Nearly every corporate executive will agree that business risks are becoming more prevalent and increasingly complex. An endless list of trends and developments—including ransomware attacks, regulatory change, political uncertainty, terrorism, climate change, disruptive innovation, and many others—is making it increasingly difficult to manage and respond to risk.
To cope, many companies are starting formal enterprise risk management (ERM) initiatives, often with the help of internal audit, to coordinate their efforts and manage risk in a more consistent and holistic way across the company. Such efforts, of course, aren't new. The first academic papers on ERM began to emerge in the mid-1990s and the first ERM frameworks date back to 2003 and 2004. Since then, many companies have initiated ERM programs, yet most are still in the early stages.
"We are still very much on the upswing on the maturity curve for adopting and developing ERM programs," says Mark Beasley, a professor of enterprise risk management at the Poole College of Management at North Carolina State University, and director of the university's ERM Initiative. For Beasley, that fact represents more of an opportunity than a problem. He sees a chance for organizations to develop a more unified approach to risk management. "The volume, complexity, and uncertainty of risk is rising very fast. We need a more formalized, integrated, and consistent approach to risk management," he said.
Beasley, who spoke on ERM last week in Chicago at MISTI's Chief Audit Executive Master's Program: Perspectives of 100 CAEs, says there are five common opportunities for enhancing the ERM journey. He listed them during a presentation at the event. "This is where some organizations are trying to think differently when it comes to risk management," he said. The idea of ERM being a journey is important to Beasley. He said that some companies make the mistake of undertaking ERM as a one-time project and not a long, ongoing process. "It's a common problem for ERM initiatives, particularly if the board asked the CEO to do it, but the CEO isn't really on board with the idea," he said.
Five common opportunities for enhancing ERM:
1) Strengthen integration of ERM with strategic execution
According to Beasley, for an ERM initiative to be successful it has to be viewed as a valuable strategic tool. "You absolutely have to link it to strategy and position risk thinking with strategic execution. Executives speak the language of strategy," he said. To do that, management needs to consider the risks to the strategy, such as what might prevent the company from executing it, as well as the risks of the strategy, such as pursuing the wrong strategy or triggering unintended risks from the successful pursuit of an initiative.
Another link between ERM and strategy lies in the assumptions that the strategy is based on. "Help me understand the big assumptions we are making," said Beasley. "Every strategy has assumptions tied to it." If ERM can provide more insight on those assumptions, then the strategy has a better chance at success.
ERM can also be linked to strategy by illuminating the risk vs. reward equation. "To what extent is ERM prompting management to identify the opportunities to take risks?" asked Beasley. "Risk and return go together, so that risk information ought to be informing my strategy planning and execution," he added.
2) Look for interdependencies and clusters of risk drivers
The second opportunity, according to Beasley, is for ERM to shed more light on how different risks can interact to create bigger risks. "You need to drill down to the root cause of risks," he said. ERM can provide a good tool to do that since it gathers thinking and information about different risks all in one place. They aren't siloed out in the organization where it may not be clear how risks are connected. "We need someone to assess the robustness of our thinking on risk. Lose sight of the detail, and we lose sight of the connection between risks," said Beasley. "When you look at what may trigger the risk or what the root causes of risks are, you can better see how they can converge," he said. "It's looking at it from a more integrated perspective to say, 'It's not just a standalone risk. If I can reduce the root cause, it may have an effect on several different risks.'"
One of the common arguments for not adopting ERM is that good managers should always be thinking about the risks, and carving them out into a separate function could provide a false sense of security among front-line managers that they are being managed by others. But a siloed approach doesn't allow the company to see how different risks may interact. "People are realizing that risks don't behave in isolation and a risk does not know your org chart. If they hit, they will hit in a variety of places, so we need to have a better understanding of that," said Beasley. Since ERM is more holistic and cuts across the organization, it can help organizations see those interactions better.
3) Strengthen metrics to monitor risks
The next opportunity is to get a better understanding of what drives risks and the indicators that risks are increasing or declining. "Management dashboards are loaded with performance indicators, but what about risk indicators?" asked Beasley. He said the organization should be putting together key risk indicators (KRIs), in addition to key performance indicators (KPIs), and that an ERM program can help it do that. "The question here is how robust is management's understanding of what might trigger the top risks," he said. "The current system for monitoring risks has room for improvement. KPIs, for example, are historical and based entirely on internal data, while KRIs are forward looking and can pull data from external and internal sources."
4) Develop "playbooks" for top risks
Along with lots of robust information about tying risk to strategy, understanding how they interact, and what the indicators are, ERM has a great opportunity to do more to help organizations respond to risks when they are triggered. Beasley called them "risk playbooks" and said companies should have one for each of their top risks. "It's critical that we carry it to the level of what we are doing about the risk. What is the game plan if the risk is realized? Or if the risk starts escalating, have we proactively thought about how we will react?"
A playbook can put detailed information in the plan and can be used in various parts of the organization that could be affected by the triggered risk. He says a risk playbook can have timelines and external reporting triggers built in. "So it's not just what we can do to prevent it, but how do we deal with the consequences if we can't do much to prevent it. How do we stop the bleeding if it starts to occur?"
5) Name the barriers to implementing ERM
There are some common themes of resistance to ERM, said Beasley, such as:
- We already think about risk without ERM
- It's too costly versus the return we stand to get from it
- We don't have the resources and manpower to devote to it
- It just creates too much complexity
- There is no measurable return on investment
- It adds bureaucracy
- and several others
According to Beasley, there is an opportunity to identify and understand these barriers to ERM in the organization and overcome them. "You need to find strategies to navigate around the barriers," he said. That's because implementing a robust ERM program can pay big dividends for companies that get it right. Beasley identified three payoffs of implementing ERM:
- Move more unknown risk to the known state. "It's not acceptable to say, 'oh, we didn't know that was happening in the organization,'" he said.
- Link risk management to the strategy and business model of the organization.
- Enable more robust and rich conversations about risk in the organization.
"ERM is not becoming easier, but it is becoming more critical," said Beasley. "Risk and strategy is the link, and ERM is an important strategic tool."