Jerry Miccolis | June 1, 2003
There are certain enterprise risk management (ERM) fundamentals—objectives, scope, organization, and tools—that companies can use to establish an ERM framework and implementation plan.
Most companies believe in the concept of enterprise risk management (ERM). But many have been frustrated by implementation issues that have, so far, caused ERM to fall far short of its potential. What's the problem? And what's the secret to getting ERM to work? Borrowing from the playbook of the great basketball coach John Wooden, the simple, but hard, truth is: "There is no secret. It's all about fundamentals." To make ERM work for you, you have to do the gritty groundwork and start by getting the fundamentals right.
For ERM, "getting the fundamentals right" means establishing a company-specific ERM operational framework that clearly and measurably defines what ERM will mean for this company, and then using that framework to develop an ERM implementation plan that is specifically designed for success in that company. There are no a priori, universal "right answers" for how to implement ERM in a given company. There are, though, "right questions" each company should ask itself. Successful ERM really does depend on the specific situations of specific companies with specific histories, cultures, and managements.
The continuing gap between what executives see as the promise of ERM and the fulfillment of that promise is evident not only from what our clients tell us. It also has been documented in several recent Tillinghast-Towers Perrin surveys of ERM practices among companies in various industries. (For more on what those surveys tell us about the current state of ERM, see our March 2003 IRMI.com article, "ERM Lessons Across Industries.")
The gap between ERM's promise and performance shows up in lots of ways, including the following.
To close the gap, our experience with clients has taught us that companies need to have a clear, company-specific "operational framework" in place for ERM. If they don't have one—and most really do not—then they need to create one. They can then use that framework as scaffolding to develop a company-specific ERM implementation plan.
To establish the correct operational framework, company leaders need to candidly answer four key questions.
Question #1: The first question is "What are our objectives for ERM? That is, what are we hoping to accomplish with ERM that we cannot accomplish otherwise?" Companies typically have the same four general objectives for their ERM programs. What makes a company's ERM program unique from this standpoint is the relative priority the company gives to each of these objectives. The objectives, ranging from the reactive to the proactive, are as follows.
However prioritized, the company's ERM objectives should be measurable and should articulate the expected payoff from achieving them. The payoff should be based, to the extent possible, on the expected beneficial impact on the performance measures that are used to run the company. This rule implies, of course, that the company already has in place clearly articulated and well understood performance measures of this sort. (For more on the topic of objectives and measurement, see "The Language of Enterprise Risk Management: A Practical Glossary and Discussion of Relevant Terms, Concepts, Models, and Measures," in our May 2002, IRMI.com article.)
It is imperative that these objectives be established by, and be continually and visibly supported by, senior management. "Grass roots"-style ERM movements rarely succeed.
Question #2: The second question that company leaders need to answer is "What will be the scope of our ERM program?" Scope encompasses two dimensions: both the types of risks that ERM will cover and the management processes that ERM is intended to influence.
Risk types covered by a particular ERM program can include those in the following broad categories.
The key principle to follow in defining the risk types a given company will cover in its ERM program—and that company managers need to attend to and manage in an integrated way—is to focus on the risks that matter most to the company's strategic goals. Managers need to have a clear, common understanding of what the company means by those risks and why they are important to the company's performance.
The second dimension of scope relates to the management processes that company executives desire ERM to influence. These processes typically include the following.
In setting the scope of their ERM program, company leaders need to make certain that the scope of risks and scope of processes are aligned and that they are likely to help the company reach the ERM objectives they have already set in answer to question #1. And, in determining the management processes to be affected, they need to be realistic about the degree of influence the "ERM function" (see question #3) can exert on the incumbent owners of these affected processes—organizational "turf" is typically cited as a leading obstacle to effective ERM. The pragmatic result is that the initial scope is often less broad than the long-term desired scope.
Question #3: The third major question that guides the creation of a company-specific ERM operational framework is "What kind of organizational structure around ERM will work for us?" Answering this question entails determining the following.
As for organizational integration, current practice suggests that what integration exists is largely an extension of traditional risk management and financial management practices, with ERM being linked most frequently with internal audit, compliance, and investment functions.
Most firms today tend to make ERM more of a coordinating, information-gathering, and technical support function for the rest of the organization. We see that, for instance, in the specific ERM activities reported by companies. The most common activities are risk identification and ranking. Much less common are more aggressive integrated risk management activities, such as measuring and exploiting natural hedges among the totality of the organization's risks and evaluating risk management strategies in light of risk/return requirements.
Question #4: The final major question in creating the operational framework is "What specific tools will we need to implement ERM?" The range of possible tools includes, but is certainly not limited to, the following.
When the company's leaders are considering which tools they are going to include in their company's tool kit, they need to make sure the ones they select fit the risks and processes that are in the scope of their ERM effort and fit their company's capabilities, either those they currently have or those they know they can acquire. That said, we do need to note a very important caveat about tools. The risks should drive the choice of tools. The choice of tools should not drive the choice of risks covered in an ERM program. And that does happen.
Managers can choose tools they know in order to manage risks they know, simply because they are familiar or easy to quantify. The danger, of course, is that in so doing managers may end up not paying attention to risks that are important and consequential simply because they are hard to quantify and managers don't have, or know about, tools to manage them. The result is a case of having a hammer and only paying attention to nails.
The operational framework that results from the clear-headed answering of these four key questions—ERM objectives, scope, organization, and tools—creates the foundation for a "built-for-success" ERM implementation plan. The implementation plan can then follow the blueprint laid out in our November 2000 IRMI.com article, "Enterprise Risk Management in the Financial Services Industry: From Concept to Management Process."
Companies that have invested the time and effort to get these fundamentals right have been more satisfied than their peers with the progress of their ERM implementation efforts. They have succeeded because they have laid a clear track to follow, established realistic expectations, assigned unambiguous roles and responsibilities, equipped themselves appropriately, and identified objective benchmarks to monitor their progress. This is not rocket science. There is no reason that all companies can't achieve similar success in ERM and, as a result, in their respective businesses.