A torrent of bad news for business may be good news for enterprise risk management.
Russ Banham, CFO Magazine
April 1, 2011
Thanks to the global financial meltdown, we now know what a "black swan" is. But do we know from which direction the next one will swim into view, and what to do when it does?
Black swans are, of course, those highly improbable but painfully consequential events that strike from the blue — or from the streets of Cairo, or from an offshore oil rig, or from a poorly designed car part. They can destroy a company's reputation, cripple its financial performance, and perhaps even kill it outright. Because they are rare and almost impossible to predict, black-swan events tend to fall outside the scope of most companies' risk-management programs (assuming a company has such a program at all).
But hope springs eternal for the proponents of enterprise risk management (ERM), a 10-year-old integrated approach to managing a broad spectrum of risks. A recent spate of black-swan events, combined with an equally long list of regulatory imperatives, will now, they say, spur widespread uptake of ERM.
ERM is, above all, a strategy for overcoming the once-common siloed approach to risk management in which different people within a company focused on different kinds of risk, with little to no interaction between them. In contrast, ERM offers a "holistic methodology" for identifying, assessing, quantifying, and addressing strategic, operational, market, financial, and human risks in order to optimize the risk-return profile.
Three trends are converging that may, in fact, propel ERM to a new level of acceptance and maturity: corporate boards are under regulatory pressure to address risk management explicitly; proponents of ERM are making progress in having it acknowledged as a best practice for overall risk management; and new technologies are enhancing companies' ability to evaluate, measure, and prioritize risks, and to test and report on their potential impact.
James Lam, president of risk-management consulting firm James Lam & Associates, has been touting the benefits of ERM since its infancy. His prediction? "We're going to make more progress in ERM implementations and its standardization in the next couple of years than we did in the last dozen."
According to Lam's research, almost 90% of global organizations with more than $1 billion in revenue are either putting an ERM program in place or, in 25% of those cases, already have a program up and running. (The figure among small companies is much lower, however; according to a 2010 survey by the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants, 45% of companies with a median revenue of $50 million have no ERM program in place and do not plan to implement one.)
For large companies, there is little choice. "There is enhanced [regulatory] scrutiny of how organizations manage risk," says Henry Ristuccia, a partner with Deloitte & Touche and U.S. leader of Deloitte's governance and risk-management practice. "Sitting by idly is not a solution."
That scrutiny takes many forms. The Dodd-Frank Wall Street Reform and Consumer Protection Act establishes new requirements for board risk oversight and reporting. Rating agencies, led by Standard & Poor's, now factor ERM criteria for financial and nonfinancial entities into the ratings process. The Committee of Sponsoring Organizations (COSO) rolled out COSO II (referred to by many as "COSO ERM") in 2004 to establish requirements for risk identification, management, and reporting. And the Securities and Exchange Commission has sharpened its stance on risk management, creating a division in 2009 to, in part, create what Ristuccia describes as "new requirements for enhanced proxy disclosure on how a board is executing its fiduciary responsibility for risk oversight."
All this activity should not escape the attention of CFOs, because, as Ristuccia notes, "while more companies are now appointing chief risk officers, many don't have that position, and therefore responsibility for risk management ends up with the board and the CFO."
Alliant Credit Union CFO Mona Leung can relate: her company is in the fourth year of an ERM implementation, and she has oversight responsibility for the effort. "My job is to ensure we have financial stability and minimum earnings volatility, meaning a fairly stable balance sheet and operating procedures," says Leung. "To do that, we need structure. We need to manage risks at the enterprise level, which requires an integrated, high-level program. Otherwise, you end up with distributed risk management — different functional areas managing risk with no idea of overall risk tolerance or resource prioritization."
At Country Financial, a group of U.S. insurance and financial-services companies, a properly structured approach to risk management hinges, in part, on having a director of ERM who reports both to executive vice president and CFO David Magers and to the audit committee of the board. The director oversees a 15-member ERM committee drawn from across the company. Their job is to identify, analyze, and model the top risks to the organization; work with Magers on mitigation tactics; and then monitor the effectiveness of those tactics.
"We have defined 10 categories of risk, such as reputational risk, strategic risk, market risk, competitive risk, and so on," says Magers. "We do some pretty deep dives, especially when it comes to the black swans."
The company turned the recent financial crisis into an opportunity. "As a big investor, we had significant market risk across a number of sectors," he explains. "So [in 2008], we started doing some sensitivity analyses — 'what-if' scenarios involving downsides to our investment portfolio, such as stock prices falling to a certain level, or new regulations that might arise. We then determined how to mitigate those shocks. By doing that, we were better prepared for 2009, when things got really bad." (Magers declined to elaborate on the particulars of Country's tactics.)
At Alliant Credit, risk management is decentralized in some respects, but centralized in others. "Ownership of risks is functionally defined," Leung says. "The investment group, for instance, has its own risk operations program, but all of these groups report up to finance, which then reports on the overall status to the supervisory committee of the board. Our next step will be to form a separate risk-management committee composed of leaders from other committees like governance, asset liability, supervisory, talent and compensation, credit, and the executive committee. We see this as the highest maturity for risk oversight and management."
Will Audit Committees Evolve?
In fact, many experts are taking a hard look at how audit committees do, or don't, get involved in risk management. "I think we will begin to see audit committees evolving into risk committees," Lam says. "A primary function of the board is strategy development and execution. But, as risk management becomes a key agenda item for corporate boards, linking strategy to risk management becomes a logical and desirable goal. You need to define and assess the key risks that can prevent the organization from achieving the strategic objective, and you do that by establishing key performance indicators along with the key risk indicators. This will require that audit committees improve their expertise in risk management, or that the board form a separate risk-management committee with this competence."
Ristuccia supports that view with some hard numbers. "We did a study last year of the S&P 500, and 58% of respondents said their audit committees were responsible for risk management," he says. "Yet, if you talk to the members of these committees they'll tell you they have enough trouble getting through the regular audit-committee agenda without having risk management tossed at them, too. Either the audit committee improves its grasp of risk management or a separate risk committee needs to be formed."
Others agree that audit committees are overwhelmed and ill-prepared for risk-management duties. "Audit does not have sufficient time to handle the responsibility," says Suzanne Donner, interim CFO at payment-processing company WorldPay. "The big debate now is the need for a separate risk committee, and I predict great momentum in the next couple of years in its formation." (Donner formerly was a director in the ERM practice at KPMG and is a partner in executive-services firm Tatum.)
"Audit shouldn't be the default simply because risk management doesn't seem to fit the other committees," says Jack Bergstrand, former CFO of Coca-Cola Beverages Ltd. and the CEO of consulting firm Brand Velocity. "Depending on the type of organization, you need an oversight committee that can address the breadth of key risks to the enterprise, someone with IT expertise to look at IT risks, or someone with marketing expertise to look at market risks. Audit is good for accounting and reporting risks, but you need directors who can actually improve the company by minimizing risks."
Erwann Michel-Kerjan, managing director at the Wharton School's Risk Management and Decision Processes Center, advocates the creation of what he calls an "audit-plus committee," with clear responsibility for risk management. "It's the board's responsibility to oversee internal and external factors that can jeopardize the organization, but there is very little structure right now to allow this, and not many board members have the desire or expertise to do it," he says. "You can't just expect the audit-committee members to suddenly take on the responsibility, unless you train people in charge of audit to do risk management. Since the CFO is responsible to the audit committee from a reporting standpoint, he or she needs to lead this charge."
In Search of Standards
Governance issues aside, ERM would get a major boost if it were widely regarded as an industry standard for best practices. "We are not talking about a one-size-fits-all standard, since risk management is part art and part science, and organizations differ by geographies, markets, business lines, and organizational structure," Lam says. "It can, however, be an industry-by-industry standard, customized by companies within a given industry."
Leung bemoans the current lack of an ERM standard. She points out that if a company decides that ERM is the responsibility of the audit committee, you end up with an ERM strategy that is functionally oriented to audit; if it decides to hand over the responsibility to the chief operating officer, then ERM is functionally oriented to operational risk. "One of the struggles is a need for a standard — not a regulatory standard, but something that defines what ERM is and what its goals are," she says. "Without this, we have too many varying definitions. Consequently, at Alliant Credit we have had to create our own standard."
Having a standard for ERM would allow comparisons against competitors. "A CFO who goes to the board and says, 'I need $5 million to reduce our exposure to cyber-risks,' will have a much better case to argue if he or she can also say, 'This is what most of our competitors are spending and it is a best practice,'" says Wharton's Michel-Kerjan. "The beauty of standards is they help you to think more comprehensively. The challenge is, who is going to be responsible for establishing them? Will we see big consultancies establish them? Establishing accounting standards is easy compared to establishing risk standards."
"Clearly, we will have a framework to help the C-suite make better decisions," says Deloitte's Ristuccia. "As business analytics improve and a clearer sense of the risk dimensions emerge, this creates a framework for discussions within organizations that they can apply to their own strategies."
By having a standard and adhering to it, companies will be more attractive to investors, lenders, and even buyers, says Bill Ingram, director of construction risk engineering at insurer and risk-management services provider Zurich Services. "If you can demonstrate that you have identified and analyzed risks according to a best-practice standard, you have an advantage over competitors that do not closely hew to the standard," he explains.
WorldPay's Donner cites the COSO ERM framework as a good place to start. "It's really just best practices broken into two parts — a process for identifying, evaluating, and prioritizing risk at the enterprise level in a particular industry, and agreed-upon principles for managing these risks on an ongoing basis."
Lam says that one key to spotting the next black swan is to conduct more stress testing and "what-if" scenarios using the newest business-analytics technology.
Leung uses such software to model risks and quantify their impact from a frequency and financial severity standpoint. "You can't do this manually; you need a tool," she says, with a caveat: "Even the best modeling technology is useless if you haven't first figured out what your risks are across the enterprise."
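The frequency-and-severity modeling Leung describes, and the "what-if" stress scenarios Magers and Lam mention, can be illustrated with a small Monte Carlo simulation. The block below is an added example, not code from the article, from Alliant Credit, Country Financial, or any vendor named here. Everything in it is constructed: the scenario (two expected incidents a year, a median loss of $100,000 per incident), the $1 million tolerance threshold, and the Poisson-frequency / log-normal-severity model, which is one common way to quantify operational and cyber risk, not the method any company in the article says it uses.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One enterprise risk expressed as frequency and financial severity.

    Constructed illustration: the parameters are assumptions, not figures
    from any company named in the article.
    """
    name: str
    annual_frequency: float   # expected incidents per year (Poisson rate)
    severity_median: float    # median loss per incident, in dollars
    severity_sigma: float     # spread of the log-normal loss per incident


def _poisson(rng: random.Random, rate: float) -> int:
    """Sample an incident count for one year (Knuth's method, fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario: RiskScenario, trials: int = 20_000,
                           seed: int = 7) -> list[float]:
    """Monte Carlo: for each simulated year, draw how many incidents occur,
    then draw a loss for each incident and add them up."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    mu = math.log(scenario.severity_median)
    losses = []
    for _ in range(trials):
        incidents = _poisson(rng, scenario.annual_frequency)
        year_loss = sum(rng.lognormvariate(mu, scenario.severity_sigma)
                        for _ in range(incidents))
        losses.append(year_loss)
    return losses


def analytic_expected_loss(scenario: RiskScenario) -> float:
    """Closed-form expected annual loss: rate times the mean of a log-normal severity."""
    mu = math.log(scenario.severity_median)
    return scenario.annual_frequency * math.exp(mu + scenario.severity_sigma ** 2 / 2)


def summarize(losses: list[float]) -> dict[str, float]:
    """Expected annual loss plus the tail figures a board tends to ask about."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(p: float) -> float:
        return ordered[min(n - 1, max(0, math.ceil(p * n) - 1))]

    return {
        "expected_annual_loss": sum(ordered) / n,
        "p95": percentile(0.95),
        "p99": percentile(0.99),
    }


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Share of simulated years whose total loss exceeds a tolerance threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def stress(scenario: RiskScenario, frequency_multiplier: float = 1.0,
           severity_multiplier: float = 1.0) -> RiskScenario:
    """Build a 'what-if' variant, e.g. a downturn that doubles incident frequency."""
    return replace(
        scenario,
        name=f"{scenario.name} (stressed)",
        annual_frequency=scenario.annual_frequency * frequency_multiplier,
        severity_median=scenario.severity_median * severity_multiplier,
    )


if __name__ == "__main__":
    # Constructed scenario: assumed two incidents a year, median loss $100,000.
    base = RiskScenario("data-breach losses", annual_frequency=2.0,
                        severity_median=100_000, severity_sigma=1.0)
    tolerance = 1_000_000  # assumed one-year loss tolerance set by the board
    for sc in (base, stress(base, frequency_multiplier=2.0)):
        losses = simulate_annual_losses(sc)
        stats = summarize(losses)
        print(f"{sc.name}: expected ${stats['expected_annual_loss']:,.0f} "
              f"(analytic ${analytic_expected_loss(sc):,.0f}), "
              f"p95 ${stats['p95']:,.0f}, p99 ${stats['p99']:,.0f}, "
              f"P(loss > ${tolerance:,}) = {exceedance_probability(losses, tolerance):.1%}")
```

The expected annual loss is the figure to compare against the cost of a control; the 95th and 99th percentiles and the exceedance probability are what a tolerance statement of the kind Leung and Magers describe is checked against. Running the stressed variant beside the baseline is the "what-if" exercise: it shows how much a plausible shift in frequency moves the tail, which is where the black-swan exposure sits. Leung's caveat still applies: the model is only as good as the list of risks and the parameters fed into it.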
Figuring them out is one thing, monitoring them is another. "Things are never static, so you need business intelligence on risks that flows in real time to senior stakeholders to enhance their decision making," says Ristuccia. Michel-Kerjan agrees: "We're living in a just-in-time world, where we want and need everything at our fingertips. Anything that has risk dimensions needs to be plugged into a BlackBerry and made viewable in a dashboard."
Country Financial's business-analytics system does just that. The insurer worked closely with Aon Global Risk Consulting to develop a toolkit that supports data-gathering, analysis, and reporting. The toolkit includes an approach for determining tolerance for key risks from an individual and an enterprise perspective. It supports quantitative approaches to understanding risk, as well as the risk transparency and oversight responsibilities of management and the board. "We collect enterprise-level risk data by the minute so we can formulate a plan accordingly," says CFO Magers.
Finally, for companies that manage to get all the aforementioned aspects of ERM into place, Lam has one more suggestion: link executive pay to specific risk metrics. "It's rare to see a tight linkage between compensation and risk management," he says. "One of the key proposals in Dodd-Frank is to tighten this linkage. It's coming."
And so, no doubt, are other black swans.
Russ Banham is a contributing editor of CFO.