With host Parker Hannifin’s 100th anniversary as a backdrop, members learned that if they want to last for a century, they need to embrace a risk-based strategy.
This meeting cemented the belief that full integration of strategy and risk management should be a key objective for members. Some even argued that having two different terms is counterproductive, because it reinforces the separation of risk from strategy. Achieving full integration will be a journey —one that should be undertaken with urgency. One analogy: Think of integration as a smooth waltz rather than some clunky dance. Learning the steps won’t be easy, but it will help enterprises avoid stumbling into value-killing risk. Here are the recurring themes from this meeting:
1) Seizing the Moment: Risk and Strategy. The chief risk officer of a large regional bank walked members through his professional journey, providing a great example of being ready to seize the moment in a crisis. He had built a lot of skills and was able to use them when called on, helping him play a crucial role in righting the bank in the aftermath of the mortgage-backed securities meltdown. Every risk manager will run into urgent, crisis-type situations. Are you ready to step in?
2) Viewing Blockchain as a Risk Management Tool. Caitlin Long, then-president of Symbiont, gave a primer on blockchain and why it should be seen as a risk mitigation tool and not a risk. Blockchain, she argued, has the potential to reduce certain risks through better data, better audit trails and better security. Ms. Long provided examples of how blockchain can be used to capture savings within the organization and free up talent to do other tasks. How well do you understand blockchain?
3) Learning the Strategic Waltz. Dr. Paul Walker from St. John’s University, one of the newer ERM members, walked attendees through the importance of aligning strategy and risk. He noted that in 10 years, more than 40% of companies in business today will no longer exist. Anticipating, interpreting and reacting to signals and noise is vital, he said. The stakes are high, as most strategic plans fail because risk has been underestimated. Is your tool kit up to the task of tackling today’s risks?
Seizing the Moment: Risk and Strategy
Nonfinancial corporates can learn from the experience and insights of banks, which have responded from a risk perspective to the post-financial crisis regulatory environment. The chief risk officer (CRO) of a large regional bank walked members through the bank’s journey and where it is today. He shared some of the important lessons from his experiences as chief risk officer that can help nonbanks learn how risk groups can better position organizations strategically.
KEY TAKEAWAYS
1) Crises create opportunities to seize the moment. Be ready to step in and make use of your knowledge of the industry and the company to right the ship when a crisis strikes. Your effectiveness as a risk officer will depend on your problem-solving skills and your willingness to step up and embrace new responsibilities.
2) Risk appetite is still a “squishy” concept. Establishing a risk appetite has a lot of appeal to bank regulators, and banks are making progress here. However, it appears the underbelly can still be a bit soft. Quantifying qualitative risks remains tough. If you have, say, a moderate risk appetite, how do you define moderate risk? The bank CRO noted he uses a cascade of risk approach, with level 1 risk tolerances (enterprise level) and level 2 risk tolerances (business and product level). It can also help to link the definition to tangible impacts; for example, a moderate risk allows capital return via buybacks to continue. If the board determines that the company should take moderate risk, this doesn’t mean that every business or product is moderate risk. The aggregation of risk needs to be moderate, where some areas don’t take on that much risk and that is deliberate.
3) “The strategies we employ are where the real risk is.” The bank’s core business is to take in deposits and make loans—so you would think the risk is not taking in enough deposits to cover loans made. But as the CRO noted, the real risk is the strategy around the deposit—how do they take the deposit and what is the strategy to make the return that is needed to repay deposits? That risk is not always straightforward, but it is the risk that you should be measuring.
4) Today’s society is more likely to complain and do so more publicly. Reputational risk has now become a greater focus. The first step at the regional bank in question is to acknowledge the complaint and then triage how it will handle the issue and decide who will get involved.
Have a Plan and a Point Person
In a discussion of how firms coped with recent hurricanes in Houston and the Caribbean, members stressed the importance of a good business continuity plan (BCP) that allows a company to make its own luck by being prepared. A Houston-based member walked the group through her company’s Hurricane Harvey experience. She noted the importance of having a plan and point people in place long before disaster strikes. The BCP allowed each department to make its own decisions. Some units, like payroll, sent people out of the area, while some groups stayed in place.
The messaging from the top of this company to employees: Go home and take care of your family. Several members echoed this. Their companies went out of their way to make sure employees were safe and could help others. Some businesses shut down operations in advance so that everyone could get home safely. When flooding was worse than expected, the plan was to check in once a day and make sure everyone was okay. Companies provided mechanisms for communication, like setting up Facebook pages. Others gave employees additional time off.
Finally, be aware of vendor risk. Several members mentioned shipments still going to impacted areas or vendors not being prepared. Another member suggested getting the communications team involved; you want the right people on the line prepared to answer questions.
OUTLOOK
Many companies are still on the risk journey. Regulatory changes and supervised enforcement of this change have helped banks move their journeys along. Absent that regulatory catalyst, members on the nonbank side struggle with calculating and rating qualitative risk. Perhaps by turning to enterprises with a regulatory imperative to overcome this struggle, members will gain knowledge to help move them forward.
Viewing Blockchain as a Risk Management Tool
Caitlin Long, at the time chairman and president of Symbiont, a leading smart contracts platform for institutional uses of distributed ledger technology, offered members her insight on what blockchain is, what it can be used for and how to view it through a risk lens. The main theme of the session was that blockchain should be thought of as a risk mitigation tool and not just a source of risk.
KEY TAKEAWAYS
1) Blockchain provides an immutable log. Blockchain will solve the duplication and reconciliation process, since with distributed ledgers, multiple parties can view the same information at the same time, and it is information that everyone can trust (it’s a home run for health care, government and supply chains). It also offers decentralized, distributed encryption, which is extremely difficult to break. This is especially helpful when parties that do not trust each other need to share information. Blockchain enables the automation of administrative tasks. Another use of blockchain will be speeding up the payment system. Paying a bill could touch four banks, but blockchain can eliminate the need for this. It will also give full transparency to who your shareholders and bondholders are.
2) Risk managers will need to be prepared for blockchain. For example, audit plans will need to be rewritten to reflect the better data, audit trails and better security of blockchains. The risk team can help position the organization to capture these savings, and this technology may free up talent to do other things.
3) Blockchain can get you noticed. You can help two key influencers who might not be aware of the potential—the treasurer (who should have some awareness) and the chief legal person (who’s likely unaware). It gives the ERM group the opportunity to have a reasonable dialogue with treasury, chief counsel’s office and the corporate secretary. Wins with these folks will get you closer to the strategy door.
Beware of the Middle
The CRO from a regional bank presenting to the group noted the importance, when creating a culture that takes risk management seriously, of addressing and attacking a company’s middle-management level. This serves several purposes, including influencing the lower levels or “bottom” of the company through a trickle-down effect. The CRO found that if he did not get the middle on board, he would lose the bottom. This involves making clear that all employees have some risk they need to manage and confronting questions like “What does this mean to me” and “How do I change my behavior?” If you don’t get the buy-in you want around risk and need to let people go, it’s important to let others know in appropriate terms why you’re taking action. But it’s not all about avoiding risk, of course. Many companies need to create a culture that rewards risk-taking and avoids playing it too safe.
OUTLOOK
Understanding how blockchain can be used as a tool for risk mitigation and automation of risk controls will create the opportunity for members to get some wins. Blockchain eventually will be a part of everyone’s life; the only unknown is the timing. Risk managers would do well to get out in front; do the analysis and see whether there is an opportunity to create upside momentum with automation and efficiencies. And also see whether using blockchain’s risk-mitigating attributes has the potential to reduce the downside risk that will come with the change this new technology will surely bring.
Learning the Strategic Waltz
Risk managers understand the need for strategy and risk to be tightly interwoven; however, the struggle to be viewed as a central player in the strategy process is ongoing. Our newest member, Dr. Paul Walker, outlined the academic work he has done in this area and gave members an overview of his program at St. John’s University’s Peter J. Tobin College of Business and the Center for Excellence in Enterprise Risk Management that he leads there.
KEY TAKEAWAYS
1) Business is ahead of academia. There are numerous ways for ERM practitioners to drive the ERM discipline and profession forward, noted Dr. Walker. This is especially important in the area of learning how strategy and risk interact, where businesses can’t rely on business school scholarship. “The opportunity is there for risk managers to get more involved,” Dr. Walker said.
2) Businesses often do not recover from strategic losses. A study done at Babson College’s F.W. Olin School of Business predicted that in 10 years, 40% of enterprise companies will no longer exist. Further, a study by Deloitte suggests that strategic risk is most often the source of company-killing losses. Yet, most companies invest in managing operational, legal and audit risks.
3) Anticipating, interpreting and reacting to signals and noise is vital. Dr. Walker noted when he polled several corporations, almost all commented that anticipating, interpreting, and reacting to signals and noise is vital. However, many of the corporations believe that they are too late in seeing significant changes in the business, with very few believing they are too early. It’s better to be early than late.
4) “Disrupt or be disrupted.” This quote from former Cisco CEO John Chambers points to the need for firms to overcome cultural and organizational barriers to better manage unknowns and disruption. Dr. Walker illustrated this point with the disruption risk example of New York City taxi medallion prices. They’ve plunged from about $1 million in 2014 to $500,000 or less because of the advent of ride-sharing companies like Uber and what’s now called “the Uber effect.”
5) Don’t miss strategic reflection points. Another example (see chart) shows how publishers and booksellers relying exclusively on projected revenues from printed books and ignoring growing e-book options would have made incorrect strategic decisions. A risk team needs to help boards and senior management see these possibilities early at various reflection or inflection points and prove the value of consulting the team.
6) Strategic execution still matters. CEOs need help with strategy or execution. Only 1 in 5 CEOs are good at setting and executing strategy. ERM teams need to figure out how the strategy is most at risk and where to help: “Don’t try to make the Thanksgiving meal yourself if you have never done it before,” Dr. Walker said, noting that corporations often have the right idea but fail to execute on the idea.
OUTLOOK
Having a NeuGroup member who gets to see lots of ERM programs and can devote time to organizing the thinking and evaluating data will help this group get a broader perspective on making ERM a bona fide discipline. Boards want stronger assurances—with reliable evidence—that the company’s strategy and process are sound. This opens the door for a new type of strategic enterprise risk management function. The strategic reviews of old, focusing on where is the risk, are no longer sufficient; now you need to be able to predict the risk and find the talent to help you do so.