Strategic Finance
Implementing ERM
Monday, 27 November 2006
The concept underlying enterprise risk management (ERM), namely a portfolio view of risk, has been around a long time. James W DeLoach offers implementation advice.

The application of ERM emerged in financial institutions and world-class corporate treasuries as they applied at-risk frameworks, capital attribution technology and other measurement methodologies to the management of market and credit risk. Developments in recent years have made it clear that volatility isn't just a currency, interest rate or equity security risk. Customer preferences, competitor product offerings, labour markets and technology are changing fast.

No business model is impregnable. Successful companies must innovate and create new sources of value for their customers and markets or they will lose ground to nimbler rivals. Business strategy setting is a fluid, dynamic process. Risk management augments the strategy-setting process.

Many executives ask why they should implement ERM.

Some even consider ERM a fad. The problem is often their inability to quickly grasp what ERM is and its value.

What is ERM?


ERM differs from traditional risk management approaches. It aligns strategy, people, processes, technology and knowledge with the objective of continually improving the organisation's risk management capabilities. The COSO Enterprise Risk Management - Integrated Framework, issued in September 2004, defines ERM as: "A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Note that the context of the definition is strategy setting. The application is enterprise-wide. The standard is the enterprise's risk appetite. ERM advances the enterprise's capabilities around managing its priority risks. Under an ERM approach, management's attention is directed to the uncertainties with respect to the enterprise's entire asset portfolio, including its customer assets, its employee/supplier assets and such organisational assets as its differentiating strategies, distinctive products, brands, innovative processes and systems. This expanded focus is important in this era of market capitalisations significantly exceeding balance sheet values and the desire of many companies to reduce the risk of reputation loss.

Why implement ERM?


Traditional risk management approaches tend to be fragmented, compartmentalising risks into silos. They often limit the focus to managing uncertainties around physical and financial assets. Because they focus on loss prevention, rather than enhancing enterprise value, traditional approaches do not provide the framework most organisations need to redefine the risk management value proposition in a rapidly changing world.

ERM, on the other hand, provides an organisation with processes to become more anticipatory and effective at evaluating and managing the uncertainties it faces as it creates sustainable value for stakeholders. ERM helps an organisation manage its risks to protect and enhance enterprise value in three ways:

  • First, it helps establish sustainable competitive advantage. ERM helps management overcome silo behaviour by aligning and integrating views of risk and enabling the enterprise to respond to a changing environment. It elevates risk management to a strategic level by broadening the application and focus of the risk management process to all sources of enterprise value.
  • Second, it optimises the cost of managing risk. Through ERM, management aggregates risk acceptance and transfer decisions, eliminates redundant activities and determines the level of risk the organisation is prepared to accept.
  • Third, ERM assists with reducing unacceptable performance variability by anticipating the impact of major events and developing responses to prevent them occurring and/or managing their impact on the organisation if they do occur. ERM transitions risk management from 'avoiding and hedging bets' to a differentiating skill for enhancing enterprise value as management seeks to make the best bets in the pursuit of new opportunities.

ERM invigorates opportunity-seeking behaviour by helping managers understand the risks they are taking and gain capabilities to manage those risks. The focus of ERM is on integrating risk management with existing management processes, identifying future potential events that can have positive and negative effects and evaluating effective strategies for managing the organisation's exposure to them. ERM transforms risk management to a proactive, continuous, value-based, broadly-focused and process-driven activity. These contributions redefine the value proposition of risk management to a business.

There are five practical steps for implementing ERM.

Conduct an enterprise risk assessment (ERA)


An ERA identifies and prioritises the organisation's risks and provides quality inputs to make effective risk responses, including information about current capabilities in managing priority risks. If an organisation has not prioritised its risks, ERM becomes a tough sell because the value proposition can only be generic. Identifying gaps relating to the entity's priority risks provides the basis for improving the specificity of the ERM value proposition.

Articulate the ERM vision and value proposition


This step provides the economic justification for going forward. The ERM vision is a shared view of the role of risk management in the organisation and the capabilities needed to manage its key risks. A working group of senior executives should be empowered to articulate the role of risk management in the organisation and define relevant goals and objectives.

Advance risk management for one or two risks


This step focuses the organisation on improving its risk management capabilities in an area where improvements are needed. Like any other initiative, ERM must begin somewhere. There are many possible starting points. Examples include:

  • Compliance with Sections 404 and 302 of the Sarbanes-Oxley Act;
  • One or two priority financial or operational risks based on the enterprise-wide risk assessment results;
  • Regulatory compliance risks and/or governance reform issues;
  • Integration of ERM with the management and operating processes that matter, such as strategic management, annual business planning, a product launch or a channel expansion.

Develop a strategy to advance ERM infrastructure


It takes oversight, control and discipline to advance the capabilities around managing the critical risks. The policies, processes, organisation and reporting that instill that oversight, control and discipline are called 'ERM infrastructure'. Its purpose is to eliminate gaps between the current state and the desired state of the organisation's capability for managing key risks.

ERM infrastructure facilitates three important things with respect to ERM implementation. First, it establishes fact-based understanding about the enterprise's risks and risk-management capabilities. Second, it ensures there is ownership of the critical risks. Finally, it drives closure of unacceptable gaps.

What works for one organisation might not work for another. The elements of ERM infrastructure vary according to the techniques and tools deployed to implement ERM, the breadth of the objectives addressed, the organisation's culture and the extent of coverage desired.

Advance risk management for other key risks


This fifth step begins with selecting the enterprise's priority risks. After the first four steps are completed, it will often be necessary to update the enterprise risk assessment (ERA) for change. Once the priority risks are defined, based on the updated ERA, management must determine the current state of the capabilities for managing each risk and then assess the desired state. The objective is still to advance the maturity of the enterprise's capabilities around managing its key risks. In taking this step, management broadens the enterprise's focus beyond the one or two risks addressed in the third step.

Improving risk management capabilities


For each priority risk, management evaluates the relative maturity of the enterprise's risk management capabilities. From there, management needs to decide how much added capability it needs to achieve performance goals. Improvements in risk management capabilities must be designed and advanced, consistent with the organisation's resources and the expected costs and benefits. The goal is to identify the organisation's most pressing exposures and uncertainties and to focus the improvement of capabilities for managing them.

The chosen ERM infrastructure drives progress.


Companies in the early stages of developing their ERM infrastructure often set the foundation with a common language, a risk management oversight structure and an enterprise-wide risk assessment process. Some companies have applied ERM within specific business units. A few companies have evolved toward more advanced stages, such as the management of market and credit risks in financial institutions and the management of compliance risks in other industries. Wherever a company stands with respect to developing its risk management, directors and management would benefit from considering how capable the entity's risk management needs to be with respect to each of its priority risks.

The key success factors


Companies evolving toward ERM should keep in mind that it is a journey, not a destination. ERM can represent a sea change in organisational behaviour, requiring a process of building awareness, developing buy-in and ultimately driving the acceptance of ownership throughout the entity. Change enablement is, therefore, a significant aspect of an ERM initiative because everyone's perspective about risk varies.

To help ensure success, keep in mind the following:

  • Develop a compelling business case linking the ERM agenda to priority business needs, acquire support from the top and manage progress against milestones over time;
  • Obtain agreement on risk management objectives and the appropriate ERM infrastructure, consider relevant cultural issues and focus on enterprise-wide application;
  • Integrate risk management with the strategy setting and business planning process and implement early an effective enterprise-wide risk assessment process;
  • Clarify process ownership issues around who makes decisions with respect to the desired risk management capabilities, who is responsible for designing improved capabilities to close gaps and who monitors progress;
  • Remember the purpose of ERM infrastructure is to provide the appropriate oversight, control and discipline around continuously improving risk management capabilities.

Properly implemented, ERM can help organisations pursue strategic growth opportunities with greater speed, skill and confidence by aligning the organisation's risk taking with its core competencies and risk appetite. Markets notice strategically focused organisations and will differentiate them by the quality and extent of their risk management capabilities.

James W DeLoach is a Managing Director with Protiviti, a consultancy on corporate governance, business and risk technology management and internal auditing.
