By LAURA TAYLOR, ERM global practice leader for Aon Global Risk Consulting
In recent years, there has hardly been a person worldwide who hasn't experienced the need for enterprise risk management, from the investor who has seen his portfolio depleted by the financial industry meltdown, to the patient whose medication was unavailable due to supply chain interruptions, to the grocer who had empty shelves due to yet another tainted food recall. Enterprise risk management may not be a household phrase quite yet, but producers and consumers recognize its value for maintaining a safe and stable economy. And those of us in the business understand the growing importance of ERM's direct impact on the bottom line.
During my 15 years as a risk consultant, I've seen a shift in the perception of ERM by practitioners, clients and stakeholders. The old-school version of ERM was sometimes viewed as either too conceptual or too compliance-driven. In either case, there was no strong link integrating ERM into practical processes. Now, when we are invited into a company, the focus is on helping the organization increase its ability to deliver on its strategic plan. It is all about driving value. The approach includes:
-- Evaluating how, and how well, risk is currently managed
-- Determining the client's current and desired level of ERM maturity
-- Developing practical strategies to leverage strengths and close gaps
-- Defining a corporate risk profile
-- Quantifying the potential impact of key risks on financial performance
-- Embedding risk information into management decision processes
Now, the emphasis is less on the reports themselves and more on the measurement of risk management in enhanced strategic decision-making.
BUILDING ON EXISTING PROCESSES
This new method requires creativity, sensitivity, collaboration and a little intuition. It is not about imposing something new into an organization; rather, it is about understanding the culture, building on existing strengths and processes, and integrating more risk information into decision processes. In some cases, this means taking a more quantified approach to some of the risks. While some may think that the strategic and operational risks cannot be quantified, that is simply not the case. As one of my colleagues often says, "If you are making a decision, then you have modeled the risk even if it is only in your head."
The goal is to improve the overall decision-making framework by adding rigor to the analysis and integrating information and insights from others in the organization. This is a positive trend that is welcomed by boards, employees, vendors, shareholders and investors alike.
This transition has resulted from both internal and external influences. Internally, executive leadership teams and boards are asking much more focused questions and expecting a much deeper understanding of the risks and opportunities that face their organizations. Externally, there has been an increase in regulatory requirements, most recently with S&P including a review of ERM programs in their ratings analyses for all companies, and the Securities and Exchange Commission's ruling last December in favor of increased disclosure regarding risk, compensation and corporate governance. While companies can expect more questions from regulators on their overall enterprise risk management programs, these are questions companies should be asking themselves regardless of the regulatory environment. Questions like:
-- What are our key risks?
-- Which business unit brings the most risk?
-- Who is managing these risks?
-- What metrics are used to monitor key risks?
-- What is our risk appetite and tolerance?
-- Do employees understand their risk management roles?
-- How involved is the board in risk?
-- Do our compensation policies drive inappropriate risk taking?
These are advanced ERM activities that go well beyond the basic reports of ERM's early days and provide evidence of the rapid evolution within our industry. Having said that, Aon's 2010 Global ERM Survey findings indicated less than 10 percent of organizations are leveraging risk to drive value, although companies have made significant improvement in ERM maturity since 2007. This reflects an opportunity for organizations to continue to improve and enhance their programs.
RISK OVERSIGHT AND OWNERSHIP
In addition to asking these key questions, we've also seen more interest in defining a risk structure within organizations. Historically, the responsibility for risk management was housed in an organization's audit, finance, legal or insurance function. The focus of the ERM program, the tools and approaches used to initiate ERM, and management's expectations of results tended to be influenced by the discipline that sponsored it. For example, ERM initiatives that grew out of the finance discipline often were focused on financial risk management and reporting. Those originating in audit tended to be compliance driven, with a focus on adherence to existing risk controls. Risks that were not well understood outside of the sponsoring function were sometimes missed or downplayed.
Today, there is a movement toward appointing a senior-level executive with the responsibility of risk oversight. In many organizations, this role is held by a member of the C-suite, such as the chief financial officer or general counsel. More recently, organizations are seeking guidance on their risk oversight structure:
-- Should they appoint a chief risk officer?
-- Should they create a separate board-level risk committee?
-- What information should the board be getting and how often?
The answer is different for each organization, and we are tasked with helping organizations weigh their options.
While certain industries, such as energy, finance and life sciences, pioneered the ERM movement, momentum is gaining across the spectrum and not just because of external pressures for disclosure. ERM consulting has become more flexible, no longer imposing rigid processes in a cookie-cutter approach. Individualized solutions cultivated out of an organization's specific industry, operations, hierarchy and mission are now offered, opening up the possibility of ERM practices for small and growing companies that are reading about successes in business publications and hearing firsthand accounts at conferences. More and more, experienced practitioners are willing to come forward to tell personal stories, using their ERM experiences as a positive marketing tool that gives stakeholders evidence of their ability to manage risk well. Companies now understand the opportunities for leveraging risk management to drive value.
It is this desire to use ERM as a strategic tool that has been most profound within our industry. New clients want to take a static, conceptual framework and make it dynamic and practical. Existing clients want to embed risk decision-making up and down the hierarchy. Organizations are moving away from simply identifying and prioritizing risk to focusing on bottom-line impact:
-- A pharmaceutical client that began ERM from a compliance initiative now uses the framework to evaluate its strategic initiatives.
-- A chemical client's application of ERM allowed it to stave off customer concerns after an explosion at a key supplier's plant. Because of its proactive focus on business continuity, the chemical firm's customers were quickly reassured that they would continue to receive shipments.
-- A number of manufacturing clients use ERM to protect long-standing reputations.
This individualized and flexible approach is what makes ERM challenging and exciting. Every client has unique needs that demand unique solutions and this personalized approach is the future of our industry.
Looking forward, it is our challenge to make sure that the recent groundswell in ERM interest goes beyond simply using the right buzzwords in annual reports or creating placeholder oversight committees. ERM needs to be positioned as a tool for strategic decision-making. It is no longer about reports. ERM is now about having an improved sightline and about driving value for the organization.
May 1, 2010
Copyright © 2010 LRP Publications