ERM - Good business sense even without the regulator
ERM – What does it mean?
The term “Enterprise Risk Management” (ERM) gained wide exposure when the COSO Integrated Framework was published in the US in 2004, but at that time it was poorly understood, even among risk professionals, and no-one was applying it in practice. ERM is still a developing field, and it is accepted that even leading-edge organisations have some way to go. Since the COSO guidelines were published, however, many organisations have recognised a need to manage risk differently: continuing to control downside risk cost-effectively, but also improving their capacity for understanding and exploiting value-creating risk. In this environment ERM has gained ground, because it explicitly links risk to strategy, brings information about different types of risk together into a single global risk profile, and allows risk appetite to be set and managed to in an integrated way across the organisation.
So how does ERM work and why is it different from previous models?
Historically, different types of risk (for example insurance, credit, market and operational risk) were managed through discrete vertical processes which focused primarily on risk reduction. The language of risk management reflected this approach. Risk “treatments” were taught as the appropriate responses to risk, and although “Accept” was one of the standard treatment options, “Seek out / Optimise” was not. This language suggests that what we would now describe as strategic risk management was not being practised effectively, because it is at the strategic level that risk optimisation really functions, and this is what drives the ERM approach.
ERM recognises that there is uncertainty in all aspects of decision making, and that applying only tactical-level controls to mitigate risk means that some of the critical risks within the organisation, those relating to strategy, are not explicitly recognised and managed. This does not mean, of course, that the processes by which the individual risk types are managed no longer matter: they are key components of ERM, because they are what keeps risk within appetite. What ERM does is recognise their limitations.
Processes for managing single risk types tend to be housed in individual functions, making it difficult to see correlations and natural hedging opportunities. Working in this way also means that multiple outputs and reporting formats have to be forced together to create a global risk profile, something with which many organisations struggle. Most importantly, however, managing risk types individually creates a conflicting rather than a harmonising approach to risk management. In this scenario strategy does not drive risk appetite but is driven by risk exposure. Successful ERM turns this relationship around, so that strategy and appetite are managed coherently and risk optimisation becomes the key strategic objective.
This is why the most important component of ERM is senior management input. Strategy is set at the highest level, and any risk optimisation philosophy has to come from the same place. Only by considering and challenging strategic objectives and risk appetite together can an integrated, enterprise-wide risk approach succeed.
So what are the benefits of ERM?
AIRMIC recently published a report, “Research into the Benefits of Enterprise Risk Management”, based on original research conducted in organisations which had undertaken ERM initiatives in the three years up to 2006. The report identified a number of benefits, including “Better decision making, especially in the development of corporate strategy, because of the availability of more reliable risk information”. This may sound bland, but more interesting is the comment from the CRO of one of the organisations used as a case study: “The firm has an entrepreneurial culture … the better we manage risks, the more risks we can take”. This is borne out by statistics showing that, during a period of substantial business growth for this firm, the cost of risk (measured as direct losses, insurance premiums and risk management staff costs, as a percentage of turnover) is falling.
In another of the AIRMIC case studies, the benefits highlighted were that the organisation is no longer “comparing apples with oranges” in assessing risk information, and that “Risk Managers are now working collectively, no matter where their risks impact on the business”.
These are three of the biggest benefits that ERM can bring: a reduced cost of risk, consistency of approach leading to better-informed decision making, and collaborative risk management across functions and business units. Add in risk management which informs and underpins strategy, and the arguments for ERM start to add up.
So, what do you need to put an effective ERM approach in place?
As mentioned above, the most crucial component is senior management engagement and commitment. Strategic risk management demands strategic thinking, and in most organisations this sits at the top level.
An effective process, a shared risk language and robust data are also needed, so that everyone in the organisation understands the conversation, agrees on the facts and underlying assumptions, and can challenge proposals from a firm base.
But even if all these components are in place, ERM can founder on the rocks of organisational culture. Openness and transparency are not givens, nor is the response to good risk information always decisive and positive action, and if these cultural elements are not in place ERM will not succeed. An ERM initiative can provide an opportunity to drive cultural change if it is treated as a learning experience and run as a cooperative and collaborative programme which allows everyone in the organisation to find their feet. What does this mean in practice? It means “Don't shoot the messenger”. An ERM initiative, if it is to generate genuine change, is likely to bring to light perspectives and views which challenge the status quo, and this can create discomfort for individuals and for the organisation. The response to this discomfort determines whether ERM becomes an integral part of a better business, which no-one even notices after a while, or one of those initiatives everyone recognises as a missed opportunity and refers to with a wry smile. Which outcome you get depends on the tone from the top. If senior managers are not seen to be open to the change, the rest of the business will not have the confidence to engage with the initiative and take advantage of the opportunities it offers.
And finally, the regulator?
ERM is entirely aligned with the requirements of regulators, because it is a flexible, substantive framework which encourages constant measurement of, and challenge to, an organisation's risk appetite, tolerance, capacity and exposure. Developing a global quantification methodology for risk can only make stress and scenario testing easier. Anchoring the focus of risk management firmly at the strategic level not only provides good information for decision making but also gives senior managers greater assurance that risk management processes are working, because they are able to challenge outputs and assumptions and take action in response to variations in risk exposure. These are the requirements which underpin both the principles and the rules that regulators apply, so undertaking an ERM initiative is one way of putting your organisation in the position it needs to be in to meet developing regulatory requirements, and in particular to pass the “use test”.