On March 12, 2010 the NC State University ERM Initiative hosted a half-day ERM Roundtable Summit in Charlotte, NC that involved a series of two 90-minute panel discussions. Our first panel focused on “ERM: Lessons Learned,” while the second panel focused on “ERM: Directions for the Future.” Both panels consisted of real-world ERM experts who are heavily involved in leading ERM efforts within their organizations or who are providing significant ERM leadership roles at a national level through organizations such as COSO, Standard & Poor’s, and Grant Thornton. Both panels engaged in lively discussions about real-world experiences and lessons learned from their leadership in ERM implementation process at their companies. Read summaries of each panel’s discussion below.

Panel One: “ERM: Lessons Learned”

Our first panel focused on “ERM: Lessons Learned.” This panel, which consisted of three current Chief Risk Officers and a fourth individual who serves on two boards of directors and as COSO Chair, engaged in a lively discussion about real-world experiences and lessons learned from their leadership in ERM implementation efforts at their companies. The four panelists included:

  • Marshall Croom, SVP and CRO of Lowe’s Corporation,
  • Dave Landsittel, COSO Chair and Member of the Board of Directors for Molex Incorporated and the Burnham Family Funds,
  • Dan Wall, CRO of RBC Bank USA, and
  • Susie Wilson, VP, General Auditor and CRO of Reynolds American Inc.

Bailey Jordan, Partner at Grant Thornton, LLP, moderated this panel.

The panel discussion interestingly started by focusing on the one question where each panelist answered differently – Why did his or her company implement ERM? The responses varied noting that the launch of ERM was motivated by merger activity, by a desire to utilize an established risk framework, and in response to financial reporting scandals in early 2000. This goes to show that there are a multitude of reasons organizations decide to implement ERM and that they may be motivated by reasons other than the increased pressures from investors and regulators we are experiencing today.

A concurring theme that quickly emerged in the discussion was the importance of recognizing ERM as a framework and not an instruction manual or project-task for management to complete in a short horizon. Instead, ERM is an evolution that may go on for years as the world of risk continues to evolve. Thus, it is important that the leadership of the organization understand that implementing ERM isn’t done overnight and that it may never be “completed.”

The panel emphasized that a successful risk management initiative should be tailored to each company’s specific business processes, objectives and strategies in order to produce the desired results. In doing this, the panelists consistently noted that ERM has helped foster more effective communications among management and their boards about risks and it has helped to refine decision-making processes when risks are involved.

The structure of ERM leadership differs slightly among companies with some having a separate executive committee dedicated solely to risk management and others having a process that designates different risk management responsibilities to various committees that are most experienced in that area. However, what is common is the fact that clear communication throughout executive management is necessary so that each person knows who is in charge of tracking which risks. Most panelists further noted that their company’s internal audit function provided synergies with its ERM process while remaining a separate entity itself.

One challenging aspect of ERM was defining a risk appetite for the organization. This was mainly due to the fact that many of the risks being considered aren’t easily quantifiable. Most found defining risk appetite to be a complicated task. To deal with this challenge, the panelists noted that they tried various methods of trying to define risk appetite. One organization decided to not strive towards one specific measure of risk appetite and instead worked towards creating broad, qualitatively described risk appetite guidelines. Another described risk appetite by defining various measures of the impact levels specific risks may have on customers – that helped them describe their overall appetite for risks in terms of customer impact. Dave Landsittel noted that COSO is currently developing more guidance in this area as it is one that generates many questions and requests for additional guidance.

Overall, the panelists pointed out that ERM should be embedded into the culture that is instilled throughout an organization and that ERM must be strongly supported by executive management in order to be successful. Working with risk management efforts already in place to leverage what already exists into an aggregate view can be one of the best ways to efficiently evolve a risk management into an ERM view.

Panel Two: “ERM: Directions for the Future”

Our second panel focused on “ERM: Directions for the Future.” This panel, which consisted of two executives leading the ERM efforts in their organization, a Grant Thornton national office partner focused on national-level regulatory and legislative developments, and the lead spokesperson for Standard & Poor’s ERM evaluation processes. The panel engaged in a lively discussion about their views of the future state of ERM. The most common theme that emerged was the belief that ERM is far from its mature stage in the general public and it is the responsibility of risk management professionals to educate others on the importance and benefits of ERM. The panelists included:

  • Steve Dreyer, Managing Director – Lead Analytical Manager, U.S. Utilities & Infrastructure Ratings, Standard & Poor’s,
  • David Fox, Director of Risk Management, KBR, Inc.,
  • Trent Gazzaway, Managing Partner, Corporate Governance, Grant Thornton LLP, and
  • Jim Traut, Director of Enterprise Reputation and Risk Management, H. J. Heinz Co.

Mark Beasley, Deloitte Professor of Enterprise Risk Management and Director of the ERM Initiative moderated the panel’s discussions.

The panelists began their discussion by considering what the current state of ERM is in the business world today. Each panelist shared similar views in that although ERM has come a long way in only a few years, it is far from being mature. As the complexity of business processes and risks have increased, so too has the need for professionals in the risk management field, especially those with ERM knowledge.

The one topic that panelists considered extremely important to ERM was the recent SEC requirement for increased disclosures in proxy statements to shareholders concerning risk management procedures. Some believe that this ruling will be the big push most businesses needed to implement a better risk management practice. Others pointed out that actual results stemming from these disclosure requirements will take much longer to manifest themselves and that implementing ERM simply to comply with obligations would in effect be useless.

One thing the panelists did agree on is that the SEC ruling has sparked board interest and conversation about what can and should be done within companies regarding risk management. The panelists noted that it is important for board members to see value in ERM and appreciate the importance of connecting ERM to organizational goals rather than seeing ERM as merely a compliance exercise to meet disclosure requirements.

One interesting topic mentioned was the possible impact of ERM on financial reporting. One panelist noted that rather than using a controls based approach with ERM, it should instead be used to take an overall look at how risks are being managed within a company. ERM can then be maintained with monitoring so the company can have instant access to insight about current risks the company is facing.

Panelists then focused on the future of ERM in their companies. While some may be in different phases of implementation, a common thread emerged. ERM must begin and be supported at the top of the company and then work its way down to individual business units slowly. Keeping a simplistic approach and encouraging risk discussion among all levels of employees is key to instilling a risk aware culture and creating a successful program.

The panelists had various thoughts on where ERM will stand in the year 2015. Some believe that if ERM is successfully adopted on a widespread basis, it will actually be discussed less as it will become second nature to consider risks on an enterprise wide basis daily. Others are concerned that the criticisms of the use of modeling in risk management in the recent crisis will be a setback for established risk modeling when what we should be doing is combining both modeling and qualitative analysis for a hybrid risk approach. One common thought is that it will take much longer than five years for ERM to come full circle. In the meantime, professionals should remain diligent in their journey to spread knowledge about risk management. This can be done not only by educating the business world, but also through case studies to show how ERM creates value.