By Michael J. Moody, MBA, ARM
PwC survey of CEOs points to increased demand;
Lloyd's chairman & SEC concur
Today's fast-paced business environment requires companies to undertake a "top-to-bottom" assessment of risks to ensure that they touch every aspect of their businesses as necessary.
Enterprise risk management (ERM) is a concept that has been around for the past four or five years. And despite an early interest by financial services organizations, it is a concept that has been slow in gaining traction in other business segments. However, the past six months have seen a renewed interest in ERM. To be certain, regulatory considerations such as the Sarbanes-Oxley Act as well as several stock exchange regulations have generated much additional interest in the whole ERM concept.
What's more, additional support for ERM is coming from a wide variety of sources. Among the most recent acknowledgements are those from the chairman of Lloyd's. Lloyd's is the world's leading specialist insurance market and its chairman, Lord Peter Levene, urged business leaders to put risk management at the heart of their board's agenda. Earlier this year, in his address to the World Affairs Council, Lord Levene stated that corporate executives needed to raise risk awareness to the board room so that board members could respond actively to a changing risk environment.
Further evidence of this increased visibility comes from Lori Richards, director of the Office of Compliance Inspection and Examinations of the Securities and Exchange Commission (SEC). She emphasized the need for firms to proactively identify areas where they may be at risk. Director Richards made her comments in a speech given in mid-April 2004 where she also stated that enterprises must implement controls to reduce or eliminate risks. She noted that today's fast-paced business environment requires companies to undertake a "top-to-bottom" assessment of risks to ensure that they touch every aspect of their businesses as necessary.
7th annual global CEO survey
But without question, one of the most notable ERM-related matters was presented by PricewaterhouseCoopers (PwC) at the World Economic Forum held in Davos, Switzerland, earlier this year. PwC introduced the results of its latest survey titled "Managing Risk: An Assessment of CEO Preparedness," and it included the results from about 1,400 CEOs worldwide. As Miles Everson, partner in PwC, points out, the survey provides ERM information from the top level. "What I like about it is that CEOs were surveyed, as opposed to risk or audit professionals. . . . To my knowledge it's the only in-depth survey of CEOs," he said, "and it is an excellent barometer as to their views on ERM. From the results, it's clear that CEOs are quickly beginning to see the benefits of ERM in these uncertain times."
While the current regulatory environment has given many companies a reason for exploring the benefits of ERM, regulations themselves cannot unlock the complete benefits of ERM. As Everson notes, those firms that are considered advanced performers have a totally different view of ERM. He says that the survey shows that "there is a strong feeling from the advanced performers' CEO suite that when you do ERM right, it also helps you get more creative and entrepreneurial." Everson says this is a "very different tone than what you hear from people that have been exposed to ERM only from a Sarbanes-Oxley perspective."
Unfortunately, with all the new regulatory constraints, some organizations are viewing ERM as a part of this overall environment. Everson points out that ERM is "principles-based, and in addition to helping a company achieve compliance objectives, it also helps an organization achieve strategic and operational objectives."
Definitions still a problem
Despite the fact that enterprise risk management has been part of the business management lexicon for several years, people still struggle with a specific definition for the term. That was one of the issues that arose in the recent PwC survey. As Everson notes, "ERM still means too many things to too many people." He says that overall we need "a little bit more common ground with regards to ERM's meaning."
In fact, that was one of the driving forces in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioning PwC to draft the ERM Framework. It is this common base of knowledge and, more specifically, the definition of terms that makes "the COSO document such a powerful step," according to Everson. Progress in finalizing the draft of the ERM Framework continues. And, in addition to finalizing the Framework, PwC will also be releasing an "Application Guidance," which will provide illustrations on techniques a company may apply in implementing some of the concepts. Everson says, however, "this should not be considered as a best practices manual," but rather assistance in how to implement the concepts.
Value creation
A key concept of ERM, which is noted in the introduction to the ERM Framework, is value creation:
"Value is created, preserved or eroded by management decisions ranging from strategy setting to operating the enterprise day-to-day. Inherent in decisions is recognition of risk and opportunity, requiring that management consider information about internal and external environments, deploy precious resources and recalibrate enterprise activities to change circumstances. ... Enterprise risk management facilitates management's ability to both create sustainable value and communicate the value created to stakeholders."
"ERM gives you a line of sight for your decision making which balances growth and return," observes Everson. "In essence, it looks at how much risk a company is taking under its growth initiatives and how much risk is resident in the return that is expected." He says this "trade-off is the value creation side of the process." Everson points out that "some financial institutions are good at this already." However, many other industry segments significantly lag in their understanding of this aspect of the process.
Everson also notes that the Framework can help an organization identify opportunities for further value creation. For example, when a company designs its response to risks, it can respond by trying to minimize the current risk, or alternatively, can decide to respond more creatively. This creative response may be the capture of what is considered to be a systemic industry risk, thereby gaining a competitive advantage.
The future of ERM
Make no mistake--ERM is a major change in our view of management, but some question the need for it. Further, many want to know where ERM is headed. Everson says the key to the future of ERM lies with the rate of change that is occurring in the general business environment. Change is going on around us constantly but, overall, as a "global society, we have not even realized the rate of change from our technology developments," he says. "While change is fast now, it will continue to increase in speed in the future. In order to compete effectively, an organization will need to understand how events could affect its objectives." Everson says, "Event detection and identification capabilities are going to have to be more robust."
Pressure on event detection and identification capabilities will only grow with time. And those capabilities will become paramount in the future. It is no longer sufficient to just manage a company's risk. In today's increased regulatory environment, "you must also evidence it and demonstrate it to outsiders," Everson points out. And in order to properly do this, "you need to embed that capability into the way a company runs its business."
Conclusion
Lord Levene noted the speed of the changing risk environment. Director Richards also noted today's fast-paced business conditions. And Miles Everson talked about how businesses are having to move to higher speed zones for event detection and identification. There is little doubt that today's businesses must operate at a faster pace. And what this means, in no uncertain terms, is that there is no longer a "status quo." You either move forward, or you fall back. It is just that simple.
Such is the current business climate. There is help, however, in the form of enterprise risk management. And as PwC's 7th annual global CEO survey points out, CEOs worldwide are beginning to use ERM to deal with uncertainty and associated risk and opportunity. And as the "advanced performers" have shown, ERM can enhance management's ability to build value. *
The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.