In preparation for a presentation I will be doing at an ERM Conference in Miami next year, I was interviewed this month by the organizers. This is the text of the questions and answers.
1. The ongoing financial crisis underscores the need for companies to take a sobering look at their approach to risk management. How pressing is this need do you think?
There is no question that risk management in many companies and in many countries failed. This has been well documented in reports from the OECD, the Basel Commission, the NACD, and others. Companies were taken by surprise. Now, attention is being given both to the critical need for risk management within the organization, and the need for effective oversight of risk management by the board.
The need is not limited to financial services companies. Every organization has to manage uncertainties and their effects. For example, questions have been raised about risk management at BP. BP has responded aggressively, making safety and operational risk management the central part of bonus calculations for its executives.
If you don’t manage risk, you will be surprised. You know, most people focus on the negative side of risk, but risk is also about seizing opportunities when they present themselves. If you are not managing risks, you will not optimize performance.
And that is why you have risk management. It’s not just to stay in compliance with laws and regulations, or avoid the effects of hurricanes and fires. It’s to optimize performance. It’s to make risk-intelligent decisions – decisions made with full knowledge of the risks, and with plans to manage them.
Risk management enables more reliable and sustained, optimized performance.
2. Can you give examples of more rigorous and effective Enterprise Risk Management programs that are being formulated as a result of the economic crisis of the last few years?
Organizations are only very slowly getting on board. COSO released the results of two studies in December. The first, with Mark Beasley of North Carolina State, said: “almost 60 percent of the 460 respondents admitted that their risk management processes are ad hoc and informal, almost half (42.4 percent) described their organization’s level of functioning of ERM processes as ‘very immature’ or ‘somewhat mature’.” The study with Protiviti said that “more than 70 percent indicated that their boards are not formally executing mature and robust risk oversight processes”.
So there is still a very long way to go to see if risk management improvements will be made.
But there are signs of progress. The market for experienced risk officers is very hot, as companies are now starting to hire and get a program going. In addition, more companies are wisely buying risk management software, because it is hard to be effective at risk management without it.
Coming back to the question on examples, I would cite my own company first. We have had an extensive risk management program in place for many years, and are now focused on initiatives to improve our strategic risk management. We are also working to upgrade our use of technology and do more continuous risk monitoring. I think that is what a lot of companies are doing. They recognize that risk management must not only address compliance, operational, and financial risks, but strategic risks as well.
3. Far from being a compliance exercise, risk management is a strategic imperative and should be treated as such. How should companies go about ensuring this?
I am a fan of the global ISO 31000 risk management standard. Companies using that framework have an advantage. But, I think both the ISO standard and the COSO ERM framework get it right: risk management has to be embedded in the organization and part of its daily processes and decision-making.
When organizations sit down and consider where the risks to their strategies, objectives, and the creation of value are, they will be on the road to enterprise-wide risk management.
When you realize that risk management has value only to the extent that it influences the decisions you make, and can enable sustained, optimized performance, you are on the right track.
4. How important is it to regularly assess employee risk awareness and engagement to identify gaps between management expectations and employee understanding?
I think you are talking about whether management and staff across the enterprise understand executive management and board expectations for the management of risk.
Clearly, risk is only going to be managed within what we call risk tolerances (the level of risk the organization can afford to take) when people taking risks know where the line is.
What you need is more than awareness. People need training in risk management, and how to include risk in decision-making and the management of performance.
Sometimes, risks appear and come at you fast. You don’t have much time to react before you have to make a decision and take action to address the risk. When this happens, you can’t pull a committee together and start a risk management process. You have to do something.
Your risk tendencies, your personal attitude towards risk, will influence how you react, what decisions you will take and what responses will be put in place.
Risk officers need to know what these tendencies are, not only for the organization as a whole, but for all the major decision makers.
So this has to be top of mind for risk officers all the time. They need to know what the tendencies are (what we call the risk culture) and take action when those tendencies are inconsistent with the organization’s risk tolerance.
5. What are the main challenges and concerns that ERM is faced with today?
I am not sure we have enough time to cover this properly, but let me list four that immediately come to mind:
- Board and management commitment to risk management, making it part of how they develop strategy, manage performance, and make decisions – every day
- Figuring out how to set and articulate their risk tolerance (which some people refer to as risk appetite) – the level of risk they can afford. A lot has been said about the need to do that, in terms of a number for the organization. But, I don’t buy into that. You need to know for each risk where the line is. Risk tolerance needs to be articulated in a way that you can measure where you are against it, and know whether you have too much, too little, or that it’s just about right
- Resources. Organizations still have tight belts, and getting them relaxed enough to hire risk professionals and buy software is hard
- Understanding risk management. I referred earlier to the COSO and Protiviti study, where 70% of boards were not satisfied with their oversight of risk management. Other studies have shown that most directors do not believe their boards have the understanding of risk management necessary to provide oversight. I see that same problem with executives – and, unfortunately, with many internal auditors.
Pulling the threads together, I think we are making slow progress. But, it’s not as fast as most of us in the field would like to see.
I am interested in your comments. Do you agree with my answers?