Implementing Enterprise Risk Management: Getting the Fundamentals Right
June 2003
There are certain enterprise risk management
(ERM) fundamentals—objectives, scope, organization, and tools—that companies
can use to establish an ERM framework and implementation plan. For ERM, "getting
the fundamentals right" means establishing a company-specific ERM operational
framework that clearly and measurably defines what ERM will mean for this company,
and then using that framework to develop an ERM implementation plan that is
specifically designed for success in that company.
by Jerry Miccolis, Brinton Eaton Associates, Inc.
Most companies believe in the concept of enterprise risk management (ERM).
But many have been frustrated by implementation issues that have, so far, caused
ERM to fall far short of its potential. What’s the problem? And what’s the secret
to getting ERM to work? Borrowing from the playbook of the great basketball
coach John Wooden, the simple, but hard, truth is: "There is no secret. It’s
all about fundamentals." To make ERM work for you, you have to do the gritty
groundwork and start by getting the fundamentals right.
For ERM, "getting the fundamentals right" means establishing a company-specific
ERM operational framework that clearly and measurably defines what ERM will
mean for this company, and then using that framework to develop an ERM implementation
plan that is specifically designed for success in that company. There are no a priori, universal "right answers" for
how to implement ERM in a given company. There are, though, "right questions"
each company should ask itself. Successful ERM really does depend on the specific
situations of specific companies with specific histories, cultures, and managements.
The Continuing Gap
The continuing gap between what executives see as the promise of ERM and
the fulfillment of that promise is evident not only from what our clients tell
us. It also has been documented in several recent Tillinghast-Towers Perrin
surveys of ERM practices among companies in various industries. (For more on
what those surveys tell us about the current state of ERM, see our March 2003
IRMI.com article, "ERM Lessons Across Industries.")
The gap between ERM’s promise and performance shows up in lots of ways, including
the following.
- In the relatively low satisfaction managers express with the tools and
capabilities they think are available to manage risk sources (both financial
and nonfinancial) covered in their ERM programs
- In the relatively limited inclusion of nonfinancial, including operational,
risk sources in ERM programs, despite the intent of ERM to cover both financial
and nonfinancial risk sources
- In the limited integration of ERM with other functional areas across
the company
- In the relatively low consensus on how to "institutionalize" ERM in
the structure of the organization
The Operational Framework
To close the gap, our experience with clients has taught us that companies
need to have a clear, company-specific "operational framework" in place for
ERM. If they don’t have one—and most really do not—then they need to create
one. They can then use that framework as scaffolding to develop a company-specific
ERM implementation plan.
To establish the correct operational framework, company leaders need to candidly
answer four key questions.
Question #1: The first question is "What are
our objectives for ERM? That is, what are we hoping to accomplish with ERM that
we cannot accomplish otherwise?" Companies typically have the same four general
objectives for their ERM programs. What makes a company’s ERM program unique
from this standpoint is the relative priority the company gives to each of these
objectives. The objectives, ranging from the reactive to the proactive, are
as follows.
- Compliance—Reacting to externally imposed corporate governance guidelines
that concern risk identification, disclosure, management, and monitoring.
- Defense—Anticipating problems before they threaten the company’s strategic
objectives, largely a matter of avoiding the "land mines."
- Coordination/integration—Breaking down internal silos by coordinating
various pockets of risk management activity for efficiency’s sake.
- Exploiting opportunities and creating value—Appreciating how risks interact
across the enterprise and exploiting natural hedges among them.
However prioritized, the company’s ERM objectives should be measurable and
should articulate the expected payoff from achieving them. The payoff should
be based, to the extent possible, on the expected beneficial impact on the performance
measures that are used to run the company. This rule implies, of course, that
the company already has in place clearly articulated and well understood performance
measures of this sort. (For more on the topic of objectives and measurement,
see "The Language of Enterprise Risk Management:
A Practical Glossary and Discussion of Relevant Terms, Concepts, Models, and
Measures," in our May 2002, IRMI.com article.)
It is imperative that these objectives be established by, and be continually
and visibly supported by, senior management. "Grass roots"-style ERM movements
rarely succeed.
Question #2: The second question that company
leaders need to answer is "What will be the scope of our ERM program?" Scope
encompasses two dimensions: both the types of risks that ERM will cover and
the management processes that ERM is intended to influence.
Risk types covered by a particular ERM program can include those in the following
broad categories.
- Financial—e.g., interest rate, investment, credit, liquidity, asset
market value
- Operational—e.g., technology, people/intellectual capital, political/regulatory
- Hazard—e.g., legal liability, property damage, natural catastrophe
- Strategic—e.g., poor planning and poor execution
- All encompassing—the theoretical ideal of ERM that is seldom actually
achieved, and probably not necessary to achieve for most companies in the
short term
The key principle to follow in defining the risk types a given company will
cover in its ERM program—and that company managers need to attend to and manage
in an integrated way—is to cover the risks that matter most to the company’s strategic
goals. Managers need to have a clear, common understanding of what the company
means by those risks and why they are important to the company’s performance.
The second dimension of scope relates to the management processes that company
executives desire ERM to influence. These processes typically include the following.
- Strategic planning—In particular, assessing the probabilities associated
with the assumptions upon which the plan is based, and the implications
of alternative assumptions.
- Internal audit—This might involve a change in focus to be more forward-looking
with regard to risk identification/assessment.
- Capital management—Establishing the right level of capital at the enterprise
level and the optimal allocation of that capital across the business units.
- Asset allocation—Using risk/reward efficient frontier analysis that
contemplates the structure of the company’s liabilities.
- Risk financing/hedging/reinsurance—Taking into account risk/reward tradeoffs.
- Mergers and acquisitions—Including analyzing the marginal impact on
the company’s overall risk profile.
- Performance measurement—This can involve incorporating risk-based measures
into executive compensation programs.
- Financial modeling—This can range from relatively simple pro forma financial
projections, to statistical analytic techniques, to causal modeling, to
structural simulation modeling, to optimization analysis.
In setting the scope of their ERM program, company leaders need to make certain
that the scope of risks and scope of processes are aligned and that they are
likely to help the company reach the ERM objectives they have already set in
answer to question #1. And, in determining the management processes to be affected,
they need to be realistic about the degree of influence the "ERM function" (see
question #3) can exert on the incumbent owners of these affected processes—organizational
"turf" is typically cited as a leading obstacle to effective ERM. The pragmatic
result is that the initial scope is often less broad than the long-term desired
scope.
Question #3: The third major question that
guides the creation of a company-specific ERM operational framework is "What
kind of organizational structure around ERM will work for us?" Answering this
question entails determining the following.
- Which organizational entities will play a role
in managing ERM, and which functions will they be integrated with? Some firms institutionalize ERM through existing entities with other duties,
such as internal audit or corporate strategy. Other firms institutionalize
ERM with a new, ERM-specific entity. That entity can be a chief risk officer
(CRO), or an ERM policy committee, or an ERM working group, or a combination
of these entities/structures. We regard the combination of CRO and ERM committee
as a "best practice," coupling the individual capabilities of a professional
CRO with the integrating mechanism of a committee.
As for organizational
integration, current practice suggests that what integration exists is largely
an extension of traditional risk management and financial management practices,
with ERM being linked most frequently with internal audit, compliance, and
investment functions.
- What will the ERM function be responsible for? Tillinghast surveys, interviews, and consulting work suggest a range of
responsibilities now being put into practice for ERM functions. These responsibilities
include serving as a coordinating body for the individual risk management
activities of other functions within the organization, acting as a technical
resource and advisory body for other functions, operating as a risk information
gathering and assessment body to advise senior management on the totality of
risks, or serving as a strategic body responsible for developing and managing
a comprehensive, integrated risk management plan.
Most firms today tend
to make ERM more a coordinating, information gathering, and technical support
function for the rest of the organization. We see that, for instance, in the
specific ERM activities reported by companies. The most common activities
are risk identification and ranking. Much less common are more aggressive
integrated risk management activities,
such as measuring and exploiting natural hedges among the totality of the
organization’s risks and evaluating risk management strategies in light
of risk/return requirements.
- To whom will the ERM function report? Present practice shows two dominant reporting lines for the ERM function.
The CRO most frequently reports to either the CFO or the CEO. The ERM committee
most frequently reports to the CEO, and is most frequently chaired by either
the CFO or the CRO.
- What are the most important capabilities and
competencies for the ERM function? Today, those tend to be weighted
toward technical capabilities, including risk assessment, modeling, and
financial engineering. We believe the emphasis will shift, and should shift,
toward communication, organizational management, and project management.
Those skills are more important to aligning the organization with the framework.
They are also more important to the coordination and the culture change
necessary to get ERM broadly understood, accepted, and implemented across
the organization.
Question #4: The final major question in creating
the operational framework is "What specific tools will we need to implement
ERM?" The range of possible tools includes, but is certainly not limited to,
the following.
- Risk audit guides—These guides can be used for risk mapping of individual
risks, risk assessment workshops, and risk assessment interviews—the latter
a "best practice" because interviews are very effective at uncovering how
the business actually works.
- Stochastic risk models—A mathematically rigorous approach used to simulate
the dynamics of a specific system by developing cause-effect relationships
between all the variables of that system. (For more on this topic, see "Modeling the Reality of Risk: The Cornerstone
of Enterprise Risk Management," our July 2001, IRMI.com article.)
- Risk monitoring reports—These can include regular reports to managers,
boards, and relevant external stakeholders such as regulators and investors.
Our experience suggests these reports today are primarily "ad hoc." Where
reporting is more formal, the reports are most likely to go to the executive
committee and the board of directors. Reports are least likely to go to
operational managers through "dashboards" that will enable them to adjust
their actions to the reality of their risk environment.
When the company’s leaders are considering which tools they are going to
include in their company’s tool kit, they need to make sure the ones they select
fit the risks and processes that are in the scope of their ERM effort and fit their company’s capabilities, either those
they currently have or those they know they can acquire. That said, we do need
to note a very important caveat about tools. The risks should drive the choice
of tools. The choice of tools should not drive the choice of risks covered in
an ERM program. Yet that does happen.
Managers can choose tools they know in order to manage risks they know, simply
because they are familiar or easy to quantify. The danger, of course, is that
in so doing managers may end up not paying attention to risks that are important
and consequential simply because they are hard to quantify and managers don’t
have, or know about, tools to manage them. The result is a case of having a
hammer and only paying attention to nails.
What Follows
The operational framework that results from the clear-headed answering of
these four key questions—ERM objectives, scope, organization, and tools—creates
the foundation for a "built-for-success" ERM implementation plan. The implementation
plan can then follow the blueprint laid out in our November 2000 IRMI.com article, "Enterprise Risk Management in the Financial
Services Industry: From Concept to Management Process."
Companies that have invested the time and effort to get these fundamentals
right have been more satisfied than their peers with the progress of their ERM
implementation efforts. They have succeeded because they have laid a clear track
to follow, established realistic expectations, assigned unambiguous roles and
responsibilities, equipped themselves appropriately, and identified objective
benchmarks to monitor their progress. This is not rocket science. There is no
reason that all companies can’t achieve similar success in ERM and, as a result,
in their respective businesses.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.