ENTERPRISE RISK MANAGEMENT
By Michael J. Moody, MBA, ARM
IIA, CAS, RIMS all vie for hegemony
Events of the past year or so have assured that the course of risk management is headed toward an expanded view of risk management.
At this point, there is little doubt that companies of all sizes will ultimately adopt enterprise risk management (ERM) programs. Events of the past year or so have assured that the course of risk management is headed toward this expanded view of risk management. Among the key events that have assured this course over the long term are:
1. One of the most influential pieces of financial legislation--the Sarbanes-Oxley Act of 2002--was passed late last year. As a result, it will have a profound impact on the way corporations interact specifically with their stockholders and the public, in general. The act imposes significant new requirements on U.S. stock exchange-listed companies. While the act encompasses a wide variety of areas, the rules are particularly onerous in the areas of risk assessment and risk oversight that support external financial disclosures.
2. Additionally, earlier this year, the National Association of Corporate Directors (NACD) issued a report based on the findings of their Blue Ribbon Commission regarding the board's role on risk oversight. The report noted in no uncertain terms that it is a corporation's board of directors that has ultimate responsibility for risks. And it suggests that many of the previous "crescendos of crises" could have been prevented or lessened in severity if the board had strengthened its role in risk oversight. The report concluded by saying, "The Board has a fiduciary responsibility for risk oversight and as part of that responsibility needs to be able to detect failures in their company's risk management practices."
3. Further, Robert J. Shiller, best selling author of Irrational Exuberance, notes in his new book--The New Financial Order: Risk in the 21st Century--that there is a fundamental change coming to the future of finance. And the change will center on how corporations view risk. As many companies have discovered over the past few years, economic risks are far greater than they originally believed. As a result, a "new financial order" will develop improved strategies around how financial executives can better position their organization's risk management efforts. Shiller notes that much of this change will be driven by advancements in information technology, and improvements in risk management theory. He believes that competitive advantages will go to those firms that are innovators and early adopters of the new risk management landscape.
Clearly, these events foretell the future of enterprise risk management. They also indicate that companies of all sizes must begin to develop and implement comprehensive ERM programs. Having said that, one has to wonder where the leaders of this movement will come from. Currently, three groups appear to be preparing to assume this responsibility.
Casualty Actuarial Society (CAS)
One group that has made a significant commitment of intelligent capital to this endeavor is the Casualty Actuarial Society (CAS). They were early proponents of ERM and over the past several years have added significantly to the body of knowledge that makes up the core competency of ERM.
Initially, CAS believed that it could carve out an ongoing role for its members in the ERM arena. Accordingly, over the past three years, it began creating a substantial involvement with the ERM movement. Many of the companies that accepted the ERM concept in the early stages were in the financial services area. Both insurance companies and banks were able to see the value that the ERM process could bring. During this period, casualty actuaries were instrumental in defining the ERM process and presenting a conceptual framework. Throughout this timeframe, CAS held a number of meetings and seminars that promoted ERM to its members.
While it is unclear where casualty actuaries will fit into the ERM process, the need for comprehensive analysis of individual business risks as well as the projections of the portfolio effects of the risks will continue to grow. Thus, the casualty actuary's involvement in the ERM process will continue.
Institute of Internal Auditors (IIA)
Recent corporate meltdowns in the Fortune 500 ranks have also attracted the attention of the members of the Institute of Internal Auditors (IIA). Over the past few years, the IIA has zeroed in on enterprise risk management as a growth area for its members. And for the most part, they have been actively lobbying for a more substantial involvement in the ERM process.
One of the major research efforts in the ERM area was completed by IIA, when they retained Tillinghast-Towers Perrin to finalize a study regarding the current state of the ERM movement. The information that was generated, as well as the key findings, were used to write a book titled Enterprise Risk Management: Trends and Emerging Practices which became a benchmark for the application of ERM. More recently IIA has offered several seminars (Enterprise Risk Management: Paradigms and Partnerships) and conferences (Enterprise Risk Management and Control Self-Assessment Conference) for its members. In addition, IIA has developed a separate track on ERM that will be presented at their annual conference, scheduled for this month in Las Vegas.
The IIA and its members believe that they have a role in the growth of ERM. And in support of this, IIA offers its members ample educational opportunities about ERM principles and practices. Many believe that the internal auditors will play a critical role in the development of corporate ERM programs.
Risk & Insurance Management Society (RIMS)
The Risk & Insurance Management Society (RIMS) has also indicated an interest in supporting enterprise risk management. Over the past couple of years, RIMS has become more involved in the ERM movement. It now offers regional, two-day workshops on the ERM concept and objectives through the "RIMS Fellow" program. In addition, RIMS also contributed, through the Spencer Foundation, to the formation and operation of the University of Georgia's Center for Enterprise Risk Management and more recently, the Center for Enterprise Risk Management and Assurance Services at Georgia State University.
Despite these notable accomplishments, RIMS annual convention continues to lack educational opportunities on ERM for its members. For example, the 2003 RIMS Conference held in Chicago earlier this year held only one session on ERM. The session, titled "ERM: Reality or Fantasy," was scheduled for 1:45 to 3:45 p.m. on Thursday, April 10 (the last day of the convention). The lack of educational sessions at the RIMS annual conference may have a profound impact on its members as the ERM philosophy begins to take root in other financial disciplines.
There is little doubt that RIMS senior leadership is committed to the ERM movement. RIMS Immediate Past President Chris Mandel is an assistant vice president of Enterprise Risk Management at USAA, and current RIMS President Lance Ewing handles the ERM duties for his employer, Park Place Entertainment Corp. Both of these individuals see RIMS members serving a much more active role in their respective companies as they begin to implement ERM strategies.
Conclusion
Directing a company's enterprise risk management efforts should emerge as a key leadership position within any organization, most likely the chief risk officer. Certainly many company's boards of directors now realize that they have significant oversight responsibilities for risk management and will be looking for someone at the officer level to make certain that risk management is handled effectively. However, the boards are generally indifferent as to who fills the leadership role. Ultimately, it will fall to those individuals who best display the ability to implement a holistic program that circumvents or eliminates the silos that dominate most risk management programs today. *
The author:
Michael J. Moody, ARM, is managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.