Enterprise Risk Management—ERM: Falling behind? 01/08

Enterprise Risk Management

ERM: Falling behind?

U.S. corporations are lagging behind businesses in other countries

By Michael J. Moody, MBA, ARM

Enterprise risk management (ERM) continues to be a hot topic within the general business community. The business trade press is full of ERM-related articles, and it is now a frequent topic for international seminars and conference sessions. For the most part, the majority of businesses view ERM in a positive light and are now beginning to implement comprehensive ERM programs.

Moving forward

As with most things in life, ERM is being driven by a number of factors, both internal and external. According to a recent study of 200 international companies from a wide array of business segments, titled Risky Business—Is Enterprise Risk Management Losing Ground?, the number one driver of ERM today is “the need to gain a greater understanding of hard-to-quantify risks,” which obtained a positive response from 62% of the respondents. The study, which was completed by the Conference Board, supersedes a similar undertaking by the group in 2004, and shows a significant shift in reasons cited for adoption of ERM. The key driver for adoption cited in the 2004 study was “corporate governance”; however, it has fallen to second place in the current study, 57% vs. 65% in 2004.

But it was the third most mentioned driver that is noteworthy. It was listed as “interest from and requests from the boards.” This points out that the board is finally “getting it.” Certainly, recent court cases and the development of corporate governance best practices have confirmed that directors had better know their companies’ key risks and how they are being handled. This is a testament to the changing legal landscape over the past few years, and directors now realize that they have significant responsibility in their company’s risk management efforts. For the most part, longstanding legal concepts such as the duty of care and the duty of good faith require directors to have a complete understanding of risk and its implications to the company. However, while the directors are aware of the importance of ERM, the study documented that there continues to be a disconnect between what risk management activities are happening in a company and what risk management activities the board thinks are happening. Additionally, many survey respondents indicated that directors needed to focus more on strategic risks, rather than financial or regulatory ones.

New pressure point

The past 12 months have seen the emergence of a major new external ERM driver, specifically the rating agencies. They began by performing analyses of the effectiveness of ERM programs for the financial sector, primarily insurance companies, and more recently for energy companies. Once the ERM analysis was begun in earnest, it quickly became obvious that this element of the rating methodology would have an effect on the overall rating assigned to individual organizations. It was noted that not only were negative ERM implications reflected in the ratings, but positive ones were as well. Most rating agencies have been quite open with regard to their ERM rating criteria and the effect on the firm’s overall financial rating. But a less obvious effect has to do with a corporation’s cost of capital, and at this point there is no clear indication how this will be impacted.

Despite this, one thing is certain, rating agencies now are looking to move beyond the financial sector with their ERM analysis. Recently, Standard & Poor’s indicated that it is actively considering joining Moody’s in evaluating the risk management practices for all companies, a shift that could impact thousands of public companies along many business sectors. The rating agencies believe that either a deterioration in or an improvement in a company’s ERM program could signal changes before the consequences are apparent in published financial results. If this premise is proven, it will mean a significant, renewed interest in ERM.

Trouble ahead?

The new survey confirms that some of the surveyed companies have attained an “advanced” ERM status, which is largely based on the degree of integration that corporations have been able to accomplish with regard to ERM. Among other things, this also analyzes the use of quantitative techniques, as well as the overall effect of risk management on business outcomes. Both the current survey and the prior one clearly show that the “advanced” organizations show greater benefits from their ERM programs than other organizations. Specifically, these companies have found ways to successfully integrate the ERM process into regular business activities such as strategic planning and budgeting, so that they can better determine the risk/reward tradeoffs in their decision-making.

Despite some progress among the “advanced” organizations in the integration area, the majority of corporations are still struggling with embedding ERM into their firm’s day-to-day business activities. Most companies, however, do report some progress in the early stage efforts for critical ERM activities such as developing a risk inventory and risk assessment process. But, in general, it is the companies outside North America that have been more successful in implementing their ERM programs. And the survey suggests that U.S. corporations lag behind corporations in most other countries in this important area.

In fact, the study confirmed that there was little or no growth in the key area of integration-focused ERM activities for many U.S. companies. For the most part, the study has concluded that much of this lag is due in large part to what they call “404 fatigue.” This condition describes the fact that much effort was placed into the Sarbanes-Oxley Section 404 compliance, so that the movement to the ERM model was neglected during this compliance process. The survey also documents that some companies have encountered increasing resistance to all of the SOX compliance issues. Organizations across the United States have become increasingly unhappy with the enormous costs involved with SOX for what they feel are inadequate rewards, and they have termed this feeling “404 fatigue.

As a result of this “404 fatigue,” some U.S. corporations are beginning to accept what the survey termed “ERM Lite.” Typically these are ERM programs that are operated out of the audit department. And frequently, they are limited in scope to risk inventory and risk assessment activities. This approach is consistent with the general audit functions, which consider inventory and assessment that fulfill a SOX and/or NYSE listing compliance requirement. The “Lite” approach lacks a more strategic, forward-looking view of ERM and frequently overlooks the benefits of correlating and aggregating risk across an organization. Additionally, these organizations will never obtain the maximum benefits from their ERM programs and will likely be among the first to abandon the ERM process. This is a troubling trend that the survey indicates can have a profound impact on the overall competitiveness of the U.S. economy in the international area.

Conclusion

Certainly, the study documents the current conditions of the international efforts to implement a holistic approach to risk management. It provides an excellent barometer as to the state of ERM progress, and overall it is a positive picture. There has been significant progress reported worldwide; however, due to compliance-related issues, the United States lags behind most other geographic areas. Some U.S. organizations are moving past the initial ERM activities, however, and are beginning to move beyond compliance risk management. Some companies are in fact moving ERM into operational issues and strategic development.

With increasing pressure coming from the corporation’s board of directors, rating agencies and other interested stakeholders, one would expect the advances in ERM to continue at a rapid pace. Forward-looking organizations are beginning to see the overwhelming importance and value-added benefits associated with ERM by doing business better and making better business decisions. In general, the study confirms that the respondents understand ERM to be more than a compliance effort, with additional benefits that can increase value, if done strategically.

Accordingly, U.S. corporations must begin to focus beyond mere compliance-related objectives to more strategic ones and move into the “advanced” status. Among the more important benefits noted by the survey participants are better informed decisions, improved communications, reduced earnings volatility, increased profitability and, most important, the use of risk as a competitive tool. *

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.