Over the years in 30 countries, I have had many discussions with directors and executives about enterprise risk management (ERM). The discussions have ranged from what it is and why it matters to how it should be implemented. With respect to the “what is it” question, I have always believed that a fundamental purpose of ERM is to provide the discipline and control to ensure that risk management capabilities are improved continuously in a constantly changing business environment. This underlying purpose frames the question, “why improve risk management?”
We believe there are six fundamental reasons for improving risk management. Each serves to help elevate risk management to a higher level and drive improvement of risk management capabilities in a changing business environment. We discuss them below.
1. Reduce unacceptable performance variability
Most companies tend to focus on traditional risks that have been known for a long time. Risk assessment processes also must undertake a systematic approach to anticipating unknown and emerging risks. Accordingly, management must (a) evaluate the likelihood, impact, velocity, persistence and response readiness around major events; and (b) develop responses that either prevent high-impact events from occurring or manage their impact on the entity if they occur, particularly if they are high-velocity and high-persistence in nature. Learning of critical risks too late or by accident spawns the type of “firefighting” that drains resources, creates new vulnerabilities and erodes brand value.
A key point in this regard is that market capitalizations often exceed historical balance sheet values significantly. Furthermore, the market capitalization of most companies cannot be fully rationalized by historical and prospective future earnings and cash flows. There is a gap attributable to intangible assets supporting business models that impact market valuations. Just as potential future events can affect the value of tangible physical and financial assets (and the related contractual obligations), so, too, can they affect the value of other sources of enterprise value, such as significant customer assets, employee/supplier assets and such organizational assets as the entity’s distinctive brands, differentiating strategies, innovative processes and proprietary systems. This is the essence of what a strategic approach to risk management contributes to the organization – the elevation of risk management to a strategic level by broadening its application to ALL sources of value, not just physical and financial ones. Thus, the challenge is to elevate the line of sight of the limited traditional risk management focus to a strategic level. With this broadened perspective, effective risk mitigation and response planning increases the emphasis on reducing earnings volatility, minimizing the risk of earnings-related surprises and managing key performance indicator (KPI) shortfalls.
2. Align and integrate varying views of risk management
There are many silos within organizations with a point of view on managing risk (e.g., treasury, insurable risk, EH&S, IT, and within the various business units). Silo mentality inhibits efficient allocation of resources and management of common risks across the enterprise. When there are multiple functions managing multiple risks, there is a need for a common framework that:
- Assesses the need for a Chief Risk Officer (or equivalent executive), including that individual’s role, authority and reporting lines;
- Integrates risk management into critical management activities (e.g., strategy-setting, business planning, capital expenditure and performance management processes);
- Links risk management to more efficient capital allocation and risk transfer decisions;
- Focuses on the importance of risk culture on risk-taking behavior and risk management performance;
- Increases transparency by developing quantitative and qualitative measures of risks and risk management performance (KRIs); and
- Aggregates common risk exposures across multiple business units with the objective of understanding the overall profile of the greatest threats to the enterprise as a whole and formulating an integrated enterprisewide risk response.
3. Build confidence with stakeholders and the investment community
As institutional investors, rating agencies and regulators increase their focus on the importance of risk management in their assessments of companies, management may be incented or even required to disclose and comment on the organization’s capabilities for understanding and managing risk. These disclosures are intended to enable stakeholders to make informed assessments as to the viability and sustainability of the organization and whether returns are adequate in relation to the risks undertaken. As companies increase the transparency of their risks and risk management capabilities and improve the maturity of their capabilities around managing critical enterprise risks, management will be able to articulate more effectively how well they are handling existing and emerging industry issues.
4. Enhance corporate governance
Risk management and corporate governance are inextricably linked; each augments the other. Elevating risk management to a strategic level strengthens board oversight, forces an assessment of existing senior management-level oversight structures, clarifies risk management roles and responsibilities, sets risk management authorities and boundaries and effectively communicates risk responses in support of key business objectives. All of these activities are germane to good governance. By the same token, effective governance sets the tone for (a) understanding risks and risk management capabilities and (b) aligning risk appetite with the entity’s opportunity-seeking behavior. Directors often ask, “what are the risks, how are they managed and how do you know?” An effective risk management process provides the answers.
5. Successfully respond to a changing business environment
When the business environment changes, the pace of change accelerates and the effects of change are disruptive, organizations must become better at identifying, prioritizing and planning for risk. Management must (a) understand the critical assumptions underlying the strategy and business model and (b) monitor the vital signs in the external environment to ascertain whether market trends and developments are occurring that render one or more of these critical assumptions invalid. This approach provides relevant information for decision-making and drives management to identify alternative future scenarios, evaluate the likelihood and severity of those scenarios, identify priority risks and improve the organization’s capabilities around managing those risks. As the environment changes, new risks emerge and are escalated in a timely manner for action and possible disclosure, impacting how resources are allocated across the organization.
6. Align strategy and corporate culture
Management must create risk awareness and an open, positive culture with respect to risk and risk management. In such an environment, individuals can raise issues without fear of retribution. It takes a lot of work to sustain an internal environment of this nature. With respect to matters of enterprisewide importance, centralized policy-setting:
- Creates greater focus, discipline and control;
- Clarifies the distinction between risk-taking and risk-avoidance behaviors;
- Improves tools for quantifying risk exposures;
- Increases accountability for managing risks across the enterprise; and
- Facilitates timely identification of changes in an entity’s risk profile.
Effective alignment of strategy and culture encourages balance in both the entrepreneurial activities and control activities of the organization, so that neither one is too disproportionately strong relative to the other.
These six fundamental reasons for improving risk management provide a perspective as to management’s purpose in improving risk management capabilities. Each reason serves to help elevate risk management to a higher level and drive improvement of risk management capabilities in a changing business environment. Continuous improvement efforts can enable organizations to align risk appetite and strategy, enhance risk response decisions, reduce operational surprises and losses, identify and manage cross-enterprise risks, provide integrated responses to interrelated risks, seize “early mover” opportunities and improve deployment of capital.
As the pace of disruptive change quickens, risk management is becoming a root differentiator between mere survivors and industry pacesetters. Risk management capabilities aligned with the speed of risk and a changing marketplace protect reputation and brand image and engender confidence in facing the future. Is this enough to warrant continuous improvement in risk management? We expect more boards and executive management teams to agree that, indeed, this is more than enough.