Randy Nornes, Executive Vice President, Aon Risk Services, Inc, based in Chicago, provided insights about effective implementation ideas to push ERM towards risk management excellence at the February 23, 2007 ERM Roundtable. Nornes provided an overview of the state of enterprise risk management (ERM) and related critical success factors necessary to push past barriers to achieve ERM value.  He concluded with several case study examples. 

Role of ERM

Most organizations experience tension, or a “tug of war,” in balancing the diverse interests of internal and external stakeholders. Internally, business leaders are driven by pressures to grow the business, seek unique business opportunities, and leverage the upside of risk, within a context of controls and compliance restrictions that keep the business from getting out of hand. Externally, shareholders focus on maximizing value creation and stock price performance, with oversight and restrictions imposed by debtholders, policyholders, rating agencies, and regulators. These factors create a constant tension between achieving performance goals and conforming to oversight expectations.

Nornes noted that ERM sits right in the middle of this tension between internal and external stakeholders who seek value creating opportunities in an environment that contains governance and other control and compliance mechanisms.  He argued that appropriately designed and implemented ERM practices should help an organization’s leadership effectively connect strategic opportunities and risk management so that the organization achieves an optimal balance between these tensions.  Organizations that are structuring their ERM approaches to be interconnected between strategy and oversight are obtaining the greatest value out of their ERM implementations.

Current State of ERM

Risk management is becoming more complex. Nornes stated that most companies, particularly publicly traded companies, have a wide range of risk management activities underway, including those related to Sarbanes-Oxley, compliance, operations, and risk committees. Unfortunately, many organizations lack a coherent vision for risk management. Often senior management and the board of directors have differing views of what information they would like to see from risk management.

ERM has emerged as a major force, according to Nornes.  A significant amount of effort and energy is being devoted to ERM efforts, with some organizations experiencing significant, measurable results.  Others, however, have seen promising ERM efforts fade due to a lack of resources and a lack of support or focus.

Critical Components of ERM

Many organizations are embracing ERM, with most turning to well-established ERM frameworks such as COSO’s Enterprise Risk Management – Integrated Framework, to build their ERM approach.  The struggle for many of these organizations today is that they often fail to understand what to do next once they have designed their customized ERM framework.  For many, management designs and implements an ERM structure and assesses and measures risks; however, they fail to go any further.

Nornes outlined four critical steps to effective ERM processes, all of which are centered around the organization’s objectives and strategies:

  • Design an ERM structure for value creation
  • Assess and measure risks
  • Develop strategies, implement solutions, and optimize cost of risk
  • Monitor and report what matters and continuously improve

Unfortunately, a large portion of ERM work often fails to cover steps 3 and 4, according to Nornes. Many organizations are effectively assessing and measuring their risks, but they are failing to effectively identify appropriate risk responses and failing to monitor and report on the status of the implementation of those responses. Or, they fail to keep ERM activities relevant to the business’s core objectives and strategies. As a result, while these organizations are embracing ERM conceptually, they are currently not realizing the benefits and value creation opportunities that ERM can provide because they are failing on these critical components of effective ERM. Organizations in this position sometimes ignore the “big monster risks” while over-hedging other risks.

Defining ERM Value

Most ERM leaders note the difficulty of demonstrating tangible, measurable value for ERM efforts.  Nornes noted that there is no magic bullet to define ERM value.  But, perceptions of value will increase as organizations continually link ERM practices to address relevant real-world challenges facing organizations.  To do so, ERM cannot be viewed as static.  Rather, ERM should constantly evolve to make sure it contributes to the ever-changing environment facing the organization.

While there are challenges to demonstrating ERM value, Nornes offered several examples of potential ERM benefits centered around three core objectives:

  • Establish sustainable competitive advantage.  ERM should integrate with business planning and value management processes.  ERM should avoid missing key risks and losing vital opportunities.
  • Manage risk at lower costs.  ERM should seek to minimize risk-averse behavior, and ERM should develop cost-effective risk strategies and solutions to avoid redundant or unnecessary controls.
  • Improve business performance.  ERM should support more informed and proactive risk management decisions aligned with business objectives and strategies, and ERM should reduce volatility and prevent surprises.

Common Obstacles to Push Through

Nornes outlined several common obstacles that often minimize the effectiveness of ERM implementations.  These include the following commonly observed limitations:

  • Inability to demonstrate immediate, quantifiable return on investment.
  • Internal competition among business units for who is going to oversee the ERM process.
  • Loss of focus – leaders become bogged down in designing the organization’s ERM framework and then run out of energy.
  • Lack of senior management support or clearly defined vision for ERM.
  • Incompatible culture, including lack of regular and open communications about risk vulnerabilities.
  • Limited technology solutions and tools to identify, assess, and monitor risks and related responses.
  • Failure to grow ERM to a sustainable state.

Paths to ERM Excellence

Organizations that have achieved success from ERM processes are those that have positioned ERM leadership to transcend the various projects and activities that comprise risk management within the organizations, according to Nornes.  These organizations have positioned ERM to deliver measurable impact on the company’s operating performance.

Nornes emphasized that ERM leaders have to view ERM as a process. First, ERM has to involve information gathering to create a risk universe and related risk gap analysis. Second, ERM has to support the organization’s overall risk management vision, and it needs to identify specific key risk projects and activities to achieve risk management excellence. Third, ERM must have executive support. ERM’s overall objectives and related plans must be presented to and embraced by senior management. Fourth, ERM has to deliver on the defined projects and communicate about its progress towards its overall risk management vision. Benchmarking and self-assessment ERM tools are being created to assist organizations in evaluating their current state of ERM maturity. An effective ERM maturity assessment involves answering these critical questions:

  • What are the goals of the company’s risk management efforts?
  • How does the company define risk management excellence?
  • What is the current state of risk management?
  • What are the gaps?
  • What are the priorities?
  • How will success be measured?

Nornes concluded with these self-assessment questions to consider:

  • Is ERM adding value for your organization?
  • Is the ERM effort stalled or is progress being made?
  • Are there parallel risk management efforts that fall outside of the ERM process?
  • What can be done to automate the ERM process?
  • Are there high impact “drill-down” projects that will deliver ERM value?
  • Is ERM sustainable after the project team has moved on to other assignments?