Determining which risks to report up and the best means to do so is an important component to effective ERM. However, communication goes both ways, and risks identified at the top also need to be brought down and addressed at the business level.
A recent session at The NeuGroup’s Corporate ERM Group recent May meeting explored methods of addressing risks identified at the top of the management chain and incorporating them into the ERM matrix.
One of the first questions members of the group delve into was whether ERM should start at the top or end at the top? This was a key topic of discussion among the group as one member who led the session described her process that begins with one-on-one interviews with the chairman of the board, CEO and CFO. She then uses their input as the starting point for building out the risk assessment and covers their top-five risks and a review of the prior year’s items to see what might carry over.
This member also incorporates into the discussion findings from her ongoing review of outside and inside research, such as the annual risk report from the World Economic Forum. The output from these senior executive level discussions is then communicated down the chain for further input and review, serving as the foundation for the annual risk assessment.
Another member described a different approach. This company starts the assessment at lower levels in the organization. ERM interviews the senior executives at the end of the process and allows them to review and comment on the findings from the lower levels. Still another member said his ERM begins their program starting with senior executive interviews. It then switches to starting at the bottom but have now returned to starting the process at the top. ERM surveyed the BOD and asked board members if they were getting enough information to exercise their responsibilities of monitoring risk at the company. All of the feedback was favorable.
But taking it to the board isn’t just an overview, it’s a deep dive. The session presenter said she meets with the chairman, CEO and CFO in December of a year and then the management committee in February. She then prepares those results for a “deep dive” review with the BOD sub-committee on each of the top risks. This is done in late winter or early spring and is shortly followed by a report-out to the full board. She reports that the BOD sub-committee has now asked the ERM team to consider three additional elements in the process of assessments:
1.Impact of global climate change.
2.Should China be its own risk rather than a component of other risks?
3.How to see the unknown unknowns.
The views of the most senior leaders of the organization can either lead the ERM process or react to it. But regardless of which end of the process their input is focused on, it is critical to the success of any program. Some would argue that no one knows the risks better than those at the top. Others would argue that no one knows the risks better than those closest to the risks. It’s hard to say which is true, but both philosophies seem to work. The key, as many ERM professionals have indicated, is to simply have the conversations and get the right people thinking and talking. But the “right people” definitely needs to include executive management.