BY ROBERT TOROK, an executive consultant at IBM Global Business Services
Editor's note: With the annual convention of the Risk and Insurance Management Society Inc. to be held in Boston later this month, risk managers are preparing to refresh their skills in subjects ranging from enterprise risk management (ERM) to safety and loss control to claims.
This article explores one such hot topic, ERM, and the nuances between ERM and governance and compliance.
"Will this action drive profits?" "Will this action reduce our market share?" Organizations make these types of business decisions constantly, with no certainty about their outcome. Every move has many variables to evaluate, and eventually even the wisest and most careful business leaders must pull the lever and see where the chips fall.
Enterprise risk management (ERM) is the oversight, insight and guidance that helps an organization make these difficult business decisions (as opposed to legal, ethical or procedural decisions) while minimizing risk. Here, "minimizing risk" means improving the odds of a positive business outcome and avoiding negative ones. ERM guides the behavior and thought process of decision-makers, but it does not apply an ironclad rule set to the decision-making process. Such a rule set would be impossible to contrive or apply.
Unfortunately, many executives confuse ERM with other risk management functions that apply rules to business actions, most notably governance, risk and compliance (GRC).
Consider this example: In the late summer of 2008, a major airline hedged a substantial portion of its expected 2009 fuel purchases by locking in a large quantity of fuel at a fixed price after analyzing historic price trends and future predictions.
Oil prices had spiked severely earlier that year, so the hedge seemed a reasonable idea and was lauded by the media at the time. Within a fiscal quarter, it had turned into a disaster, requiring a write-down of tens of millions of dollars as oil and fuel prices plummeted. Was this risk foreseeable? Of course it was, but at the time the airline had a choice to make. The risk decision was a judgment call and could just as easily have turned out well as poorly.
In this case, there was no compliance rule against which the decision-maker could have checked yes or no. There were no hard rules that could inform this decision.
On the other hand, internal controls are a relatively black-and-white matter. They attest that something is correct at a point in time and, almost by definition, exist at the transaction level. Many controls are built into business processes and are used to examine individual transactions for accuracy and adherence to specific rule sets. Common examples include invoice controls, expense report rules, product quality policies, and financial statement reporting and disclosure requirements.
Governance refers to the processes, systems and cultures by which an enterprise is managed. In some respects, it may be viewed through the chain of command that exists in virtually all organizations of any size. Governance does not, and cannot, address the question of whether a specific transaction is correct, nor whether a business decision is the right or most optimal one. But governance does lead us to ask whether the process by which the decision was made is morally, ethically and legally appropriate, following the established policies and practices of the organization. Examples include the policies related to the employment of relatives or truth in advertising.
At the time a decision is made, neither internal controls nor governance inform a business decision-maker whether it is in fact the right one. No executive can attest, for example, that an HR policy is the right one, that a particular supplier is better than another or that a facility-location selection represents the best alternative. While each of these may appear to be the best choice at that point, circumstances and exogenous factors might make a "good" decision appear terrible six months or six years later, or even 20 years on in some industries.
The distinction between these types of activities is clear, but executives still confuse the terms when defining ERM.
A recent survey conducted by global accounting and audit firm Ernst & Young asked several hundred global executives, "What risk functions exist within your organization?" Among the nine choices offered were Compliance/Regulatory; Internal Audit; Internal Control; and Enterprise Risk Management. Listing them side by side as peers perhaps obscures the inclusive relationship between ERM and the other functions.
The same survey, titled "The Future of Risk: Protecting and Enabling Performance," concluded that having many risk functions creates overlap and confusion and imposes a cost burden on most organizations, in part by creating a silo-based approach to managing risk with each silo reporting separately to executive leadership.
There is a solution to this dilemma, as proposed by the law firm Wachtell, Lipton, Rosen & Katz, in a Nov. 2008 article titled "Risk Management and the Board of Directors."
"Directors should instead, through their risk oversight role, satisfy themselves that the risk management processes designed and implemented by executives and risk managers are adapted to the board's corporate strategy and are functioning as directed, and that necessary steps are taken to foster a culture of risk-adjusted decision-making throughout the organization.
The board can send a message to the company's management and employees that corporate risk management is not an impediment to the conduct of business nor a mere supplement to a firm's overall compliance program but is instead an integral component of the firm's corporate strategy, culture and value generation process."
This statement exemplifies the nature of a board's and executive management's responsibilities for risk management. The "culture of risk-adjusted decision-making" is an integral part of a firm's strategy for generating business value.
Consider these specific risk functions in the context of ERM:
-- Compliance/Regulatory: This group is concerned with adherence to external requirements, and therefore should take a "binary" compliance approach: i.e., nonadherence is not an option and the enterprise should be in a position to categorically state that it is in compliance.
-- Internal Audit (IA): This group ensures that all transactions and accounting decisions meet enterprise and externally mandated standards. The group does not undertake operational audits but focuses on compliance and control.
-- Internal Control (IC): This team focuses on the internal policies and practices that strengthen the organization. Examples include the establishment of approval limits, travel policies or contracting terms.
Each aspect of GRC is part of a complete ERM program, but none of them is ERM by itself, nor does their sum constitute ERM, which can be described qualitatively as follows:
-- Because there is no right answer, ERM and the ERM team can only establish practices to follow and help the organization ensure that risks are properly considered before decisions are made. This includes the governance processes that guide the organization's decision-making.
As an example, imagine selling to a new customer. Which group is responsible for what?
1. Evaluating a potential customer: ERM should ensure that due process is followed to determine if the organization should do business with a new customer. This entails developing a precontract checklist that includes items such as credit check and due-diligence review. The ERM team does not perform these checks but ensures that the governance process exists to mandate that they be performed.
2. The sale is made: IA can review the sales transaction to ensure that it has been properly accounted for and recorded. IC can review the same transaction to ensure that approval limits were adhered to. And Compliance/Regulatory might also review the sale and the customer to ensure that the items sold are used as intended.
Must these groups coordinate? Of course, but that is no different from the coordination that must exist between marketing and sales, or between sales and manufacturing, to ensure that the business does not stop while these reviews are completed.
It all boils down to this: There are, and should be, many risk-related groups in an organization, each performing a unique role. But true ERM encompasses both the hard-and-fast control functions and guidance for business decisions. Executives must change how they define ERM to realize the full scope of what ERM can and should achieve.
April 1, 2010
Copyright 2010© LRP Publications