While the vast majority of executives say they are thinking about enterprise risk management, few appear to be implementing it across their organizations’ business processes. That’s according to two separate reports released within the last month, one by The Conference Board and financial services and risk management consulting firm Mercer Oliver Wyman, and a second by Oversight Systems, a developer of monitoring and compliance software.

Enterprise risk management has been an increasingly hot topic since the corporate scandals that began emerging in 2000. Once common only in the financial services sector, ERM is supposedly being more widely considered across industries. That’s not only because some boards of directors are considering a more proactive approach to risk, but because regulators and shareholders have been pushing companies to assess and disclose risks in a more detailed fashion.

In a Sept. 2003 speech in Atlanta, for example, SEC Commissioner Cynthia Glassman urged companies to “fill in the gaps” in GAAP financial reporting, and to provide more forward-looking information on risks. “Obviously, investors need accurate and relevant historical information,” she said, “but it would also be helpful to know the key drivers of the business and the risks the company faces.” Glassman added that companies should use the Management's Discussion & Analysis section of periodic reports “to disclose important matters not reflected in financial statements, including key drivers and risks.”

In an exclusive conversation with Compliance Week shortly after that speech, Glassman reiterated that, “ERM is an important tool companies can use to enhance disclosure in MD&A and to run the business more effectively.” According to Glassman, MD&A specifically requires disclosure of known uncertainties facing the company, and that includes risks. “By understanding and tracking key performance indicators that will signal to a company when something that is important to the business is going wrong, companies will be in a better position to articulate significant risks in MD&A.”

Contributing to the recent ERM buzz was the Sept. 2004 release of the Enterprise Risk Management—Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission. Built on the foundation of COSO’s internal control framework, the ERM document purports to provide companies with a principles-based framework for identifying “all the aspects that should be present in every company’s enterprise risk program and how they can be successfully implemented.”

“The corporate failures of 2000 and 2001 created an environment where governance is much tighter,” says Ellen Hexter, co-author of The Conference Board report and a senior research fellow and program director for The Conference Board’s ERM conferences. According to Hexter, The Sarbanes-Oxley Act of 2002 and New York Stock Exchange listing requirements have been the primary impetus for companies to focus on ERM; the NYSE’s Rule 303A—revised in Nov. 2003—requires that audit committees “discuss policies with respect to risk assessment and risk management.”

As a result, says Hexter, “Boards have gotten very involved in trying to understand corporate risks and have some sense that ERM might help them and senior management understand and manage the risks.”

Michael Chagares, director of corporate risk consulting at Mercer Oliver Wyman, agrees that this is a relatively new phenomenon. “Up until two-and-a-half years ago, there were no external drivers [for ERM], per se.” The result, says Chagares, is a greater awareness of the issue of risk. “Our study showed 90 percent of companies getting ready to implement ERM. If we did this study three years ago, that number probably would have been 50 percent or less.”

Intentions Versus Execution

But, to be clear, what The Conference Board/MOW report actually found was that 90 percent of executives “are building or want to build” enterprise risk management processes into their organizations.

However, only 11 percent have completed their implementation.

Similarly, a survey of 87 financial executives by Oversight Systems found high interest in ERM, but low levels of execution. According to that survey, 68 percent of executives said their CEO is placing greater emphasis on the management of all types of risk on a holistic basis.

But only 35 percent of those executives said their company has formally trained executives and business line managers to assess the probability of various types of risk. And most companies (55 percent) don’t have a member of senior management with explicit responsibilities to manage risk.

The same proportion, 55 percent, said their company doesn’t even have a widely communicated definition of risk.

In short, the Oversight Systems survey found that the emerging practice of risk management “is full of good intentions but short on execution.”

“Corporate America faces a gap between the perception of risk management and the reality of an effective risk management program,” said Dana Hermanson, a professor of accounting at Kennesaw State University and an advisor to Oversight Systems. “CEOs are under pressure from shareholders, creditors and regulators such as the New York Stock Exchange to better manage enterprise risk, but executives are struggling to define exactly what that means for their companies.”

Two To Three Years, Start To Finish

So what does implementing ERM really mean? And if it’s so important, why aren’t companies further along in implementing it? Once companies answer the first question, the answer to the second becomes obvious: time, money and a commitment to culture change. Successfully implementing ERM requires large amounts of all three, and all three are typically in short supply. Implementing ERM is a four-step process that The Conference Board’s Ellen Hexter says can take anywhere from two to three years from start to finish. Another reason most companies aren’t further along in their ERM efforts, according to Hexter and Chagares at Mercer Oliver Wyman, is that they’ve been busy satisfying the requirements of Sarbanes-Oxley.

“Part of it is a timing issue,” says Hexter. “We surveyed companies last year during the first year of Section 404 compliance, which was hugely costly to corporate America—companies had competing priorities.”

While Chagares noted that it’s difficult to put a price tag on a process that can vary tremendously from firm to firm, he said large companies with multiple offices in multiple countries should be prepared to pony up big bucks. “To fully implement [ERM], you’ll be well into seven figures, including internal and external resource costs and the technology to support it,” said Chagares. “A single-product, single-location company won’t spend that kind of money.”

To even consider implementing an ERM program, companies need to make a formal commitment to the process. “That’s a big step,” says Hexter, “because if there isn’t support from the top, this will never fly.” Hexter advises that companies should have an ERM “champion” at the CFO level or higher.

Once a top-level executive has been designated as the point-person, companies should conduct a risk inventory and assessment in every division. “The purpose of the risk assessment is so companies have a sense of what their risks are, what kind of impact those risks can have, and their frequency,” says Hexter. The process, which involves bringing together managers from every division to jointly decide how to prioritize the risks, is time consuming, and can take several months to complete, she notes.

Once companies decide how to prioritize their risks, the next step is developing a framework on how to mitigate or address those risks. “Part of the reason companies need to look at risk enterprise-wide is so they can balance some risks against others,” says Hexter. “Ultimately, the point of ERM is to enable a company’s leaders to understand their risk/reward tradeoffs.”

The final step, which is often the stumbling block for most companies, is implementation. “Implementation entails really building your risk management processes into your existing business processes,” says Hexter. It’s also where ERM gets expensive—in general, the more complex an organization is, the longer it will take and the greater the cost.

COSO ERM

According to the executive summary of Enterprise Risk Management—Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission in Sept. 2004, enterprise risk management encompasses the following:

Aligning Risk Appetite And Strategy—Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

Enhancing Risk Response Decisions—Enterprise risk management provides the rigor to identify and select among alternative risk responses—risk avoidance, reduction, sharing, and acceptance.

Reducing Operational Surprises And Losses—Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

Identifying And Managing Multiple And Cross-Enterprise Risks—Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.

Seizing Opportunities—By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.

Improving Deployment Of Capital—Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

According to the executive summary, the capabilities inherent in ERM help management achieve the entity’s performance and profitability targets and prevent loss of resources. "Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity’s reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way."

Source: Enterprise Risk Management—Integrated Framework Executive Summary (COSO, Sept. 2004)

“The process generally takes two to three years from start to finish,” warns Hexter. “It’s a continuous loop with lots of feedback—it needs to be constantly tweaked, revised and improved as the company changes.” For example, she notes that if a company changes its strategy, then its processes change, and hence its risks would change as well.

Reasonable Timeframes, Expectations

Though implementing an enterprise risk management initiative can be an immense undertaking, The Conference Board notes that companies that have already implemented ERM report a “significantly higher level of value added” than companies that haven’t fully implemented such measures. Among the most important benefits: better-informed decisions, greater management consensus, and increased management accountability.

“Although it might not be possible for businesses to control external risks, understanding how such risks are interrelated can help companies anticipate major surprises,” says Hexter.

Beyond helping companies build consensus around the areas of risk they want to focus on, and beyond the financial benefits that can result from examining operational processes, ERM can also help with strategic issues like mergers. “Business unit leaders tend to fall in love with deals,” says Hexter. “If they have a systematic framework where they can examine what really might happen, they can look at deals in a much more dispassionate way.” As a result, says Hexter, ERM can keep companies from entering into bad deals. “It gives them a better understanding of the risk/reward tradeoff.”

While implementing ERM is no small undertaking, Mercer Oliver Wyman’s Michael Chagares offers some advice to help make the task slightly less daunting.

“The word ‘enterprise’ scares people, because it connotes everything and everybody at once,” says Chagares. “The most important thing is to come up with a plan that will work for your company, and to keep revising that plan at every phase. Set a reasonable timeframe and reasonable expectations.”

Rather than diving in all at once, Chagares says, companies should be selective, and decide where they’re going to implement ERM first. “Pick your spot,” he says. Companies may want to apply their framework only to certain categories of risk at first, such as corporate level or business level risk. “Build, test, pilot, test, then implement,” says Chagares. Once a company has implemented ERM in one area, it can move on to the next.

“ERM is not one size fits all,” he adds. “Every process is customized to a company’s culture, their management team practices, their industry, etc.” Chagares recommends piloting ERM in areas that are “friendly,” where the initiative will be well received. “Don’t pilot ERM in an area with the highest risk and the least receptive audience,” he says. “Pick an area that’s controllable and manageable.” For example, a multinational company might start by piloting an ERM framework in a small country where risks are well understood and exposure is low.

“It has to be an evolution, not a revolution,” says Chagares. “If you make it revolutionary, it won’t stick.”

Details on the studies mentioned in this article—as well as extensive ERM coverage, related columns, Q&As with chief risk officers, and additional resources including a summary of the COSO ERM framework—can be found in the box above, right.