
Making the Value Case for Enterprise Risk Management

by Matt Podowitz @ 2010-05-27

Category: Compliance, Featured Columns, Matt Podowitz GRC Investments Column, Risk

[Editor's note: This article was co-authored by Warren Stippich. See bio below.]

Introduction

In the recent Report on the Current State of Enterprise Risk Oversight: 2nd Edition,[1] 47.5% of survey respondents described their organization’s risk culture as either “strongly risk-averse” or “risk-averse.” Yet despite this tendency toward caution, 48.7% of respondents characterized the sophistication of their risk oversight processes as being “immature to minimally mature.” Why this dichotomy? The same survey also established that the top reasons companies do not embrace an enterprise risk management (ERM) approach to risk oversight are competing priorities, insufficient resources and — perhaps most importantly — a lack of perceived value.

As discussed in a previous column, many executives have become inured to the risk of loss and no longer consider it to be sufficient justification by itself for investment of scarce resources, despite the recent signs of improvement in the U.S. economy. The challenge for GRC executives advocating implementation of or improvements to ERM is to look beyond risk and make the case that an efficient and effective ERM program can create a positive, tangible impact on the top or bottom line.

Change your story

Those faced with the task of convincing the board and management to budget for and allocate resources to a new ERM program — or to elevate ERM on the organization’s priority list — must build a compelling value case to have any hope of justifying the related costs. While every organization’s value case will be unique, there are two common approaches GRC executives should leverage:

1. Don’t dwell on what may be lost without implementation or enhancement of an ERM program. Instead, provide specific examples of how ERM can directly and tangibly support the company’s strategic objectives:

  • Increased operational efficiency: ERM serves as a strategic analysis of risk throughout an organization, cutting across business units and departments. The nature of ERM is to get business leaders communicating and working together to support the company’s strategic goals. Units or departments may have worked in their own silos before ERM, but its implementation helps drive engagement across the enterprise, establish a common set of management goals, and take a consistent approach to achieving those goals.

In the process of creating its risk profile, an organization may identify high-return areas for operational improvement. Supply chain failures, service quality improvement opportunities, or even issues with individual suppliers or customers may come to light when an organization takes full inventory of its potential risks.

Risk prioritization, another key element of ERM, may reveal that unnecessary or inappropriate resources have been assigned to low-priority business issues or low-probability business risks. With this discovery, management can more effectively assess whether they are expending scarce resources in support of those efforts most likely to create tangible value for the business.

  • Organizational growth and strategic opportunities: By evaluating, accepting and managing risk in an organized process, companies can create the ability to measure the potential rewards associated with a given initiative or action and can help increase shareholder value by limiting some risks and exploiting others. Without that organized process, a company’s ability to weigh the expected risks versus rewards on an ongoing basis is ad hoc at best and absent at worst.
  • Strengthened corporate culture: Establishing a proper tone at the top regarding risk can shift an organization from a culture of compliance to a culture of confidence — that is, from an exclusive focus on controls to an atmosphere in which employees can confidently choose, based on thoughtful analysis and strong corporate values, which strategic risks to take, mitigate or avoid. A strong and well-supported ERM program communicates the board’s and management’s level of risk appetite so that business unit leaders are making decisions consistent with management’s direction regarding acceptable risks.
  • Improved brand: A well-executed ERM program can help improve a company’s reputation in the marketplace and build trust with customers, strategic partners, rating agencies and regulators by demonstrating to stakeholders a company’s commitment to managing risk for itself, its suppliers and its customers.

2. Use past successes to demonstrate future potential.

Results will sell in a way promises never can. Where has the company experienced success in creating tangible value by leveraging an existing ERM program or asset (or an asset that would commonly be part of an ERM program if such a program does not already exist)? For example:

  • Has a past evaluation of risks related to vendor concentration also revealed opportunities for lower-cost sourcing from new vendors?
  • Have the company’s risk management practices, formal or informal, contributed in a meaningful way to a sale or new customer relationship?
  • Has a technology asset implemented to support risk management also in some way produced a meaningful operations performance improvement?

Even one story that can present a quantifiable positive impact on the top or bottom line can give decision-makers a concrete reason to support ERM. Companies that cannot provide one such example may need to make incremental efforts toward success before asking for additional funding or resources.

Those seeking ideas for pitching ERM may find them in the Enterprise Risk Management Initiative at North Carolina State University’s College of Management; this initiative was created to meet a growing need for new tools, methods and strategies that will help businesses manage risk more effectively. The Committee of Sponsoring Organizations of the Treadway Commission also publishes thought leadership papers on ERM that can be a source of ideas and inspiration.

Next steps

GRC executives preparing to make the value case for ERM may wish to begin by refreshing their understanding of the company’s key strategic objectives and looking at ways that leveraging existing ERM programs or other existing risk management efforts can advance those objectives. Look next at what modest improvements could deliver significant short-term value, and use these improvements to anchor a broader case to implement or enhance the company’s ERM process. Let the outcomes of these efforts form the basis for a discussion with key decision-makers about initiatives and investments to be championed in the coming quarter and year.


[1] Report on the Current State of Enterprise Risk Oversight: 2nd Edition, 2010. The survey was conducted by the American Institute of Certified Public Accountants (AICPA)’s Business, Industry & Government Team and the Enterprise Risk Management Initiative at North Carolina State University’s College of Management; see http://www.mgt.ncsu.edu/erm/index.php/articles/entry/state-erm-2nd/.

About Co-Author Warren Stippich

Warren Stippich is a partner and the practice leader of Grant Thornton LLP’s Business Advisory Services group in Chicago. In addition, he is the national Governance, Risk and Compliance solution leader.

He has more than 19 years of experience working with multinational, entrepreneurial and high-growth public companies. Stippich brings experience to the business risk consulting and internal audit services areas from both public accounting and industry perspectives.

**********

About the Author

Matt Podowitz is a strategic management consultant who assists entrepreneurial, middle market and Fortune 500 clients in maximizing returns on investment in operations and information technology and in addressing business considerations in strategic transactions such as mergers, acquisitions and divestitures.

He serves as an Executive Director in Grant Thornton LLP’s Business Advisory Services practice in Atlanta, Georgia.

Matt can be reached via email at matt.podowitz[at]gt[dot]com.