At every ERM Roundtable Summit participants discover innovative and practical tips for making their ERM processes better and to refresh their approaches to identifying, assessing, and responding to key risks to their organizations. This fall’s event featured key insights from risk leaders at the American Red Cross, AFLAC, Experian, and Bank of America. Also, this fall’s Roundtable Summit included a Panel Discussion moderated by Bonnie Hancock, the Executive Director of the ERM Initiative, and included four panelists with sometimes disparate views on the ERM issues Bonnie introduced.
ERM – Supporting the Mission of the American Red Cross
Rob Ryan, Chief Audit Executive and Head of ERM for the American Red Cross (ARC), highlighted the phenomenal transformation that has occurred in his organization over the past decade. He acknowledged the role of ERM in helping enable that success. Rob outlined the structure of the process he heads and mentioned that his CEO has embraced the process and, in fact, considers herself to be the entity’s Chief Risk Officer as well. Rob chairs the Enterprise Risk Council which consists of ARC senior management that meet regularly to coordinate with risk owners to help develop, evaluate, and monitor risk responses implemented by the risk owners. Rob also shared many of the materials he uses to document the ERM process and to communicate with the CEO and her senior leadership team.
Rob emphasized the importance of developing a shared understanding of risk appetite within the organization and its usefulness in communicating boundaries around acceptable and unacceptable behaviors at ARC. He also discussed the importance of brand and reputation, a theme that continually emerged throughout the Roundtable Summit presentations. Finally, Rob described how he has been able to leverage the work of internal audit and enterprise risk management at ARC. Since he oversees both activities he has a unique opportunity to identify areas of concern and to direct resources that maximize the likelihood of identifying key risks to the American Red Cross.
Integrating ERM into Strategic Decision Making at AFLAC
Bobby Thomas, Senior Manager, US Risk Management and Elliott Long, Enterprise Risk Management Consultant, both from AFLAC, led a presentation that focused on AFLAC’s success in achieving a tighter integration between the ERM process they help lead and the strategic planning function at AFLAC. Bobby described the evolution of ERM at AFLAC and how it has moved from a “post-decision” add-on to having a significant “pre-decision” role in evaluating new projects. He attributed this evolution to a growing recognition that the ERM process can help identify important risks related to new projects across three dimensions:
- Risks this new project can potentially reduce
- Risks this new project may potentially create/intensify
- Risks in executing the new project
The presentation also included ten actionable lessons that Bobby and Elliott felt have helped them to advance the ERM process at AFLAC. Several of these particularly resonated with the audience:
- Hone your “elevator speech.” That is, be ready to explain your role and how the ERM process adds value to the decision-making process. Be able to convey this message concisely and effectively.
- Come to the table with your own research and analysis. Prove that your goal is to help the organization “know” versus being the person or group that says “no.”
- Learn how to effectively challenge assumptions but recognize the power in phrasing challenges in the form of questions. Questions are often meet with acceptance and conversation while blunt statements may lead to a broken dialogue.
Managing Risks Across a Global Footprint at Experian
Sam Chari, Global Head of Risk Management at Experian shared his successes and challenges in coordinating the enterprise risk management process across a large, global entity. He stressed the importance of a shared risk language across the organization and offered his “Top 5” list for program success. These key points were:
- Organizational success starts with people who become trusted partners. Building a strong and diverse team with the right mix of technical risk management skills and excellent interpersonal skills helps his team to become a part of the strategic decision-making process.
- The importance of a shared vision with a focus on a small set of goals. Always looking ahead and asking “where do we want to be in three years” helps to steer conversations to the key risk issues. His team seeks to be an enabler of “no gig (negative) surprises.”
- Adopt a global risk framework but respect regional/cultural differences. Provide and enforce minimum standards but allow for flexibility to do more where needed. Pay attention to regulators as a driver of culture and the realities associated with separation of duties in smaller markets where team members must wear multiple hats at times.
- Promote information sharing and always look for opportunities to demonstrate the value of ERM.
- Recognize the importance of a strong governance framework and for developing consolidated/easy- to-understand reporting across the organization.
ERM Challenges and Opportunities
A panel discussion about ERM Challenges and Opportunities featured four ERM leaders: Laurie Brooks, Member of the Board of Directors of Provident Financial Services; Sean Browning, Director of Enterprise Risk Management, Lowe’s Companies, Inc.; Samantha Coster, Head of Enterprise Risk Advisory, Hilton Worldwide; and Zach Wolff, Director of Enterprise Risk Management, Consolidated Edison, Inc. The panel exchanged their views on a variety of topics introduced by Bonnie Hancock, Executive Director of the ERM Initiative. From the panelists comments it was clear that ERM is truly a process where “one size fits one.” All of these organizations have mature and effective ERM programs in place, but they do not necessarily follow the same procedures to accomplish the shared goal of providing risk information for intelligent risk-informed decision-making within their companies.
One common theme did emerge, however. All panelists agreed that a central role for ERM is to bridge the gap that often exists between subject matter experts and the board and senior leadership team. This agreement surfaced in a discussion around cyber risk where all felt it was an appropriate and necessary role for ERM to serve as “translators” to ensure that both parties were fully aware of the information needs of the other.
An interesting difference of opinion emerged around the question of how the role of Chief Risk Officer may differ five years from today. Some felt that the position would be different—that the continued evolution of ERM would mean that the CRO position would be more elevated in status and would have direct access to the CEO in most instances. Others felt that fundamentally the role of CRO (and ERM programs) will continue to build a strong connection to strategy, to build a consistent process for organizations to socialize around, and to break down siloes within organizations to promote the sharing of risk information—all important roles today.
Rethinking Reputation Risk
Jim Pierpoint, Senior Vice President, Global Risk Management at Bank of America led a fascinating overview of how reputation risk can be capable of quantification and rigorous study. He demonstrated several metrics that are collected and are available that correlate highly to significant market value collapse in the aftermath of a reputation event. These metrics can be validated by examining the share price declines following a variety of recent high profile reputation events such as product recalls, environmental disasters, credit card information hacks, and food-borne illnesses in the fast-casual restaurant space.
One of the main takeaways from Jim’s presentation is the importance of data integrity and vigilance in data collection. In general, the use of time-series data of this type requires that the data collection process be consistent and robust to avoid the introduction of error that may be misinterpreted during the analysis phase of your research. Fundamentally, the ability to track data that indicates reputational risk damages should allow organizations to better predict potential risk event outcomes and develop action plans to mitigate damages more rapidly and in magnitude by having a “playbook” developed to respond to such events.
It is apparent from this fall’s Roundtable Summit that organizations are continuing to evolve their ERM processes and mature their capabilities to identify, assess and respond to key risks to their strategic objectives. Many new and practical techniques were shared at this Roundtable Summit and we anticipate that our spring 2020 Roundtable Summit will offer similar opportunities to learn more about advances in ERM thinking. Mark your calendars for the next ERM Roundtable Summit on April 24 so that you can get the latest ERM insights first hand! Register Now!