Print this article | Return to Article | Return to CFO.com
Can enterprise risk management programs deliver bottom-line value?
Eila Rana, CFO Europe Magazine
November 5, 2007
As CFO of RWE npower, Volker Beckers is used to discussing risks at the UK energy company during presentations with analysts and investors. After all, in a sector being shaken up by major regulatory upheavals, price volatility and a host of other uncertainties, the company, which is part of Germany's RWE, faces plenty of risks. Fortunately for Beckers, RWEn has a group-wide risk management system that would turn other CFOs green with envy. Along with risk committees run at the group, divisional and business unit levels by finance executives like Beckers, the company's enterprise risk management (ERM) framework calls for thorough risk reporting and action schemes at its retail and other businesses, covering strategy, day-to-day operations and even gritty processes such as budgeting and planning.
But the best thing about the ERM system is that it also delivers tangible, bottom-line value to the company. At a road show in October, Beckers cited risk management — spanning technical areas such as integrated hedging through to credit-risk management — as one the "strong financial drivers" that underpinned 2006's double-digit growth revenue and operating results, and helped RWEn reach its target of 10% return on capital employed.
If more ERM programmes were like RWEn's, they wouldn't get such a bad rap. Despite several years of toiling over ERM projects — all aiming for the day-to-day, systematic identification, integration, and mitigation of strategic, financial and operational risks — many risk managers report that they're nowhere near where they want to be. Some programmes are still on the drawing board, while others are languishing half-complete or are working in only isolated parts of an organisation, defeating the all-encompassing aim of ERM. Even at many companies that believe they have full-blown ERM programmes in place, there's uncertainty about whether they're as good as they could be. Sergio Beretta, a professor of planning and control at Bocconi University in Milan, recalls how when he attended a conference on ERM, "I had the perception that in at least a couple of cases what they were describing was not a system that is working but a system they wanted to be working."
According to the preliminary findings of a survey of more than 100 companies in the US and Europe to be published by Deloitte later this year, most respondents — nearly 90% — cited "difficulty measuring and assessing risks" as the biggest challenge of ERM implementation. But two other oft-cited challenges were "insufficient understanding of the benefits" and "difficulty proving the business case," suggesting that CFOs such as RWEn's Beckers are in the minority when it comes to drawing a link between ERM and the bottom line.
How companies find that link — or whether they should even try — will be a matter for further debate as more risk management programmes mature, going beyond the box-ticking required under various European and US corporate governance codes.
It's not just law makers and regulators who are exerting pressure to bolster ERM efforts. In 2005, Standard & Poor's, a ratings agency, introduced a set of criteria for its analysts to assess ERM at insurers. Last year, the agency made these criteria a standalone category in the ratings process, stating, "We expect ERM to be a competitive advantage for these insurers over time."
AM Best, another ratings agency, also has ERM on its radar, but its approach differs from S&P, says Edward Easop, vice president of rating criteria and rating relations. "They have a separate analytical team that meets with companies and assesses their risk management practices separately from assigning a rating on the company. We thought we really couldn't separate the two because how well a company does at risk management is going to be evident in how strong its balance sheet is, etc." But what is AM Best looking for? "We don't believe every company has to have exactly the same process," says Easop. "It will depend on products and scale, the strength of the management team and board, what the risk appetite of the company is, and so on."
Yet even with that increased attention from arbiters of corporate financial health, "there's a credibility issue about what it is that risk management is delivering to the bottom line," asserts Paul Hopkin, technical director of Airmic, the UK professional organisation of risk managers. And he believes CFOs are partly to blame. "In the minds of CFOs, many are thinking, 'Okay, I have to do this risk management,' but for compliance, not for business efficiency, or that ERM is costing them money and adding work."
That's why Airmic — along with Norwegian consultancy Det Norske Veritas — recently began a project to study ERM's influence on the bottom line, the first project of its kind, according to Hopkin. Around 20 companies are included in the project, each with ERM projects at least three years old and having some form of value analysis. The challenge of distilling ERM's value "has been ever present," he concedes, but he hopes the study "will give risk managers some ammunition when they go to their CFOs with ERM projects." Airmic expects to publish its findings early next year.
Not everyone agrees that exercises to link ERM with the bottom line are useful. "I don't think it's possible to make any direct links [to the bottom line]," says Sally Russell, global supply risk manager at Diageo, a UK drinks company. Since the company was formed by a merger between GrandMet and Guinness ten years ago, risk management has evolved into a full ERM programme much admired in risk circles. "Unfortunately, it's the nature of being a risk manager that if nothing untoward happens, you've been successful, but nobody can quite see that," she adds.
That's true up to a point, says Jens Madrian, Beckers' risk controller at RWEn. "You will most likely never get the correct value because the correct value doesn't exist," he says. "The point is to understand the complexity and integration of that risk and to make the best mitigation on that basis. The quantification just gives us a hand in terms of visibility and transparency." And it also provides a good story to tell at the next road show, Beckers would add.
Eila Rana is a senior editor at CFO Europe.
ERM Rescue Remedy
Frans Eelkman Rooda, CFO of OPG Group, reckons that the ERM programme at the Dutch mid-cap healthcare company is like most others — unfinished. In the preliminary findings of a survey to be published later this year, Deloitte found that most ERM programmes are less than two years old, and only around a fifth of 71 European companies polled feel their programmes are fully operational.
Not long after OPG's ERM launch three years ago, Rooda sensed that enthusiasm for enterprise-wide risk management was already waning. "Like any company wanting to increase its emphasis on controls over the past few years, fatigue was starting to set in," he says. "I was starting to get an 'oh no, not again' type of reaction." That was a worry given that a key component of OPG's programme depended on regular self-assessment exercises run by each business unit, and without the entire company's buy-in, the programme would be dead in the water.
So Rooda and his risk manager explored how other companies dealt with this problem. "We wondered whether what we were seeing internally was unique to us," recalls Rooda. After getting in touch with other medium-sized Dutch companies, "we began finding patterns," he says.
And those patterns were also reflected in an internal benchmarking exercise of two OPG business units — one, with annual sales of €22m and 190 employees, was not happy with its ERM rollout, while the other, with annual net sales of €90m and 175 employees, was. Why the difference? The scope of the project was one reason. The unhappy unit had a broad range of projects, perhaps too broad, as it was plagued by delays and over-complexity. The other unit selected a narrower range of projects, each delivered to a tight implementation schedule.
Another striking difference was leadership. While the ERM programme at the unsuccessful unit was run by finance, the other unit involved the entire management team. "It really is a shared responsibility, and leaving it to either finance staff or to line management is not enough," says Rooda.
Although the primary responsibility for ERM usually lies with CFOs — as noted a recent survey by Treasury & Risk magazine of more than 200 executives — broader sharing of leadership might be just what ailing ERM projects need.