Elevating Value of Leading-Edge ERM:  Highlights from the April 22, 2022 ERM Roundtable Summit

Garrett Petraia, Chief Security Officer at Levi Strauss & Company, provided an outstanding overview of the ERM process at his organization. Garrett stressed the importance of making the risk conversation intuitive for business partners within the organization by asking about their goals, objectives, and key performance indicators. He also shared that his function exists to help these partners manage the headwinds and to assist in preventing their occurrence. Key questions to ask include “Are we prepared to manage through the disruptions if they do occur?” and “How might the risks and associated disruptions (i.e., headwinds) we’ve identified affect your ability to achieve those goals and hit performance targets?”

Garrett argued that this represents a shift from controls-based risk management toward the concept of ‘anticipatory risk management.’ The concept of anticipatory risk management focuses on preparing for the realities of disruptions without trying to guess what might trigger the disruption. This approach can yield multiple benefits as summarized in the sidebar.

Garrett closed his presentation by discussing how the content of his Enterprise Risk Committee meetings have evolved given this change in focus. Each meeting now addresses three important topic areas:

• What’s new? This consists of updates since the last meeting.
• What’s now? Which risks, crises, and initiatives are we managing now?
• What’s next? Scanning the horizon to identify and address emerging risks and disruptions. What actions are we taking now? What can the ERC do to help?

Benefits of Preparing for Disruptions:

• We know disruptions will occur. Most disruptions now seem driven by forces outside a company’s control.
• The key is building agility and resilience to manage whatever disruptions come next.
• There is value in shifting the philosophy from focusing on the cause, to focusing on dealing with the disruption, recovering, and creating opportunities.
• Requires focus - pay attention to the important, not the interesting.
• Makes crisis management & business continuity an integral part of ERM.

Brittany Tomkies, a Manager serving in EY’s Risk Transformation practice, provided an overview of the multitude of risk issues that are important to consider and monitor as entities increasingly engage with third-party providers. Brittany began her presentation by defining third-party risk management (TPRM) as a process to allow an organization to identify, evaluate, monitor, and manage the risks associated with third parties and contracts. Brittany also identified several key drivers that highlight the importance of a robust TPRM process:

• Significant disruption can impact revenue and reputation: The risk of service failures, security breaches, revenue loss, supply chain interruption, loss of customers and penalties can negatively impact the reputation of organizations.
• Extensive dependence on the third-parties: Key operational, financial and compliance-related functions are increasingly placed in the hands of third-parties or the technology solutions they provide.
• Increased data protection obligations and regulatory focus: Complex laws and regulations mandate that corporate control activities extend to third-parties when appropriate.
• Efficiency gains: Companies seek to reduce costs, increase efficiencies, and drive quality back-office functions. Many institutions incur redundant costs when the same suppliers are independently assessed multiple times.

Brittany laid out a model TPRM process she and her team can implement and introduced a set of key questions to stimulate discussion about this topic. These include:

• What type of third-party risks are important to your organization?
• Does your organization have a comprehensive inventory of third-parties and existing third-party risks?
• Are you able to differentiate among third-parties in order to align resources against the most significant third-party risk areas?

Business Case for Explicitly Focusing on Third Party Risk Management

1. Unmanaged risks can lead to significant disruption impact on revenue and reputation.
2. The dependence on the third-parties is extensive and growing quickly for most organizations.
3. Increased data protection obligations and regulatory focus encompasses data impacted in many ways by third parties.
4. Efficiency gains can be realized if risk management efforts are coordinated and consolidated across third parties.

Joe Pugh, Director of AARP’s ERM and Compliance efforts, led our fifth session. Joe is the architect of the ERM program at AARP and helped establish the risk governance cadence that provides risk information to executives and the Board of Directors as they make key strategic decisions. In his session, Joe shared insights about what AARP has done to engage both the board and the senior management team in an integrated partnership that leads to an effective approach to ERM.

Joe discussed four key components of the ERM process that he believes have been integral to the success of the program at AARP. First, he stressed the importance of the creation of a ‘risk working group’ that consists of two members of the AARP board, four executive team members, and an ERM facilitator. This group was tasked with establishing ground rules for engagement, to meet on regular basis between Board meetings, to create a sense of collaboration and shared responsibility, and to develop ERM advocates within the organization. Next, a robust education effort was undertaken to provide a foundation and to level-set the ERM process while clarifying board risk oversight responsibilities. Third, a joint risk assessment survey is used to identify gaps between management and board perspectives on the likelihood and impact of potential risk events, which serves to stimulate risk conversation where such gaps exist. Finally, a joint risk scenario workshop is conducted to deeply explore the potential implications of key risk exposures. Joe closed with key takeaways from this effort: (1) Board and executive management now reach a consensus on the critical risks driving strategy, (2) AARP can now formally bake risk appetite into the strategic planning process, (3) There is an annual cadence for the review of risk appetite, (4) Robust strategic conversations are happening in the board room, and (5) A more risk savvy board.

Steps to Strengthen Board + Management Risk Partnership

• Create a risk working group of management and board.
• Educate to provide foundation and to level-set the ERM goals and roles.
• Identify gaps in risk views between board and management.
• Engage in discussions about potential risk exposure gaps.

Our final session of the ERM Roundtable Summit featured a presentation by a team of our Jenkins Graduate School students who have developed a case study identifying innovation opportunities in ERM. The team consisted of Carson Best, Bibiche Bolobiongo, Madi Bonello, Peyton Gilbert, and Ashwin Ramachandran and was supervised by Ericka Kranitz, Director of the the Master of Management, Risk and Analytics program in Poole College. The student team interviewed a number of ERM leaders in a variety of organizations and posed the following questions to them:

• What have you done in the last two to three years to advance your ERM program?
• What is on your ERM to-do list for the next two to three years?
• How do you envision ERM in your organization a decade from now - in 2032?
• What qualities and skill sets are important for new hires and what development opportunities have you created for current employees?

Four key themes emerged from their conversations. First, culture is critically important to the success of ERM and that will only be increasingly true in the future. Senior management must continue to establish the proper tone to encourage buy-in across the organization. Second, the expanded availability of data and the use of data analytics will be crucial. We live in a data-rich world and leveraging the opportunities this presents will be both a challenge and a significant opportunity. Third, talent risk and solutions are affecting all organizations. The ideal ERM candidate was identified as someone who is a natural problem solver, who is comfortable presenting strategic information, and who knows how to ask the right questions. A blend of both soft and technical skills will be required for ERM innovation to occur. Finally, the ability to think strategically and be forward-looking is essential. Innovation can take place when we can associate individual risks with emerging risk themes, when we can proactively act on opportunities, and when education efforts within the organization create new opportunities for honing our gaze on the emerging risk landscape.

4 Themes to Support Innovation in ERM

• Culture is critical: Buy-in to the importance of ERM for the organization is critical for fostering innovation.
• Data Analytics will be crucial: Leveraging data to generate more real-time, holistic metrics of emerging risks will be a game-changer.
• Hard and soft skills needed for risk leadership: Problem-solving skills and strategic mindset lead to innovation opportunities.
• Forward-Looking focus: A strategic, forward looking mindset helps look beyond the status quo of ERM processes to pinpoint new opportunities.