Is this really the next frontier of the enterprise risk management process’ role within the organization?
Or is the future now?
When it comes to seeing what the future holds, you need to know the history. The same applies to enterprise risk management (ERM), which has an interesting history. In fact, this history is nicely written in a Workiva white paper titled “Next Frontier: Performance-Based Continuous ERM” (available for free download).
Evolution of the Enterprise Risk Management Process: A Short Summary
ERM started in the early 1990s with an initial focus on financial risks. A lot of financial institutions continue to concentrate on financial risks, since they involve well-known areas such as market risk and credit risk. After several dramatic accounting fraud cases in the early 2000s, operational risks started being considered, with a focus on accounting processes, process controls, and proper disclosures.
The culmination of events over a 20-year span prompted regulatory action in the form of the Sarbanes-Oxley Act of 2002 (for publicly-registered companies) and Basel II (for the banking industry).
And then late 2007 witnessed the global financial crisis, and the “world of risk management fundamentally changed.” Regulations became more demanding of companies, forcing them to increase capital and liquidity, curb their risk-taking activities, and tighten internal controls. Banks have new regulations set by the Federal Reserve and the Dodd-Frank Wall Street Reform and Consumer Protection Act, which, among other things, elevated risk oversight and risk governance to the board level.
Not to be left behind, the insurance industry saw many states adopt the Own Risk and Solvency Assessment model act, which requires scenario analysis to determine ongoing financial solvency requirements based on individual company risk profiles.
Unfortunately, by this point, many consider risk management either a compliance activity or a way to support decisions to avoid risk during tough economic times.
The white paper states that the “next frontier” of ERM is to help create shareholder value. Next frontier? It is here where my views of ERM differ from the authors of the Workiva white paper. Personally, this is the way that I have always thought of ERM – adding and protecting value, not helping companies simply “check” the box on risk management.
As an enterprise risk management professional, I want to help companies proactively and constantly identify what could potentially face them, prepare for the future, and assist decision-making by providing leadership with actionable information.
Now, I will say that I agree with all seven key attributes of ERM for it to be continuous and based on data. Those attributes are:
When it comes to strategic risk management (Attribute #2), it is important to note that “strategy and ERM should be integrated to support the development, execution, and performance monitoring of corporate and business-unit strategies.”
Yes, you read that correctly; the enterprise risk management process in general, and strategic risk management in particular, should occur at both the corporate and business-unit level.
Many fail to recognize this critical fact – events in a particular business unit can impact the whole organization.
Samsung’s recent issues with the Galaxy Note7 literally exploding are a great example. Samsung, as an enterprise, has TVs, computers, mobile devices, appliances, and more. But after the issues with the exploding Note7, most people think about the negative reactions from the company instead of praising the company for its computers or TVs.
Oh, risk appetite…what a misunderstood and misapplied term. Many companies have no idea what to do with it or how to use it for decision-making. Step #2 in my article on designing the governance structure of an ERM program goes into detail about risk appetite and risk tolerance. In it, I also describe two of my key mantras and themes you will see me mention regularly: adaptable and actionable.
For ERM to be effective and add value, companies should have ERM at the table for business decisions. ERM is not about saying “no” to ideas; ERM professionals should focus on finding ways to increase the chances of a positive outcome and be prepared for any decisions that need to be made as a result. Check out my blog post “Wait a Second – You Mean We Can Have Positive Risks Too?” for more information on this topic.
To further the integration across the three assurance methods, risk assessment results and related analytics information for the biggest risks should be provided to internal audit to support their risk-based auditing program.
Did you read that the enterprise risk management process should be continuous? Yes, you are correct. It should be ongoing, throughout the year, providing up-to-date information to the information users. No semi-annual risk review sessions. Leadership, business units and ERM should be walking hand-in-hand throughout the year, identifying risks, keeping assessments current, and monitoring the performance of strategy execution.
All this continuous activity means no monthly reports. No quarterly reports. No (gasp!) annual reports.
Instead, provide an interactive dashboard, which should be updated as quickly as the information is available and vetted. Now I am not going to push for any specific ERM software vendor; goodness knows there are several good ones out there. But most, if not all, have interactive dashboards for different ways to provide risk information. After all, it is not about reporting, it is about communicating.
Speaking of communicating, all enterprise risk management programs should be soliciting honest feedback on performance and process, so that the program (and its team members) can continuously improve and evolve.
This is a lot of information to take in, especially if your ERM program is still in the compliance mode.
Do you need some help in taking your enterprise risk management process and program to the “next frontier” – from a “check off the list” compliance action to an integral part of protecting and enhancing value for your organization? I can help!
Featured image courtesy of NASA.gov