By B.G. YOVOVICH, who has written for national trade publications for more than 20 years
Admittedly, past predictions about the progress of enterprise risk management often have proven overly optimistic, but there's plenty of evidence that suggests that ERM really has reached a key inflection point in its development.
Consider, for example, the observations of ERM pioneer James Lam, president of James Lam & Associates, a consulting firm in Boston, whose comments echo those of many other long-time members of the risk management community.
"I have been involved with ERM since the early 1990s, and the level of interest in ERM has never been greater," reports Lam, whose hiring as chief risk officer at GE Finance in 1993 is often cited as the first-ever appointment to a CRO position.
To support his view of ERM, Lam points to findings from a stream of surveys, studies and reports that document the growing interest. This includes, for example, a survey in mid-2008 by Crowe Chizek and Co. LLC based on responses from more than 780 chief financial officers, audit committee members and chief audit executives, which uncovered the following:
As many as 70 percent of audit committee members and more than 65 percent of the CFOs ranked ERM as the No. 1 challenge for their organizations over the next 12 months, overshadowing worries about improving financial reporting and internal controls.
The survey also found that 21 percent of the finance teams reported that they will devote much greater attention to companywide risk management in the coming year, with 75 percent expecting to devote at least moderately more attention to ERM.
Corroboration of this growing interest in ERM comes from a separate study released in mid-2008 by KPMG and the National Association of Corporate Directors. The study was based on a survey that found that audit committee members ranked risk management as their top priority, replacing accounting judgments and estimates, which had been the top concern in 2007.
"ERM has replaced accounting issues as the top concern for board members, and directors have become a lot more engaged," adds Lam. "My recent calendar has been filled with a lot of board work, and it involves both consulting and training."
One development that definitely has contributed to the surge of interest and activity connected with ERM was Standard & Poor's announcement in May 2008 that the ratings agency will begin to explicitly use ERM as a ratings factor not just for financial firms, but also for all nonfinancial businesses whose creditworthiness it evaluates.
During the third quarter of 2008, S&P began to incorporate ERM into its analysts' ratings discussions with management. Going forward, S&P's plans are to first add ERM commentary as a part of its credit reports, then, during 2009, to implement formal ERM scoring of companies that will be used to determine company credit ratings.
The direct impact that S&P's ERM scoring could have on company credit ratings certainly has grabbed the attention of boards and senior management--and has spurred ERM activity.
At Continental Airlines Inc., for example, the managing director of risk management, Peter Fahrenthold, says, "When S&P first floated the possibility out there last November (2007), I gave a presentation to the board in which I talked about what it would mean for us."
After S&P issued more details in May 2008 on the criteria it would be using in its evaluations, Continental's board decided to aim for its ERM program "to get beyond just acceptable (rating) and to hit one of the higher levels--strong or excellent--that would indicate that S&P felt our system was providing the proper level of review," says Fahrenthold.
And, prior to Continental's first ERM-inclusive meeting with S&P analysts last month, Fahrenthold reported, "We are working madly to be ready."
More generally, risk professionals across the country and across all industries report that the new ERM evaluations by S&P have spurred a surge in board and senior management interest and activity in preparation for those first meetings.
However, the new S&P ratings are only one part of the story of ERM's rising profile. Top-level interest in ERM has been building in recent years, and the move by S&P is part of a set of converging developments that appear to be coming to a head.
Although it is widely used in the insurance and financial-service sectors, ERM began to get increasing attention at nonfinancial firms in 2003 through 2005 as companies looked for ways to respond to a wave of new challenges and disruptions that had arisen during the previous five-year span.
These included the Sept. 11, 2001, attacks; two wars; a string of major hurricanes, earthquakes and tsunamis; new risks arising from outsourcing and globalization; many corporate scandals and failures; and new risk management requirements stemming from Sarbanes-Oxley.
And, as the first wave of early ERM initiatives have evolved, matured and multiplied, they have reached a critical mass that now is triggering a chain reaction of new initiatives.
ERM VERSION 2.0
"When we have asked people, 'What is the biggest driver of ERM?' they tell us that it comes from requests from boards, and often those requests are a result of cross-fertilization from outside board members who have seen the benefits of ERM at other companies within which they are involved," says Ellen S. Hexter, who leads The Conference Board's ERM work. "The risk issues might be different at different companies, but the underlying ideas still apply." Although the initial impetus for many ERM programs arises in connection with SOX and other compliance efforts, successful programs expand their roles.
"When we asked, 'What are you doing differently now that you are using ERM?' the answer at the top of the list was, 'We are better at M&A,'" says Hexter. "They tell us, 'We have more process around M&A. We are better at walking away from deals. We are better at pricing our deals, and we are better at selecting deals on which we should be focusing.'"
At Cisco Systems Inc., for example, the ERM initiative is becoming increasingly involved with the company's M&A efforts. Initially, ERM was used to do post-merger risk assessments of a couple of large acquisitions by Cisco--first, of Scientific Atlanta, a manufacturer of cable television, telecommunications and broadband equipment, and, subsequently, of WebEx, a provider of on-demand collaboration, online meeting, Web conferencing and video conferencing applications.
More recently, says Phil Roush, who heads the ERM team as vice president of internal control services, "We've been asked to put together a template for our M&A specialists so that they can use a risk lens to help evaluate M&A opportunities (before the transaction)."
Companies also often report that their ERM efforts have enabled them to identify previously unrecognized vulnerabilities, with supply chain risk a particularly common application. For example, in the course of implementing its ERM process, multi-industry Textron Inc. discovered that its Cessna line of aircraft was crucially dependent on a single engine manufacturer, a finding that enabled the company to take appropriate measures to deal with the supply chain risk.
Or consider Continental, which provides a classic example of how ERM can uncover a systemic problem with a company's business-continuity plans that would have been difficult to identify without an ERM-type of cross-silo assessment. "When we were doing business continuity planning," says Fahrenthold, "we divided our business functions into three tiers"--based on how urgently the functions were needed in order for the airline to resume operation.
When the ERM analysis dug a little deeper into the recovery process, it found key functions being performed by seemingly lower-priority operations--which, if they failed, could put the entire recovery at risk.
As a result, says Fahrenthold, "We looked at those bottlenecks, spent a little extra time on the controls that they are using and looked at the ways that the exposures can be mitigated."
"If you look at a situation on a stand-alone basis, if something goes wrong, the interdependencies might result in a much bigger problem than you had realized," the risk manager says. Scans of ERM programs at various companies indicate that the focus of initiatives tends to vary from enterprise to enterprise.
"ERM is not a cookie-cutter, check-the-box activity," emphasizes Carol A. Fox, senior director of risk management at Convergys Corp. and chairwoman of the Risk and Insurance Management Society Inc.'s ERM Development Committee. "ERM truly is something that has to be embedded in the organization for the organization to get the true value out of it. The way that Convergys approaches ERM will be different from what happens at another company, but we can talk about those common elements and attributes."
Hexter adds, "People are all along the learning curve, and even the people who have been doing this for a while can learn from the people who are new and asking the right questions."
For instance, a firm just beginning ERM "might point you to a different kind of approach to a particular risk," says Hexter, "or it could show you a different approach structuring your organization or how you are going to report on risk to your board."
As ERM goes through a period of rapid growth and evolution, says Hexter, "It is always valuable to hear what is going on in other companies."
January 1, 2009
Copyright 2009© LRP Publications