Historically, Enterprise Risk Management has not received the attention it deserves. It has such negative connotations and few people want to engross themselves in a management activity that is seemingly unproductive. Despite this unhelpful image, Risk Management is leaping up the corporate agenda, propelled by unprecedented economic volatility and encouraged by a growing awareness that it can contribute to value creation and sustained profitability. In this new FSN white paper written with the help of Oracle, Gary Simon, FSN’s managing editor looks at the positive side of Enterprise Risk management.
WHAT IS RISK?
HOW HAVE WE COPED WITH RISK?
RISK FOR COMPETITIVE ADVANTAGE
WHAT ARE THE BARRIERS TO RISK MANAGEMENT?
HOW SHOULD ORGANIZATIONS MANAGE RISK?
CONFRONTING EMERGING RISK
“Risk Management is painful – not a natural act for humans to perform.”[1]
Inherently risky industries such as energy and petro-chemicals have long had a deep appreciation of risk but recent events in financial services, media and professional services have illustrated that no industry is immune from it. Audit risk brought down Andersen, illegal activities by a few employees felled News International and imprudent investments in real estate caused the demise of many financial institutions.
But there is an inherent injustice in risk management in that a small incident, low value transaction or immaterial business unit can give rise to a disproportionately large liability. Just one audit out of thousands brought down Andersen and the errant activities of a handful of employees in one small subsidiary shook the reputation of the powerful Murdoch organization to its foundations. All of this underlines the need for a pervasive, enterprise-wide response to risk underpinned by a risk-savvy culture and organization that recognizes and takes account of all of the risks a business faces.
However, the notion that risk management is all about harm (or avoiding it) is misguided. Harnessed in the right way, risk management gives organizations ‘permission’ to pursue new products, business acquisitions and ventures in foreign markets safe in the knowledge that risk has been factored into the decision, i.e. that there is the appropriate balance of risk taking and risk appetite, backed by key risk measures and responses. It is this more positive side of risk management that is helping to raise its profile.
But the risk landscape is in a constant state of flux. There are new risks arising from obligations under new regulations, and other risks which ebb and flow with the passage of time. Added to which there are so-called ‘emerging risks’ on the horizon which are ill-defined and have the capacity to take organizations by surprise. So the boundaries of risk management are constantly being tested and organizations have to be continuously on their guard.
In view of this how should an organization simultaneously prepare for traditional and emerging risk, both as a defensive measure and as a means of stimulating growth and profitability?
WHAT IS RISK?
Everybody’s definition of risk is slightly different but a more enlightened approach is to use a definition that balances harmful outcomes with opportunities for gain. One definition along these lines is “Risk is the potential for loss or harm - or the diminished opportunity for gain – that can adversely affect the achievement of an organization’s objectives.”[2]
But risk manifests itself in an extraordinary number of ways. Traditionally this could be described as ‘strategic’, ‘operational’ and ‘financial’ (although there are other categories).
Strategic risks, as the name suggests, derive from the pursuit of an organization’s headline strategy. Plotting a new course, making major acquisitions or pulling out of an established market can have a profound effect on share price and reputation – in either direction. These are risks that a management team should reasonably foresee as part of strategy development.
Operational risks pertain to the ‘business-as-usual’ activities of the enterprise such as its front line activities and transactions with customers or perhaps hiring and firing employees. These risks are often closely linked to regulation and compliance.
Financial risks relate to financial exposure arising from any of the other risks or from financial policy, such as the organization’s approach to treasury management, hedging, tax planning and financial instruments.
But all of these historic definitions appear inadequate in the face of a growing inventory of risks often with critical interdependencies that compound the probability of occurrence and magnify the potential outcomes. Categorization of risk becomes even more of a ‘hit and miss’ affair when viewed through the lens of different industries.
More recently, a new category of risk, “Emerging Risk” has gained notoriety as businesses confront the need to deal with a whole range of poorly defined risks which are difficult to identify, quantify and manage and yet can have a devastating impact.
It is becoming clear that a one-size-fits-all approach to enterprise risk management, especially emerging risk, is infeasible. Every organization has a unique risk profile and has to manage it accordingly. But how well have we coped?
HOW HAVE WE COPED WITH RISK?
The answer appears to be not very well. A 2011 survey of risk management practices[3] finds that on average around a third of large companies do not have an enterprise risk management program in place. This implies that risk is often managed haphazardly, for example by function, perhaps not at all, or only on a reactive basis.
The same survey points out that 50 percent of companies are not measuring emerging risks, 57 percent do not measure political risk, 44 percent do not measure reputational risk and around 28 percent are not measuring major financial risks, including business, market and credit risks.
Emerging risk (see later) is a particularly troublesome risk category. It represents risks that are seemingly remote and frequently beyond the control of the organization. For example, the Eurozone crisis and along with it the potential for one or two faltering economies to withdraw from the common currency is typical of emerging risks which are unquantifiable and uncontrollable.
Understandably, to many busy executives it appears that the types of risks to which companies are exposed, as well as their severity, are growing. It seems that the pace of business change, population growth, globalization and technology have conspired to heap more uncontrollable risks on unsuspecting organizations. Take for example environmental risks such as contamination, climate change and natural disasters. These can have a profound effect that ripples around the world in an instant. Technological risk such as cyber crime is becoming a major concern for prominent companies and governments. Even societal change which leads to civil unrest can give rise to supply chain risk and disruption. For the unlucky or unwary, the consequences of emerging risk are neither remote (unlikely) nor trivial.
But in the face of this growing list of risks companies seem ill-prepared. Many are still formulating their risk management methodology, risk structures, measurement capabilities, organizational responsibilities, systems and processes. As a result risk management is patchy and operates in organizational silos.
A 2012 survey by Deloitte and Forbes[4] makes the point more forcibly. Fewer than 25% of respondents indicated that most risks are continuously monitored in their companies. Even in the areas that are considered to be most volatile, namely financial and strategic risk, relatively few companies use technology to continuously monitor risks. Instead, more than two-thirds say they only periodically monitor risk across the organization.
So there appears to be a glaring mismatch between what management and shareholders expect of risk management and what companies are actually able to deliver. The good news is that companies are starting to become aware of the gap. According to the 2012 survey[4], a full 91 percent of the respondents say that their companies plan to reorganize and reprioritize their approaches to risk management in some form in the coming three years.
RISK FOR COMPETITIVE ADVANTAGE
There is a growing awareness that risk management is critical to sustainable growth, profitability, competitive advantage and capital management. Risk management and performance management can be viewed as two sides of the same coin.[2] It could even be argued that unless an organization is proactively willing to balance its capacity for taking on risk with measured risk-taking in its investment decisions it is tantamount to ‘leaving money on the table’.
On the other hand, enlightened organizations that are willing to look beyond the harmful side of the risk equation can see that risk management built into strategic decision making, planning and forecasting can be differentiating and lead to competitive advantage.
According to one recent survey[2] risk management at top-performing companies is now more closely integrated with strategic planning and is conducted proactively, with an eye on how such capabilities can help by, for example, accelerating the move into new markets or other growth strategies.
For example, companies that are able to look beyond limited sensitivity analysis in their planning and forecasting are better able to balance their appetite (capacity) for risk and their ability to manage risk. Traditional sensitivity analysis is being replaced by modern techniques such as Monte Carlo simulation which are able to work with multiple variables at the same time to help refine forecasts and set realistic expectations about the range of possible outcomes and share of risk that an organization bears under each scenario.
“Once we start thinking about forecasting under conditions of uncertainty of sudden change, it becomes clear that a single forecast value for each time period is simply unrealistic. At such times it is obvious that any forecast could be increased or decreased by 5%, 10% or more without flying in the face of common sense. In circumstances such as these it is statistical folly to issue a single valued forecast. What is needed is a range of forecast scenarios based on different assumptions in order to understand the resulting risk range.”[5]
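The contrast drawn above, between a single-valued forecast, one-at-a-time sensitivity analysis and a Monte Carlo simulation that moves every driver at once, is easier to see with numbers. The following is an added example, not code from the paper or from Oracle: a hypothetical product-line profit model with constructed base-case figures and assumed distributions (triangular volume, normal price and unit cost) that exist only to drive the illustration. The three functions return the point forecast, the traditional sensitivity table and the simulated outcome range so they can be compared side by side.

```python
import random
import statistics

# Constructed base-case planning assumptions for a hypothetical product line.
# None of these figures come from the paper; they exist only to drive the example.
BASE = {"volume": 10_000, "price": 50.0, "unit_cost": 30.0, "fixed_cost": 120_000.0}


def profit(volume, price, unit_cost, fixed_cost):
    """Simple contribution model: units sold times unit margin, less fixed cost."""
    return volume * (price - unit_cost) - fixed_cost


def point_forecast():
    """The single-valued forecast the quotation warns against: every driver at base."""
    return profit(**BASE)


def sensitivity_table(swing=0.10):
    """Traditional one-at-a-time sensitivity: flex each driver by +/- swing
    while every other driver stays at its base value. It never shows what
    happens when several drivers move together."""
    rows = {}
    for name in ("volume", "price", "unit_cost"):
        low, high = dict(BASE), dict(BASE)
        low[name] = BASE[name] * (1 - swing)
        high[name] = BASE[name] * (1 + swing)
        rows[name] = (profit(**low), profit(**high))
    return rows


def monte_carlo(n=20_000, seed=1):
    """Monte Carlo forecast: draw every uncertain driver at once from an assumed
    distribution, recompute profit, and summarise the resulting range.
    The distributions are assumptions for the example, not calibrated estimates."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    outcomes = []
    for _ in range(n):
        volume = rng.triangular(8_000, 12_500, 10_000)  # low, high, mode
        price = rng.gauss(50.0, 2.5)
        unit_cost = rng.gauss(30.0, 2.0)
        outcomes.append(profit(volume, price, unit_cost, BASE["fixed_cost"]))
    outcomes.sort()

    def percentile(q):
        return outcomes[min(len(outcomes) - 1, int(q * len(outcomes)))]

    return {
        "p5": percentile(0.05),
        "p50": percentile(0.50),
        "p95": percentile(0.95),
        "mean": statistics.fmean(outcomes),
        "prob_loss": sum(1 for o in outcomes if o < 0) / len(outcomes),
    }


if __name__ == "__main__":
    print("point forecast:", point_forecast())
    for driver, (lo, hi) in sensitivity_table().items():
        print(f"{driver:>10} -10%/+10%: {lo:,.0f} / {hi:,.0f}")
    r = monte_carlo()
    print(f"Monte Carlo P5/P50/P95: {r['p5']:,.0f} / {r['p50']:,.0f} / {r['p95']:,.0f}")
    print(f"probability of a loss: {r['prob_loss']:.1%}")
```

The sensitivity table answers “what if price alone falls 10%?”; the simulation answers the question the paper actually poses, namely how wide the plausible range is and how much of it sits below zero when volume, price and cost all vary at the same time. The percentiles are the “range of forecast scenarios” of the quotation, and the probability of a loss is a figure that can be set directly against a stated risk appetite.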
WHAT ARE THE BARRIERS TO RISK MANAGEMENT?
The most frequently cited barriers to enterprise risk management are cultural issues, cost pressures and a lack of robust information about risks.
Many of the impediments to effective risk management are cultural or organizational in nature. Foremost amongst these is that people are unaware of what they need to do concerning risk. Indeed, ‘ownership’ of risk is one of the most vexed questions in the risk arena. Should risk assessment and management reside in the business units or with ‘C’ level executives? How far should risk management be decentralized, and what is the role of the risk specialists? The lack of clarity around ownership of risk comes out highest in the list of challenges to effective risk management.[4]
Counter-intuitively companies are under pressure to reduce costs at the very same time as needing to invest more in enterprise risk management. This practical concern is frequently highlighted by executives who are concerned that they are unable to strengthen their response to a growing and diversified list of risks. There is also the suggestion that risk management is not taken into account in individuals’ bonus and reward schemes. It seems that people are not sufficiently encouraged or rewarded for containing risk or for pursuing risk adjusted growth.
Lack of information to make risk-based decisions lays bare the inadequacy of enterprise risk management processes in many leading organizations, exacerbated by business complexity and the lack of accountability highlighted above. However, in a sign that the tide is turning, only 17 percent of the respondents to the Deloitte/Forbes survey[4] suggested that risk management was not a priority for top management or that the organization lacked the vision to focus on the most critical risks.
HOW SHOULD ORGANIZATIONS MANAGE RISK?
It should be self-evident by now that there are no simple answers to managing risk. Indeed there are many approaches to managing risk but whatever the methodology, there are some common themes.
Clear lines of accountability and responsibility
Where ultimate responsibility for risk management should reside is a thorny question, but as noted above there is a growing acceptance that risk management is a ‘C’ level concern. The question is how much of the responsibility should reside with individual business units and how much at the centre?
The evidence seems to point to the optimum position being a hybrid approach. Recent events at BP, Barclays Bank and News International, all global organizations, underline the fact that reputational risk (whatever the underlying cause) floats to the very top of the organization. In the eyes of the press, the public, politicians and shareholders the CEO is ultimately accountable for risk. But how should that responsibility be shared?
Opinion is divided. After the CEO most regard the CFO as being the main custodian of risk management closely followed by the Chief Risk Officer (CRO), if there is one. The favored model seems to be one in which the key risks are managed centrally and other risk priorities are pushed down through the organization with individual business managers being assigned responsibility for managing, monitoring and measuring specific risk.
All recent surveys point to a significant willingness to invest in the Risk Management function but there is debate as to the precise role of the CRO. In around 45 percent of cases the CRO is responsible for risk management. But it is vital that the risk management function is not divorced from the business and the issues it faces. The Accenture 2011 study[3] shows how companies with the best risk management practices (the top 10 percent, or “Risk Masters”) regularly involve their risk management function in key decisions such as mergers and acquisitions, investment, divestment or financing decisions, large capital projects, outsourcing and core financial processes such as budgeting, forecasting and procurement.
“Risk specialists need to poke their heads outside of their silos once in a while. Risk doesn’t exist in isolation, so risk managers can’t either.”
What is important is that the organization is imbued with a risk management culture that encourages individuals to engage in discussion of risks and takes them into account as a matter of course in its strategy setting, day to day operations and investment decisions. Remembering that effective risk management is about value creation as well as value protection helps management embed a risk-aware culture in the organization.
The chosen risk management methodology should not be allowed to detract from the main point of the exercise. Pragmatism is essential. The approach should be sufficiently robust to allow for rapid assessment of risk, identifying, ranking and substantiating existing and emerging risks without getting stuck. Attention should shift rapidly from risk assessment to management and monitoring, allocating risks to individuals who are to be responsible and accountable for overseeing their management across the entire organization.
Risks should not be seen in isolation but set in the context of specific business objectives along with specific Key Risk Indicators (KRIs) that act as an early warning of difficulty. This allows timely action to be taken to avoid the consequences of a risk coming ‘home to roost’ rather than focusing on recovery after the event.
Infrastructure, systems and processes
The most pressing challenge in risk management is to achieve a consolidated view of risk across the enterprise which can then be analyzed by business entity, function and business line. Enabling technologies such as Governance, Risk and Compliance (GRC) systems can be helpful in gathering and analyzing risk data as well as monitoring Key Risk Indicators, but it would be misguided to consider that technology alone can offer adequate levels of protection against a demanding risk landscape.
“The strongest systems and measures can be foiled by people who are uncommitted, uninformed or untrained. Informed people adapt with changing conditions and complexity. Systems typically do not.”
That said, very few organizations (less than a third) have automated their risk management processes. Dashboard reporting for senior stakeholders, data analysis and risk self-assessment are most often a mixture of manual and automated processes. This explains in large part why very few organizations monitor risk continuously. Less than a quarter of respondents to the Deloitte survey[4] monitor risks continuously, with most choosing to do it periodically. Financial, regulatory and compliance risks are likely to receive the closest regular attention whereas strategic, human capital and political risk languish near the bottom of the rankings.
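Two points above deserve a concrete shape: that KRIs should sit against a named business objective and an accountable owner and act as an early warning rather than a post-mortem, and that continuous, automated monitoring is what makes such warnings possible. The following is an added example, not code from the paper or from any GRC product: a small risk register with constructed thresholds and readings (one financial, one cyber, one supply-chain indicator) evaluated the way a continuous feed would evaluate them. The early-warning rule, a least-squares trend extrapolated a few periods ahead, is an assumption chosen for the example; the thresholds, owners and figures are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    """A Key Risk Indicator tied to a business objective and an accountable owner.
    Thresholds are assumptions chosen for the example."""
    name: str
    objective: str
    owner: str
    amber: float
    red: float
    higher_is_worse: bool = True

    def status(self, value: float) -> str:
        """Classify one reading as green, amber or red against the thresholds."""
        if self.higher_is_worse:
            if value >= self.red:
                return "red"
            return "amber" if value >= self.amber else "green"
        if value <= self.red:
            return "red"
        return "amber" if value <= self.amber else "green"


def trend_slope(history: List[float]) -> float:
    """Least-squares slope of the readings per period (0.0 if fewer than two readings)."""
    n = len(history)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(history) / n
    num = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(history))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def early_warning(kri: KRI, history: List[float], horizon: int = 4) -> bool:
    """True when the indicator is not yet red but its recent trend, extrapolated
    `horizon` periods ahead, would cross the red threshold: act on the trajectory,
    not on the breach."""
    if not history or kri.status(history[-1]) == "red":
        return False
    projected = history[-1] + trend_slope(history) * horizon
    return kri.status(projected) == "red"


def evaluate(register: List[KRI], readings: Dict[str, List[float]]) -> List[dict]:
    """Run every KRI in the register against its readings and produce the rows a
    risk dashboard, or an alert routed to the owner, would need."""
    report = []
    for kri in register:
        history = readings.get(kri.name, [])
        current = history[-1] if history else None
        report.append({
            "kri": kri.name,
            "objective": kri.objective,
            "owner": kri.owner,
            "current": current,
            "status": kri.status(current) if history else "no data",
            "trend_warning": early_warning(kri, history),
        })
    return report


# Constructed register and readings (not from the paper). Readings are in period
# order, oldest first, as a continuous-monitoring feed would deliver them.
REGISTER = [
    KRI("days_sales_outstanding", "Convert revenue to cash within 45 days", "CFO", amber=45, red=60),
    KRI("critical_vulns_open_over_30d", "Keep the internet-facing estate patched", "CISO", amber=5, red=15),
    KRI("supplier_on_time_delivery_pct", "Protect production continuity", "COO",
        amber=95, red=90, higher_is_worse=False),
]
READINGS = {
    "days_sales_outstanding": [38, 41, 44, 47, 50],
    "critical_vulns_open_over_30d": [1, 2, 1, 2, 1],
    "supplier_on_time_delivery_pct": [98, 96, 93, 89],
}


if __name__ == "__main__":
    for row in evaluate(REGISTER, READINGS):
        flag = " (trending to red)" if row["trend_warning"] else ""
        print(f"{row['status']:>5}{flag}: {row['kri']} = {row['current']} -> {row['owner']}")
```

Run on the constructed feed, days sales outstanding is only amber today but is flagged because its trend reaches the red threshold within four periods, which is the moment the CFO can still act; supplier delivery is already red, where the only option left is recovery; the vulnerability backlog is flat and green. A periodic review that looked only at the latest value would report the first indicator as a routine amber.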
But there are signs that companies are shifting towards monitoring risk on a continuous basis and are more willing to invest in ERM systems and processes. Strategic and technology risk management are touted as the areas where budgets will increase the most in the foreseeable future.
CONFRONTING EMERGING RISK
Emerging risks are by definition very new, poorly understood and not well measured. If straightforward, financial, strategic and operational risk is difficult to monitor and manage, how much more so must emerging risk put a strain on an organization? Yet paradoxically emerging risk is believed by some to offer the greatest opportunity for competitive advantage.
Social media is a good example of an emerging risk. The risk is pervasive and rising yet it is very difficult to quantify and manage. Like most emerging risks its impact can be devastating and costly. Social media can also amplify and exacerbate other risks. For example, a financial indiscretion, a technology failure, cyber attack or a compliance breach (especially in financial services) can be extremely serious for the reputation of an organization, but with social media, reported incidents (or worse still, rumor) can spread at Twitter speed across the globe, with devastating consequences.
Most organizations are susceptible to Social Media risk and the impact is severe, but in common with all emerging risks, those businesses that have the ability to detect problems earlier and have a robust response in place can obtain a significant advantage over those organizations that are completely unprepared.
One of the greatest challenges that besets CROs and other ‘C’ level individuals charged with responsibility for risk management is how to identify risks that are without precedent.
There is no easy answer to identifying and dealing with emerging risks, but given their systemic and highly toxic nature it is vital that this category of risk is integrated with existing risk management methodology and processes so that it is regularly reviewed. One way to proceed is to start by explicitly identifying key value drivers and then identify the emerging risks which pose a potential threat to the realization of those value drivers.
Because emerging risks are often systemic and come from external factors, this category probably fits best with strategic risk. Special effort is needed to ensure that emerging risk is not side-lined and that organizationally somebody has clear responsibility for identifying and managing it from the top down. Brainstorming with senior management, internal subject matter experts and business leaders in key parts of the organization is critical for ‘teasing’ out the most likely concerns. For this category of risk organizations should also consult external sources of information, thought leaders, academics, industry groups and non-industry groups to gain the widest possible perspective on potential risks.
Once the risks are identified they should be categorized and incorporated into the organization’s risk inventory and risk reporting along with methods of modeling, monitoring and measurement using a variety of internally and externally generated Key Risk Indicators. Furthermore, emerging risk should be frequently challenged and reviewed taking account of external sources to validate changes and developments.
It is also critical that emerging risks become an integral part of the risk-aware culture, i.e. that risk awareness is not confined to ‘standard’ (known and controllable) risks such as compliance and operational risk, but that individuals within the organization are regularly encouraged to think ‘outside of the box’.
Enterprise Risk management is becoming a growing concern for companies grappling with a new class of “emerging” risk which is contributing to an increasingly diverse and complex risk landscape.
Historically, risk management is an underinvested activity and the majority of businesses have yet to assemble adequate policies, risk structures, systems and processes to effectively counter the wide range of risks they face. Even for those that have implemented enterprise risk management programs less than a quarter continuously monitor risk.
But the tide is turning. There is a growing appreciation that risk management, if harnessed correctly, can improve business performance and profitability by encouraging an appropriate balance between risk appetite and reward when weighing up growth opportunities where competitors that have not learnt to measure and manage risk are fearful of treading.
However, there are significant barriers to improving enterprise risk management capabilities. Many businesses have yet to develop risk aware cultures and many say they are hampered by cost pressures from making the necessary investments. Others do not have the technology infrastructure and processes in place to collect, analyze and report on risks across the enterprise on a regular basis.
Emerging risks are exacerbating the problem but can be managed by constantly reviewing the nature of the risk (as part of an overall risk management program), challenging the organization with internal and external measures and constant vigilance. Furthermore, organizations that have not considered emerging risk as part of a broader enterprise risk management approach leave themselves very exposed and at a significant competitive disadvantage relative to companies that have.
Nevertheless, there are no easy solutions to managing emerging enterprise risks. Each business faces a unique set of risks and what works in one business or industry as a risk management approach is unlikely to be an exact fit with another. Despite cost pressures and doubts about how best to manage emerging risks all recent surveys clearly point to increased investment in risk management systems and processes over the next three years as companies seek to leverage risk management for competitive advantage.
[1] Gentry Lee, Chief Systems Engineer at the Jet Propulsion Laboratory (JPL), quoted in Harvard Business Review, June 2012.
[2] Deloitte, Putting risk in the comfort zone.
[3] Accenture 2011 Global Risk Management Study.
[4] Deloitte and Forbes, Aftershock: Adjusting to the new world of risk management.
[5] Avoiding Profit Warnings, Metapraxis Limited, 2005.
Oracle Corporation (NASDAQ: ORCL) is the world's largest enterprise software company. With the market-leading Hyperion enterprise performance management suite, world class financial applications, and integrated governance, risk and compliance solutions Oracle helps finance executives maximize potential and deliver results for their organizations. For more information on Oracle's financial management solutions, visit us at http://www.oracle.com/applications
FSN Publishing Limited is an independent research, news and publishing organisation catering for the needs of the finance function. This white paper is written by Gary Simon, Group Publisher of FSN and Managing Editor of FSN Newswire. He is a graduate of London University, a Chartered Accountant and a Fellow of the British Computer Society with more than 27 years experience of implementing management and financial reporting systems. Formerly a partner in Deloitte for more than 16 years, he has led some of the most complex information management assignments for global enterprises in the private and public sector.
Whilst every attempt has been made to ensure that the information in this document is accurate and complete some typographical errors or technical inaccuracies may exist. This report is of a general nature and not intended to be specific to a particular set of circumstances. FSN Publishing Limited and the author do not accept responsibility for any kind of loss resulting from the use of information contained in this document.