ERM Means Growth

November 21, 2014

Risk management at all levels of the enterprise is an attainable goal that encourages productive planning and responsible expansion.  

The 2014 Annual Meeting of the Corporate ERM Group focused on broadening the practice and the applicability of ERM throughout the enterprise. Given recent cyber security breaches, members are concerned with ensuring that their company is not the next victim, taking appropriate preventive steps while at the same time taking advantage of growth opportunities that incur risk. These steps focus on education and on support of both business processes and individual responsibility for risk mitigation.

1) ERM and Strategic Planning—All Year Round. While many companies’ ERM programs are characterized by an assessment calendar with a 12-month cycle, one member program has risk discussions all year long. There are certain calendared steps along the way, but ERM is not allowed to slip into the background between scheduled discussions.

2) Look at Operationalization Data. A new but related twist on working ERM into strategic planning is the notion of “operationalizing ERM,” the idea that ERM thinking is so ingrained in the business that it is not a separate activity but a natural component of operations. One company has developed a proprietary in-house tool for gathering risk data from business leaders in order to inform relevant parties.

3) Cyber Security Education. Employees need to understand the basics of how their own cyber security measures work. This includes knowing when files are and are not encrypted, understanding that one employee’s careless click can give an attacker a way into enterprise data, and keeping informed about new vulnerabilities.

4) Management vs. Optimization. Not all risks are universally harmful. Some can be leveraged for business expansion and increased profitability. Much of this balance between mitigating and accepting risk depends on risk appetites and cost-benefit analyses, but sometimes the loss from a risk is small enough in comparison to the potential gain from taking it that it’s worth the gamble... with appropriate stops in place.


Strategic Planning Integration with ERM

One of the biggest challenges in ERM is getting risk-management considerations into strategic planning and making sure that risk ownership is clearly assigned. Several members voiced the opinion that ERM and strategic planning are naturally linked, and yet the challenge remains. One company that has succeeded in integrating ERM with strategic planning offered some insight.

Key Takeaways:

  • Accountability means having a process. When top risks are identified at the enterprise level, there is an immediate focus on mitigation strategies with business unit–level risk owners assigned. These people make sure the risk-mitigation strategies align with strategic priorities and that the necessary related work is understood within the unit and above it.
  • ERM is good for business. This company’s initial risk assessments took three hours, but this was reduced as they were worked into the businesses. This required that the businesses help build ERM tools, with the result that they were useful for the businesses themselves. A mutually value-adding experience between ERM and the businesses developed, with the most value for the businesses coming from the ability to identify significant risks to their objectives.
  • Have a liaison. Every business unit has an ERM leader who understands that unit’s risks and knows who owns them. This person sits at the ERM table and makes sure that what ERM thinks is true and what is in the list of top risks and plans correspond to reality.

Outlook

No matter how high up the chain of command ERM starts, making sure it is fully integrated in strategic planning takes constant work. People are willing to put in the effort once they see how it benefits them, but ERM needs to be seen as a partner instead of just a controlling function in order to more easily gain access to business processes.

Perspectives on Cyber Security

Given the recent data-security breaches at Target, Neiman Marcus, the NSA and others, finding both internal and external threats is increasingly critical. Malcolm Harkins, Intel’s Chief Security and Privacy Officer, gave an overview of the evolving security landscape and some pointers on how to protect against cybercrime.

Key Takeaways

  1. Stay ahead of the game. Three-quarters of Fortune 500 companies see legislation as a threat to their cyber security. While you may not be able to detect the next technological advance that will allow a criminal to hack into your system, you can see legislation coming and prepare for it.
  2. Every company is a tech company. No major company operates without some degree of IT, and therefore some degree of vulnerability to cybercrime. It is worth spending some time and some money to monitor your ability to sense, interpret and protect against threats, and fill in the gaps as they emerge.
  3. Educate your employees. It is entirely possible for an unwitting employee to click on a single link that allows a hacker to get into the internal system and map the network until something valuable is found. There is a lot of scenario-testing and scenario-imagining employees can be encouraged to do, both to help the company stay ahead of potential attacks and to educate themselves on how not to be the point of entry.

Outlook

Cyber security is like the human immune system. Everything can be going great until the person is hit by a bus, likely because he or she didn’t look before crossing the road. Employees need to be taught to watch out for the things they might not think to look for and to do so consistently because threats are going to keep evolving.


Operationalizing ERM beyond Governance and Reporting

While often thought of as a function that imposes rules and circulates reports, ERM can have a much more supportive role in the company. Closely linked to strategic planning, thinking of ERM as being on the front-end as opposed to the back-end of risk management can increase the value the program brings to the business.

Key Takeaways

  • Keep focus on the most important variables. Some risks surface every year, but being able to discuss what is new among the top risks, and what was there the year before but no longer is, leads to more awareness of both risk mitigation and overall business processes. Bringing some risks rather than others to the Board’s attention focuses the Board on the key activities in the company without losing time on old news.
  • Own the process, not the risks. Part of the value added through ERM is helping the business units (BUs) think through their strategies, what they are trying to accomplish, and what key risks they need to manage in order to meet their own goals. Encouraging the BUs to look a few years down the road to see what could affect them going forward, and to prepare to manage these eventualities, allows them to manage some risks through their own planning. The ERM team can then manage the layer of critical risks across the whole company.
  • Let the process filter down to the person who has to act. While it is crucial to have someone in authority assigning risk responsibility, it is also possible that the overarching risk articulated at the enterprise level will look nothing like what the person lower down has to manage in order to mitigate it. In exchange for somewhat less direct visibility, there is reality-based and home-grown mitigation.

Outlook

Operationalizing ERM requires understanding where it fits into operations and recognizing that the lower-level operators are part of the risk-management process. Using these people’s knowledge of their own jobs to determine how they can best mitigate risks they might come in contact with is a helpful way to make sure that ERM shows its value to the person who would first have to deal with a problem from an unmitigated risk.

Integrating ERM with GRC

Despite many areas of overlap, ERM and GRC programs are often kept separate. Is this for the best, or can they be successfully integrated? One member demonstrated how ERM can better leverage GRC, especially to enhance risk culture throughout the organization beyond the enterprise level, getting managers to more consistently factor risk into their operations and expanding ERM’s relationship with related areas of the company.

Key Takeaways

GRC formalizes what might already be there. Part of promoting a risk-management culture is taking advantage of where that culture already exists. At the presenting company, this means that ERM, Global Internal Audit and risk owners, all of which are already working on their own risk governance, overlap under GRC. This type of “ERM Integration Model” does not necessarily require additional oversight, but naming the interaction and expecting integration adds cohesiveness to risk management throughout the organization. This is an especially apt model for organizations where the ERM team is made up of people in various functions besides ERM.

Outlook

Incorporating ERM into broader company-wide activities of GRC can ensure that ERM communicates with other related functions, such as audit and ethics committees, and that there is sufficient distribution of ERM responsibility. This means spreading responsibilities both vertically to the people who can manage them on the ground and horizontally to the groups where the risks are most likely to exist. In addition to using a GRC tool that might help with data collection and organization of risk responsibilities, a broad GRC function is another way to concretely foster a risk-aware culture in a large organization where ERM may seem like an abstract concept.


Assessing the Effectiveness of ERM Programs

Many companies are required to disclose their risk-mitigation activities, particularly those that are financial in nature, so it’s easy to slip into using this disclosure as the measuring stick for program success. However, there are other ways to measure the benefits of risk management that are more immediate to a company’s well-being.

Key Takeaways

  • What can risk do for you? One private company measures its risk-management success on the resulting economic gains, so when it found situations where not enough economic risk was being taken, the ideology changed from pure risk management to risk optimization—finding the right amount of economic risk for a given transaction that allows the company to meet its financial goals, but maintaining enough discipline to not take on riskier endeavors than it could handle. This involves a lot of margin analysis and focusing risk management on its ability to aid in growth.
  • Entering a new business. How do you enter a business you’ve never worked with before? Experiment and take a little risk in a disciplined way. Expanding first on a limited scale, taking a comfortable amount of risk and seeing how existing capabilities can be applied to the new business exemplifies the principle of risk optimization. If results are good, expansion continues.
  • Managing counterparties. One company that supplies raw materials emphasized the necessity of working with buyers to make sure they understand product liability and recall risk, and also to make sure contractually assumed risks are understood and remain at an acceptable level. The result is an analysis of potential return from being the supplier, as well as an assessment of potential risks and consequences.
  • Getting employees to think like shareholders. Risks that rise to the surface are brought to the shareholders to determine the acceptable level of mitigation. This is a continual process, but the end result is one strategy dictated from the top that needs to be brought down through the organization.
  • Get feedback from the bottom. When assessing the effectiveness of the ERM program, ask the person working at the bottom how they thought the process went. Then, in the meeting with the VPs and the rest of the team present, an assessment can be done that incorporates everyone’s point of view. This helps clarify any vertical misunderstandings while keeping the process at the operational level.

Outlook

There are opportunities to be had by getting people comfortable with a higher level of economic risk than they might be comfortable with if they applied their personal risk tolerance. Having a clear corporate risk appetite and making sure acceptable and unacceptable risks are understood by anyone who might be deciding to take them is key to managing risk optimization.

Conclusion & Next Steps

While some companies have well-established ERM cultures and top-down enforcement, others are coming in from the sides and the bottom and building upward. There are many ways to build an ERM program, but all are constantly evolving. Part of this evolution mirrors advances in data collection and use. Data ranging from qualitative opinions to financial impact assessments leads to a search for an ERM tool, other than Excel, to analyze it and make the best use of it. This ties in closely with the cyber security concerns and the creativity necessary to assess and mitigate such evolving risks. These are topics the group will continue to explore at The Corporate ERM Group’s next event, which will be a fall conference call on November 21, 2014.
