NC State University’s ERM Initiative hosted its Fall 2012 ERM Roundtable Summit in Raleigh, NC on November 2, 2012. The program featured these topics and presenters:
“Integrating Risk & Business Management”
Puneet Kapoor, Director – Enterprise Risk Management
“Using KRIs and KCIs to Proactively Manage Risks”
“The Pros and Cons of Documenting Risk Information”
A-J Secrist and Turner Herbert
Parker Poe Allen & Bernstein, LLP
“Board Expectations of Management for Enterprise Risk Oversight”
Panel of Board of Directors
Olivia Kirtley, Director – Papa John’s Pizza; U.S. Bancorp; ResCare Inc.
Dave Landsittel, Director – Molex Inc.; COSO Chair
Mike Ressner, Director – Magellan Health Services; Exide Technologies
These sessions provided numerous insights about the challenges associated with strengthening an organization’s enterprise-wide risk oversight processes, and they illustrated a number of practical solutions for tackling some of these obstacles so that ERM becomes an important strategic tool for management and the board. Key “take-aways” from the sessions include the following:
- For ERM to provide value, the risk focus needs to be explicitly tied to the organization’s business model and emerging strategic initiatives. ERM leadership must be extremely knowledgeable about core drivers of the business, including rich knowledge of key products and services, core markets and competitors, and key operations that support the business model. With that as foundation, risk conversations are driven from a strategy perspective.
- The goal of an ERM process should be to generate risk-related information that becomes a direct input to the strategic leadership of the business. ERM done right should be considered a valuable strategic tool. The more the risk information generated by the ERM process is used to inform the strategy of the business, the greater the value of the ERM efforts. ERM and strategy should be integrated versus separate or distinct activities.
- Effective ERM is more art than science. Sometimes organizations over-complicate their risk identification and assessment processes by creating too much formalized structure. In doing so, business leaders can get bogged down in the details of the process and thus lose sight of the bigger picture. Collectively, our speakers emphasized the importance of developing a process that is workable in the context of the culture of the organization and that allows for and appreciates the need for qualitative judgment when analyzing the output from risk management processes. ERM done right results in a change in the “risk and return mindset” of business leaders across the enterprise.
- Sometimes organizations inadequately consider risks that might be emerging outside the organization, such as macro-economic or geopolitical issues, based on the conclusion that “there’s nothing we can do to control those kinds of risks.” While some risks cannot be directly reduced through policies or controls, all risks can be monitored and in some cases managed through other actions. ERM leaders need to challenge business unit leaders not to dismiss risks “outside our control” by asking them to think about “so what can we do if this external event occurs?” Ultimately, all risks are “controllable” to some extent through the choices made in running the business and managing its strategies, and through how those choices “control” the outcome of an event.
- ERM is not a “one-size-fits-all solution”. ERM needs to be customized to the business and its culture, often leveraging processes already in place for greater strategic risk management value.
- Risk ownership should reside at the business unit level where the process or activity most directly tied to the risk resides. Risks are best managed by those most knowledgeable about the business process tied to the risk concern. Accountabilities for risk management and outcome achievement will significantly increase the level of engagement in risk thinking across the enterprise. Positioning the request for risk information from the perspective of “what challenges do you face in achieving your outcome goals” will help strengthen the embrace of the value of risk-thinking across the enterprise.
- Boards are working more closely with management to better define the types of risk information they want to receive. Often management overloads the board with risk-related reports and presentations. Boards are now trying to redefine how they want risk information presented to decrease the silo-nature of risk reporting by type of risk and to increase the enterprise-wide overview of top emerging risks. Furthermore, boards are pushing management to reduce time required to “present” risk information to the board to allow more time for conversation and dialogue about major risk exposures identified by the risk management process.
- Business leaders are looking for information to help them keep an eye on emerging risks through key risk indicators. Because every business model is unique, there is no “silver-bullet” solution to knowing what risk metrics work best. Risk indicators need to be customized based on knowledge about risk drivers.
- While keeping an eye on risk indicators is critical, making sure that responses to already identified risks are in place and working cannot be overlooked. Often organizations go through an extensive process of identifying and assessing key risks, but they undervalue the importance of identifying existing responses to those risks and keeping an eye on whether the responses are operating as designed. Organizations are enhancing their key risk indicators by including “key control indicators (KCIs)” to make sure that identified responses are functioning as designed to manage the potential risk event.
- Some metrics that are used to monitor risks can be leading indicators while others are more lagging in nature. Of course, the desired outcome is to have more leading than lagging indicators.
- Hindsight analysis of risk events can be hugely informative about the potential for new risks on the horizon. Examining factors such as the duration of a risk event and how it was discovered (internal vs. external discovery of the event) can provide important insights as to vulnerability points that may be the source of future risk events.
- The ERM function within an organization plays a critical role in helping define a structured and organized approach to risk management. Most organizations view ERM as the hub of the organization’s risk oversight processes. ERM leaders serve in a consultative coaching role.
- While information generated through any ERM process should provide value in helping business leaders stay on top of emerging risks on the horizon, there are some legal issues to consider when documenting information about risks. There is a balance between documenting too little and too much information about risks. One key is to “think before you document” and to make sure that there is some trail of information about how the organization is responding to the risks that are documented.
- Some organizations are classifying some of their risk management related documentation as “privileged information” subject to “attorney-client privilege.” Most likely the litigation process will ultimately not treat that information as protected by the attorney-client privilege. So, organizations should assume the documentation will not be protected in a legal setting.
Each of the presenters provided a number of practical suggestions and examples to help risk champions advance the maturity of the organization’s risk management processes.
Be sure to “Save the Date” for our next ERM Roundtable Summit to be held in Raleigh, NC on Friday, April 19, 2013.