The emerging, seemingly popular notion that enterprise risk management may not be meeting expectations and may be on the way out is much contrived and more than a bit overblown. In fact, while ERM may be at a crossroads of sorts, it offers organizations greater and more significant opportunities to make a difference.

To wit, Standard & Poor's has just announced it will begin applying ERM rating criteria to its credit ratings for nonfinancial entities. This says loud and clear that the rating agency sees value in assessing ERM capabilities in all rated companies.

Admittedly, it is not that firms haven't been managing their risks, as the age-old question from management has it. See the many tomes on risk management–most especially "Against the Gods: The Remarkable Story of Risk," by economic consultant Peter Bernstein–and you'll have to agree that entities have always "managed risk." It has merely been a question of effectiveness, and it remains so.

What is effective enterprise risk management? S&P in particular has spent considerable time defining it. And while their approach has, I think, been particularly crafted to the exposures of financial institutions, it can still be effectively applied to nonfinancials, with some adjustment.

In particular, the evolution of ERM has brought us to a crossroads that I would call the gap between "enterprisewide" and "strategic" risk management. Here's how I see it:

The most common approach to ERM has been to first identify and understand the most significant risks to the business. That's very appropriate. After all, these should be the risks with the greatest chance of bringing down the house in medium to very large ways, as well as those exposures of lesser likelihood but whose impact cannot be ignored.

To do this well, an ERM framework must undergird this work. A good framework details how the identification, assessment, measurement, mitigation and monitoring processes will be done, by whom and how often.

The next most typical phase of ERM has involved peeling the onion back further, to better understand the cross-segment impacts of these risks–how they correlate and aggregate–and to ensure operational controls are designed well and keep operating effectively.

This last piece does not typically limit itself to traditionally auditable controls but importantly includes the mitigation strategies more commonly applied to business and strategic risks.

Through these phases thus far, much has been accomplished to satisfy many stakeholder interests–but not all.

Therein lies the opportunity defining our present condition–improving and connecting the output of these efforts to the decision-making and planning processes. This is the biggest challenge that all who walk this road will face–and it is a road with many potholes!

I like to say that a risk isn't a risk unless it threatens an objective. If that's true, then our most important task is to identify, assess and manage those risks that first threaten our biggest objectives–and ultimately more.

In fact, a fully integrated risk management process is one that by default ensures all threats to all objectives are at least assessed.

Given that business priorities must be set, it is only appropriate that for most of the "small stuff," going beyond initial assessment is not productive. Nevertheless, we must look deep within our business models to ensure that anything that could take us down has been dealt with according to its threat level.

But what is the chasm between "enterprise" and "strategic" risk management? In the simplest terms, it is:

o Driving the more relevant and usable output of our risk process into day-to-day decision-making at every level.

o Producing measurable output that management and governance can quickly understand and to which they can ascribe value.

o Helping all risk owners make the connections between risks, objectives, controls/mitigation strategies and ultimately business performance.

o Being able to use risk data to allocate human and physical–not just financial–capital.

o Enabling risk owners to make prudent decisions about risk treatment (acceptance, avoidance, transfer or through controls).

Let's face it, you can do risk management across an enterprise with little effect. To manage risk strategically implies its integration into the culture of the company, making it a part of "Management 101."

This means all employees must be educated and trained to be aware of risks in their realms, able to identify new risks of significance, and then effectively deploy responses to mitigate exposures to predetermined management- and governance-validated risk tolerances.

What's more, they must do all of this in concert with their company's appetite for collective risk. Easy? No way. Quick? Not a chance. Necessary? You bet!


Chris Mandel
