Enterprise Risk Management

ERM: The big picture

Poor implementation can, and has, led to crisis

By Michael J. Moody, MBA, ARM

Over the past 10 years, one of the most talked about topics in some business circles has been enterprise risk management (ERM). In general, progress of the ERM movement has been slow and disjointed—two steps forward and then one step back. However, one industry segment, financial services—particularly banks—accepted ERM and made a meaningful commitment to it. And up until about 12 months ago it appeared that all was going well.

Events have shown, however, just how poorly ERM was being implemented within the financial services sector. What has become commonly known as the “subprime meltdown” exposed the banking industry’s true commitment to ERM. And by most standards, it has been a total failure.

Many shortcomings

There are about as many reasons for the failure of ERM as there are people commenting on this topic. Despite this, several primary issues added to a bad situation. Among the most noted issues are:

• Lack of a uniform approach to ERM

• Newness of the ERM practice

• Inability to properly aggregate risks

• Lack of qualified risk professionals

In addition, several other key issues led to the current problems in the financial sector. Much of the blame must be put on the self-regulating aspects of the industry that allowed organizations to take maximum advantage of financial leverage. At the end of the day, while the industry was formed on the concept of risk taking, few of the key players actually had “skin in the game.” This lack of meaningful risk involvement has led to a relaxation of traditional underwriting requirements for home mortgages.

An additional factor regarding the lack of underwriting requirements was the compensation schemes that accompanied these programs. Many firms were wired into the concept of paying per mortgage, so with each successful mortgage loan, a commission was paid to the originating loan officer. This concept also led to a relaxation of the traditional underwriting criteria. No consideration of the long-term effects of this aspect was ever provided, while many loan originators were getting wealthy by bundling subprime loans and selling them to the public.

When you distill all of these items down, however, you’re left with one overriding problem: failure to incorporate ERM in the corporate culture. In essence, most organizations were giving little more than lip service to ERM and failed to support ERM at the top of the organization. The “tone at the top” never reflected a true commitment. And this is needed to properly implement a successful enterprise risk management program.

Importance of embedding

Just how important is incorporating or embedding ERM into the corporate culture? The Federal Reserve has long been a proponent of a strong risk management program, and at a recent conference Federal Reserve Board Governor Randall S. Kroszner made several specific references to ERM. He pointed out that “the ongoing fundamental transformation in financial services offers great potential opportunity for those institutions able to integrate strategy and risk management successfully.” And he said, “I will argue that survival will hinge upon such integration,” adding that he believes that it “is necessary for institutions to improve the linkage between overall corporate strategy and risk management.”

Further, Kroszner noted that over the past year there have been a number of studies analyzing the causes of the current turmoil, and many found “shortcomings in the risk management practices of the various financial institutions.” In some of the strongest terms yet from the Fed, he pointed out, “Risk management needs to be interwoven into all aspects of a firm’s business and should be a part of the calculus of all decision-making.” He concluded his remarks by noting that, “having a corporate strategy that does not include risk management at its core is not really a strategy at all.”

Recent results

Despite knowing that they have ultimate responsibility for establishing the tone at the top, many directors of financial service firms continue to fail at embedding ERM into their organization’s corporate culture. A recent study by PricewaterhouseCoopers (PwC) of more than 300 financial company board members illustrates just how far they are from the school. The survey, which was taken between September 22, 2008, and October 4, 2008, notes that 65% of the participants still say they lack the tools and transparency to properly assess risk and exposure. And PwC also points out that the majority (88%) of the participants do not adequately account for their exposures to off-balance-sheet entities.

The survey also found that despite ERM being a strong board priority, most of their organizations lack the necessary firm-wide understanding of the objectives and responsibilities related to ERM. The study points out that this remains limited and may in fact undermine the company’s day-to-day decision-making. In the final analysis, the summary notes, “It’s how well developments are being embraced by frontline managers.”

One of the conclusions that the survey reaches is that it is critical that the board get additional training on its risk oversight responsibilities. This has become an important element for the boards of all corporations. They must seek outside assistance, if internal resources are not adequate. Additionally, the board must demand adequate information, both recent and relevant data that will offer a comprehensive overview of the organization’s risk management program.

Some managements point out that Sarbanes-Oxley (SOX) has already addressed the issue of the board’s oversight duties with regard to risk. However, while there are specific references to risk oversight within SOX, it is important to note that SOX has no bearing on whether transactions are pursued wisely, only on whether they are recorded accurately. And now that stakeholders’ expectations of their boards are higher than ever, it is advisable that the boards find ways to embed ERM within their organizations.


At this point in time, it appears that ERM is set to become an integral part of most corporations’ overall strategic management initiative, so the stage is set to allow ERM to become a major aspect in financial management. But it still remains the board’s responsibility to oversee risk and, given this responsibility, few board members can afford to neglect to include it in the corporate culture.

Based on recent events, from a big-picture standpoint, it is now evident that some form of robust, proactive risk management will need to become incorporated in all strategic planning efforts. Obviously ERM fulfills that role and provides an enterprise approach to risk management; however, it can function only to the extent it is embedded into the organization. The board must continue to convey the importance of ERM to operational management.

As Kroszner noted, “Having a corporate strategy that does not include risk management at its core is not really a strategy at all.” And the ultimate responsibility for setting the tone at the top as well as risk oversight remains with the board of directors.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF), an independent consulting firm that has been established to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.


