The “Next Frontier” of Enterprise Risk Management – From Compliance to Strategy

Is this really the next frontier of the enterprise risk management process’ role within the organization?

Or is the future now?

When it comes to seeing what the future holds, you need to know the history. The same applies to enterprise risk management (ERM), which has an interesting history. In fact, this history is nicely written in a Workiva white paper titled “Next Frontier: Performance-Based Continuous ERM” (available for free download).

Evolution of the Enterprise Risk Management Process: A Short Summary

ERM started in the early 1990s with an initial focus on financial risks. A lot of financial institutions continue to concentrate on the financial risks, since it deals with well-known areas such as market risk and credit risk. After several dramatic accounting fraud cases in the early 2000s, operational risks  started being considered, with a focus on accounting processes, process controls, and proper disclosures.

The culmination of events over a 20-year span prompted regulatory action in the form of Sarbanes-Oxley Act of 2002 (for publicly-registered companies) and Basel II (for the banking industry).

And then late 2007 witnessed the global financial crisis, and the “world of risk management fundamentally changed.”  Regulations became more demanding of companies, forcing them to increase capital and liquidity, curb their risk-taking activities, and tighten internal controls.  Banks have new regulations set by the Federal Reserve and the Dodd-Frank Wall Street Reform and Consumer Protection Act, which, among other things, elevated risk oversight and risk governance to the board level.

Not to be left behind, the insurance industry saw many states adopt the Own Risk and Solvency Assessment model act, which requires scenario analysis to determine ongoing financial solvency requirements based on individual company risk profiles.

Unfortunately, by this point, many consider risk management either a compliance activity or a way to support decisions to avoid risk during tough economic times.

Views of ERM: The Present and Futureenterprise risk management process

The white paper states that the “next frontier” of ERM is to help create shareholder value.  Next frontier? It is here where my views of ERM differ from the authors of the Workiva white paper.  Personally, this is the way that I have always thought of ERM – adding and protecting value, not helping companies simply “check” the box on risk management.

As an enterprise risk management professional, I want to help companies proactively and constantly identify what could potentially face them, prepare for the future, and assist decision-making by providing leadership with actionable information.

Now, I will say that I agree with all seven key attributes of ERM for it to be continuous and based on data.  Those attributes are:

enterprise risk management process key attributes

When it comes to strategic risk management (Attribute #2), it is important to note that “strategy and ERM should be integrated to support the development, execution, and performance monitoring of corporate and business-unit strategies.”

Yes, you read that correctly; the enterprise risk management process in general, and strategic risk management in particular, should occur at both the corporate and business-unit level.

Many fail to recognize this critical fact – events in a particular business unit can impact the whole organization.

Samsung’s recent issues with the Galaxy Note7 literally exploding is a great example.  Samsung, as an enterprise, has TVs, computers, mobile devices, appliances, and more.  But after the issues with the exploding Note7, most people think about the negative reactions from the company instead of praising the company for its computers or TVs.

Oh, risk appetite…what a misunderstood and misapplied term.  Many companies have no idea what to do with it or how to use it for decision-making.  Step #2 in my article on designing the governance structure of an ERM program goes into detail about risk appetite and risk tolerance.  In it, I also describe two of my key mantras and themes you will see me mention regularly: adaptable and actionable.

For ERM to be effective and add value, companies should have ERM at the table for business decisions.  ERM is not about saying “no” to ideas; ERM professionals should focus on finding ways to increase the chances of a positive outcome and be prepared for any decisions that need to be made as a result.  Check out my blog post “Wait a Second – You Mean We Can Have Positive Risks Too?” for more information on this topic.

To further the integration across the three assurance methods, risk assessment results and related analytics information for the biggest risks should be provided to internal audit to support their risk-based auditing program.

Did you read that the enterprise risk management process should be continuous?  Yes, you are correct. It should be ongoing, throughout the year, providing up-to-date information to the information users.  No semi-annual risk review sessions.  Leadership, business units and ERM should be walking hand-in-hand throughout the year, identifying risks, keeping assessments current, and monitoring the performance of strategy execution.

ERM process continuous

All this continuous activity means no monthly reports.  No quarterly reports.  No (gasp!) annual reports.  

Instead, provide an interactive dashboard, which should be updated as quickly as the information is available and vetted.  Now I am not going to push for any specific ERM software vendor; goodness knows there are several good ones out there.  But most, if not all, have interactive dashboards for different ways to provide risk information.  After all, it is not about reporting, it is about communicating.

Speaking of communicating, all enterprise risk management programs should be soliciting honest feedback on performance and process, so that the program (and its team members) can continuously improve and evolve.

This is a lot of information to take in, especially if your ERM program is still in the compliance mode.

Do you need some help in taking your enterprise risk management process and program to the “next frontier” – from a “check off the list” compliance action to an integral part of protecting and enhancing value for your organization?  I can help!

Click here to learn more about my background, continue browsing ERMInsightsbyCarol.com to learn more, or contact me directly by completing the form below.

Featured image courtesy of NASA.gov

[contact-form][contact-field label=’Name’ type=’name’/][contact-field label=’Email’ type=’email’/][contact-field label=’Company Name’ type=’url’/][/contact-form]
, , , ,

Related Posts

2 Comments. Leave new

Madhu Acharyya
December 27, 2016 1:16 am

Good conceptual article. However, I should argue that ERM is a tool for managing business successfully irrespective of size and industry. There is no ‘one size fit’ ERM solution. This is more like a strategic management tool and requires adopt and adapt approach based on corporate objectives, organizational culture, most importantly available resources. However, the most difficult thing for ERM implementation is demonstrate the tangible value is you want to pursue ERM as a forward looking thinking rather than a compliance function.

Reply

    Hi, Madhu. Thanks for your comments. I agree that ERM is not just for large companies. And definitely not a one-size-fits-all solution! That is why my article on Launching an ERM Program talks so much about making it fit the organization, in culture and processes.

    And yes, that demonstrated value is difficult, but it is achievable. Sometimes you have to start small to show value, then grow the program to work with other areas.

    I look forward to other comments from you in the future on other articles. Take care!
    Carol

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu