Driven
by a broad spectrum of risk factors—ranging
from natural disasters and terrorist
threats to pending legislation
and supply chain interruptions—businesses
of all sizes increasingly are
looking to Enterprise Risk Management
(ERM) to assess the potential
impact of such risks on their
success and their very survival.
The
goal of ERM is to prevent the
significant damage that can be
experienced by an organization—both
financial and reputational—when
risk is addressed in silos, as
historically has been the case,
rather than managed across the
enterprise.
ERM
is a framework for identifying,
measuring, monitoring and controlling
risks in a holistic, top-down,
integrated and comprehensive manner
throughout an entire company.
ERM is best defined by "Enterprise
Risk Management – Integrated
Framework," a
document published last fall by
the Committee of Sponsoring Organizations
of the Treadway Commission (COSO).
(Access
the executive summary.)
According
to the COSO document, ERM is:
- A
process, ongoing and flowing
through an entity;
- Effected
by people
at
every
level
of
an
organization;
- Applied
in a
strategic
setting;
- Applied
across the
enterprise,
at
every
level
and
unit,
and
includes
taking
an
entity-level
portfolio
view
of
risk;
- Designed
to identify
potential
events
that,
if
they
occur,
will
affect
the
entity
and
to
manage
risk
within
its
risk
appetite;
- Able
to provide
reasonable
assurance
to
an
entity's
management
and
board
of
directors; and
- Geared
to
achievement
of
objectives
in
one
or
more
separate
but
overlapping
categories.
Among
the tools that organizations are
using to apply this approach are
statistical and spreadsheet packages,
treasury workstation risk modules
and specialized ERM software.
Leveraging
Compliance Efforts
In response
to the Sarbanes-Oxley Act of 2002
(SOX), many organizations have
deeply examined their internal
processes and have greater responsibilities
for transparency and due diligence.
Their managers can leverage the
information they gathered in the
compliance effort to affect future
strategic business decisions across
the entity.
Stephen
Baird, Principal at consulting
firm Treasury Strategies, explains: "Companies
are seeking to create a stronger
process for identifying and managing
risk, and making this process
accountable at the senior-most
level of the organization."
The
ultimate goal is using "prudent
business judgment with a balanced
application of tools to optimize
performance and shareholder value," Baird
says.
According
to Treasury Strategies' 2005
Corporate Treasury Management
Research Program, over 20% of
ERM programs reside in treasury,
more than in any other function.
Treasury managers, who are often
tapped to lead risk management
efforts, are well positioned for
this expanded role. The same Treasury
Strategies survey revealed that
treasury managers already see
benefits and value in implementing
ERM, such as:
- enhanced
internal controls and SOX compliance;
- improved
ability
to
identify
existing
and
newly
developing
risks;
- reduced
insurance premiums;
- reduced
cost
of
capital
and/or
enhanced
debt
capacity;
and
- an
instilled
culture
of
risk
management
at
the
business
line
level.
Treasury
Takes Lead on Risk
"Treasurers
will come into the leadership
role with credibility on financial
risks," says
Michael Bailey, Managing Director
of Protiviti, a provider of risk
consulting and internal audit
services. "The
key is extending that credibility
to other types of risks—operational,
strategic and reporting."
To
get started on an ERM program,
begin by studying the COSO document
cited above. Bailey suggests your
next steps include the following:
- Insist
on senior management or board
involvement.
- Clearly
define
what
the
company
wants
to
achieve
through
ERM.
- Develop
a
value
proposition
for
ERM
that
outlines
costs
and
benefits,
both
tangible
and
intangible.
- Build
relationships
with
other
areas
of
the
company
and
draw
them
into
the
process.
- Realize
that
most
other
risk
types
are
harder
to
quantify;
don't
reflexively
apply
financial
risk
techniques
to
non-financial
risks.
- Integrate
ERM
with
the
core
management
processes
and
the
firm's
business
and
strategic
planning
activities.
- Leverage
the
infrastructure
created
to
comply
with
SOX.
Bailey
adds that linking ERM to the existing
performance measurement framework
can move the organization to better
strategic decision making with
powerful results. "Linking
ERM with leading indicators such
as brand awareness and customer
satisfaction, cost efficiency
improvement, product innovation
and others can advance the cause
of ERM substantially," he
says.
Measure,
Quantify Investments
"Treasury
has the opportunity to steer ERM
away from the compliance character
it has taken on at many companies
toward a greater focus on optimal
risk taking," Baird
suggests.
Still,
up-front investments in ERM, whether
in software or consulting fees,
must be measured and quantified
against its long-term success,
he says.
To
that end, cutting edge companies
are measuring ERM's
success by quantifying the risk/reward
tradeoff. Some are capturing the "near
miss" adverse
events and using Six Sigma to
understand what potential losses
could have been. Others are tracking
actual loss events over time and
measuring any reductions attributable
to ERM.
ERM
Challenges
Challenges
to successful ERM implementation
include insufficient time, inadequate
personnel and insufficient budget,
according to the recent research
study, "Managing
Business Risk in 2006 and Beyond," conducted
by FM Global and Harris Interactive.
But
when you consider that 80% of
all major value losses involve
the interaction of more than one
risk—according
to the risk consulting experts
at Deloitte—companies
today cannot ignore the potential
of ERM to help them more smoothly
navigate a volatile future.
