Everywhere I look or read there are hundreds of new references, opinions, articles and gimmicks all speaking to the how-to's of ERM.
And in general, I get frustrated with the vacuous content. As I see it, had we been collectively practicing true ERM, we would not be now "enjoying" this juicy economic pickle. Buzzwords like "controls," "transparency," and "disclosure" have become so synonymous with risk management that one would think that all you do is open your books and "Bingo!"--you have good risk management.
It's not so simple. There are essential and non-negotiable elements that evidence a "true" enterprise risk management program. Here are my top five.
Organization's Structure, Culture and Risk Philosophy--ERM-savvy organizations have a culture of openness, awareness and sensitivity to risks and to their social and financial responsibilities to all stakeholders. Risk consciousness and philosophy are championed and lived consistently by senior executives and endorsed by a well-structured board. The risk philosophy and tolerance are embedded into the organization's DNA.
Risk-Based Incentive Compensation--Compensation is probably the single biggest lever that management can pull to influence organizational behavior. Incentive compensation has a substantial influence on risk decisions--as witnessed on Wall Street, where compensation is tied to the short-term upside of the risk equation and rarely the downside. Performance measurement can be misaligned in an organization, with one area seeking growth while the other is seeking quality. Risk needs to be part of the bottom line for employees and that means adjusting compensation structures so that all parties face the same objective.
Holistic Risk View and Interdependencies--The word "enterprise" may lead you to think of a federated approach to risk management but it actually means that risks are managed as a portfolio. Risks viewed separately are not the same as when viewed together. Think of baking bread in an oven using flour, eggs, water, butter, yeast. We mix, bake and presto--we get bread. Can you even identify the eggs in the bread now? The components have lost their original identity and are interdependent on the other ingredients. This is similar to risk issues in an organization. Enterprise risk-mature organizations understand the interdependence of risks and their combined effect on goals.
Risk-Adjusted Decision Making Tied to Strategy--Management is decision-making consistent with a company doctrine and clear boundaries. Decisions should match and be harmonious with the organization's strategy, meaning that every action will fall in step with the beat of the corporate drum. If everyone formally accounts for risk in their decision-making process and still marches steadily with that beat, hallelujah, we reach ERM nirvana.
Current and Dynamic--ERM does not operate in a static environment. An ERM process has to be flexible enough to respond to changes. Risk identification that occurs once a year is at best ceremonial, and with luck your competition does it even less often.
As the U.S. Treasury welcomes organizations to the bailout trough, let's insist on proof of true ERM.
JOANNA MAKOMASKI, the former risk manager for a global energy company, is a leading specialist in innovative Enterprise Risk Management methods and implementation techniques for ERM Quickstart. She writes on risk management.
December 1, 2008
Copyright © 2008 LRP Publications