Enterprise Risk Management

ERM: Favorable results

Reports show success

By Michael J. Moody, MBA, ARM

Enterprise risk management (ERM) has been the subject of a number of articles and white papers following the recent turmoil in the subprime housing market. Some observers have pointed out that financial institutions were the first to adopt ERM and, to many, it appeared ERM got a failing grade.

To be certain, some financial institutions such as Countrywide Financial, Ambac, MBIA, UBS and even Bear Sterns should receive failing grades. Without question the ERM programs did not function properly at these organizations. Based on analysis of these firms, experts believe, in part, that the major failing was an inability to properly integrate the ERM program throughout each of these companies.

They point to other financial organizations that weathered the “subprime mess” better than those noted above. They point to firms like JPMorgan and Goldman Sachs, both widely recognized for their “best practice” ERM capabilities, as evidence that ERM can work. Both firms maintained better outcomes than their competitors. In fact, they were able to capitalize on the “mess” to strengthen their organizations. Information gained from the “subprime mess” and additional analysis in several recent studies may shed some light on ways to ultimately advance ERM.

Practical guidance

One of the most illuminating works on ERM is a white paper titled “Practical Guidance: Seven Steps for Effective Enterprise Risk Management,” written by software management consultants at Paisley. They note that ERM has become a critical boardroom priority. They indicate that risk management has moved from a “niche specialty” area of management, to a mainstream management discipline.

Thanks in large part to external factors such as regulators, rating agencies, stockholders and other stakeholders, risk management has become a heightened focus. According to the report, regardless of the driver, today it is recognized that business success depends on striking a balance between enhancing profits and managing risks. As a result, an investment in enterprise risk management is “now top of mind for most business leaders.”

The Paisley report is generally tailored after the key concepts as outlined in the COSO “Enterprise Risk Management - Integrated Framework,” which was originally published in 2004. The COSO publication notes that ERM is a process that identifies potential events that may affect an organization, allows them to manage risk within their risk appetite and provides reasonable assurances that the objectives can be achieved. In supporting this idea, boards are insisting on more information about enterprise risk.

However, as the report points out, useful information to this point has been elusive. Further, the report notes that while ERM has had some success with regard to identifying hazards, preventing value erosion and reducing compliance violations, most organizations have had difficulty in adding real economic value. They indicate that value is added when companies seek and exploit opportunities and/or improve business performance.

According to Paisley, it’s this lack of real economic value that has been the real failure of those that try to implement an ERM program. Heretofore, most risk management focus has been on cost savings and efficiencies. They point out that by just focusing risk management on the traditional areas, organizations are ignoring about half of ERM’s potential value. According to the report, it is imperative that ERM focus “on opportunities and provide insight into overcoming obstacles to realizing those opportunities on both a strategic and tactical level.”

Beyond financial service sectors

Originally, the buzz for ERM surrounded the banking industry. This was followed shortly by success in the insurance industry. Then came the movement of ERM into the energy industry, and then nothing. For the most part, ERM implementation beyond the financial service sector has been minimal. There are a wide variety of reasons for this lack of enthusiasm by other industry segments but, suffice it to say, ERM is moving slowly beyond its early proponents.

However, a new report issued by the Aberdeen Group in May 2008 shows the promise of ERM within manufacturing operations. The study notes that there have been major increases in both the number and the complexity of risks faced by manufacturers. Among the more significant noted are supplier non-conformance, quality and compliance management, asset management, employee health and safety, environmental concerns and time-to-market deadlines.

Aberdeen found that early adopters of ERM outperformed industry averages in three key performance indicators. The early adopters scored better in: 1) performance in compliance, 2) standard deviation in production process, and 3) asset downtime. One of the primary reasons for this better performance, according to the study, was that the early adopters had better risk mitigation capabilities. In fact, the early adopters not only exceeded the industry averages for most of these capabilities, but they also outperformed the “best-in-class” firms or the top 20% of all performers.

Additionally, manufacturers utilizing ERM had better capabilities in identification and assessment of impacts from adverse events, monitor-ing and prioritizing operational risks across the enterprise, as well as opera-tional metrics that are linked with financial metrics. Finally, the report notes that early adopters within the manufacturing arena have been able to provide visibility of risks at a facility as well as the asset level, thereby allowing senior management to break down risks by facility or asset so as to assign process owners with the responsibility of controlling these risks at an early stage. Clearly, some manufacturers are now beginning to understand the value of ERM and, as a result, are beginning to gain the competitive advantage that goes to the early adopters.

A growing body of evidence

Even more impressive than the Aberdeen Group study is a study commissioned by the Association of Insurance and Risk Managers (AIRMIC). This study found that ERM can be shown to significantly reduce the net risk exposures to an organization and thus support improved decision-making. This ground-breaking research was carried out by Det Norske Veritas and was based around in-depth case studies of five large organizations. The five organizations included the BT Group, DLA Piper, Nestle, Solvay and a large UK governmental agency. In addition to the in-depth case studies, the findings were confirmed through analysis of risk management information from 20 other enterprises.

One of the major findings that the study documents is that to be successful, an ERM program must be proportionate to the level of risk involved. Obviously, the larger a risk is, the more important it is to be viewed from an enterprise level. The study also notes that an ERM program must be built on several major building blocks to be successfully implemented. In total, the study highlighted 13 key “hallmarks” of a successful ERM program. Among the more important hallmarks that were identified were:

• Use of risk management as a creative process.

• Ensure that sufficient effort is allocated to treating risk after the analysis phase.

• Provide risk information so that it can be used by senior management in decision-making.

An additional hallmark notes that successful ERM exercises must also be well defined, with the desired benefits set out in advance and progress measured against a series of targets.

With the in-depth analysis provided, the study clearly shows that ERM really can help any organization, not just with their operational decision-making, but the strategic decision-making as well—provided that the program is built on a firm foundation. The major take-away from this important research is that ERM actually enables organizations of all types to become more enterprising. This is because the organization better understands and minimizes its risks. This risk understanding is important because it provides the knowledge and confidence to do new things and, as a result, the organization is better able to move on opportunities that may present themselves. *

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc., an independent consult-ing firm established to advance the practice of enterprise risk management.