Resisting this change is an unwise gamble. As Franz Kafka said, "When it is you against the world, bet on the world."
These new demands necessitate a new way of managing risk. Enterprise risk management differs significantly enough from traditional risk management that old assumptions about the structure and composition of risk management no longer apply. As risk management evolves from avoidance-based risk management to enterprise risk management, new solutions are necessary and new structures forged.
Two key changes require special attention: the structure of risk management departments and the reporting channels. Traditional departments, which focus on insurable risks, vary in their details but share the same basic shape. There is a head risk manager, usually a director, and a team of two to five risk professionals who support the director.
ERM departments, on the other hand, focus on all risks facing the company and take on a different structure. Their broad view of risk requires that the ERM head coordinate with heads of the various business silos.
Risk information gathered is generally intended for strategic decision-making at the C-level or among the board of directors. Because the position by its nature requires such high-level reporting, it must exist as a function at the vice-president level or higher. Of course, not every company is eager to create a new chief risk officer. But imagine if the analysts started asking about the management of the risks listed in the 10-K filing? What level of visibility would be required to give them a reasonable level of comfort?
Because the ERM function is designed to manage risk company-wide, the function must report to the top levels. There is also a potential conflict of interest that makes this reporting line necessary. If the head of the ERM department notices that a certain organization is making decisions that could prevent the company from reaching its goals, he has an obligation to report it.
But what if the organization responsible for reckless behavior is his own? What if he is a director and has to report this to leaders two layers above his boss? It creates a moral hazard. The fear of career repercussions for going outside of the chain of command would be prohibitive in most organizations.
A study by the Corporate Executive Board found that 68 percent of risk management departments (not ERM departments) report directly to a CRO, CFO or the board. This is an indication that risk management is important to the top levels of corporate governance. It is also a recognition that much of the risk management function must report to leaders above separate business silos.
ERM is not driven by risk management. Rather, it is a response to a world that no longer wants to roll the dice in hopes that large corporations maintain their market capitalization. Corporate disasters of the past have irreversibly changed how risk is looked at in the context of big business.
Just as risk management has changed to align with these forces, the basic assumptions about where risk fits within the organization also have to change to align with corporate goals and regulatory pressures. As the world requires scrutiny of corporate risks, those wishing to remain sane need to try new solutions.
manages risk for Sun Microsystems Inc.
September 1, 2005
Copyright © 2005 LRP Publications