Your Risk Management Magazine
Mind the gap

Font size : + -

email print

Enterprise risk management (ERM) has been a mainstay of risk management discussion over the past decade, but available evidence suggests it remains an elusive concept for many. In the first of a two-part series, Stuart Fagg reports on ERMs state of play

Ever since it entered the management lexicon, enterprise risk management (ERM) has elicited debate, praise, condemnation and confusion almost in equal measure. A brief search around the internet reveals a huge disparity in definition, understanding and progress as does a quick glance at the plethora of research reports and surveys aiming to quantify the progress and success rate of ERM developments.

Indeed, in this magazine’s short history, ERM has been described as the only way to effectively harness the positive power of risk management, an invention of opportunistic consultants eager to part naive executives from their budgets, a dead parrot and the future of corporate strategy. Ultimately, most agree that ERM is all about being confident all risks are being addressed, but also having information about those risks being effectively communicated around the organisation in a form that non-risk professionals can use to meet their corporate aims.

However, there is no doubt that it is a concept that most organisations, be they large listed companies, government departments or private organisations, are somewhere along the ERM journey – a journey, senior risk professionals are at pains to point out, that has no logical end. So while it’s clear ERM remains a fundamental pillar of risk management’s evolution, problems remain. There are several reasons for this, but perhaps the main barrier is the human tendency to view risk as a potential downside, as opposed to something that can add value to an organisation in the same way as an acquisition or new marketing push. That is reflected in the relatively conservative nature of many organisations’ ERM approaches.

According to Jeanette Ward, director, corporate and government services at ratings agency Standard & Poor’s, which increasingly considers ERM frameworks as part of its assessments and ratings of listed companies, a recent survey the firm completed revealed this conservatism. “As with the divergence between aspects of the ERM framework, the survey also revealed an imbalance in the [survey] group’s risk management strategies in terms of exploiting the risk information delivered to management,” said Ward. “Indeed, far from making most of the risk information available, the survey respondents indicated that they are still fairly conservative by being largely focused on the downside of risk.”

That conservative view makes the job of the risk professional trying to lead his or her organisation down the proactive ERM path all the more difficult.

“There’s a real challenge in being able to – from a risk manager or chief risk officer’s point of view – embed a risk management culture in the business without it being seen as someone from head office coming with a big stick and saying you must do this,” said Craig Jackson, Oceania leader, risk advisory, at Ernst & Young. “I think that’s where the challenge lies.”

Rising to that challenge requires a step change in the way risk professionals communicate throughout their organisations and is reflected by the need for upgrading of skill sets to master influencing and negotiating skills internally.

“I think that most companies and or organisations are still struggling in that area, and they are probably not communicating the value of risk,” said Gary Anderson, managing director at Protiviti. “That means risk information is not being used by those line managers and executives to the extent that the risk management profession would like it to be. I think that is really a reflection of the shortcomings of what is currently being done.”

This means that while risk may be being effectively managed by the risk management function, true ERM is not achieved.

“It’s partly driven by some limitations on the skills of the people in the organisations,”Andersonsaid. “Perhaps they’ve got some good mechanical skills in risk management itself but they haven’t got the right communication skills or the right framework or measurement process to really engage and capture the more motivated side of the line management.”

Another barrier to ERM is that there can be a tendency to assume that it is only suitable to large, complex organisations operating in environments that carry significant risk, be it business risk, operational risk, compliance risk or environmental risk. While it is generally accepted that organisations operating in industries that carry higher risks – the financial services industry and the mining and resources industry are often cited as ERM leaders – couching ERM in those terms means squandering the benefits on offer.

“One of the questions that people often ask is, ‘do those industries with moderate levels of operating risk need to be as advanced with ERM than some of the higher risk industries?’” said S&P’s Ward. “That’s a question for the companies themselves, but if they want to benefit from the upsides of ERM, they do need to be more advanced.”

Australian organisations are in a relatively unique position, however, with many non-executive directors serving on a plethora of boards in vastly different industries. Given the increased exposure of directors to risk issues and their increased liability, they are in a position to take leading edge approaches from one industry to another, a trend that is already underway.

“The financial services sector and the mining sector are probably at the front of the pack because of the nature of their industries and the risks, regulation and global issues that they face,” said Jackson. “There is a lot of interest outside of those sectors on what is being done and what can be learned from it. We have meetings with directors, non-executive directors and other committee chairs on a regular basis, and when we talk about what’s happening in financial services there is a real interest in issues such as capital allocation, ie how we do allocate capital to various projects or businesses and get a return commensurate with the risks involved.”

Anderson added that increasingly, ERM approaches pioneered in financial services and banking are making the jump to other areas that have lacked the regulatory catalyst for action. “It is fairly well accepted within banking circles that the qualification and measurement of that risk is a direct benefit to the way the actual organisation conducts its business,” he said. “Accordingly, management have pretty well embodied that as a core element of how they go about their work. If it works in financial services, why wouldn’t it work elsewhere other than it is harder to measure and … there hasn’t been the same regulatory pressure and there hasn’t obviously been the same transaction profile that has enabled management.”

The lack of regulatory catalyst and the view that ERM and risk more generally do facilitate transactions and add value to the business may have clouded ERM developments outside financial services, he added. “I think some people have probably become a bit disappointed that organisations outside financial services or the risk management community as a whole don’t have an equivalent alternative as has been developed in financial services. But again, I think that reflects just a shortfall in the way risk management is being applied in those organisations, that there is a gap in the way it is being reported.”

However, despite the progress, there remains significant work ahead for organisations on the ERM journey. “Most companies are still grappling with how to get an efficient and effective ERM framework in place,” said Jackson. “How do you make sure that you have covered all the key risks and that you have not spent too much time and effort on less significant things? I do not think there are many organisations outside the financial services sector –and even then there are those that have issues – that have got to the right level of effective ERM framework. It is an issue right across major corporates.”

For risk professionals who are struggling to articulate the benefits of ERM to executives, there are more and more compelling reasons that should convince them. For example, in Australia S&P’s work on ERM has not resulted in any ERM-related ratings changes, which reflects the firm’s positive view of developments. That, however, may change. “As risk management practices evolve, the insights gained on ERM will be increasingly factored into our credit ratings,” Ward said. “Indeed, with ERM considered a major advancement in the risk management discipline, the adoption of ERM, and how strongly it becomes embedded, has the potential to be as much a positive factor as it is a negative influence – supporting or constraining ratings and rating actions. Equally, ERM shortcomings also have the potential to flag early warning signals for possible poor performance.”

Moreover, some insurers in the US and Europehave seen their credit ratings boosted by demonstrating effective ERM frameworks.

S&P’s has been considering ERM as part of its insurance ratings criteria since the second half of 2005 and uses them to monitor an insurer’s ability to respond to risk and financial volatility. So far S&P’s has used the criteria on 78 insurers and reinsurers.

Additionally, leading institutional investors are increasingly shunning companies that cannot demonstrate successful risk management frameworks.

According to analysis from Ernst & Young issued just over one year ago, around two-thirds of investors will apply a penalty to a potential investment target if they consider risk management to be insufficient. More than half of those surveyed have removed their investments for the same reason.

However, the study also unearthed the growing influence of good risk management on business strategy and the facilitating of transactions. More than 80 per cent of investors will pay a premium if they see evidence of good risk management.

Third-party scrutiny of ERM is a trend that will intensify, leaving those not on the way to implementation at a competitive disadvantage.

“There is an emerging differentiation between those businesses that cover risk well and those that are perceived not to,” said Jackson. “I think that whole theme has developed over the last year and I think will continue to develop in the next year. Of all the other factors that are assessed from the outside when looking at a company, this is really another. The way the company deals with risk is just another factor and there are positives and negatives. You’re either on the positive end of the scale, or you’re on the negative end. If you’re on the negative end, your share price suffers or the way you’re perceived suffers.”

Next month: ERM technologies, benchmarking and measurement

  • Bookmark & Share
go back
Your comment
Risk management is the place for positive industry interaction and welcomes your professional and informed opinion.
eNewsletter

Breaking news, video interviews, opinion and analysis delivered straight to your inbox. Subscribe now
Categories

Home   |    Advertising   |    About Us   |    Contact Us   |    Privacy Policy  

© 2012 Key Media Pty Ltd.