
Opportunity Aversion

For better or worse, corporate governance activities have dominated executive decision-making in public companies over the past 18 months. With the Sarbanes-Oxley Act filing deadline for Section 404 now passed for large companies, the natural question is, "What's Next?"

How about enterprise risk management? Big accounting firms and others in the governance consulting game are aggressively arguing that corporate compliance activities are merely a springboard for bringing ERM into organizations.

"Compliance isn't the destination - it's just the start of a journey to corporate excellence," is a common pitch these days. Instead of viewing Sarbanes-Oxley as an additional cost with little economic benefit, compliance is offered as a step to create a corporation better able to manage its many risks.

There is a seductiveness to this idea. Why not create something useful out of a government-forced investment? Companies, however, should think twice or three times before letting a governance-centric approach underpin corporate ERM activities.

The distinction is obvious. ERM's central purpose is to enable a corporation to take quality risks to create new corporate wealth and value. Among other things, this means that all decision makers at all levels of the organization know and understand a variety of risks to the best degree possible, and understand that some risks lead to opportunities. Such an organization understands risk volatility, how risks can couple into chains, and how disparate risks can create multiplier effects. Importantly, the corporation balances its appetite for risk with its capability to tolerate a risk if it turns into a problem.

A corporation with an effective ERM approach can gain competitive advantage by chasing "risky" opportunities others cannot, because it manages those opportunity-associated risks better than its competitors. A key reason for this is that its people are not afraid to identify, communicate and manage the risks in an integrated, open and holistic fashion.

It is pretty clear that creating a corporation with such a mindset requires a change in organizational culture, a point that compliance-to-ERM advocates readily admit. Most corporations have balkanized approaches to managing risk, and many executives would rather announce that they have a venereal disease than admit to risk in whatever task they are working on. It is a lot easier to ask for money to solve problems (wait for a risk to materialize) than to explain why you need money to try to avoid something that might never happen (and if it doesn't, you can't prove that risk mitigation saved the day).

Building on a governance or compliance-centric approach to ERM risks creating a control mindset to risks. Just look at the words in the COSO integrated framework for internal control, the guiding document for most corporations in their quest for Sarbanes-Oxley compliance: "The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure." Do you really want to build an ERM approach - one that seeks out new risks to conquer - on top of a "control consciousness" culture?

One large international corporation I have dealt with attempted such an approach, and found it very unsatisfying. The organization was worried that it was losing its innovative edge and believed that instilling an ERM culture might help get it back. Senior management, seeing all the money it was spending on compliance activities - perceived as risk management - decided it could piggyback on these activities. So it ordered its internal audit organization to create and instill the ERM activities across the organization, since internal audit was in charge of the corporate compliance activities.

Major complaints soon arose to senior management from managers across the company who were receiving mixed messages. "You sic the internal audit guys on us on Monday, telling us we have to ensure that we don't take any risks that might send the CFO or CEO to jail. Then on Tuesday, these same guys are back telling us we need to be more innovative."

To avoid a cynical reception for ERM, the messenger is as important as the message. The U.S. Army let a compliance mentality rule its organizational culture in the 1980s and 1990s, creating a "zero-defect" mentality - one where a single mistake could end a career. The result, which the Army has been desperately trying to undo, is an organization filled with people afraid to innovate, lest they fail.

Compliance activities should not be seen as corporate risk management activities but as specific problem management activities - you either comply with the regulations or not. Compliance only becomes a risk management activity if you are making a conscious decision not to follow the regulations - something that corporate executives are going to jail for now.

If you want to create an ERM culture within your company, separate those activities from your governance activities. ERM requires a different mindset and organizational behavior than governance, and that difference is more than simply adding new risk management practices. Yes, there are some overlaps (compliance is a proper subset within the world of ERM), but good governance should result naturally from ERM, not be imposed by the government. Compliance is to ERM as auditing is to financial management. Auditing is helpful to keep the regulators and the tax man at bay, but the results don't create the information needed to run the business or create new wealth.

Charette's Recommended Reading:

  • The Timid Corporation: Why Business is Terrified of Taking Risk, Benjamin Hunt, Wiley, 2003
  • Corporate Aftershock, Christopher Culp and William Niskanen, Wiley, 2003
  • The Risk Management of Everything, Michael Power, Demos, 2004, available at www.demos.co.uk

Robert Charette is president of the risk management consultancy ITABHI Corp. and director of the Cutter Consortium's ERM & Governance practice. He can be reached at charette@itabhi.com.
