Think your company does a decent job of assessing, prioritizing and preparing for their major strategic risks? The American Productivity & Quality Center’s latest research on best practices in enterprise risk management (ERM) will make you think twice.
On the one hand, the survey of nearly 100 large companies showed that 61 percent of participants believe they are doing OK. They have processes in place that aim to enumerate the potential impacts that their enterprise-level risks — a.k.a. strategic risks — could have on such areas as market share, revenue and product-delivery times. This is understandable, given that boards of directors are pushing ERM leaders to bolster their capabilities in response to pressure from investors and regulators to provide assurances that the company’s ERM processes are in good shape. Arguably, in the past boards cared more about boosting earnings than they did about the finer points of risk management.
But it’s my contention that many senior executives harbor a false sense of security when it comes to balancing risk and reward. Six out of ten survey respondents say that the identification of a major risk has limited or no impact on their strategic plan formulation. (See chart.) So, most companies do not systematically ensure that strategic plans are explicitly adjusted for risks that have been identified in the risk review. This is a worrisome vulnerability. How did it arise?
Our empirical evidence shows that a lot of organizations do their annual strategic planning before they do their annual ERM assessments. And most are loath to call a halt to a strategic pursuit once it has begun. Instead, the assumption is that the identified risks will be managed satisfactorily after the horses have left the barn.
Surely, some CEOs and CFOs do this purposefully. They don’t want the risk conversations to dampen planning activities. Either that, or they feel that ERM is too important to fold into another key management process. But APQC case study research suggests that allowing a space to exist between the two processes can lead to trouble. The business gladiators already on the field are probably not going to want to stop very long to assess whether risk mitigation strategies are well-thought through.
Another concern underscored by the survey findings involves new forms of risks. Only 19 percent of organizations say that their ERM process is effective when it comes to identifying risks that they have not yet encountered but could encounter. While more than one half of the respondents indicate that they are somewhat effective at imagining new contours or types of risk, the problem remains that risks that are easily dismissed as remote have the capacity to inflict severe damage if they materialize. That’s why best-practice organizations develop group exercises to prompt decision makers to think unconventionally.
Many companies already use such tools as color-coded heat maps that sort out small versus medium versus large strategic risks. The maps also prioritize those risks according to likelihood, velocity (how quickly risks create loss events) and potential impact. Companies also put tons of effort into creating risk registers that place a potpourri of risks into neat categories. Some define external versus internal risks and ask themselves deep questions about what they can and cannot control — and what they could do if an uncontrollable risk were to materialize.
One example of such a risk comes in the form of riots that could threaten company employees and facilities in under-developed economies simmering with talk of government overthrow. Internal risks, on the other hand, are those that arise either partially or wholly from employees’ actions, whether sanctioned by management or not. Internal risks also tend to be divided into the traditional categories of strategic, operational and financial. Those can be broken down further; for example, integrity risks and cyber security.
But most companies don’t go the extra mile and conduct granular scenario and sensitivity analysis to gain a sense of the potential impacts on financial outcomes that could, for example, alter equity analysts’ views of a company’s desirability as an investment holding.
The true best-practice ERM leaders are trying to clarify how much actual shareholder value is at stake if a major risk materialized. During the recent recession, many organizations determined that long-standing risk management approaches were inadequate when it came to assessing risks to shareholder-value generation.
Just one example: a major power company in 2008-09 realized it had contractual obligations to a large municipality which could lose its commercial paper credit rating or bank revolver if it was hit by a rating agency downgrade. If the credit spigot suddenly went dry, the city would be unable to pay the power supplier. While the municipality might have been able to side-step bankruptcy for a while, a number of situations were imaginable. Conversations between the CEO, the CRO and the audit committee of the board went like this: “We are still contractually required to deliver power, so let’s quantify the risk to our revenue stream under various default scenarios for the city.” They also looked at the potential impact on reported earnings.
The old-school concepts and languages of risk grew out of internal audit and risk transfer. The questions asked tended to revolve around:
- “Do we have internal control weaknesses [read: some frauds or innocent errors could slip through the cracks]?”
- “If we see a currency risk emerging, can we put on some financial hedges to minimize our likely exposures?”
Today, large organizations still ask those questions. But they also need to look at the shareholder value at stake under various risk scenarios — and the possible effects on a range of financial ratios that could wreak havoc with debt covenants, capital raising efforts, and strategic partner assurances, among many others. And this is where finance has to play a vital role.
Mary C. Driscoll is a senior research fellow at the American Productivity & Quality Center.