Enterprise Risk Management

ERM: Looking abroad for guidance

U.S. businesses make progress on the cultural front but lag behind their European counterparts

By Michael J. Moody, MBA, ARM

There is movement on many fronts today with regard to the advancement of enterprise risk management (ERM). While its growth is attributable to a number of factors, a primary one is a strong internal champion. According to several recent studies, it appears that ERM is best served when it has a strong internal supporter. The champion should possess two essential qualities:

• Sufficient knowledge about ERM
• Sufficient influence and position within the organization

It has typically been difficult to find a person who possesses both of these qualities. And while such a person may be found in some financial service sectors, in non-financial service sectors these individuals are hard to locate. As a result, other industries have lagged in ERM involvement.

Financial services leads the way

It is widely acknowledged that the financial services sector has been the first to embrace the ERM concept. Initially it was banks that began formulating plans to implement ERM programs; shortly thereafter the insurance industry made a similar move. According to Peter Young, the E.W. Blanch Chair in Risk Management at the University of St. Thomas in St. Paul, Minnesota: “There are a set of tangible reasons why the financial sector evolved so quickly.” One of the primary reasons, Young says, is that the CFO can easily champion the ERM concept because treasury risks have always been a core responsibility for CFOs.

The financial services sector CFO is frequently involved with a number of core treasury functions. These executives routinely deal with credit risk, interest rate risks, and currency exchange risks. Young points out that this “not only provides the CFO with a good technical appreciation for ERM, but also a good vantage point to champion ERM as well.” As one moves away from the financial services sector, he says, it is difficult to find that champion.

Additionally, several outside influences have had a major impact on the financial services sector. The first is Basel II, a broad international regulation that requires many organizations to make major changes to their operations. Basel II has many aspects. Risk management is a key element of the entire process, and compliance is critical for all organizations. The oversight and rating functions associated with Basel II are also vital components and will have a strong impact on ERM.

European approach

While the financial services sector has led the way in the United States, Europe is taking a much broader view of ERM today. Young points out, “In Europe the movement to ERM has begun to move decisively beyond financial services.” While this accelerated movement can be seen in any number of industry segments, it is most visible in the public sector. Young says there are a number of reasons for this rapid growth in the public sector; however, it is attributable in large part to one main driver.

In Europe, he says, there are very strong national governments. Often when the national government buys into something, the local government units pretty much just follow along. And at this point, the national governments have accepted the ERM concept in total. As a result, Young notes that ERM “has been able to make giant advances quickly.” Obviously, he adds, “This stands in sharp contrast to the U.S., where the federal government has, for the most part, limited ability to ‘move’ local governments.”

Even private, non-financial services firms in Europe have been moving forward with plans to implement best practice ERM programs. In this regard, a series of quasi-national responses has warranted attention. New regulations recently published by the London Stock Exchange provided a major shot in the arm for ERM. The new regulations assume that listed companies are practicing ERM. Young says that while the U.S. has some similar regulations, most notably Sarbanes-Oxley, recently there has been some major pushback from these laws.

Cultural clashes

Certainly there is a mechanical or technical side to ERM, says Young, a side that in the U.S. appears to be lagging and not progressing as quickly as people had hoped. This aspect deals with developing plans and identifying tools and solutions, or the visible part of ERM. There are important elements embedded in this side of ERM, such as how many chief risk officers (CROs) are there, and what are the “best practices” issues. Unfortunately, Young says, “These items also happen to be the way we typically measure progress.”

The other side of ERM, the cultural side, has advanced quickly over the last four or five years, according to Young. While he admits that most of the stakeholder groups do not fully understand ERM, “there is now an expectation taking hold that when we talk about risk management any more, it is about all risk.”

This cultural acceptance of the integrated approach to all risk represents an exciting change, and it frankly is the most interesting part of the story to date. Obviously, one of the goals of ERM is to embed risk management within the corporate structure—not just the physical and operational parts of the structure, but its cultural structure as well. For the most part, Young points out, “this cultural change has always been part of the end game for ERM, and it encompasses a view that everyone is a risk manager within the scope of their particular job.” This is the long-term hope for ERM, he says. “You really don’t have to talk about it; it is just part of the way people do their jobs.”

Search for CROs

One of the issues that Young deals with on a daily basis is: Where will the CROs come from? And further: Will the CRO be in the boardroom? Young says that the need for a CRO is “the answer to a long series of questions about how each individual organization operates.” It is heavily dependent on the specific needs of the company with regard to risk management. Some companies, Young says, may conclude that they need a single CRO; others may favor a team composed of upper level management. He does not see any one way being favored today.

One issue that does concern Young, however, is the movement to consolidate governance, compliance, and risk management into a single function. He states: “If you are in compliance, audit, or internal control, you really cannot be in the risk management business.” He says that the Sarbanes-Oxley Act demonstrated that auditing firms had to separate themselves from their consulting practices because there is too much of a conflict of interest. Now, he adds, they are trying to take over risk management, but it still represents a conflict of interest. “This is not where ERM belongs.”


Young believes that U.S. corporations may want to look to the European Union to see the future of ERM. In Europe, he says, “ERM is a boardroom issue.” For the most part, Europe has accepted the ERM concept across all industry segments, and they are moving ahead quickly. They are embracing this expanded role for risk management, and in many instances they are using this as a competitive advantage in their businesses. “Although businesses in the U.S. also are moving in this direction, they are still lagging,” Young says.

