
CFO Magazine, April 2011 Issue

Disaster Averted?

A torrent of bad news for business may be good news for enterprise risk management.

April 1, 2011

Thanks to the global financial meltdown, we now know what a "black swan" is. But do we know from which direction the next one will swim into view, and what to do when it does?

Black swans are, of course, those highly improbable but painfully consequential events that strike from the blue — or from the streets of Cairo, or from an offshore oil rig, or from a poorly designed car part. They can destroy a company's reputation, cripple its financial performance, and perhaps even kill it outright. Because they are rare and almost impossible to predict, black-swan events tend to fall outside the scope of most companies' risk-management programs (assuming a company has such a program at all).

But hope springs eternal for the proponents of enterprise risk management (ERM), a 10-year-old integrated approach to managing a broad spectrum of risks. A recent spate of black-swan events, combined with an equally long list of regulatory imperatives, will now, they say, spur widespread uptake of ERM.

ERM is, above all, a strategy for overcoming the once-common siloed approach to risk management in which different people within a company focused on different kinds of risk, with little to no interaction between them. In contrast, ERM offers a "holistic methodology" for identifying, assessing, quantifying, and addressing strategic, operational, market, financial, and human risks in order to optimize the risk-return profile.

Three trends are converging that may, in fact, propel ERM to a new level of acceptance and maturity: corporate boards are under regulatory pressure to address risk management explicitly; proponents of ERM are making progress in having it acknowledged as a best practice for overall risk management; and new technologies are enhancing companies' ability to evaluate, measure, and prioritize risks, and to test and report on their potential impact.

James Lam, president of risk-management consulting firm James Lam & Associates, has been spouting the benefits of ERM from its infancy. His prediction? "We're going to make more progress in ERM implementations and its standardization in the next couple of years than we did in the last dozen."

[Figure: execs rate their risk infrastructure capability; how cos. have implemented]

According to Lam's research, almost 90% of global organizations with more than $1 billion in revenue are either putting an ERM program in place or, in 25% of those cases, already have a program up and running. (The figure among small companies is much lower, however; according to a 2010 survey by the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants, 45% of companies with a median revenue of $50 million have no ERM program in place and do not plan to implement one.)

For large companies, there is little choice. "There is enhanced [regulatory] scrutiny of how organizations manage risk," says Henry Ristuccia, a partner with Deloitte & Touche and U.S. leader of Deloitte's governance and risk-management practice. "Sitting by idly is not a solution."

That scrutiny takes many forms. The Dodd-Frank Wall Street Reform and Consumer Protection Act establishes new requirements for board risk oversight and reporting. Rating agencies, led by Standard & Poor's, now factor ERM criteria for financial and nonfinancial entities into the ratings process. The Committee of Sponsoring Organizations (COSO) rolled out COSO II (referred to by many as "COSO ERM") in 2004 to establish requirements for risk identification, management, and reporting. And the Securities and Exchange Commission has sharpened its stance on risk management, creating a division in 2009 to, in part, create what Ristuccia describes as "new requirements for enhanced proxy disclosure on how a board is executing its fiduciary responsibility for risk oversight."

All this activity should not escape the attention of CFOs, because, as Ristuccia notes, "while more companies are now appointing chief risk officers, many don't have that position, and therefore responsibility for risk management ends up with the board and the CFO."

Alliant Credit Union CFO Mona Leung can relate: her company is in the fourth year of an ERM implementation, and she has oversight responsibility for the effort. "My job is to ensure we have financial stability and minimum earnings volatility, meaning a fairly stable balance sheet and operating procedures," says Leung. "To do that, we need structure. We need to manage risks at the enterprise level, which requires an integrated, high-level program. Otherwise, you end up with distributed risk management — different functional areas managing risk with no idea of overall risk tolerance or resource prioritization."

At Country Financial, a group of U.S. insurance and financial-services companies, a properly structured approach to risk management hinges, in part, on having a director of ERM who reports both to executive vice president and CFO David Magers and to the audit committee of the board. The director oversees a 15-member ERM committee drawn from across the company. Their job is to identify, analyze, and model the top risks to the organization; work with Magers on mitigation tactics; and then monitor the effectiveness of those tactics.


Reader Comments (displaying 3 of 5)

  • David Bristow

    Apr 14, 2011 9:01 AM ET

    Black Swan? Oh really?.....

    Congratulating Russell on his analysis of systemic risk management deficiencies requiring correction with the … more

  • David Wallace

    Apr 12, 2011 1:40 PM ET

    ERM article

    I agree with the others that this is an excellent article. I see ERM projects and the software solutions that support … more

  • James DeLoach

    Apr 9, 2011 12:08 PM ET

    Great Article

    Nice article, Russ. Clearly, ERM has a ways to go. I agree with the three trends your article asserts may propel ERM … more
