is far ahead of what the current framework promotes; I would like to see the project team and its advisors take careful note of the need to make risk management part of how you succeed rather than how you avoid failing.
What do you think of the piece? How could it have been improved?