Bottom-Up Is Bad for Risk Management

Steering enterprise risk management programs from the top makes more sense because it can provide a better fit with a company’s strategic objectives.
Kristina Narvaez and John Bugalla, August 17, 2012

There’s a lesson CFOs should learn when trying to get a strategic view of the perils facing their entire organization. Too many enterprise risk management programs are launched and championed by a single individual or department from the bottom up, without giving adequate consideration to both the needs and goals of the entire enterprise — a core ERM concept. The result is an ERM effort that is a narrowly focused extension of the sponsoring department.

For example, an ERM effort championed by the compliance or regulatory group will become a compliance and regulatory-biased program. An ERM process initiated by business-continuity planning will tend to focus on the issues associated with emergency management and crisis communications. Obviously, these two organizational capabilities are important, but they should be considered within the overall context of the strategic goals of the organization.

An ERM initiative that is truly a holistic approach to risk management will not only leverage the best risk identification and risk treatments already in place throughout the organization but also incorporate the same risk processes into the strategic planning process. Strategic and operational benefits from adopting ERM can be achieved when ERM is aligned with the strategic and operational goals of the organization.

Because the strategic plan sets out a vision for the organization’s growth over a multiyear time frame, incorporating the ERM process will support the strategic plan. The reason is straightforward: while the strategic plan is based on various projections over time (including economic, competitive, and demographic), its starting line is with existing conditions.

However, there is an enormous range of changing circumstances. While the consequences vary over time, changing circumstances can quickly turn favorable operating conditions into an extremely difficult environment. Consider the wide range of outcomes possible spanning the five-year time frame of 2012–2016.

Incorporating an ERM process into the strategic plan will both support growth objectives and minimize the impact of adverse events that could hinder the organization in achieving its goals. Therefore, the benefits, both strategic and operational, that are possible by adopting the ERM process include:

• A far greater chance of achieving the goals of the strategic plan.

• The ability to minimize the impact of adverse events on the strategic plan.

• The ability to optimize value-creating opportunities.

• A persuasive demonstration to credit-rating agencies and other stakeholders that an ERM culture and practice are being embedded within the organization, and that all critical risks are being managed in relation to each other and considered in the aggregate.

John Bugalla is a principal with ermINSIGHTS and Kristina Narvaez is president and CEO of ERM Strategies LLC. James Kallman, Ph.D., and Joseph Milan, Ph.D., also contributed to this article.