This post first appeared on Risk Management Magazine.
In times of great upheaval for industries or financial
markets, organizations often turn to the formal discipline of enterprise risk
management. After the 9/11 terrorist attacks and the 2008 financial crisis, for
example, ERM gained traction as many organizations realized the significant
drawbacks of a traditional siloed risk management approach. But widespread ERM
adoption remains stalled. It is not for lack of awareness of risk’s increasing
complexity. According to the 2019 State of Risk Oversight report from North
Carolina State University’s Poole College of Management, 59% of business
executives believe the volume and complexity of risks are increasing
extensively over time. The report also found that 68% of organizations have
recently experienced an operational surprise due to a risk they did not
adequately anticipate.
While companies are aware that risk is an enterprise threat,
many are not adopting an enterprise-wide approach to managing it. Indeed, just
31% of those surveyed said they have a complete ERM process in place, and a
mere 23% described their risk management as “mature” or “robust.”
The issue may be how organizations perceive the discipline
of risk management. The report found that fewer than 20% of executives think
that their risk management processes provide important strategic advantage.
Just 26% said that their board substantively and formally reviewed top risk
exposures when discussing the organization’s strategic plans.
This perception has had a negative impact on many
organizations. According to the Global Board Risk Survey EY released
earlier this year, just 21% of board members believed their organization was
“very prepared” to respond to an adverse risk event like the COVID-19 pandemic.
Now, as the pandemic continues to cause prolonged disruption
in nearly every industry, risk management is under the microscope, and success
has never been more critical. Organizations may finally be ready for widespread
ERM implementation.
Stumbling Blocks
The problem with many ERM implementation efforts is that
organizations do not understand how to create an ERM strategy, and make it more
complicated than necessary. “People have made it too bureaucratic and
process-oriented,” said Carol Williams, ERM specialist and owner of Strategic
Decision Solutions. “They have not really looked at how ERM practices can
simply be concepts of mindset and approaches to how people conduct business
today.”
Too often, companies create layers of committees and
procedures that they then have to wade through to make a decision. “By the time
you get through all those steps, it has been days, weeks or months,” she said.
“And by that point, the time to make the decision is long passed.”
Coupled with stories of how other companies have been
unsuccessful at deploying ERM, this approach lends the impression that ERM is
expensive, complex and ineffective. For every five stories of ERM success,
Williams said it takes just one story of failure for companies to back away
from implementation.
At the outset of the pandemic, as a significant number of
workers around the world went home to work, many companies abandoned ERM
initiatives. They were simply more focused on trying to stay in business, said
Dolores Atallo, managing director and North American leader of enterprise risk
management for Protiviti. When they were still trying to gain their footing,
implementing anything new just seemed like a step too far. It was difficult to
overcome communication hurdles and get people together to develop an effective
ERM framework. But now that many organizations have become more comfortable
working and communicating remotely, she believes this is an ideal time to
develop and adopt an ERM program.
It is also the right time for the board to become involved
in formal risk discussions, according to Barton Edgerton, associate director of
governance analytics for the National Association of Corporate Directors.
However, the way risk is communicated presents a common roadblock. Risk
professionals will often attempt to convey the entirety of the company’s risks
to the board, making it “challenging for a director to understand which are the
most important risks, and where the board can most effectively support
management’s discussion about the risks,” he said.
Risk professionals should think beyond just reporting their
activities to the board and focus instead on helping the board and management
partner with them for the good of the business. “A lot of people focus on how
we are going to communicate what we do in ERM to the executive leadership and
to the board,” Williams said. “But it is not necessarily about making
presentations. It’s about the business.”
The Case for ERM
A good ERM process can help the organization and its board
identify opportunities and the accompanying risks, allowing them to change
strategies as the market shifts and evolves. “It’s an opportunity to stand on
higher ground and look across the organization,” Atallo said.
Thanks to a 2016 mandate requiring certain agencies to adopt
ERM, parts of the federal government have been able to take advantage of the
flexibility ERM can bring to organizations. “Every federal agency that is a
part of a CFO Act organization builds an ERM program, implements it, and
creates a risk profile,” said Cynthia Vitters, managing director for Deloitte’s
government and public services practice. That has allowed government agencies
“to leverage existing infrastructure and build on it to help solve some of the
COVID-19 problems, or have a seat at the table,” she said. During the pandemic,
these agencies were able to quickly reassess their risk scoring and reevaluate
mitigation strategies.
A successful ERM program can do the same for companies by
helping them understand their most important risks in any given situation. This
can aid with scenario-planning and tabletop exercises, as well as planning for
the future, particularly as the impact of COVID-19 continues to evolve.
“Scenario-planning plus a framework can equal some sense of ability to project
or think about what could be next so that you can be prepared for it,” Atallo
said. “These are all ways to help you plan and execute and provide the services
or products that your company provides, with more of a sense of understanding
and controlling the moving parts.”
Adopting an ERM Mindset
Effective ERM adoption requires C-suite support to set the
tone of the organization’s approach, and now is a good time to broach the
subject of ERM implementation with stakeholders. “There is not a day that goes
by where you don’t hear the word ‘risk’ and need to consider how things are
being managed and how much appetite you have for risk,” Vitters said.
People are also starting to ask the right questions, such
as, “Did we think about these threats?” “Were we prepared?” and “Did we
incorporate scenario-planning and tabletops to assess the risk?” Risk
management is now a vital part of many business conversations. “We’ve been
preaching all of these things for years,” she said. “Now people understand why
they should have done them because it is impacting their lives in a million different
ways.”
Organizations are now approaching ERM with the right
mindset, which Williams believes is how a good ERM process should work. “You
challenge assumptions, you ask questions, and you provide the tools to be able
to ask the right questions,” she said. “It could be that you have your answer
by the end of that conversation—it doesn’t need to be this drawn out process.”
Companies can get to that point in the ERM process by giving
people the authority to challenge assumptions and ask questions while focusing
on the organization’s objectives. “It’s not just about the minute risks that
exist, but about what the organization is here to do,” Williams said.
That focused risk conversation can bring about more
effective mitigation. Working across the organization, risk managers can
identify the risks that will have the largest financial or consequential
impact. This context can help risk professionals get things done and allow
others in the organization to more clearly see the progress that is made, Atallo
said.
Implementing ERM now allows companies to address current
issues as well as those that are likely to continue or worsen going forward.
“What you need to do is put some pegs in the four corners of your problem and
say, ‘We want to get to the end of the year and we want to achieve these
things, so what are the things that are going to get in our way?’” Atallo said.
As long as risk professionals can channel this focus toward
a conversation about risk, Williams believes the goal of ERM will be fulfilled.
That may take a change in how the risk manager approaches the risk discussion.
“You act as an advisor,” she said. “You are a sounding board. If someone wants
to bounce an idea off of you, it is not about documenting and doing a
full-blown risk assessment—have a conversation. You should act as a consultant
that just happens to work for the company.”
The fact that organizations are once again having serious
conversations about ERM is a sign of progress. Smart organizations will take
advantage of the urgent focus on managing risk to improve all processes,
Vitters said. “The time is now because of the renewed interest and the renewed
chorus of people just thinking more about risk on a daily basis.”