Much like the homeland security chief’s latest “gut feeling” about an increased risk of a terrorist attack in the United States this summer, some risks facing businesses today can be hard to pinpoint and even harder to quantify.

While enterprise risk management attempts to identify and measure the totality of a company’s risks, considerable ambiguity remains about how to assess non-financial, noninsurable risks. What ERM experts agree on is that companies should take a comprehensive view and apply the same approach to all risks, financial or not, such as the risk of production disruptions caused by natural causes or reputational damage due to fraud or ethical lapses.


“It is important to think through the broad spectrum of risks and focus on the ones that really matter in making sure that a company is executing its business model,” says Shawn Tebben, managing director of risk consulting firm Protiviti. “Quantify what you can quantify, and over time, recognize that you will get more sophisticated as you get better information.”

Being A Detective

Many experts say the ERM process does not need to be overly complicated.

While the official ERM framework promulgated by the Committee of Sponsoring Organizations of the Treadway Commission—widely known as “COSO II”—has been criticized as too dense and complex for most companies, a company does not have to absorb and deploy it wholesale to pursue risk management across the enterprise. Start with a clear picture of the organization’s strategic goals, Tebben suggests, and then figure out what could happen to impede those goals. A similar, straightforward strategy is advocated by John Farrell, the top ERM partner at KPMG.

Experts say companies need to pursue strategies that are most appropriate for their organization, culture, and industry. Risk identification, for example, can begin with input from the top—for instance, the audit committee and the board of directors—or can be initiated at the bottom of the employee hierarchy. Many say that starting with senior managers ensures that companies get the necessary institutional support at the outset. One method of collecting the initial data is to send out questionnaires, but some say gathering executives and managers together in a room and brainstorming is likely to be more effective.

“One thing that’s required in this process is a really good imagination. You have to ask a lot of ‘what ifs.’ It’s like being a detective,” says Martin Grace, professor of risk management at Georgia State University. The most valuable data come from people who have “lived and breathed in the company,” he adds, because non-financial risks tend to be context specific and often unique to the company.

The tools for calculating a non-financial risk’s potential effect on the bottom line are likely to be more rudimentary than the models used to calculate financial risks. To determine potential loss or profit, one can look at the company history to see the impact of past risks. If no data is available in the company, risk-management executives can research the experience of comparable companies, which is difficult but not impossible, Grace says.

“Companies don’t talk about this,” he adds. “It’s kind of like top-secret stuff.”

In addition, loss calculations don’t have to be based on absolute dollar figures. This can help simplify the ERM process and eliminate stumbling blocks that typically obfuscate the tracking of intangible risks. Instead, the calculations can be relative values based on qualitative attributes.

Calculating the probability of a non-financial risk occurring also can be very difficult. One way to achieve this is to ask employees to estimate probabilities on a scale. On a scale of one to ten, for example, employees can be asked how likely it is that the business development team in the Middle East might bribe an official to facilitate a sale, violating the Foreign Corrupt Practices Act. Companies must be careful and selective about how these questions are worded and to whom they are submitted, of course, but they can help raise red flags in areas where the rest of the company believes there might be hidden risks.

Once the estimated losses and probabilities are determined, they can be plotted on a grid to provide a visual representation of the relative value of the company’s risks.
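The scoring-and-grid approach described above, worked through in code. This is an added example, not something from the article or from any of the firms it quotes: it takes several respondents' one-to-ten estimates of likelihood and impact for each risk, reduces them to a median per risk, places each risk in a cell of a three-by-three likelihood/impact grid, and ranks the risks by their combined score. The risk names, respondent labels, scores and bucket boundaries are all constructed for illustration.

```python
"""Added example (not from the article): aggregate per-risk likelihood and
impact estimates from several respondents, place each risk on a grid, and
rank the risks.  Sample responses and bucket boundaries are constructed."""
from collections import defaultdict
from statistics import median

# Constructed sample survey: (risk, respondent, likelihood 1-10, impact 1-10).
# Impact is a relative, qualitative score, not a dollar figure.
RESPONSES = [
    ("FCPA violation by regional sales team", "cfo", 3, 9),
    ("FCPA violation by regional sales team", "compliance", 5, 10),
    ("FCPA violation by regional sales team", "regional_vp", 2, 8),
    ("Plant outage from severe weather", "coo", 6, 6),
    ("Plant outage from severe weather", "plant_mgr", 7, 5),
    ("Key creative team departs", "cmo", 4, 7),
    ("Key creative team departs", "hr", 5, 6),
    ("Minor data-entry errors in expense reports", "controller", 9, 2),
]


def aggregate(responses):
    """Median likelihood and impact per risk.

    The median is used rather than the mean so that one respondent with an
    extreme opinion does not drag the whole risk up or down the grid.
    Returns {risk: (likelihood, impact)}.
    """
    likes, impacts = defaultdict(list), defaultdict(list)
    for risk, _who, likelihood, impact in responses:
        likes[risk].append(likelihood)
        impacts[risk].append(impact)
    return {r: (median(likes[r]), median(impacts[r])) for r in likes}


def bucket(score, scale_max=10, cells=3):
    """Map a score on 1..scale_max onto a grid cell index 0..cells-1.

    With the defaults: roughly 1-4 -> low (0), 5-7 -> medium (1), 8-10 -> high (2).
    """
    return min(cells - 1, int((score - 1) * cells / scale_max))


def place_on_grid(agg, cells=3):
    """Return {(likelihood_cell, impact_cell): [risks]} suitable for a heat map."""
    grid = defaultdict(list)
    for risk, (likelihood, impact) in agg.items():
        grid[(bucket(likelihood, cells=cells), bucket(impact, cells=cells))].append(risk)
    return dict(grid)


def rank(agg):
    """Risks ordered by likelihood x impact, highest first; ties go to higher impact."""
    return sorted(agg, key=lambda r: (agg[r][0] * agg[r][1], agg[r][1]), reverse=True)


def top_n(agg, n):
    """The n highest-scoring risks, the subset that would go to a steering committee."""
    return rank(agg)[:n]


if __name__ == "__main__":
    agg = aggregate(RESPONSES)
    for cell, risks in sorted(place_on_grid(agg).items(), reverse=True):
        print(f"likelihood cell {cell[0]}, impact cell {cell[1]}: {risks}")
    print("top 2:", top_n(agg, 2))
```

Note that a low-likelihood, high-impact item (the bribery scenario, at cell (0, 2)) ends up ranked below a moderate-likelihood, moderate-impact item when the two scores are simply multiplied; the grid view keeps it visible as a separate concern, which is why the article's sources plot the grid rather than relying on the ranking alone.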

Adding A Rich Dialog

Cynthia Schmitt, vice president of ERM at Pitney Bowes, began her company’s recent risk assessment by interviewing 120 senior-level employees regarding the risks they worry about, and the probability that those risks might occur.

Schmitt then took her findings to the individuals responsible for managing each risk, whom she calls “enterprise risk owners.” She gathered together each risk owner and the other employees with responsibility for mitigating the problems and asked them to come up with a value for each risk, based on a scale of one to five.

Rather than trying to calculate a risk’s potential profit or loss, Schmitt says she asked employees to estimate each risk’s likely disclosure level. By thinking about who would have to be notified if a risk occurred—such as the board of directors or the media—employees were better able to place financial and non-financial risks along one spectrum.

“It brought consistency to the risks you can measure and to the ones it’s difficult to put a number on,” Schmitt says. “By going to the disclosure level, enterprise risk owners clearly understood who they’d need to go to.”

Out of approximately 34 risks plotted on a grid, Schmitt took the top 15 to the company’s risk steering committee. Pitney Bowes’ governance model requires risk owners to come before the committee to discuss risks, which is “where the rich dialogue is added,” she says. “You’re going to very high management, which is then getting very operational.”

Many ERM experts agree that measuring non-financial risks based on relative values gleaned from collaboration is more useful than spending a lot of time on precise calculations. However, others say the calculations can indeed be made.


“There are a lot of risks out there that people think are too difficult to quantify,” says Christopher Bohn, director and actuary at Aon, a risk-management consultancy. One way to start, he says, is by mapping out a visual representation of the company’s operations. “It’s very complex, but we want to come up with a simplified view of the world.” After operations and risks are identified, they can be valued based on their financial impact.

Take personnel-related risks, for example, which by all accounts are some of the most complicated risks to measure. If the risk of a creative team leaving is a top priority, Bohn says, he would start by determining the value the team adds to the organization, possibly by estimating the percentage of growth driven by the team. Then he would add into the equation any other costs incurred if the team left, such as the time and energy required to recruit a new team. After that, Bohn suggests using a simulation algorithm to determine probability of the risk.
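The valuation-then-simulation sequence described above, as an added example that is not Aon's model or anything from the article: the team's contribution is estimated as a share of expected revenue growth, replacement costs are added, and the departure event is simulated many times to obtain an expected loss and a tail (95th percentile) loss. Every figure, distribution and probability below is a constructed assumption, and the closed-form check at the end is there to show how a simple model can be sanity-checked against hand arithmetic.

```python
"""Added example (not from the article): Monte Carlo estimate of the loss
from a key team leaving.  All inputs and distributions are constructed
assumptions, not data from any company or consultancy."""
import random
from statistics import mean, quantiles


def simulate_team_loss(annual_growth_revenue, team_share, recruit_cost,
                       p_depart, trials=20000, seed=1):
    """Return (expected_loss, p95_loss) in the currency units of the inputs.

    annual_growth_revenue: revenue growth the company expects this year.
    team_share: fraction of that growth attributed to the team (point
        estimate); modelled as uncertain, +/-50% around it (assumption).
    recruit_cost: cost to recruit and ramp a replacement team.
    p_depart: estimated probability the team leaves within the year.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        if rng.random() >= p_depart:
            losses.append(0.0)          # team stays in this trial: no loss
            continue
        # Uncertain share of growth lost: triangular around the point estimate.
        share = rng.triangular(team_share * 0.5, team_share * 1.5, team_share)
        # Months until a replacement team is productive (assumption: 3 to 9, mode 6);
        # growth contribution is lost only for that part of the year.
        months_vacant = rng.triangular(3, 9, 6)
        lost_growth = annual_growth_revenue * share * months_vacant / 12
        losses.append(lost_growth + recruit_cost)
    p95 = quantiles(losses, n=20)[18]   # 19 cut points; index 18 is the 95th percentile
    return mean(losses), p95


def closed_form_expected_loss(annual_growth_revenue, team_share, recruit_cost, p_depart):
    """Hand-computable expectation for the same assumptions.

    The two triangular factors are independent with means team_share and
    6 months, so E[loss | departure] = growth * share * 6/12 + recruit_cost.
    """
    return p_depart * (annual_growth_revenue * team_share * 0.5 + recruit_cost)


if __name__ == "__main__":
    args = dict(annual_growth_revenue=10_000_000, team_share=0.30,
                recruit_cost=400_000, p_depart=0.20)
    expected, p95 = simulate_team_loss(**args)
    print(f"simulated expected loss: {expected:,.0f}")
    print(f"95th percentile loss:    {p95:,.0f}")
    print(f"closed-form expectation: {closed_form_expected_loss(**args):,.0f}")
```

The expected loss is what a budget or insurance discussion would use; the 95th percentile is the figure that tells management how bad a realistic worst year looks, and with a 20% departure probability it is dominated entirely by the departure scenarios. Both numbers inherit the weakness Bohn warns about below: they are only as good as the share-of-growth and vacancy assumptions fed in.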


Even Bohn, however, agrees that spending significant time gleaning risk calculations from complex models ultimately may not help a company better manage its risks, which is what ERM is all about.

“What I like to tell people is all models are wrong and some models are useful,” Bohn says. “You can build a model around pretty much anything. There are some risks you could build a model around, but it’s probably not worth your time.”

Communication And Champions

Bohn notes that, for an enterprise risk management process to be effective, companies need to keep sight of the real purpose behind assessing risks and must be sure that senior management backs up an explicit, formal mechanism for collaboration.


“No organization is better than its people,” agrees Robert Charette, a fellow with Cutter Consortium, an IT advisory firm. “ERM is really a process that you can drive all the way [through the organization] so decision makers understand that it is their responsibility to bring these risks up.”

That means communications and engagement are fundamentally critical to the success of an ERM program. Unfortunately, in many companies ERM is neither explicit nor formalized, and it takes a backseat to financial risk management. As a result, communication of goals and priorities becomes particularly challenging. Experts say changing that entrenched philosophy often requires a “top down” mandate from the audit committee, and a “bottom up” catalyst in the form of a champion at a particular business unit or department.

That champion could emerge from anywhere in the company. In many cases, members of the internal audit team pick up the mantle of ERM, especially at companies where the Internal Audit department has been asked to kick the tires on what COSO calls the “control environment”; namely, the company’s ethical values and integrity. In those companies, IA is already familiar with the criticality of non-financial risks and has likely begun to assess and codify its efficacy.

In other companies and industries, the CFO and even the general counsel have been known to drive the ERM strategy.

If executive support is lacking, senior managers can drive a high-level appreciation of the importance of assessing all risks by codifying its benefits and convincing others within the company. Pitney Bowes’ Schmitt suggests that risk managers start by finding one sponsor within the executive ranks and presenting examples of how that individual’s agenda could benefit from ERM.

And often those “benefits” don’t simply involve minimizing risks, but maximizing opportunities. “If you want to get people engaged,” Schmitt says, “you have to think about how you can add value to their organization or function.”