Why ERM Fails
APQC recently spoke to Kristina Narvaez, President & CEO of ERM Strategies, about enterprise risk management (ERM). In the interview below, she talks about several factors that tend to undermine ERM programs.
APQC: What are the essential components of an effective ERM program?
KN: First off, I have yet to find the perfect ERM program. Some organizations have been more successful at implementing their programs than others. So, let’s consider why.
A successful ERM program has three key elements: (1) a clear and concise charter stating the purpose of the program; (2) the right ERM processes in place and the right technology to collect, aggregate, and report crucial information to decision makers; and (3) the right people with the necessary skill sets at various levels of the organization who understand how the ERM process can best engage the senior-leadership level, the executive level, and the business unit level.
You also need a member of the senior-leadership team to champion the ERM program. And you need various executive-level managers working together to assimilate risk information from various corners and analyze how it impacts the organization as a whole. Most important, you need risk management practitioners who truly understand the mechanics of the ERM process: risk identification, risk assessment, risk analysis, the implementation of controls, and risk monitoring. They also need to be committed to regular evaluation of the ERM program and continuous process improvements.
Then there’s the issue of where ERM should reside. It is surprising how many organizations try to combine the risk management function and the internal audit function in an ERM program. You need both risk management and internal audit to collaborate together in an ERM program but not compete against each other. You need both internal audit and risk management to do their jobs independently, but share their findings with each other.
Internal audit's role in ERM has several aspects: to give assurance about the effectiveness of the risk management process, to evaluate risk information gathering and reporting, and to see where the gaps in the ERM process lie. For its part, the risk management team should set the risk appetite, the risk strategy, and decide on the most effective risk treatments. The risk management team should also be training managers on how to use the ERM process in their various business units. But of course accountability for risk should lie with each risk owner.
Finally, many organizations lack both a board-level risk committee and an executive-level risk committee. I think having both is essential in terms of governance and communication.
APQC: Why do we see so few companies adjusting their strategic plans after major risks have been identified?
KN: Dr. Torben Juul Anderson from the Copenhagen Business School noted in his 2010 book Strategic Risk Management Practices that "in many organizations, it is common practice to consider risk management activities and the corporate planning process as two entirely separate management process."
I feel the reason for this may be ascribed to the fact that current risk management approaches in many organizations focus on obtaining protection against potential negative outcomes and not on how risk taking can also create opportunities for an organization.
Dr. Anderson also states in his book that "risk management is not received as an integral part of strategic management considerations or as part of the value-creation proposition. Yet, many of the key components within the formal risk management cycle are comparable to central elements of the strategic planning process. In both cases, their objective is to provide comparable, sequential, and rational analytical steps comprised of: (1) identification, data collection and analysis, (2) evaluation and planning, [followed by] (3) management actions and monitoring of outcomes." He also states that "the tools applied in the analysis of strategic issues are in many ways similar to the approaches adopted to identify risks within a formal ERM framework. An important element of the strategic planning process as well as the risk management process is to evaluate the robustness of existing and alternative strategies within a changing risk landscape." All in all, the strategic planning process and the ERM process can fairly easily be incorporated into the same framework, which means that ERM evaluation can become part of the corporate strategy development process.
APQC: Our new case study on Rockwell Collins explains how the ERM team is sensitive to the fact that some people in operations may, for a variety of reasons, be resistant to the ERM process. The case also highlights the need to be creative in how you keep people engaged. What are some keys to building a culture that embraces ERM?
KN: There is a large utility company in Salt Lake City, Utah that had one division leader who was very resistant to implementing ERM in his division. The chief risk officer (CRO) of this utility company resolved the concern by asking the division head to sit on the Executive ERM committee. Then, the CRO engaged the division leader in conversations about organization-wide risk. When the division leader started seeing the various risks in the organization that were outside his responsibilities, he started to catch the vision of ERM. He eventually became one of the strongest ERM champions in the organization.
My point is that ERM facilitation workshops and ERM committees do provide opportunities to break down silos and resistance and help various levels of leadership in the organization understand the different types of risk. Dr. Paul Walker from St. John's University said it best in your latest APQC report on ERM that you need to realize that most business leaders have never been trained in ERM. It is not taught in many business schools. So how do leaders gain practical awareness of enterprise-level risks? This happens when there is an understanding of how interconnected risks exist in the organization. That’s when you see leaders wanting to understand how it all impacts their duties and responsibilities.
APQC: Our survey showed that only 26 percent of organizations describe their ERM processes as being mature. Big companies like GM are now being questioned about the way they handle risk. Will this current spotlight prompt companies across the land to reevaluate their attitudes about ERM program implementation?
KN: Realize that both Lehman Brothers and MF Global had very comprehensive ERM programs and very knowledgeable CROs, and they still failed.
Why did this happen? In both cases, the CRO's advice about risk-taking activities was ignored by the CEO. Thomas Stanton, staff member of the Financial Crisis Inquiry Commission, in his recent book "Why Some Firms Thrive While Others Fail," highlighted the issues that can surround the role of the CRO. "In the crisis, too many major firms nominally managed risk but took actions that threatened the firms' survival. One organization that failed (Freddie Mac) fired the CRO. Another (Lehman) sidelined the CRO to a lesser position. At a third firm (AIG), a part of the firm that was taking excessive risk (AIG Financial Products) simply denied the corporate CRO access to information. Other firms (such as Citigroup) lacked capacity to aggregate information about risk exposures across the enterprise. More recently, MF Global dismissed its CRO after he challenged the size of the firm's bet on European sovereign debt."
Until the status of CRO is raised in many organizations, ERM will not be seen as a necessary business practice. On a positive note, we are starting to see progressive organizations building ERM into their strategic planning and decision-making processes. These organizations are supporting this integration with thoughtful resource allocation and investments. And at the business unit level, these companies are using the ERM program to measure risk-taking by employees. Connecting risk and strategy is where ERM is headed, but it isn't there yet.
Kristina Narvaez writes regularly in the ERM Strategies blog. She has co-authored a paper that will be published in May 2014 in the Journal of Risk Management in Financial Institutions entitled "CRO-The Hire Wire Act in the Financial Sector."
To learn how successful ERM programs work at companies such as the LEGO Group, Rockwell Collins Inc., and Exxaro Resources Ltd., be sure to read our new best practices report: Enterprise Risk Management: Seven Imperatives for Process Excellence and listen to our free archived webinar: Enterprise Risk Management: A New Landscape Prompts Change.