The 2008 global financial crisis exposed a risk management challenge with consequences far beyond just the practices of big banks. The root causes and, ultimately, the costs of the Great Recession stemmed from a much broader set of risks than finance was accustomed to measuring. Financial models were blown up by unforeseen behavioral and operational risks. What we learned from this experience was that as long as CFOs remain focused only on managing their limited portfolio of financial risks (credit, market, liquidity, forex, interest rates, etc.), they will inevitably repeat the mistakes of the past. To account for these outside risks, CFOs need to look at how different factors across the organization can give rise to uncertainty, and how that uncertainty can affect the company or the broader economy — not just financially, but in terms of operations, strategy, and reputation.
As most finance chiefs well know, it is inherently difficult to identify metrics that can be used to monitor key risks. In fact, the 2014 “State of the ERM Function” study issued by CEB, a member-based business performance advisory firm, found that while establishing Key Risk Indicators is important for risk management’s success, even risk managers struggle with developing effective KRIs. So, what can finance do to get ahead of risks and better plan forecasts of the organization’s health?
At Consolidated Edison, a New York City energy utility focused on operating performance, we asked ourselves this exact question. Identifying key risks is only the first step of our organization’s risk management process. We also need to monitor these risks, put appropriate mitigation plans in place and make adequate preparations should the risk come to fruition.
In order to tackle this challenge, our ERM team was asked to work with other areas of finance and operations to develop KRIs for all of the major corporate risks. The idea was that these metrics could then provide signals representing increasing risk exposures in various areas of the company and could also alert management to trends that may adversely affect the attainment of organizational objectives or indicate the presence of new opportunities.
The ERM team then began partnering with organizational risk owners (the individuals responsible for managing and responding to key risks) to identify KRIs that could be traced to the root causes of risks. From the root causes, we developed indicators that help the organization identify multiple threats that can cause a risk event. This process takes place with subject matter experts (risk owners) in a workshop facilitated by the ERM team. While most organizations hold discussions about risk events and the potential consequences those events could bring, our workshop starts at a deeper level. It includes an open discussion on the identified root causes and consequences of the risks, concluding in a bow-tie analysis.
A bow-tie analysis is a visual representation (in the shape of a bow tie) in which you place a risk event in the center, the causes of the risk event on the left-hand side, and the likely consequences on the right-hand side. ConEdison used this process to evaluate the organization’s key risks and identify multiple threats that could lead to a risk event. In this case, risk owners were asked to identify data points and report out on KRI status for each root cause.
Once the participants document all the root causes for a risk event, the risk owners identify one data point relevant to each root cause. For example, if one key risk is “material misstatement,” one root cause could be “internal control deficiencies.” The risk owner would then identify “number of Sarbanes-Oxley deficiencies” as an indicator for that root cause, which is ultimately tied to the original risk.
For each data point, risk owners collect three years of historical data so they can firmly understand the risk tolerance range. In most cases, risk owners can use metrics that already exist for these root causes and that are already being monitored regularly. Using the historical data the risk owners have compiled, they work with the ERM team to set thresholds and target levels for that indicator. The risk owners then assign a weighting to each indicator. Given the finance department’s role in managing risks, the team was brought in throughout the process to provide valuable input and feedback.
The next step of the process involves reporting on the risks. Each individual KRI is assessed, and then the ERM team aggregates the data. Using the weighting assigned to it and the status of each KRI, the team determines an overall assessment for that risk. The results of the process are then compiled into a report delivered to senior management.
Through this approach, we have found that bow-tie analysis clearly articulates the causes and effects of the organization’s top risks and also creates a sustainable system for measuring risks and their root causes. As risk owners collect three years of data for each risk root cause, they end up with valuable data to forecast future risk exposures. In turn, this gives the finance department ample data to work with when building their own forecasts of the organization’s financial health.
Getting Ahead of Key Risks
We’ve been told that since our successful implementation, a growing number of organizations are starting to deploy KRIs to help their business partners better anticipate and act on risks. Conversations with CEB members have shown us that an increasing number of companies are mapping these indicators back to the root causes rather than the immediate indications of the risks. Mapping allows risk owners to produce metrics that serve as early warning signals so they can better allocate funds to reduce the likelihood of a risk event.
Most organizations want to make their ERM programs more quantitative. Yet, it is inherently difficult to quantify risk exposure, especially for operations-type risks. As an effective middle ground, KRIs are a valuable tool that links to business processes and enhances risk-informed decisions. Given that 20% of Heads of ERM have a primary background in finance and 29% of ERM teams report into the CFO, it is no surprise that a wide array of finance chiefs have directed their teams to focus on developing key risk indicators.
Robert Hoglund is senior vice president and chief financial officer and Richard Muzikar is the director of risk management at Consolidated Edison Co. of New York.