1. Introduction
This white paper outlines the business drivers surrounding enterprise risk management (ERM), explains the differences between enterprise and traditional risk management, defines an ERM program, and explains its benefits.
The type, scope, and frequency of both internal and external risks facing companies today have increased significantly. To meet business objectives, business leaders must now address new and different forms of business risks. Many factors contribute to most companies’ changing risk profile, including changes in strategies and operations and increased risk from their external environment.
Global conglomerates increasingly dominate today’s ever-changing market. To compete, companies need to be fast and nimble. Business leaders must continuously adapt strategies and operations and introduce new initiatives to meet these competitive business challenges. However, without an appropriate risk management program, these could expose companies to additional and increased risks. For example, new product initiatives can increase exposure to commodity price volatility, market risks, and additional product liability lawsuits. New acquisitions can expose a company to increased political and business risks.
Changes to a company’s external environment represent another reason for an increased risk profile. Most businesses today are rapidly transforming due to technological advances, more sophisticated business processes – such as outsourcing – changing consumer preferences, more efficient manufacturing methods, and globalization. The result is increased competition, shortened product lifecycles, and decreased margins. From a risk perspective, the result is increased exposure to new and more serious business and operational risks.
Regulatory and legal changes also increase risk exposure. Under the recently signed Sarbanes-Oxley Act of 2002, corporations face harsher civil and criminal penalties if they misrepresent or incorrectly state their financial earnings. The new rules raise the standard for all companies. Regulators are pressing companies for better risk reporting and for more formal, integrated, and comprehensive risk management.
The message to management and boards of directors of both public and private companies is clear – the bar has been raised; for public companies, earnings surprises are not acceptable. It is the responsibility of the leadership team to ensure that rigorous internal control and risk management policies, practices, and procedures are in place to ensure accurate financial reporting.
There are several reasons why this change is occurring now:
- Outsiders are pushing companies to manage risk more comprehensively and systematically.
- Investors are becoming more sensitive to any deviation from earnings estimates, encouraging companies to address the causes of earnings volatility.
- Shareholders are increasingly holding boards of directors and senior executives to higher accountability standards.
- The continuing convergence of the traditional capital and insurance markets is yielding innovative approaches to managing emerging risks.
- Many companies perceive a rise in the number and severity of the risks they face.
Today’s business leaders need to understand that increased risk is the price to pay for change and progress. However, there is a difference between taking a chance and taking a risk. In taking a chance, the outcomes are uncertain because it is done without foresight or knowledge. In risk taking, the downside outcomes can be controlled if it is conducted within the proper risk management structure.
2. The Traditional Approach to Risk Management
Risk is the level of exposure, both known and unknown, to market uncertainties that the organization must understand, identify and effectively manage as it executes its strategies to successfully achieve its business objectives. In order for most companies to meet their goals and objectives, they must face new challenges and take greater risks. However, if the risk management process is flawed, a company will suffer in the competitive marketplace.
Traditionally, companies adopted a siloed approach to risk management. Responsibility for managing various types of risks was assigned to the business or functional unit with the greatest exposure. Business risk was assigned to the operating units; insurable or transferable risk to the Corporate Risk Management Department; financial risks (market, interest rate, etc.) to Treasury; and compliance risk to Legal. Companies focused primarily on easily measurable risks. Ill-defined or ambiguous risks, such as strategic and operational risks, were often not coordinated or were overlooked. The risk management strategy for the individual risk was usually tacked onto existing business processes without a uniform approach or a common risk language.
3. Enterprise-wide Risk Management
Enterprise-wide Risk Management (ERM) is the means of applying active risk management to all the risks facing an organization. A recent survey conducted by The Economist Intelligence Unit and MMC Enterprise Risk found that 41% of companies have some form of ERM. The survey also found that companies using ERM are more confident in their ability to manage risk.
In the wake of corporate scandals, earnings surprises, and the loss of consumer confidence, more companies recognize the deficiencies of the traditional approach to managing risk. They now are turning to ERM solutions to better prepare them for the new challenges and uncertainties emerging in today’s changing environment.
ERM is a disciplined and integrated approach that supports the alignment of strategy, process, people, and technology, and allows corporations to identify, prioritize, and effectively manage their critical risks. By understanding all risks in an integrated framework, companies can execute proper strategies to successfully achieve their objectives and to meet their performance goals. It allows companies to identify the risks they can:
- Transfer through insurance or hedging programs;
- Accept as is;
- Reduce through rigorous management practices; or
- Simply reject by eliminating a process, a product, or a geographical zone.
An ERM approach is anticipatory and proactive. It provides a process to actively support the realization of the company’s strategic objectives. It is not an obstacle to taking risk. On the contrary, it allows companies to assume additional risks as part of a rigorous, well-defined framework. After implementing an ERM approach, management fully understands all critical risks and how they can be proactively managed. It provides them with tools and techniques to realistically balance the risk/return trade-offs and to quickly seize market opportunities. A fully implemented ERM is not just a process for expanded corporate governance; it also provides an opportunity for utilizing risk as a competitive advantage in the marketplace. With ERM, companies can effectively utilize risk as a competitive weapon, and not view it as a threat. The following chart clearly illustrates the differences between the traditional approach to risk management and ERM:
Exhibit One
Traditional Approach to Risk Management versus ERM
| From | To |
| --- | --- |
| Limited strategic influence | Effective support of strategic and business planning |
| Risk aversion | Proactive risk management comprising risk avoidance and risk exploitation |
| Silo effects and barriers | Integrated, holistic approach |
| Inconsistent risk reporting | Concise and consolidated reporting |
| Infrequent risk assessment | Continuous risk assessment, reevaluation and management |
| Ambiguous ownership for certain types of risk | Risk ownership assigned in management business and evaluation plans |
| Closed communication | Open communication |
| Lack of clear definitions of roles and responsibilities | Risk management roles and responsibilities clearly defined and communicated |
A common misconception is that ERM transfers the responsibility for risk from the line managers to a centralized, bureaucratic unit. In fact, the opposite is true. A universal principle of ERM is that risk must be managed by the business unit that incurs it. A properly functioning ERM ensures that the line managers understand their risk management responsibilities, are given the tools to manage the risk effectively, and are compensated based upon the success of their efforts.
An effective ERM program should have three long-term objectives:
- Optimize the costs and efficiencies of risk management programs. The new program should eliminate unnecessary controls, consolidate mitigation programs across all functions, and focus risk transfer and financing activities.
- Improve business performance. The new program will better align risk programs with strategic objectives, provide more accurate measurement and monitoring techniques, and reduce the volatility of outcomes.
- Establish a sustainable competitive advantage. It will give managers the tools and processes to identify favorable risk taking opportunities and to quickly pursue them.
4. Implementing an ERM Process
To succeed, ERM must have the full support of company leadership and management. To ensure broad management support, an Implementation Team, composed of managers from all functional areas across the organization, is formed with responsibility for establishing ERM within an organization. During each phase of the ERM development, the Implementation Team will make specific recommendations to a Risk Management Committee, which will be composed of the senior managers with direct responsibilities for managing each of the key risks. Once ERM is implemented, the Risk Management Committee will be responsible for the ongoing supervision of ERM activities. ERM implementation phases include:
Assessment Phase: The Implementation Team and selected senior managers work together in a series of facilitated sessions to identify and prioritize the critical risks facing an organization. A common vocabulary should be developed in order to ensure that management and staff use the same terms in describing risks and opportunities.
Design Phase: Based upon the prioritized risks and the facilitated sessions, the Implementation Team will design an ERM framework that will include the roles and responsibilities for management throughout the company, the organizational and reporting structure, and the program’s policies and procedures. The risk plan must be aligned with the organization’s business strategies and objectives.
Implementation Phase: During the implementation phase, the principal elements identified in the Assessment and Design Phases are institutionalized.
Improvement Phase: As the process begins, additional risk areas will be discovered that should be included, along with better ways of managing the process.
5. Benefits of ERM
As a result of implementing an ERM program, senior management can expect the following benefits:
Improved Risk Assessment: An ERM solution will provide an organization with a means to understand, identify and prioritize risks. Through risk mapping, management will have a better knowledge of its critical risks and their potential impact on the company. It will be better prepared to manage its risks and maximize its opportunities within the acquisition, product, and funding programs.
Increased Risk Awareness: Because associates will have a common language for describing risks and their potential effects, staff will be better equipped to monitor potential risks and opportunities. The company will be able to address uncertainties in a timely fashion before challenges, such as class action lawsuits, explode and disrupt business.
Reduced Number of Risk Incidents: An integrated ERM process will reduce the number of risk incidents because management will be better equipped to handle emerging challenges.
Reduction in Cost of Capital: With an effective ERM process in place, an organization can allocate fewer resources to risk incidents. Efficiency will increase, and therefore, less capital will be needed to monitor and manage risks. Increased efficiency may provide the opportunity to positively impact earnings.
Improvement in Risk Measures: Management will have more quantifiable measures of risk exposures, because an ERM process requires more rigorous management oversight. This will result in better pricing and capital allocation decisions.
Increased Competitive Advantage: A company using ERM will maintain a competitive edge. It will be better equipped to handle challenges in a changing environment. By proactively monitoring risks, there will be fewer surprises and more ability to maximize opportunities. Communication pathways will be more effective.
6. Conclusion
ERM can successfully integrate a company’s existing risk management process into their business objectives and goals. Through a common risk language, managers can more effectively communicate critical risks and strategies. ERM provides for effective risk assessment and management, coupled with efficient and timely reporting methods, thus enabling management teams to reevaluate and improve practices, policies, and procedures as the environment changes. With better management, communication, and reporting, adverse risk incidents will decrease, while confidence in a company will increase. As a result, resources once spent offsetting risks can be allocated to other parts of the business, thus contributing to a lower capital loss and an increase in earnings. Under the discipline and structure of the ERM process, organizations will minimize surprises and maximize their opportunities.