Implementing Enterprise Risk Management: Getting the Fundamentals Right

Jerry Miccolis | June 1, 2003

There are certain enterprise risk management (ERM) fundamentals—objectives, scope, organization, and tools—that companies can use to establish an ERM framework and implementation plan.

Most companies believe in the concept of enterprise risk management (ERM). But many have been frustrated by implementation issues that have, so far, caused ERM to fall far short of its potential. What's the problem? And what's the secret to getting ERM to work? Borrowing from the playbook of the great basketball coach John Wooden, the simple, but hard, truth is: "There is no secret. It's all about fundamentals." To make ERM work for you, you have to do the gritty groundwork and start by getting the fundamentals right.

For ERM, "getting the fundamentals right" means establishing a company-specific ERM operational framework that clearly and measurably defines what ERM will mean for this company, and then using that framework to develop an ERM implementation plan that is specifically designed for success in that company. There are no a priori, universal "right answers" for how to implement ERM in a given company. There are, though, "right questions" each company should ask itself. Successful ERM really does depend on the specific situations of specific companies with specific histories, cultures, and managements.

The Continuing Gap

The continuing gap between what executives see as the promise of ERM and the fulfillment of that promise is evident not only from what our clients tell us. It also has been documented in several recent Tillinghast-Towers Perrin surveys of ERM practices among companies in various industries. (For more on what those surveys tell us about the current state of ERM, see our March 2003 IRMI.com article, "ERM Lessons Across Industries.")

The gap between ERM's promise and performance shows up in lots of ways, including the following.

  • In the relatively low satisfaction managers express with the tools and capabilities they think are available to manage risk sources (both financial and nonfinancial) covered in their ERM programs
  • In the relatively limited inclusion of nonfinancial, including operational, risk sources in ERM programs, despite the intent of ERM to cover both financial and nonfinancial risk sources
  • In the limited integration of ERM with other functional areas across the company
  • In the relatively low consensus on how to "institutionalize" ERM in the structure of the organization

The Operational Framework

To close the gap, our experience with clients has taught us that companies need to have a clear, company-specific "operational framework" in place for ERM. If they don't have one—and most really do not—then they need to create one. They can then use that framework as scaffolding to develop a company-specific ERM implementation plan.

To establish the correct operational framework, company leaders need to candidly answer four key questions.

Question #1: The first question is "What are our objectives for ERM? That is, what are we hoping to accomplish with ERM that we cannot accomplish otherwise?" Companies typically have the same four general objectives for their ERM programs. What makes a company's ERM program unique from this standpoint is the relative priority the company gives to each of these objectives. The objectives, ranging from the reactive to the proactive, are as follows.

  • Compliance—Reacting to externally imposed corporate governance guidelines that concern risk identification, disclosure, management, and monitoring.
  • Defense—Anticipating problems before they threaten the company's strategic objectives, largely a matter of avoiding the "land mines."
  • Coordination/integration—Breaking down internal silos by coordinating various pockets of risk management activity for efficiency's sake.
  • Exploiting opportunities and creating value—Appreciating how risks interact across the enterprise and exploiting natural hedges among them.

However prioritized, the company's ERM objectives should be measurable and should articulate the expected payoff from achieving them. The payoff should be based, to the extent possible, on the expected beneficial impact on the performance measures that are used to run the company. This rule implies, of course, that the company already has in place clearly articulated and well understood performance measures of this sort. (For more on the topic of objectives and measurement, see "The Language of Enterprise Risk Management: A Practical Glossary and Discussion of Relevant Terms, Concepts, Models, and Measures," in our May 2002, IRMI.com article.)

It is imperative that these objectives be established by, and be continually and visibly supported by, senior management. "Grass roots"-style ERM movements rarely succeed.

Question #2: The second question that company leaders need to answer is "What will be the scope of our ERM program?" Scope encompasses two dimensions: both the types of risks that ERM will cover and the management processes that ERM is intended to influence.

Risk types covered by a particular ERM program can include those in the following broad categories.

  • Financial—e.g., interest rate, investment, credit, liquidity, asset market value
  • Operational—e.g., technology, people/intellectual capital, political/regulatory
  • Hazard—e.g., legal liability, property damage, natural catastrophe
  • Strategic—e.g., poor planning and poor execution
  • All encompassing—the theoretical ideal of ERM that is seldom actually achieved, and probably not necessary to achieve for most companies in the short term

The key principle to follow in defining the risk types a given company will cover in its ERM program—and that company managers need to attend to and manage in an integrated way—is to cover the risks that matter most to the company's strategic goals. Managers need to have a clear, common understanding of what the company means by those risks and why they are important to the company's performance.

The second dimension of scope relates to the management processes that company executives desire ERM to influence. These processes typically include the following.

  • Strategic planning—In particular, assessing the probabilities associated with the assumptions upon which the plan is based, and the implications of alternative assumptions.
  • Internal audit—This might involve a change in focus to be more forward-looking with regard to risk identification/assessment.
  • Capital management—Establishing the right level of capital at the enterprise level and the optimal allocation of that capital across the business units.
  • Asset allocation—Using risk/reward efficient frontier analysis that contemplates the structure of the company's liabilities.
  • Risk financing/hedging/reinsurance—Taking into account risk/reward tradeoffs.
  • Mergers and acquisitions—Including analyzing the marginal impact on the company's overall risk profile.
  • Performance measurement—This can involve incorporating risk-based measures into executive compensation programs.
  • Financial modeling—This can range from relatively simple pro forma financial projections, to statistical analytic techniques, to causal modeling, to structural simulation modeling, to optimization analysis.

In setting the scope of their ERM program, company leaders need to make certain that the scope of risks and scope of processes are aligned and that they are likely to help the company reach the ERM objectives they have already set in answer to question #1. And, in determining the management processes to be affected, they need to be realistic about the degree of influence the "ERM function" (see question #3) can exert on the incumbent owners of these affected processes—organizational "turf" is typically cited as a leading obstacle to effective ERM. The pragmatic result is that the initial scope is often less broad than the long-term desired scope.

Question #3: The third major question that guides the creation of a company-specific ERM operational framework is "What kind of organizational structure around ERM will work for us?" Answering this question entails determining the following.

  • Which organizational entities will play a role in managing ERM, and which functions will they be integrated with? Some firms institutionalize ERM through existing entities with other duties, such as internal audit or corporate strategy. Other firms institutionalize ERM with a new, ERM-specific entity. That entity can be a chief risk officer (CRO), or an ERM policy committee, or an ERM working group, or a combination of these entities/structures. We regard the combination of CRO and ERM committee as a "best practice," coupling the individual capabilities of a professional CRO with the integrating mechanism of a committee.

    As for organizational integration, current practice suggests that what integration exists is largely an extension of traditional risk management and financial management practices, with ERM being linked most frequently with internal audit, compliance, and investment functions.

  • What will the ERM function be responsible for? Tillinghast surveys, interviews, and consulting work suggest a range of responsibilities now being put into practice for ERM functions. These responsibilities include serving as a coordinating body for the individual risk management activities of other functions within the organization, acting as a technical resource and advisory body for other functions, operating as a risk information gathering and assessment body to advise senior management on totality of risks, or serving as a strategic body responsible for developing and managing a comprehensive, integrated risk management plan.

    Most firms today tend to make ERM more a coordinating, information gathering, and technical supportive function for the rest of organization. We see that, for instance, in the specific ERM activities reported by companies. The most common activities are risk identification and ranking. Much less common are more aggressive integrated risk management activities, such as measuring and exploiting natural hedges among the totality of the organization's risks and evaluating risk management strategies in light of risk/return requirements.

  • To whom will the ERM function report? Present practice shows two dominant reporting lines for the ERM function. The CRO most frequently reports to either the CFO or the CEO. The ERM committee most frequently reports to the CEO, and is most frequently chaired by either the CFO or the CRO.
  • What are the most important capabilities and competencies for the ERM function? Today, those tend to be weighted toward technical capabilities, including risk assessment, modeling, and financial engineering. We believe the emphasis will shift, and should shift, toward communication, organizational management, and project management. Those skills are more important to aligning the organization with the framework. They are also more important to the coordination and the culture change necessary to get ERM broadly understood, accepted, and implemented across the organization.

Question #4: The final major question in creating the operational framework is "What specific tools will we need to implement ERM?" The range of possible tools includes, but is certainly not limited to, the following.

  • Risk audit guides—These guides can be used for risk mapping of individual risks, risk assessment workshops, and risk assessment interviews—the latter a "best practice" because interviews are very effective at uncovering how the business actually works.
  • Stochastic risk models—A mathematically rigorous approach used to simulate the dynamics of a specific system by developing cause-effect relationships between all the variables of that system.
  • Risk monitoring reports—These can include regular reports to managers, boards, and relevant external stakeholders such as regulators and investors. Our experience suggests these reports today are primarily "ad hoc." Where reporting is more formal, the reports are most likely to go to the executive committee and the board of directors. Reports are least likely to go to operational managers through "dashboards" that will enable them to adjust their actions to the reality of their risk environment.

When the company's leaders are considering which tools they are going to include in their company's tool kit, they need to make sure the ones they select fit the risks and processes that are in the scope of their ERM effort and fit their company's capabilities, either those they currently have or those they know they can acquire. That said, we do need to note a very important caveat about tools. The risks should drive the choice of tools. The choice of tools should not drive the choice of risks covered in an ERM program. And that does happen.

Managers can choose tools they know in order to manage risks they know, simply because they are familiar or easy to quantify. The danger, of course, is that in so doing managers may end up not paying attention to risks that are important and consequential simply because they are hard to quantify and managers don't have, or know about, tools to manage them. The result is a case of having a hammer and only paying attention to nails.

What Follows

The operational framework that results from the clear-headed answering of these four key questions—ERM objectives, scope, organization, and tools—creates the foundation for a "built-for-success" ERM implementation plan. The implementation plan can then follow the blueprint laid out in our November 2000 IRMI.com article, "Enterprise Risk Management in the Financial Services Industry: From Concept to Management Process."

Companies that have invested the time and effort to get these fundamentals right have been more satisfied than their peers with the progress of their ERM implementation efforts. They have succeeded because they have laid a clear track to follow, established realistic expectations, assigned unambiguous roles and responsibilities, equipped themselves appropriately, and identified objective benchmarks to monitor their progress. This is not rocket science. There is no reason that all companies can't achieve similar success in ERM and, as a result, in their respective businesses.
