ERM group discusses how to get more time with the board and looks at considering good and bad risks.
Are Boards Giving ERM Enough Air Time?
Pre-meeting one-on-ones facilitate addressing ERM at the board level.
So much risk to discuss with boards of trustees, and so little time, at least during actual board meetings.
One solution may be deep dives with each board member prior to the official board meeting, informing them more fully of the company’s risks and lessening the chance for problematic board-meeting confrontations.
For most companies the number of risks to consider is growing, and how each risk is addressed inside an organization typically varies widely. Ongoing cybersecurity risk can have scores if not hundreds of employees dedicated to mitigating it, while an emerging macro risk may be identified but yet to find executive ownership within the company. So how does the enterprise risk management (ERM) function address such a panoply of risks with the board of trustees, often in a presentation of less than an hour that may be scheduled just once a year?
Education facilitates. In the NeuGroup’s recent Corporate ERM Group meeting, a member described how his company is now looking into modifying its program so more than just a few minutes is devoted to the explanation of each risk to the board. ERM Group members commiserated at length about that challenge, but only one solution drew “oh, wows” and other gasps of approval: Sitting down one-on-one with each board member prior to board meetings to discuss in depth the pertinent risks.
“We walk each board member through the presentation, so once we get to [the board meeting] they already know what they would ask about or recommend before the full board,” said the head of ERM at a large technology company.
From the top. He noted that the approach took several years to put in motion, and ultimately the company’s CEO suggested it to the board, on ERM’s recommendation. It was put in place last year. The meetings, scheduled over several months before the board meeting, are typically attended by the corporate treasurer and the head of ERM, and sometimes audit. If the board member asks detailed questions about a specific risk, the team follows up with the executive who owns that risk. During the meeting, the board member is also asked whether he or she sees risks that are not being adequately covered.
“Believe it or not, some board members don’t want to display their ignorance or lack of knowledge [about certain risks] in a board meeting,” the ERM head said, adding that by educating board members beforehand, during the board meeting they go straight to the point—“no nonsense.”
He said that during the board meeting, board members no longer ask, “Why didn’t you think years ago about flooding in Thailand,” because they’ve already had the opportunity to ask about it and hear the explanation during the one-on-one. “And ERM doesn’t get blindsided.”
Standards Org Boosts ESG
COSO guidance supports new ESG risk framework.
Environmental, social and governance (ESG) risks have gained prominence in recent years, raising the likelihood that boards of directors will ask how they fit into their companies’ enterprise risk management initiatives. But help on that front arrived late last year in new guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
At NeuGroup’s recent Corporate ERM Group meeting, in a session about updating the ERM framework and other guidance from COSO, Paul Sobel, chief risk officer at Georgia-Pacific and current COSO chairman, noted that ESG risks have become increasingly important. He pointed to the World Economic Forum’s assessment that the top five risk likelihoods and impacts globally in 2019 are predominantly ESG-related, while 10 years ago they were mostly economic.
Why it’s critical. Mr. Sobel added that a 2018 Ernst & Young survey found that 80% of institutional investors agreed that companies have failed to consider environmental and social risks and opportunities to their core businesses, and nearly half of shareholder proposals in the US were related to those issues. The Wells Fargo and Volkswagen scandals are examples of poorly managed governance risk.
The World Business Council for Sustainable Development (WBCSD), comprising upwards of 200 large global companies seeking to understand and manage ESG risk, had come under pressure from its funders to develop an ESG risk framework. Instead of reinventing the wheel, it approached COSO, whose mission since its founding in 1985 has been to provide comprehensive frameworks and guidance on ERM and related areas, including internal control and fraud deterrence.
“Last October we issued guidance on how to use the COSO framework to think about, identify, assess, understand and hopefully manage ESG risk,” Mr. Sobel said.
An ESG resource. He added that the 120-page document is longer than COSO’s actual ERM framework because it is essentially a reference guide providing numerous examples of how ESG risks have manifested themselves and techniques to potentially manage them. It also refers readers to websites to get more information.
“One of the unique things about [ESG risks] is that some may manifest themselves over many years, making them difficult to assess,” Mr. Sobel said. “But if we’re talking about materiality, then these are some of the highest-impact risks out there.”
Environmental risks are related to climate change, natural resources, pollution and waste, and environmental opportunities; social risks are related to human capital, product liability, stakeholder opposition and social opportunities; governance risks involve corporate governance and behavior.
How it should help. The joint COSO/WBCSD guidance on ESG risks echoes COSO’s newly revised ERM framework and identifies five main components specifically for ESG: governance and culture; strategy and objective setting; performance; review and revision; and information, communication and reporting. Performance for ESG-related risks is subdivided into identifying risk, assessing and prioritizing it, and implementing responses.
The NeuGroup member noted several ways in which the guidance can help organizations:
- Enhanced resilience.
- A common language for articulating ESG-related risks.
- Improved resource deployment.
- Enhanced pursuit of ESG-related opportunities.
- Realized efficiencies of scale.
- Improved disclosure.
Risk Without Reward?
Corporate risk appetites are incomplete without considering upsides.
Generating a formal corporate risk appetite and imbuing it throughout the company is critical for executives to make good business decisions. Nonetheless, a complete risk appetite must also include the potential rewards.
“In most commercial areas, if you are offered an opportunity and there’s some risk associated with it, is that risk acceptable or not? I have absolutely no idea unless you tell me what the potential reward is,” said a participant in a recent NeuGroup Corporate ERM Group meeting.
Developing a risk appetite. The comment arose in a session in which representatives of another NeuGroup member presented the company’s effort to develop a risk-appetite statement that can be applied across the company to aid decision-making. The effort was important, one representative said, because the executives didn’t have a tool to gauge which risks were more important than others, and consequently how to prioritize resources to address risk.
He noted that his company’s risk management framework is designed to support better decision-making while helping deliver its objectives, and he displayed a graphic illustrating the framework that other members praised as very comprehensive yet concise. As part of a risk governance structure, the graphic listed four main types of risk, and then elements of risk hierarchy, appetite and policy architecture; it also noted the tool set to deal with risk.
The presenter explained that his company views risk appetite as important because it:
- Helps maximize opportunities while keeping risks under control.
- Establishes clear boundaries for taking and accepting risks.
- Increases transparency and awareness, helping align board and management expectations.
Risk decisions are incomplete without potential rewards. Soon after, the member, noting the importance of considering the potential rewards from executive decisions, cited his “conceptual problem thinking about risk appetite in isolation,” adding, “We’ve found it important to step back and think about risk in general, and we’ve concluded that reward and risk are inseparable.”
The presenter said that the current version of his company’s risk-appetite statement now in the works aims to consider reward—or “profit” in his company’s nomenclature—as part of institutionalizing risk appetite into decision-making. His ERM team colleague noted, however, that so far the statement has not captured decisions’ upside opportunities.
Risk radar drives discussions. The presenters then displayed a color-coded risk “radar” in the shape of a square, with the center being the optimal balance of risk vs. risk controls, the top right in red representing the acceptance of too much risk and the bottom left in green too little. A decision falling in the red area should prompt decision-makers to reduce risk and/or tighten controls. A decision in the green area should prompt taking on more risk and/or loosening controls, implicitly suggesting an exploration of the decision’s potential rewards.
“So the risk appetite is designed to let people take on more risk” if necessary, the presenter said, acknowledging that measuring the potential reward is difficult, and “finding that opportunity between opportunity and risk is tricky.”
His colleague added that developing a quantitative risk appetite remains a journey in progress for his company, requiring a culture change and a different level of awareness and understanding of risk among decision-makers. Nevertheless, the risk appetite statement and tools such as the risk radar are driving discussions about when the company is accepting too much or too little risk in light of factors such as current resources and controls devoted to managing it, and potential rewards or upsides.
Another member agreed, noting blogs that question the necessity of developing a risk appetite statement. He argued that, in fact, such statements play an important role.
“For one, it gets the board involved so it can exercise risk oversight responsibilities, and two, the statement is less important than the conversation that goes on around it,” he said.
Get Ahead of Future Surprises
Cross-functional brainstorming about future risks can give companies a head start.
No company can predict all the emerging risks it may face, but pooling different perspectives and experience from across the company could give it a leg up on competitors. The idea is for this gathering to game out how specific risk scenarios may unfold and pinpoint what to look out for as early indications of an inflection point.
At the recent Corporate ERM Group meeting, Michael Zuraw, senior director of global enterprise risk management (ERM) at ON Semiconductor, a $6 billion Fortune 500 technology company, described in detail his team’s approach to organizing such day-long events. Largely unstructured, they are typically populated with executives a level or two below the C-suite and focus on a single, large, unifying trend. The annual events prompt attendees to imagine two or three plausible scenarios for what issues may develop 15 or 20 years into the future as a result of these shifts.
“From a meeting coordinator standpoint, the scariest thing about these sessions is that they’re very unscripted, and we honestly don’t know where they will go,” Mr. Zuraw said of what are called emerging risk scenario planning sessions.
The theme last year was autonomous connected vehicles, and the year before it was geopolitics. This year’s meeting will explore how the artificial-intelligence (AI) environment might in 15 years or so shape the company’s drivers of value, customers and sales of its products.
“Then we try to work backwards … If that’s the world in 15 years, what will happen as it unfolds,” Mr. Zuraw said, adding, “Is there an inflection point, and can we put leading indicator-type ideas around that inflection point, to give warning when it may arrive?”
A company monitoring for such indicators may then pick up on the inflection point before its competitors and have a clearer idea about the first steps to take to respond to the potential risk. In terms of AI, Mr. Zuraw said, one risk avenue to explore may be how the technology impacts the company’s current manufacturing process and footprint, including potential disruption to political and societal stability around the world.
Another group member said his firm is considering a similar exercise and asked whether his peer has used any “external facilitation” to prompt discussion. Mr. Zuraw responded that his team had invited the DC-based Eno Center for Transportation for the connected cars meeting, and will use an AI expert from Microsoft at this year’s event.
The emerging risk scenario planning session themes are not simply plucked from the headlines, he said, but rather compiled in a list generated from discussions with executive management and the board of trustees. Climate change may be an upcoming theme.
A stenographer provides a detailed script of the discussion and ideas generated by the cross-functional attendees, the roster of which changes each year. Then a one-page summary is provided to board members, explaining how the risk scenario progressed, the key value drivers at risk, the potential impact and opportunities, the leading indicators of an inflection point, and the two or three steps to take should those indicators emerge. A more in-depth, five- to six-page report analyzing the two or three event scenarios explored by the group is then officially filed for the record and distributed to recent and prior event participants.
“We have people who actually want to go, and having folks want to go to a day-long meeting has never happened before,” Mr. Zuraw said. “People actually enjoy it, and want to be included.”
More profoundly, the goal is to inspire executives to think more creatively about risk. The hope, he said, is that key people walk out of the room thinking about risk differently, especially those who will attend the executive strategy meeting that typically takes place soon after.
“We don’t know what we don’t know, and we probably don’t know what we think we know,” he said. “So part of this is getting used to a risk-aware culture.” Decision-making is always done in an environment of uncertainty, so risk is simply part of the equation.
Mr. Zuraw noted that when participants determine important inflection points and the steps to deal with them, at times a light bulb flashes that, in fact, it would be worthwhile taking those steps sooner rather than later—regardless of any specific future scenario.
In one minor example, he said, the geopolitics planning session led to the realization that operating more “locally” everywhere the company does business is important. As a result, a community service and volunteerism program now operating in Phoenix is being rolled out across more than a half-dozen countries in the coming year, and—eventually—across all the company’s units worldwide. “Why not just get involved because it’s a good idea anyway?” he said.
Reputation an Amorphous Risk
Social media’s insidious impact and the difficulty of managing reputation risk.
Forget about major events that can impact a company’s reputation. Accusations of corporate wrongdoing spread via social media don’t have to be correct or accurate, and they may never go away. But is reputation really a risk from an enterprise risk management (ERM) perspective?
A participant in the NeuGroup’s recent Corporate ERM Group meeting noted a blogger’s accusations about one of his company’s products, which prompted five days of calls between the general counsel, three senior attorneys and the head of communication. Those tiny “mosquito bites,” he said, in which incorrect or misconstrued information spreads rapidly over the Internet, can burn up enormous resources and time.
Another participant noted that Google and Bing searches may resurface such accusations years later, often without the retraction that was published at the time.
Reputation’s place. Corporate reputations can be damaged, but participants debated whether reputation is actually a risk, since unlike product liability, intellectual property, cyber and other clearly defined risks, few mitigation measures can be taken in advance. The member leading the ERM Group session, called “Managing the Risk Register,” shared a graphic illustrating image and brand reputation stretching in a band across four columns of risk types: strategic, operational, legal and compliance, and financial. The different risks his company faces, ranging from innovation and technology to internal control environment, were placed under their appropriate columns, several sharing two.
Another member said he “struggled” with how to think about the graphic because it suggested reputation was a risk, but “I’m not sure if we want to call something a risk if it’s not manageable as a risk.” Other members agreed, with one saying his company considers reputation and financial consequences to be impacts of a risk event, since they are the outcome of risks unfolding rather than risks themselves.
Decision-making. The session leader essentially concurred, suggesting the graphic, with “brand reputation” as a solid band across all four risk categories, was more a reminder that ERM’s goal is to enable executives to make better business decisions while considering their potential risks.
“Part of what we think ERM can drive is more proactiveness and readiness,” he said. “So when you have an event, it’s not the event that’s going to drive the reputation impact, but how you handle it—the decision-making that goes on when the event happens.”
Another member asked whether any peers’ companies viewed reputation as an actual, stand-alone risk. One responded that his firm does not view it as stand-alone but instead part of a mixture of other risks. Nevertheless, given that the company sells its product directly to consumers, its new CEO has invested heavily in understanding the impact of reputation, contracting with the Reputation Institute, which surveys consumers’ perceptions around organizations’ reputations.
Damaged reputations. “Does it ever boggle your mind how companies caught making egregious mistakes, such as Wells Fargo and Volkswagen, do not appear to have experienced long-term reputation damage?” asked one participant.
Fellow members begged to differ, and one noted he and his wife severed ties with Wells Fargo as a result of its seemingly avoidable troubles. “Wells has taken a huge hit reputation-wise,” he said.
Another said that “part of the benefit of having a great reputation is that the company gets the benefit of the doubt. If Volkswagen were to say, ‘There’s no software problem and our cars do what they say,’ would anybody believe them?”
Forget Handbooks, Videos Great Way to Communicate ERM Mission, Risks
Video is key to getting out the ERM message on what it does, key risks.
Enterprise risk management serves little purpose unless the policies it creates can effectively be conveyed to management and more generally to employees. Currently that task may mean competing with pets.
One participant at NeuGroup’s recent Corporate ERM Group meeting said that his team has set up channels on Yammer, a Microsoft social-networking service used within organizations, that are devoted to risk optimization and megatrends. The intent is to use the channels to provide videos and other materials to educate employees about ERM.
“Another channel shows pictures of pets, and more people follow that one than either of ours,” he said, adding that he nevertheless sees significant potential for ERM in such channels if employees can be persuaded to follow them. “Long term, this is the way millennials want to get their information, so we have to figure out how to use it.”
Recently, Caterpillar’s ERM team won a Telly Award for its catchy, 1960s, Jetsons-esque explanation of how enterprise risk management can help increase “total enterprise value,” which is described as the “theoretical purchase price of Caterpillar, plus future earnings.” ERM can affect this by “lessening exposure to risk by reducing negative uncertainty.” Even moving the needle slightly in a positive direction “can add billions to the total enterprise value,” the video says.
Communication alternatives. At the ERM meeting, attendees swapped ideas about effective ways to communicate ERM risk policies. One recalled a peer who a few ERM Group meetings ago showed members pamphlets his company produces to describe risk policies. The pamphlets were “risk management 101” but effectively conveyed the basics. The peer said his company still produces them. Its new open-space office environment has complicated distributing the paper version, but they are available online.
Another member of the ERM Group said that most such communications are now done via video, either by hiring a videographer or via animation, and the others generally agreed. Like a Yahoo page, the videos are ranked by popularity and may be visible on the company’s website for one or several weeks, eventually disappearing from the screen but remaining searchable in the archive.
Lessons learned. Members of the group laughed, however, when asked how many ERM teams actually have a budget for a videographer, given that a three-minute video typically costs between $5,000 and $10,000. Some lessons learned by members of the ERM Group:
- The video has to be captivating, perhaps involving a star at the company.
- Coaching is key, to avoid the appearance of a “hostage video.”
- Animation can be very effective, and it’s less expensive than a videographer.
- The most effective videos are two or three minutes in length, although highlighting a well-known and highly respected personality can extend it.
- Videos discussing policies, plans and other general overviews are more effective if illustrated by concrete examples that speak to specific subgroups.
- Such videos, if they’re not time-stamped, can be recycled in a year or two, or used in training sessions.