Do you judge the value of a conference based upon the number of ideas or “take-aways” you hear? For the many conference goers that do, our most recent ERM Roundtable Summit was clearly a winner. While I probably could have just as easily listed 20 or more practical tips shared by ERM practitioners at this event, I am going to focus on the top ten.
- Organizations should look for ways to strengthen the integration between strategy and ERM.
Organizations make their biggest bets (or take the biggest risks) typically in setting strategic direction. In fact, some studies have suggested that the greatest loss of value results from “strategic blunders”. It is no surprise then that risk should be discussed alongside strategy. ERM leaders need to evaluate the current focus of their ERM efforts and consider whether it aligns with value creation, realization, and preservation. Frank Martens, PwC COSO Project Lead Director, and Helene Katz, Director, Risk Consulting and COSO Project Team, emphasized the increased focus on risk and strategy as they provided an update on COSO’s Proposed Revision to its Enterprise Risk Management – Integrated Framework. In June 2016, COSO issued an exposure draft of this revision, which updates and strengthens the 2004 framework in response to the growing complexity and speed of risk and the increased importance of risk management over the last decade. The COSO Board, with project leadership from PwC, is in the process of considering the insights received through the exposure process.
- ERM professionals need to stress the connection between risks and their organization’s objectives.
Any discussion or presentation regarding your organization’s top risks will be much more relevant to business leaders if you describe how those risks may potentially impact the organization’s ability to achieve its goals. This is key to engaging the board and senior management in a meaningful discussion of risks, including appetite for risk taking and ownership of risk responses. This was the point hammered home by both Frank and Helene as they discussed the changes that were being made to the framework to consider how risk relates to performance. The updated framework, which will likely be issued sometime this summer, includes substantive changes that elevate the discussion of strategy, enhance the alignment between performance and enterprise risk management, examine the role of culture, and delineate between enterprise risk management and internal controls.
- Position ERM as a resource to make people throughout the organization “look good”.
Informed risk taking is critical to the creation of value. An ERM team can support and encourage innovation by providing the tools to appropriately identify, assess, and mitigate risks related to strategies intended to enhance value, according to Debby Fisher, Institute Risk Officer and Meghan Devaney, Manager of Institutional Risk Services, both from Massachusetts Institute of Technology (MIT). Using an ERM framework and tools promotes good business practices that integrate risk thinking with strategy execution. Doing so positions the ERM team as a valuable resource that can support effective decision-making with the goal of helping business leaders who own the risk be more successful. Be sure that your ERM team is focused on finding solutions rather than creating roadblocks. Helping business leaders “look good” can go a long way in creating buy-in and demand for ERM.
- The ERM team needs to create a stakeholder network that can serve as an extension to your ERM office.
Most ERM teams are very lean and risk not having the bandwidth to implement ERM across the organization; therefore the creation of a stakeholder network across the organization is crucial to advancing ERM beyond just the top risks. Debby Fisher and Meghan Devaney suggested using working groups of subject matter experts to contribute to assessments and to selectively use senior staff for advice and counsel on engaging the organization. In addition, they suggested leveraging existing structures and natural partnerships, such as committees or councils, that already have a risk focus as well as functions within the organization that focus on risks such as Legal, Audit, Insurance and Safety.
- Manage expectations and pace the rate at which you advance your ERM process.
Debby and Meghan warned that there is a danger that your process may get ahead of the substance that is the focus of ERM. There will definitely be times when you need to “reinvent” some aspects of your ERM program that have not worked well, but when that occurs, be sure that you make changes at a pace that is comfortable for your organization, and be sure that the changes you have planned are consistent with the way that the organization operates. You want to avoid the potential “risk fatigue” that may occur if you try to do too much too soon. At the same time, you need to manage the expectations of your board of directors who may be impatient to see a fully mature ERM process in place.
- Re-position your management level risk committee to be more strategic.
Are you using your management level risk committee to its full advantage? The focus of this committee should be on the more strategic risks as well as those risks that are emerging; these are the risks where coordination across the organization is so important. Management level risk committees typically are used to build awareness of enterprise risks; however, they should also be used to make decisions regarding those risks such as determining the top enterprise risks and assessing response plans. Assigning decision-making responsibilities to the risk committee elevates its importance in the organization and should encourage greater engagement. This was one of the tips for maturing your ERM process shared by Christol Bordovsky, Manager, Enterprise Risk & Advisory Services at Tesoro Corporation.
- Map out the multitude of assurance activities within your organization.
Another suggestion from Christol was to examine the different assurance activities taking place across your organization and actually engage in a mapping exercise to see areas of potential overlap as well as gaps. She suggested it was important to not just examine the activities, but also to look at the various objectives or mandates that each assurance activity was carrying out. The mapping process should provide an enterprise view of risk and assurance and allow for the elimination of duplicate functions, a reduction in the total cost of risk management, and more efficient decision-making.
- Focus on the “known unknowns” and “unknown unknowns”.
Individuals are most comfortable focusing on the “knowns” in terms of risks. Those are the risks that are fairly predictable and occur with some regularity. However, those are probably not the risks that pose the greatest danger to your organization. Fred Stuckel, Vice President of Enterprise Risk & Audit at Express Scripts, stressed that we should put more focus on the “known unknowns” and on the “unknown unknowns”. The “known unknowns” are those risks we know can occur but could vary in terms of frequency, severity or a combination of both. These are the risks we know could happen, but we can’t predict when they will occur or how severe they will be. These risks are likely to be listed in the risk factor section of the 10-K. The “unknown unknowns” are events that are inconceivable and unpredictable, but when they occur, there is little time to react and the stakes are high. Those two types of risks have the greatest potential for severe impacts, and should be the focus of enterprise level risk management activities, including the assignment of risk owners, definition of warning signs and development of action plans.
- Develop “playbooks” for your top risks.
Fred also shared techniques for developing a “playbook” or comprehensive plan that provides guidance in determining key actions required to achieve a desired outcome when addressing company risks as they arise, whether foreseen or not. Elements of an effective playbook include definition of objectives, identification of primary and secondary contacts responsible for effecting action, specifics about applicable company protocols for emergency response or business continuity, and tools and templates for response communications to ensure that accurate, up-to-date information is disseminated to the appropriate stakeholders. Playbooks can function separately but should also work in tandem with other playbooks. It is necessary to involve a broad inter-disciplinary group of participants in the development of playbooks.
- Use tabletop exercises to ensure your organization is as prepared as possible.
Having a robust playbook in place doesn’t always mean it will operate as intended. Fred suggests that periodically management should simulate various crises to ensure the organization is as prepared as possible. These simulations will help to identify strengths and weaknesses in the playbook and can clarify and increase awareness of roles and responsibilities. It is also a means to test backup sites and operating systems. By engaging in periodic tabletop exercises, you can ensure that responses have not become stale and will continue to operate effectively.
If you attended this most recent Roundtable Summit, then you probably have your own unique take-aways from the event, but if not, you may be able to use these insights to improve the ERM process at your organization. Either way, mark your calendar for our next ERM Roundtable Summit on November 3, 2017, and sign up for our ERM newsletter here so that you won’t miss any upcoming events!
Mark your calendars for our next ERM Roundtable Summit on November 3, 2017 at the Raleigh Marriott Crabtree Valley.
As Executive Director of North Carolina State University’s ERM Initiative, Bonnie Hancock works closely with senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding without over-burdening the process.