
The Top 10 ERM Mistakes

Enterprise Risk Management ("ERM"), and what we should and shouldn't be doing to implement ERM within our organizations, is still evolving. We hear about this concept and appreciate how it can invigorate, or in the best of worlds, re-invent, our business. And while we're beginning to understand what makes it succeed, we are learning, in equal measure, what makes it fail.

What are the key issues for ERM today?

Risk professionals mostly agree about the key drivers of the ERM process. Indeed, in recent years, the pressures have sorted themselves out by degree of urgency. At one end, we're driven by statutory compliance. At the other end are the nice-to-have risk initiatives we willingly take, given the time and money, because they actually help the business. Between these extremes, lots of hands are out - investors insisting on increased disclosure; market/credit analysts demanding stronger transparency; auditors clamoring for more forward-looking reporting; stakeholders demanding that we stabilize any material risk that affects our solvency.

What can you do about them?

For a start, there are well-documented successes by notable corporations we can model. There are frameworks that tell us where to start. We have analyses to help us differentiate operational vs. financial vs. business risks. We have ways to measure and map our vulnerabilities; banks of data to help us define our appetite; and consultants to walk us through the maze.

We have all of this, and a database of charts, to show the Board. We can argue that our best defense is an offense. And we can plead persuasively for the Board's support in our struggle to develop a culture where all significant business decisions are based on a risk-adjusted capital model. These issues help us understand: (1) why we need to act, (2) what we need to do and (3) how we need to do it. The question is, what have we learned about: (1) when we shouldn't act, (2) what we needn't do or (3) how we mustn't do it? In science, there's a place for failed experiments, for refining the process by saying "this works, this doesn't." Risk is less forgiving.

Top 10 Things You Shouldn't Do About ERM

Because ERM responds to traditional questions with non-traditional answers, the old verities are gone. The answer to seemingly obvious risk questions could have wholly different versions, depending on the audience. The same goes for the consultant, auditor, attorney, regulator, or any risk-owner at any link in the corporate value chain. Each has an institutional memory and vested interest, so each has a sense of what to do. By contrast, losses being more nagging than wins, we might be closer to consensus on what not to do. Like Thomas Edison, how can we avoid two thousand ways not to make our light bulb?

1. Don't wait. ERM is a process, not a product. It takes time - it can take years - to make it happen properly. If you haven't already started, you're late, especially with regard to compliance.

2. Don't bite off more than you can chew. ERM is a process, and so, by definition, it's incremental. Start with a battle you can win. Pick a risk that will make a difference, change behavior, attract attention.

3. Don't stop. It's absolutely critical to understand that the risk map you're showing the Board is a means, not an end. It might attract attention, but it won't change behavior or save money by itself. Think Churchill, after Rommel's defeat: "This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning."

4. Don't waste what you've already done. They may not be self-evident, but there are surely good answers to the question "I've complied, now what?" Have you collected data you can redirect? Can you transfer your ERM template from finance to operations? Have you evolved best practices, generated intellectual capital or created alliances you can leverage?

5. Don't overestimate the value of dedicated software. The best IT vendors have kept pace with the problems. Having immediate access to risk information that is comprehensive is a huge edge if you're big, especially complex or uniquely high-risk. But here, as elsewhere, technology is an edge, not a magic bullet. Used properly, you can score certain ERM victories on an Excel spreadsheet.

6. Don't discount the softer risks. The discipline continues to develop ways of measuring risks that, before the flood, wouldn't have been recognized as "risks," much less "measurable." Not having an executive succession plan is a risk. Ample data, clear precedents, and new metrics exist and can be used to assign quantitative values to qualitative entities.

7. Don't be a hero (1). You can't manage risk from the top without help from the top. On an enterprise basis: no sponsorship, no success.

8. Don't be a hero (2). You can't manage risk, top-down, without help from the sidelines. This is as true for the executive as for the plant manager. More and more, ERM successes are being scored by internal coalitions.

9. Don't be a hero (3). There are specialists in this business who can import the framework and manage the process. They can provide or complement in-house resources; monitor compliance; gather, store and manipulate data; preserve confidentiality; assemble and facilitate cross-unit alliances; extrapolate local successes around the globe. They can help you convince the Board that high employee turnover can be as endangering as a computer worm or gases under pressure.

10. Don't think the pressure's going away. This isn't a bad thing. In days to come, MBA students will be exploring the ERM dynamic as a case study: Enron (point of departure) > External enforcement (Sarbanes-Oxley) > Internal imperatives (Board of Directors) > Marketplace insistence (credit analysts, auditors, investors) > Business as usual.

The ERM payoff

It's a case study we will have lived through. And if, along the way, we've learned in equal measure what to do and not to do, then surely we'll be able to explore a merger, contemplate a new product line, attract capital, expand overseas, hire a CEO or night watchman - without having to puzzle out the "risk" on a piece of paper. Risk will long since have been factored into the equation.


Corey Gooch is Associate Director, Enterprise Risk Management at consultancy Aon Corporation, Inc. Contact him at corey-gooch@ars.aon.com.
