Enterprise Risk Management
Beyond financial services
ERM still hasn’t been adopted by most other industries
By Michael J. Moody, MBA, ARM
Over the past three or four years, enterprise risk management (ERM) has been the buzz in the risk management community. Its holistic view of risk management has resonated within corporate America. Having the ability to analyze risks from a 360-degree vantage point has been found to have significant benefits for corporations and their stakeholders. Now, with additional emphasis being placed on ERM by rating agencies and stock analysts, interest in the concept is growing. And with the introduction of the COSO (Conference of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management Framework, an effective implementation plan has been established.
But despite all of these positive developments, it appears that it is only the financial services industry that is moving towards ERM in a meaningful way. Both banks and insurance companies have been adopting ERM strategies in a major way over the past few years. And in survey after survey, non-financial industry participants note problems with accepting an ERM format. What is the problem for non-financial service industries?
Easier said than done
“There are a variety of reasons why banks and insurers are rushing to adopt ERM,” says Fred Travis, associate senior consultant for Shelter Island Risk Services, “and most Fortune 500 companies have not.” He points out that for financial service firms “money is their product,” and this has some distinct advantages from an enterprise risk management standpoint. He notes that their stock in trade is primarily bookkeeping entries, and even this is “facilitated by regulatory agencies and formal markets using standardized methods.”
Manufacturers, on the other hand, have production, distribution and regulatory exposures that vary considerably from industry to industry, each with its own unique set of exposures and risks. Travis, who is the past director of corporate safety & risk management for Anheuser-Busch Companies, Inc., in St. Louis, Missouri, notes that typically the major risks for financial firms are counterparty credit, aggregation, business continuity and system failures. Further, he says, these risks are quite similar from one institution to another. If a bank, for example, were destroyed by fire, they would typically have “an alternative site established where the same people may be able to go to work almost immediately.” However, if the same fire occurred at a production facility, an alternative operation, if available at all, would be generally at a geographically distant site.
Additionally, Travis points out that “robust risk tracking and evaluation systems have been extensively developed for financial service firms.” The same is not true for most manufacturing industries. Operational systems, he notes, for non-financial service firms “are often thin or non-existent.” Financial firms also lend themselves to standardization since their risk management personnel have similar backgrounds and qualifications. As a result, ERM training can also be standardized to a large extent. However, the risk management skills required for manufacturing operations vary greatly from one industry to another and typically require specific experience and training.
Moving forward
Despite the lack of standardization, ERM is beginning to show up at some forward-looking manufacturing and non-financial service organizations. Travis says that anyone contemplating starting an ERM program should consider several key issues. He points out that “systems and information are critical for ERM.” Accordingly, he suggests, “You need a good understanding of your company’s universe of systems before you embark on an ERM journey.” Travis recommends that “you work closely with your organization’s CIO in developing an overview of all of the company’s operational and financial systems.”
Additionally, the CIO should assign someone from the IT department to assist in understanding all the department’s systems. An inventory of each major corporate department—human resources, finance and accounting, and procurement—will be critical to the analysis. Travis says another critical department is risk management and the risk management information system and related components. Any data deficiencies found should be noted and resolved before proceeding.
Other key areas that should be reviewed in advance of an ERM effort are the business continuity and recovery plans. Travis says that while ERM is not a necessary step in the creation of these two important areas, they should be established well in advance of tackling an ERM implementation program.
A thoughtful review of the risk management program is also a good idea according to Travis. “Is ERM a logical next step in the progression of risk management at your company?” asks Travis. “Or do you have a lot of unfinished projects?” He notes that if the company is in the middle of finding a new TPA, for example, “it is probably not the right time to start ERM.”
Practical steps
Travis says that there are some practical steps that a company can take if it is beginning to consider implementing an ERM program:
• Find a champion—It is critical to identify a C-level executive who is enthusiastic about ERM. He or she must be “willing to work at getting ERM high-level consideration,” Travis points out. He goes on to say that “if no one is willing, ERM is not going to get the attention to succeed.”
• Identify compelling reasons—Develop an outline of why ERM is critical to your organization. “A generic list of pros and cons will not suffice,” Travis says. “It must be tailored to the issues that are specific to your company, geography, products and markets.” Here again, “if you cannot come up with a compelling list of reasons, then implementing ERM will not be a priority.”
• Take your lead from COSO—Review the COSO ERM Framework and see how it can apply to your company. The COSO Framework, notes Travis, “provides a standard outline and process for implementing ERM.” He also points out that while it is very general and will require a lot of tailoring to an individual organization’s ERM needs, it is far superior to “reinventing the wheel.”
• Develop timelines—Incorporation of detailed plans and timelines is essential for the proper development of ERM. Travis suggests that you “list all of the steps leading up to a fully functioning ERM system.” Once this list is completed you will need to break it down into phases. While this whole step is important, Travis says the key piece of the puzzle here is the project outcomes: “What will ERM look like when fully implemented?” It is important that you can articulate this aspect of the program. “What are the deliverables and measurable benefits to the organization?”
• Draft a risk map—This is typically the first step in the ERM process and includes a formal, detailed risk identification and assessment process. Travis points out, “If you don’t know what your risks are, you can’t manage them,” but he also says that a key challenge is to find common measures to evaluate risk in terms of severity and frequency/probability.
• Information for the risk map will need to come from primary data sources such as historical loss data, policy checklists, as well as questionnaires and interviews with corporate executives. Secondary sources such as financial statements, business plans and procedure manuals can also help.
• In addition, Travis says it is important to consider the organization’s plans for growth, potential new products and services, and “what would cause the firm to go out of business.” Basically, he points out, “What keeps management up at night?” But Travis says it should be only the key risks facing the company. “Mapping every risk is a task never to be completed.” And it should be remembered that the risk map is the first step in the ERM process, but it is not the only step. “Be sure to place risk assessment in the context of an overall ERM strategy; otherwise, you may never have the opportunity to implement any more steps,” Travis observes.
Conclusion
Enterprise risk management has become a standard operating procedure for many financial services firms but not so much for other industry segments. Travis has highlighted a number of reasons for this lagging development. He points out that one underutilized resource has been the COSO ERM Framework. When the Framework was originally released, the authors made it clear that it was merely a starting point, and they indicated that it would be up to individual trade associations to develop specific criteria for their industries’ unique exposures and risk. To date there has been little movement from the individual industry trade associations, and it would appear that this is hampering ERM development.
The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.