Enterprise Risk Management Questions

Questions a Compelling Business Case for ERM Should Answer

Enterprise Risk Management (ERM) will help any organization drive value and strategy as well as meet risk oversight challenges. However, these overarching ideals can appear vague and may not convince executives to invest in ERM. Identifying quantifiable data to support the implementation of an ERM program is difficult because it is an emerging discipline, but guiding questions can help to more specifically define the value of ERM for an organization.

Why does the organization need ERM?

What Benefits Have Other Organizations in the Industry Experienced?
Financial institutions that have implemented ERM programs have reported improved performance management, better risk-based pricing, and reduced capital allocation and credit losses. Similarly, publicly held companies have reported stock price improvements, debt-rating upgrades, early warning of risks, loss reduction and regulatory capital relief. ERM's increasing strategic value is attributable to these benefits gained by early adopters.
Any organization with a well-integrated ERM program can enjoy these advantages:

  • Highly efficient and effective management
  • Discovery of new opportunities
  • An increased probability of achieving objectives and goals

Evidence that ERM provides a competitive advantage can be persuasive in a business case.

What Compliance Models Are Other Organizations in the Industry Adopting?
Although ERM has not been mandated by reporting and governing organizations (except for the National Association of Insurance Commissioners (NAIC), whose Own Risk and Solvency Assessment Model Act #505 applies to insurers), emerging compliance models focus on an organization's adoption and integration of ERM. Therefore, compliance with accepted models is becoming a driver of ERM, which is a compelling reason for organizations to view ERM as a strategic priority. Organizations can convert the significant costs they have incurred to comply with the Sarbanes-Oxley Act of 2002 into a business benefit by implementing an ERM program, which provides more benefits than simple compliance. Implementing ERM may also help organizations avoid potential rating agency downgrades and risk to their reputation.

What Strategies Should Be Driven From the Board Level Through the Organization?
An organization can use ERM to implement and monitor a consistent cross-functional program to more effectively address threats and opportunities. Implementing such a program can ensure that decisions throughout the organization are consistent with the stakeholders' risk tolerance. This can be a compelling argument in a business case if the organization has previously failed to address stakeholder concerns. Board members and executives can defend against potential regulatory investigations by demonstrating their organization's ERM effectiveness in compliance oversight issues.

How Can ERM Help Maintain Consistency in a Changing Environment?
Consistency in risk monitoring is an important organizational capability, especially in a changing environment. Having a clear process for making informed decisions improves an organization's resilience. An ERM program with risk monitoring systems is clearly valuable if impending changes in the organization's environment are obvious and the potential for gains or losses based on knowledge of the shifts in risk can be demonstrated. Evidence of situations in which the organization failed to take adequate action, together with a quantified value of that failure, can be a compelling addition to a business case. For example, if a steel-forming company did not recognize that the cost of raw materials would rise and failed to secure prices at the lower rate, the difference between the anticipated and actual costs can be calculated as a loss that could have been avoided had an ERM program been in effect.

What resources must be committed to ERM?

The investment required for an ERM program depends on the organization's existing risk management program.

The extent of an ERM program depends on the organization's size, goals, values, industry, risk profile, competitive environment and financial resources. Some risks are apt to be a key concern for any organization and should therefore be prioritized for action. ERM methods for addressing these prioritized risks can then be drafted and the required investment estimated.

The resources committed to the existing risk management program, as it addresses the prioritized risks, are then compared to the investment required in the proposed ERM program. The difference is the resources required. The estimate of resources should include four types of costs:

  • Infrastructure improvements
  • Capital expenses
  • Change issues in processes
  • Oversight, facilitation and training

How will the success of the ERM program be measured?

Measures of success are important because they provide a way to determine whether an ERM program is making a difference. In a business plan, the measures are the target goals against which actual results can be compared. There are two broad and closely related approaches to measuring ERM success:

  • Results-based: success of the ERM program in addressing the organization's risks
  • Activity-based: success in the implementation of the ERM program

Success of the ERM Program in Addressing the Organization's Risks
Obvious goals for an organization implementing ERM are to effectively address risks, especially those identified as high priority for action, and to be able to measure the effectiveness of the actions taken compared to the resources committed. Executives need to be able to respond to the question, "Was implementing ERM a good decision, and would we have had different results if ERM had not been implemented?" Management can use this "results-based" method to evaluate the ERM program's success. Measurements of this type of success can fall into a number of categories, depending on the risks that the organization is attempting to address.

To be effective, measurements of success proposed in an ERM business case should be practical and logical and embody these characteristics:
  • Quantifiable in terms of currency, percentage, number, or as compared to internal or external benchmarks
  • Consistent and traceable over time using standards that are readily identifiable
  • Related to the probability or severity of the organization's key risks
  • Representative of predictive and historical indicators
  • Useful in supporting management decisions
  • Timely and cost effective
  • Simple to monitor, without being overly simplistic

Success in Implementation of the ERM Program
The success of an ERM program's implementation can also be evaluated based on the ERM program's activities. This method of evaluation relies heavily on the engagement of senior executives and the board members; establishment of policies, systems and processes; defined risk appetites; development of communications and an ERM dashboard; and integration of ERM in strategic planning, business processes and performance management.

The "ERM Measurements of Success: Examples" exhibit illustrates some of the measurements that could be used to assess the success of the ERM program in a given organization.

The Risk and Insurance Management Society's (RIMS) Risk Maturity Model (RMM) provides an effective set of attributes for measuring the degree of ERM competency within an organization. The RMM framework distills elements of ERM by category and then into assumed best practice factors and indicators within each category. This approach provides a model for ERM benchmarking as an organization progresses in several areas of implementation:
  • Adoption of ERM-based approach
  • ERM process management
  • Risk appetite/tolerance management
  • Root cause discipline
  • Uncovering risks
  • Performance management
  • Business resiliency and sustainability

Who will be in charge of the ERM program?

The effectiveness of ERM depends on the effectiveness of the organization's information and communication. Information and communication about risk should be integrated for the organization as a whole, by business unit, by functional unit, for product units and by geographic units. To make this possible, one or more senior executives should be in charge of ERM. Small organizations may distribute ERM responsibilities across several executive managers, depending on the degree to which ERM has been actualized within the organization.

What could "go wrong" or derail the ERM program?

Naturally, an organization's stakeholders will want to understand the positive aspects associated with implementing ERM. However, an ERM implementation also can fail. An ERM business plan should inform the stakeholders about possible events that could derail the program. A well-informed organization can avoid repeating errors encountered by early adopters. Mistakes and negative drivers can be broadly categorized:

  • Failure to secure strong board and executive management support and/or align risk appetite with strategic plans can derail an ERM program. If the organization's leaders cannot agree about the value of the program or define acceptable risk limits, any further ERM program plans could come under constant question, stunting confidence in the program.
  • Lack of communication, realistic goals, or common vocabulary can cause misunderstandings and potentially narrow the focus of the ERM program. This could lead to potential risks being overlooked. The extent of the ERM program, its purpose, definition of terms and the desired impact of the program should be communicated throughout the organization.
  • Failure to clearly define the roles and responsibilities for ERM and accountability for implementation of the program can degrade the importance of implementation.
  • Failure to acknowledge current risk management programs or individuals with developed risk management skills and abilities can create dissension.
  • Having a false sense of security because an ERM program is implemented can result in the organization's failing to collect risk information from all processes and effectively identify actual risks.
  • Allowing regulations and compliance to define the conditions for an ERM program's success limits activity and does not allow the organization to effectively recognize the benefits of the ERM program.
  • Overcomplicated data and reports can overwhelm the monitoring process and cause essential indications of risk to be overlooked. An ERM dashboard should simplify the monitoring process and provide dynamic access to information.

Why might an organization not want to implement an ERM program?

Despite the many advantages ERM can provide, ERM programs have not been fully embraced by all business sectors. For example, the financial services industry has been quick to recognize the benefits of ERM because of compliance issues and quantifiable economic benefits. Conversely, for other businesses, the qualitative costs related to reputational risk, social responsibility, risk culture and sustainable development are only just emerging and being recognized.

Additionally, organizations in the public and local government sector remain compartmentalized. Silos still exist in these organizations, a scenario that does not support the development of ERM. A public risk manager often is not an organizational decision maker, and continuity of service, essential to the success of an ERM program, is often absent from the public and local government sectors.

An organization might not want to implement an ERM program for these reasons:

  • Difficulty blending ERM with the current corporate culture
  • Board does not support the ERM concept
  • Board does not discern quantifiable benefits
  • Stakeholders do not want the organization to pursue certain ERM initiatives
  • ERM program is perceived as being a costly investment
  • Existing organizational infrastructure does not facilitate the required information flow

A final reason an organization might not want to adopt an ERM program is that its senior management might feel overwhelmed by the perceived amount of information required to support ERM, and by the information technology infrastructure and business intelligence applications required to collect and interpret it. For ERM to be effective, all segments of an organization must communicate with each other: data must be exchanged, and the information gathered must be analyzed, prioritized and integrated into the organization's overall strategic plan.

Adapted from Enterprise-Wide Risk Management: Developing and Implementing, 1st Edition, edited by Louisot & Ketcham.