Risk Managers On Shaky Ground Without ERM Safety Net In Place

o Increased Scrutiny:

Companies today face more stringent accounting, regulatory and rating agency standards than ever before.

This is due, in large part, to the string of corporate scandals in the early 2000s, and the subsequent enactment of Sarbanes-Oxley disclosure and corporate officer accountability mandates, as well as guidance issued by the Securities and Exchange Commission and the Public Company Accounting Oversight Board that called on businesses–primarily those within the financial services industry–to undertake a thorough "top-down" risk assessment.

Furthermore, compliance with corporate governance reforms such as Turnbull in the United Kingdom, Nouvelles Regulations Economiques in France and KonTraG in Germany are changing the way companies manage their risks.

More recently, the public and private sectors have also begun to look more closely at internal company risk management policies and procedures. Rating agencies have been factoring ERM into their overall credit rating of financial services firms.

Moody's Investors Service and Standard & Poor's have also been working to develop consideration of ERM as a component of their ratings methodology for businesses in multiple industries, building on work they have already completed on this front with insurers and banks. How heavily weighted ERM is in Moody's assessment of a company's credit rating varies by industry, capital position and risk exposure.

The rating agencies' efforts have received renewed urgency in the past three months, as the extent of the subprime mortgage crisis has become apparent.

Many experts agree one of the key shortcomings that led to the subprime crisis was the lack of a comprehensive, enterprisewide view of risk management within financial services firms. The current situation certainly illustrates how many traditional, siloed risk management programs were not able to prevent the extent or impact of the current crisis.

Rating agencies are beginning to raise ERM expectations for insurers as well. Last year, S&P completed 274 ERM evaluations of insurance carriers, finding that most had merely adequate programs.

According to S&P, those firms that develop strong enterprisewide risk management programs have strong overall scores and should have lower losses relative to long-term average income in adverse times. S&P has made it clear that in 2008, it will continue to enhance its evaluation of insurer ERM capabilities as a fundamental part of its credit analyses.

Insurers could benefit from the lessons learned recently by the banking industry–companies that are best weathering the current crisis are those with agile risk management processes and systems.

Within the insurance sector (a capital-intensive industry), insurers face tremendous pressure from regulators and shareholders as well as the threat of costly catastrophes–which is in large part why insurers have taken ERM to heart more than other industries. Insurers are considered by many as being at the cutting edge of ERM–due largely to the involvement of actuaries within the individual insurance companies.

o Growing Interdependency of Businesses and Economies:

Regulatory and investor scrutiny is not the only reason ERM is in the spotlight. The ever-evolving nature of business itself, as well as changes in the world economy, is also providing new impetus to the adoption of ERM.

As companies increasingly globalize production and maintain supply chains that span the world, they inevitably increase their potential vulnerabilities–and, if they're not careful, place themselves at greater risk. Two recent interruptions in the global supply chain provide a good illustration of how the increasing interconnectedness, and interdependency, of business is complicating the process of risk management.

When, in 2006, Sony announced it was recalling lithium-ion batteries because they were potentially prone to overheating or exploding, almost every major laptop manufacturer around the globe was affected by the shortage in one way or another.

Dell Inc. recalled 4.2 million laptops, while Apple Computer Inc. recalled 1.8 million of its laptop products. Lenovo, Toshiba and Fujitsu all joined the recall as well. The recall was estimated to have cost Sony in excess of $200 million.

Meanwhile, the Japanese auto industry ground to a standstill in July of 2007. When a Tokyo-based Riken Corp. facility–one of a limited number of suppliers that provides specialized parts to the auto industry in Japan–was hit by a 6.8 magnitude earthquake, production among almost all major Japanese auto makers was brought completely to a halt due to the resulting shortage of essential parts.

The impact was felt by many organizations such as Fuji Heavy Industries, Honda, Mazda, Mitsubishi, Nissan and Toyota. Since this incident, Riken has diversified production to other cities to reduce the impact of future supply chain interruptions, but a question that comes to mind is how prepared were Riken's customers for this event?

Could it have been anticipated, and in each case what practical steps were taken to mitigate impact to revenue flow? Will their key suppliers always take such actions to reduce the risk of disruption?

Changes in the world economy are also putting an increased importance on ERM. As economies become more interconnected, the effects of changes in employment, national income, rate of growth, gross domestic product, inflation and price levels can be felt around the world.

Take, for example, the current financial crisis in the United States. While primarily focused here, countries around the world have been impacted in varying degrees.

According to the results of a recent Harris Interactive poll, Italy appears to be the hardest hit, with 29 percent saying the U.S. financial crisis has had a major impact, while an additional one-third say it has had a moderate impact on their personal financial situation.

France and Spain are the next hardest hit, as one in six in France (15 percent) and Spain (14 percent) say the impact on their personal financial situation has been major, while three in 10 French (30 percent) and Spanish (31 percent) adults say the impact has been moderate.

o Complexity of Risks:

The complexity of risks has also grown. As businesses expand their enterprises around the world, they face the traditional risks of competition, pricing and currency, fire, power-grid blackouts, equipment failures and natural disasters.

Meanwhile, numerous other risks are emerging, such as pandemics, terrorism, political risk, cyber risk, as well as increasingly complex business strategies that rely on outsourcing, single-sourcing and just-in-time delivery. Traditional risks, such as natural disasters, are potentially more costly for businesses today.

New risks, such as pandemics, are not necessarily as apparent for businesses. Many companies now recognize that a severe influenza pandemic could pose a threat to the continuity and viability of their businesses. Insurers are particularly vulnerable, as they could experience unprecedented losses from claims, downturns in their investment portfolio and reduced staff productivity from sickness.

Understanding and preplanning for pandemics will help companies make decisions about the best ways to protect themselves.

A formal ERM program provides a framework by which a company can more completely prepare and manage both known and unknown risks. The benefits of ERM are thus the business benefits that a company could realize by holistically increasing its self-knowledge and reducing managerial uncertainty.

Looking ahead, it is becoming more evident to business executives that ERM will be increasingly important across all industry segments in the near future.

Clearly, implementation of an effective ERM program takes adequate time and appropriate resources–especially ones that can, and must, stand up to the external scrutiny of rating agencies.

So, could 2008 be the year that ERM truly comes of age? Companies that welcome enterprise risk management will be well positioned to reap the potential rewards.