Recently I had the privilege of leading a forum of senior executives experienced in risk management in a discussion of the challenges of developing, implementing, and gaining the benefits of ERM.

The event was hosted by OpenPages*, a maker of governance, risk, and compliance software, and attended by executives of large companies from a cross-section of industries. The participants were chief risk officers and heads of operational risk at the managing director, vice president, and senior vice president levels, as well as OpenPages CEO Mike Duffy and sales and marketing chief Gordon Burnes. All of them have the knowledge and experience to discuss what works and what doesn’t in ERM; the participants have seen both pitfalls and successes in how their organizations have managed risk.

The session revolved around several key topics: managing risk through uncertain times, making the business case for ERM, and providing effective guidance to boards of directors. I’m devoting this column to sharing the insights gleaned from the forum.

Managing Risk in Uncertain Times

A question on everyone’s mind is to what extent an enterprise risk management process, once installed, will remain relevant when times change and bring new challenges. This is precisely what occurred with the sub-prime mortgage and collateralized debt obligation markets. Here are some of the key points that came forth:

At one (non-financial services) company, an ERM process was already in place, implemented when times were good. The disciplined thinking around risk mitigation has served the company well, especially in dealing with the recent huge rise in prices of commodities key to business operations. Because of the care taken initially, the ERM process not only enabled management to deal with the commodity price fluctuations, but also has exposed risks emerging in the new economic environment.

An executive of a financial services company outlined how the sub-prime crisis taught a tough lesson about handling information generated from risk-management processes. In many cases, managers have good information about what the risks are—but ignore the warning signs. In more than one firm, huge profits were made in originating and processing non-conforming loans, but as competition increased, the companies stretched further, taking on greater and greater risk. Managers were aware of what was happening, but no one put on the brakes.

Another financial services executive added that a significant cause of the current credit crisis is failure to align individual compensation to risk-management goals. His organization found that an aggravating factor is misalignment of compensation structures with risk cycles. A positive (though after-the-fact) result of the sub-prime crisis is the general reconsideration of how the organization “prices” risk.

Another executive noted that the recent crisis has really been a failure of business management. Risk management should be the guardrails (framing the scope of business activity conducted), not the speed bumps (representing how fast the activity is pursued). In many cases, businesses were ignoring the guardrails. As such, risk management really must be combined with business strategy.

Following on those thoughts, it was noted that everyone in a company must manage operational risks, since there is little distinction between risk management and business management. Business managers must be responsible for positions they take, and be accountable for everything in the business: revenue, risks, and people. Avoiding surprises should be the responsibility of the business leaders, not a centralized risk management function.

Centralized vs. Distributed Risk Management

The discussion moved to the positioning of organizations’ risk management functions, as well as the responsibilities of such functions and related best practices. Some interesting insights emerged.

One executive’s experience supports the view that decentralized risk management results in inconsistent application of risk-management processes, as well as difficulty in aggregating risks across the enterprise. In his company (financial services) a centralized approach has served reasonably well, but some significant bumps have appeared in the road. They’re now moving from a purely centralized approach to a “central-led” approach, with greater responsibility at the business unit level.

Another financial services executive emphasized how risk management really becomes an exercise in behavior management, where having the right incentives in place is critical. For example, the incentive structure in place during sub-prime mortgage origination was entirely counter to the company’s risk management goals. Risk management functions need to understand what incentives drive behavior on the front line.

Another industry executive expanded this notion, outlining how failures associated with the recent market turmoil had to do with a breakdown in incentive systems. One contributing factor was that the organization’s protection mechanisms are too narrow, and he offered liquidity assumptions as a key example. A third industry executive posed the rhetorical question: “How do we influence the decision process on the front lines, where people have to be provided an incentive to avoid the downside so they will make the right decisions?”

Similar views held sway in the non-financial services world. In one company where the risk function is centralized, a major challenge is thinking through the motivations for someone to do things incorrectly. Recognizing that business units have both a “heads” and a “tails,” the risk function is exploring how best to build a structure exposing the downside when everyone focuses so much on the upside. Another executive highlighted the importance of using scenario analysis, and how it can help managers understand different potential outcomes.

What the Board Wants and Needs

The discussion then migrated to what a board wants, expects, and needs to see in terms of a risk-management process. I outlined boards’ responsibilities for oversight of risk management. In summary, a board needs to be comfortable that management is managing risk, with an effective process in place to identify, manage, and assess risks; that the company’s risk appetite is appropriate; and that the board is receiving relevant information on significant risks and steps management is taking to manage those risks.

The roundtable participants focused on the following question: What happens when the board recognizes a need for an improved risk management process but management doesn’t? One executive noted how a board gains interest when the company has a “heart attack” (hopefully a mild one), and then puts risk management at the top of the board’s agenda. In a similar vein, it was noted that bad things happening to other companies shine a light on the risk-management function. In many instances senior management indeed needs help from the board to change management’s thinking and behavior.

Another question: If there’s been a spectacular risk-management failure (which of course there has), then how can we think that the board really has had visibility into the key risks in the business? Management can put together a good story for the board, but does this mean the board really is on top of how risk is being managed?

It was noted that the New York Stock Exchange requires, and best practice calls for, boards to have private sessions with the company’s internal auditors and external auditors, which can help provide information on risks and risk management. Some boards also meet privately with the chief risk officer, chief compliance officer, and other senior managers, which provides channels for additional risk-based information.

Making the Case for ERM

Most of the organizations represented at the forum already have substantive risk-management processes in place; a number have moved to full ERM. Participants’ experiences provide interesting advice to readers who might not be as far along:

In considering how to position ERM with more senior executives, it can be helpful to focus on lost opportunities and eliminating redundant activities. This should be a forward-looking exercise, to deal with emerging risks.

Be clear about how you define risk and what you’re trying to accomplish, with a clear vision that can be communicated across business units. And it’s helpful to begin with tactical areas to prove out value.

Consider what some of the more significant motivating factors in the organization are. For example, if the board or senior management is not happy with the quality of reporting or how capital is allocated, that’s where to focus initial attention and then expand from there.

Recognize that moving to ERM can be problematic for many companies because it involves establishing a higher degree of discipline to risk-management processes already in place. Managers might not be open to recognizing or embracing the many benefits of ERM. In those cases, clearly laying out the benefits of ERM is particularly important.

For a number of the participant organizations, ERM was not a large investment, with much of the effort involving educational and strategizing sessions with senior managers. Getting support for the OpenPages software was not hard, as there was a clear need for an automated solution to standardize and support authorities, responsibilities, and accountabilities and to enable communication, monitoring, and reporting of risk information.

Ultimately the risk management process should include risks throughout the enterprise, and enable identification, analysis and managing of the interdependencies existing among significant risks.

Also noted were the role of infrastructure in supporting an ERM process, the degree to which a qualitative versus quantitative approach is preferred, and the focus on technologies that provide the needed views across units and roll up to a portfolio perspective.

A Successful Forum

Feedback indicates that even these executives experienced in ERM found the forum very useful, providing new insights and knowledge enabling them to strengthen their organizations’ risk-management processes. Hopefully this brief summary of what transpired will serve a similar purpose for all Compliance Week readers.

* Editor’s Note: Richard Steinberg is a member of the advisory board for OpenPages.