By Bryan Richardson
Companies grapple with identifying and incorporating emerging risk into their planning.
The notion of enterprise risk management is still a concept that many corporate leaders struggle to get their head around. Particularly the seemingly mundane tasks of what it encompasses, who owns it, what it routinely does and how much it costs. All are issues that must be understood and embraced, preferably in the boardroom and C-Suites first, in order for an ERM program to have any hope of getting off the ground.
Many companies have taken on the ERM challenge with success—oftentimes with the depth to staff an ERM department with 10 or more people.
Not for everyone
But many companies remain recalcitrant, not seeing enough value to warrant the necessary resources and attention. In a recent email discussion among treasurers in one of The NeuGroup’s peer groups only 47 percent indicated they had a formal ERM program while 40 percent said they had none. The remaining 13 percent professed to having ERM “light.” Of those with no program or a light program, various reasons were given as to why they hadn’t moved forward with something more formal.
One treasurer’s “light” program? Internal audit: similar benefits and “less of a cost.”
“We looked at a formal ERM program but decided not to implement one. We concluded that our informal program through internal audit achieves some of the benefits at less of the cost,” said one treasurer.
Added another: “ERM was sort of overseen by a cross-functional global risk council—or herded together by legal. But the overall management of this is in transition and it continues to suffer from reprioritization.”
nascent risks
Most companies with a robust ERM program will readily admit that they still have many shortcomings in their programs. One of the most notable is that of effectively identifying and managing emerging risks. Oliver Wyman, the global consulting firm based in the UK, in partnership with the Financial Times, recently published the results of its second annual research survey on global emerging risks.
This very comprehensive survey included 650 respondents from global companies with a minimum of $1bn in market cap. While the survey covered numerous sectors, the results were heavily weighted in the industry sectors of financials
(28 percent) and technology/communications/media (19 percent). The remaining responses were from at least 12 other
sectors. The survey defined emerging risks as “new risks or familiar risks in new or unfamiliar conditions” and identified the top 5 “perceived global emerging risks” as follows:
1) Global recession
2) Regulation policy
3) Liquidity/credit crunch
4) Financial market volatility
5) Commodity price volatility
While this is informative, the survey results offered other interesting revelations on the matter of emerging risks.
More Attention, Exasperation
A remarkable 90 percent of respondents indicated that over the past 12 months they had increased their focus on emerging risks in a variety of ways (see chart below). The efforts focus on improved approaches to identification through metrics and staffing, and enhanced reporting to senior management and the board of directors.
However, these efforts have not yet yielded the preferred outcomes. Nearly two-thirds of respondents believe their ability to incorporate emerging risk information into their business and deliver meaningful decisions, is either “ineffective” or “moderately effective” which translates to questions about the cost benefit of ERM, or at least the emerging risk component.
The survey addresses the obstacles cited for inhibiting more progress (see chart below). Not surprisingly, 25 percent of respondents blamed the usual suspects: lack of “resources and time” to allocate to emerging risks as the chief challenge. The more interesting key challenge, however, cited by 35 percent of respondents, was the inability to interpret relevant data and incorporate it into the company strategies and operations. These companies had spent the time and resources to acquire the needed information but lacked the ability to use it effectively. Part of this problem is due to acquiring more data than you can analyze and act on. The report quoted a chief risk officer saying: “We’ve cut down the frequency of our risk assessments because we end up with too many risks on our register and not enough time to do anything about them.”
The report surmises that emerging risk “blind spots” exist within corporate leadership due to the lingering effects of the global financial crisis. Indeed, the top five perceived emerging risks cited above clearly related to that prolonged event. This distraction skews executives toward preparing defensively for these events by protecting cash flow, capital access and costs. The report suggests that executives would be better served by taking a more offensive posture and taking actions such as entering new markets, developing new products and other such strategic initiatives.
Emerging Risk Myopia
Another conclusion drawn from the survey and report relates to the source of data used for identifying emerging risks. The researchers find that companies, to their detriment, tend to rely too heavily on internally generated data and too little on external data. Internal subject matter experts and internally developed risk indicators are the primary sources for identifying emerging risks. The report argues that companies are exposed by the limitations of their people. The counterpoint of course is who knows the business better than the local operator, who also has accountability, and likely personal incentive, for its success?
On the matter of regularly reporting emerging risks, the report shows that every area of the company (12 standard departments within a company) had improved toward being “regular recipients of emerging risk information” from the prior survey in 2009, although some far more than others. From being the least improved, R&D went from 13 percent to 16 percent of respondents, while Finance and Treasury was the most improved, going from 54 percent to 81 percent.
Strike a balance
In the final analysis, ERM and emerging risks are tough nuts to crack and companies often conclude that they adequately manage risk without a formal ERM program, while others might swear by it. A good balance of views within the company is always healthy however, such as that expressed by one Tech 20 member, “The board is keen on ERM, but the CFO is somewhat loathe to do ‘boiling the ocean’ exercises.”