Enterprise Risk Management
ERM advice and counsel
Matching a consultant’s strengths with the client’s needs
By Michael J. Moody, MBA, ARM
Today, many corporations are struggling to formalize their risk management programs. They realize that business today is dynamic and complex, and they are trying to identify ways to effectively mitigate or avoid damage to their organizations while maximizing the returns on the risks they choose to accept. Over the past five years or so, enterprise risk management (ERM) has been identified as one potential solution. Of course, identifying a potential solution and implementing it are two separate matters. While many organizations have embraced ERM, they have also begun turning to risk management consultants for advice about how to implement an effective ERM strategy.
As a result, risk management consulting has become a growth industry over the past three to four years. Today, it is estimated that risk management consulting accounts for more than $36 billion in revenue and is growing daily. But in order to get the results that an organization desires for a consulting project, it is important to understand the goal and then select an appropriate consulting partner.
Rapid changes
While there are many reasons why today’s organizations are turning to ERM, many experts believe that it is the rapidly escalating complexity of business that is a major factor. And while many think that this rapidly growing pace of complexity is limited to large, international companies, it applies to smaller organizations as well. Entities of all sizes have to face an increasing array of complex legal, relationship and global risks that are continuing to grow exponentially. As a result, management believes that their firms can benefit from the assistance of risk management consultants, to help implement a proactive ERM program.
On the positive side of the ledger, over the past few years, an ever-expanding list of consultants has been providing risk management advice. On the negative side of the ledger, however, too few of these consultants see “risk” in quite the same way. So, from the start, it is important for any company considering a risk management consultant to recognize that all consultants do not have the same view of risk. Currently, there are several different service specialties, as follows:
• Enterprise risk strategy—This service focuses on advice on risk oversight at the board and senior management level. Typical services here would include establishment of risk governance at the board and committee level, as well as executive oversight and company reporting of risks. Customary items to be reviewed would include the organization’s risk culture, appetite, risk tolerance and reporting requirements.
• Risk audit services—This is directed at the growing demand for both internal and external audit services. While these services are not involved directly with the management of risk, they do deal with the overall effectiveness of the ERM program. Much of the work in this area deals with the integration and support of the risk management function.
• ERM organizational and process design—This area typically defines the ERM organization and processes. A review of the ERM function across an organization and its related entities is typically a major portion of work in this service area. Included in this area are the roles and responsibilities of the risk management personnel (chief risk officer) and the structure and reporting, communication and processes to facilitate risk management throughout the entire organization.
• Risk systems design, development, and integration—This specialty deals with the integration of risk and compliance monitoring and controls directly into the enterprise applications and systems.
As noted previously, it is important to know the differences in the service specialties of the consultants retained by an organization, so as to avoid surprises at the end of the project. Accordingly, it is essential to understand and initially relate the goal of the project to any consultants considered for the work.
Basic considerations
In addition to being aware of the individual service specialties of each consulting group, it is also important to consider the specifics of the consulting group under consideration. With more than 200 professional service organizations now offering some form of risk management project work, an organization will need to consider any structural differences between consulting firms.
One of the most obvious structural differences is the size of the consulting firm. Firms can range from small boutiques to large, behemoth organizations. Typically, the range consists of small firms with a deep set of talent focused on a very specific area of risk to large companies with a broad range of risk consulting services to a wide variety of clients. Size usually also relates closely to geographic spread which can range from local to international in scope. The typical spread ranges from the United States to worldwide, and it is important to understand this difference as it applies to the completion of the project.
An important area that must be completely understood is the breadth of services offered by the consulting group. These can range from a single area of focus to an entire menu of risk management services. Closely related to this is any industry focus that is involved in the consultant’s expertise. This can range from a single vertical perspective to a cross-industry team of consultants. This is extremely important because some specific industry segments can have very specialized risk management requirements that will need to be considered as part of any consulting assignment.
Specifics make the difference
Notwithstanding any of the above items, typically a successful ERM consulting project—like any consulting project—will depend on the quality of the service as well as the resources that get allocated to the project. Obviously, just hiring the large-name consulting firm does not always lead to the most satisfactory results. All too often, a project can be staffed with an inexperienced consultant who is learning the trade on your dime. In order to ensure that you hire the most qualified consultant for the job, an organization needs to consider the quality of the individual consultants who will be assigned to the project. Some larger consulting firms will bring in the big guns to close the deal but will then staff the project with less experienced people. In order to prevent this from occurring, insist on reviewing and approving everyone who will be assigned to the project.
While the individual consultant will have the most profound impact on the project, it is also important to determine the depth of the senior management of the consulting firm. The depth of the management matters because they set the tone for the work provided. They are the ones who provide the direction and philosophy of the firm. As such, it is important to understand the experience of the individuals at the top of the organization. In addition, it is also good to understand the professional development and training that is used with the organization’s consultants.
As noted earlier, risk management is based on philosophical principles of what risk is; and because these can vary greatly from one consulting firm to another, it is essential that the consulting firm’s definition of risk management be the same as that of the organization that retains them. Thus, it is also important that the consultant can deliver results with a client-centric focus. Ultimately, it comes down to how successfully the consultant can provide ERM knowledge transfer. Among the issues to check with prior clients is the knowledge transfer. It is not enough for a consultant simply to complete a project in the time frame indicated within the budget agreed to. The client must also be able to continue the ERM program after the consultant has concluded the work. The successful knowledge transfer may well be the key deliverable to come out of the consulting project.
Conclusion
ERM is an evolving process and, as such, it is difficult for most organizations to keep up with the advances. And since currently more than 200 consulting firms offer an expertise in risk management, there are numerous alternatives available for assistance. The key to a successful ERM consulting project is in the upfront research of the consultant prior to the project work.
In order to assure a final report that meets the needs of the client, the consultant will need to educate the client on both the current issues and future trends regarding ERM. Many ERM programs have benefited from the involvement of professional consultants, but it is necessary to make certain that both parties to the consulting project are in tune with one another’s expectations.
The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.