“At companies that have a formal ERM program – by no means a majority – ERM is generally in a nascent stage. We believe that ERM eventually will not be a distinct discipline because it will become integrated with everyday practice. At some point, risk management may be likewise part of every senior executive’s repertoire of skills.”
Standard & Poor’s Credit FAQ: Standard & Poor’s Looks Further Into How Non-financial Companies Manage Risk, June 24, 2010
Most organisations aspire to practise effective Enterprise Risk Management (ERM), but very few are achieving it. Over the last decade, much effort has gone into implementing systems to comply with Sarbanes Oxley, COSO, Turnbull, Basel II, COBIT and other regulatory standards. Most organisations are now stuck in a world of compliance-oriented risk management. They are therefore failing to take advantage of the benefits gained from a more strategic approach to risk.
Putting ERM in place delivers significant benefits:
- Accurate business planning and objective setting
- Enhanced reputation and credit rating
- Better decision making:
  - Use of capital
  - Negotiating key contracts
  - Supply chain management
  - Product demand and development
- Improved performance and shareholder value
- Reduced cost of insuring risk
- A sound platform for corporate governance.
Our “Five Steps to Enterprise Risk Management” article gives an overview of how organisations can address this shortfall, providing insights for the Chief Risk Officer based on Risk Decisions’ experience of helping organisations implement ERM.
This new article is the first in a series of five that builds on this overview to give risk managers insights into how to start embedding ERM into their organisation. It describes the three most important documents required to achieve effective ERM. It also stresses the importance of understanding risk attitude and accommodating different perspectives of risk across the enterprise. Finally, it considers the risk structure required to provide a consolidated view of risk at different levels in the organisation.
This first step is not costly or time consuming; it just requires simple and practical steps to get the right people involved in ERM.
1. Enterprise risk documentation: framework, policy and process
It is the board’s role, as part of its corporate governance, transparency and disclosure responsibilities, to maintain a framework, policy and process for managing risk.
However, for management of risk to be effective, it is important that everyone in the organisation understands their role in managing risk. To achieve this, the risk manager needs to ensure that three key documents are in place and communicated across their organisation: a risk framework; a risk policy; and a risk process.
Risk framework – getting people involved
This document sets out for everyone in the organisation how the management of risk (threats and opportunities) maps onto the organisation’s structure. It includes information on:
- Who is responsible for different types of risk (e.g. strategic, financial, safety)
- The wider stakeholder community’s involvement (e.g. contractors and suppliers)
- Objectives and expected outcomes.
Essentially, the risk framework is about getting people engaged in the management of risk.
Risk policy – defining thresholds
Senior management is responsible for ensuring that their organisation behaves in a pre-determined and measured way when faced with significant threats or opportunities. One way to achieve this is through setting the risk policy, in which risk managers clarify their organisation’s vision and therefore how risk taking or risk averse they are willing for the organisation to be. In the risk policy document, risk managers give guidance on:
- What level of risk taking is acceptable
  - For more on this see Section 2: Understanding risk attitude
- Which risks owners should escalate to senior management, and when
- Budgetary sign off for risk and mitigation actions
- Risk approval levels (e.g. for business cases).
In keeping with existing company policy you may find it appropriate to align risk budget sign-off thresholds with general budget sign-off (i.e. delegated powers).
Risk process – communicating consistently
The risk process is a statement on how you want your organisation to identify, manage, mitigate, report, and otherwise communicate risks consistently across the organisation.
Identifying a suitable process for your organisation is generally the most straightforward of these three steps, as there are many well established standards to choose from. These include the recently published ISO 31000 international risk management standard. It is up to you to decide which best suits your organisation. See Appendix 1 for a selection of those available.
Whichever process you select you will often need to adapt it to reflect your organisation’s specific requirements or existing working practices. Bear in mind too that these needs may differ across different divisions, business units, functions etc. See Section 4 for more on accommodating multiple perspectives on risks.
You may also have certain areas (e.g. safety, environmental) that require specialised risk procedures – we suggest that you either document these separately or add them as appendices to the main risk process. Remember, it’s important to understand your senior management’s information requirements, and ensure that your risk process(es) can deliver these.
2. Understanding enterprise risk attitude
Of the three documents outlined in section 1, the policy document is likely to be the most difficult one in which to align aspiration with reality. This makes it important that all employees understand what management of risk actually means to your organisation.
a) A high tech company
A high tech company may pride itself on being innovative and therefore seek opportunities and take risks, with a view to maximising reward. Top down, managers will tend to encourage employees to think out of the box in an environment free of excessive control. To balance this, management are likely to develop close working relationships with key employees and have communication mechanisms that allow fast decision making. In this scenario, it is vital to properly understand and take measured risks.
b) A long established business
In contrast, a long established business relying on its trustworthy reputation for repeat business and referrals may take a risk averse attitude. The organisation will expect employees to follow strict codes of conduct: avoid deviating from procedure, and maintain the status quo. However, it needs to guard against becoming introverted and overtaken by external events. Risk management can address this.
Of course, most organisations take a position somewhere between risk taking and risk averse extremes, adopting a portfolio approach to balance investment, innovation and core business. Whatever position your organisation takes, it is essential that it consciously understands its risk attitude, measures the risk and makes sound decisions on the basis of good information.
It may be useful to get some external help in assessing this. You may think you are risk averse, but actually be avoiding facing up to risk, which in turn can be extremely risky.
3. Embedding risk into the corporate structure
Having documented your risk management framework, policy and process (including a definition of risk attitude), you then need a practical strategy for implementing and embedding them across the enterprise.
The organisation’s risk manager is likely to have responsibility for this strategy. This requires a major change programme, taking a three-pronged approach:
- Top down from “board level risk representatives” including input from non-executive board members
- Middle out via a “risk steering group” (comprising function, business unit and programme managers)
- Bottom up from existing pockets of good practice via “risk champions”.
Board-level risk representatives
Your organisation will take the lead on what people do from the top down. Therefore, you need to ensure that each member of the board takes a specific interest in risk. It is a good idea to map each board member to a relevant organisational risk perspective, according to their skills, experience, interests and expertise. Forming a comprehensive set of board level ‘Risk Representatives’, covering all the organisation’s perspectives on risk, provides a natural way of hooking into risk and opportunity activities further down the company. For example, an oil company will require specific focus on safety and the environment, whereas a technology company may have a particular focus on market competitors.
All organisations will have finance and HR perspectives. See section 4 for more information on multiple risk perspectives. Some organisations find it useful to form a Risk Committee – although take care to consider the benefits and barriers of this approach. It is generally better to integrate risk into all board activities as opposed to making it a separate exercise. However, the complexity of risk in some organisations (e.g. financial institutions) may require this specialist committee approach.
Functional-level risk steering group
For ERM to work effectively, communication about risk must flow in all directions in your organisation, so the most efficient way to implement communication of risk information is to focus on middle managers, and in particular the functions. Each function is responsible for oversight of their discipline across the organisation, and therefore it makes sense for them also to be responsible for overseeing risk.
However, clarifying responsibility for risk at this level is not enough: using risk management to break down the traditional functional stove pipes gains the most benefit. Creating a function-led Risk Steering Group can be an effective way to achieve this. A significant number of an organisation’s risks occur in one area of the business and impact in another, so the benefit of bringing managers together to work as a team on managing risk is a major step forward.
There will already be pockets of good risk management in your organisation, which you should encourage and reward to demonstrate that the organisation values risk management activities. One of the ways to do this is to identify and recognise risk champions and task them with the job of helping to spread good risk management practice more widely.
However, it is important to understand the issues with ‘not invented here’ and ‘but we’re different’ attitudes often found in large organisations. Each area of the business should be encouraged to adopt their own take on the management of risk, subject to remaining within the defined framework, policy and overarching process. See Section 4 for more information on multiple risk perspectives.
Having identified these three key groups, the final step is to generate lines of communication between them, whereby board representatives can gain a deeper insight into specific risks through dialogue with relevant members of the functional Risk Steering Group of specialist risk champions. Similarly, risk champions can sound out higher level opinions on areas and types of risk that they believe should be gaining more management attention.
The role of the Chief Risk Officer (CRO) and Internal Audit
The CRO and the internal audit team play a key role in facilitating communication and understanding between these different levels of risk management. They will play a practical role in meetings and help ensure that appropriate lines of communication are in place.
4. Accommodating multiple risk perspectives
In the same way that risk attitude varies from one organisation to another, so perspectives differ within each organisation. This is easiest to understand when you consider different functions or disciplines. For instance:
- IT departments will be concerned with risks relating to data protection and e-security, cyber crime, virus protection and so on; so they may follow the COBIT guidelines as part of their working practices.
- Safety, Health and Environment’s risk focus will include hazard analysis and prevention, staff training and awareness, risk assessment checklists; they will need to adhere to HSE legislation.
- Finance Directors, Heads of Major Projects and Operations Managers will place a different emphasis on risk again.
An effective ERM strategy must not only recognise and accommodate all of these disciplines, but more importantly find the right level at which they fit together.
Organisations often assume that they can only implement ERM as a single structure, with risks being rolled up from bottom to top, and the CEO sitting at the top of the pyramid, reviewing everything underneath. In fact, there are many different ways to aggregate risk, and therefore a pyramid is unlikely to be the best way to gather and report on risk information.
Instead, you need a number of ways to slice and dice data: by discipline, budgetary authority, contracting mechanism, geographical location, technology and so on. Therefore, rather than create a single hierarchy, a more effective approach is to create a number of hierarchies containing risk information.
Combined with this multi-hierarchy structure, you also need a simple risk map (covered in a later white paper), to ensure risk information is communicated horizontally and vertically and reported at the right levels.
Finally, you will need a central repository for risk information. The current practice of trying to consolidate a myriad of spreadsheet-based risk registers cannot deliver efficient ERM:
- They do not provide an audit trail
- Considerable effort is required to produce a consolidated view for reporting and analysis
- Spreadsheets do not give multiple users concurrent access.
There are many tools available on the market, but one of the key criteria when you are selecting a tool is to ensure that it is configurable to match the multiple perspectives in your organisation.
Top down governance of risk is the responsibility of the board, setting the vision and direction for the organisation, including the way forward on embedding Enterprise Risk Management. Producing guidance and documentation is the easy bit. Developing and implementing a strategy to roll ERM out across the organisation is the challenge.
Establishing top down risk representatives, a middle layer risk steering group and champions within the organisation is one of the fastest ways to move from a tactical fragmented approach to risk management to embedded ERM.
While there will be many perspectives on risk, with different capture and reporting requirements, it is important that the basic risk process steps are the same for everyone. When cross-functional groups meet, they need to use a common language. ERM provides central visibility, consistent identification, reporting, communication and aggregation for decision making at all levels. But it also maintains distributed responsibility of management of the risks and response actions.
Overall, make sure your organisation’s attitude to risk is well defined from the top and communicated down through the organisation in a practical way.
Finally, remember that Enterprise Risk Management should be simple to understand and simple to implement. Keep it simple! Make it effective!