Over the past month I have had the opportunity to meet and talk with a number of risk management executives who have engaged with us at our ERM Initiative Advisory Board meeting, our ERM Roundtable Summit, and our inaugural ERM in Higher Education workshop, and I have traveled to Europe to participate in ERM conferences there. In all these experiences I have observed a number of common themes related to opportunities to strengthen ERM processes. These opportunities seem to transcend organizational size, industry, and geographic location. Let me highlight five challenges that ERM leaders view as opportunities to strengthen the value of their organization’s ERM efforts.
- Strengthening the Integration of ERM and Strategy. While many organizations initially embrace ERM as a tool to identify important risks confronting the business, a number of organizations continue to express a desire to strengthen the integration of ERM and strategy. Unfortunately for some, management, and in some cases, the board of directors perceive ERM to be primarily focused on loss prevention or as a compliance exercise, with little relevance to strategic planning and execution. In fact, survey research conducted by the ERM Initiative at NC State finds that 55% of respondents indicate that their organization’s risk management processes do “not at all” or only “minimally” provide strategic advantage. Because ERM leaders understand the important relationship between “risk” and “return,” they are looking for ways to better connect insights obtained from their ERM processes with the strategic direction of the business. Many recognize that to strengthen the integration of ERM and strategy they may need to rethink the lens that they use to identify and assess risks. Rather than beginning a risk identification process (e.g., risk interviews, workshops, surveys, etc.) with “What risks are you most concerned about?,” they are now realizing that they instead need to first begin with “What are the organization’s current value drivers?” (e.g., what are our “crown jewels?”) and what are the important new initiatives in our strategic plan?” With that as a foundation, the risk identification process can begin by centering management’s attention on the question “What challenges might emerge (internally or externally) that might impact the continued success of our most important core business drivers and new strategic initiatives?” With the core business drivers and new strategic initiatives as the starting point to risk identification, ERM leaders are discovering that they can help management and the board see how ERM can be an important strategic tool to pinpointing the risks most likely to affect the success of their strategic objectives.
- Looking for Clusters of Risk Drivers. Robust ERM processes typically result in the identification and aggregation of top risks for management and board review and discussion. Often ERM leaders summarize and report the entity’s top 10 to15 risk concerns at least annually, if not quarterly, to management and the board of directors. This approach can lead to a robust discussion about each of those top risks, with individual top risks being assigned to various subcommittees of management or the board for further discussion and attention. While such processes are appropriate and value-adding, a number of ERM leaders are realizing these activities may be focusing attention too much on symptoms or outcomes of risks causing management and the board to fail to recognize the interconnectedness among root cause drivers of top risk exposures. To respond to this concern, ERM leaders are increasing the depth of their root cause analyses for each of the individual top risk concerns with the goal that they might identify overlapping root causes among the top risk concerns. Doing so helps management and the board recognize common stress points where a particular risk root cause might relate to more than one top risk exposure. By recognizing clusters of risk drivers, management is in a better position to respond to events that might trigger multiple risks simultaneously, strengthening the resiliency and agility of the organization should those risk triggers occur.
- Strengthening Metrics to Monitor Key Risks. As organizations embrace the concept of ERM, so much of their focus is on the identification and prioritization of risks and the subsequent analysis to understand how the organization is responding to those risks. But once ERM leaders communicate this information about top risks to senior management and the board, they sometimes wonder how they can best keep their eyes on those risks over time. Because most organizations possess significant data and reports concerning the entity’s performance, many believe they have the metrics they need to provide insights about risks emerging on the horizon. Unfortunately, most metrics included in management’s dashboard reports represent key performance indicators (KPIs) that focus on the entity’s historical performance by looking backwards in time to highlight what has happened (good or bad) related to the entity’s performance. While KPIs can provide some insight as to potential emerging trends for the entity, KPIs typically provide insights about risk events that have already occurred. ERM leaders are recognizing the limitations of KPIs in predicting emerging risks and they are working to enhance their management dashboard systems with key risk indicators (KRIs) that have a forward looking view of emerging trends. In doing so, they are looking not only at how internal data might be useful in predicting future trends, but they are also realizing that many of their emerging risks require them to look at data external to the organization focused on macro-economic, competitor, regulatory, and geo-political issues that might provide early signals about increasing risk trends. ERM leaders are investigating how data analytic techniques might help them develop effective KRIs for monitoring top risks.
- Ensuring Both Short Term and Long-Term Horizons are Considered. When engaging in discussions with management about risks on the horizon, ERM leaders typically have management focus on risks that might emerge over an 18 month to two-year time horizon. While that short-term focus is important, ERM leaders are realizing the necessity of complimenting that short-term focus with a long-term focus as well. If organizations fail to look beyond the short-term horizon, they may manage risks that might affect things in the near term, but they may fail to recognize broader megatrends that may be gradually evolving into major risk issues affecting the long-term viability of the entity’s business. ERM leaders are realizing the need to ensure some within the top management team are thinking not only about short-term risks but also about how longer-term risks (e.g., risks emerging in the next 5 to 10 years) may be arising so that they can begin to proactively respond in ways that might help prevent the entity from naively “floating down a stream unknowingly heading towards the edge of a waterfall.” To accomplish this, they are engaging management in risk identification and risk assessment tasks that encourage them to think about risks over both short-term and long-term horizons.
- Obtaining an Honest Read on the Organization’s Risk Culture. Most ERM leaders understand the reality that “Culture is King” when it comes to management and board embrace of ERM processes. Without an effective “tone at the top,” risk management processes may be viewed as low-value activities with little recognition of the importance and value in obtaining a robust understanding of risks to the business. Many ERM leaders are seeking to get a read on the realities of the organization’s culture in regards to risk-taking and risk-management and, based on that understanding, they are seeking to identify techniques to help the organization improve its overall risk culture. The challenge they are facing is that measuring risk culture is very difficult given there are many influencers of culture, such as the board’s engagement, CEO support, commitment to core values, risk transparency, risk ownership, and risk management resources and training, to name a few. While there are some tangible measures of each of these drivers (e.g., we can measure how many employees have completed a code of conduct annual compliance certification), it is the more intangible aspects of risk culture influencers that matter. That is, to what extent are actions by senior management revealing behaviors consistent with the spirit and intent of the code of conduct? ERM leaders are now beginning to explore how they can get a read on the realities of the organization’s current risk culture by engaging in some assessments of key risk culture influencers, even if those assessments are heavily dependent on subjective, qualitative measures. While they recognize many of these measures may be subjective, ERM leaders are realizing they need to start somewhere in assessing their organization’s risk culture so that employees all across the organization sense a culture exists that embraces the escalation of the entity’s most important risk concerns to those who need to be made aware.
ERM leaders have much in common as they seek to strengthen their organization’s risk management processes. The observations herein represent my aggregation of a number of challenges and opportunities expressed by ERM leaders with whom I have interacted over the past month. These challenges seem to transcend different types of organizations and they are not limited to a U.S. perspective. Collectively those in ERM leadership roles are viewing these as next steps to strengthen the maturity of their organization’s ERM processes as they continue on their ERM journey.
The ERM Initiative’s website ( www.erm.ncsu.edu) contains hundreds of articles, thought papers, and other resources that may be especially helpful in strengthening your organization’s risk management processes. Of particular note, readers may find our new video series featuring interviews of ERM professionals especially valuable.
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and Director of the ERM Initiative at NC State University. He completed over seven years of service as a board member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and has served on other national-level task forces related to risk management issues. He advises boards and senior executive teams on risk governance issues, is a frequent speaker at national and international levels, and has published over 90 articles, research monographs, books, and other thought-related publications.