Enterprise risk management & organizational change in a non-risk static world
Authored by Kedisa Johnson, January 31, 2011
Thursday, August 25, 2011

Abstract
This paper argues against the notion that risk is static and, hence, for the need for organizations to adopt the practice of enterprise-wide risk management as a core part of organizational culture.
Enterprise risk management... “A rigorous and coordinated approach to assessing and responding to all risks”.
The Institute of Internal Auditors Research Foundation, in its publication Enterprise Risk Management: Trends and Emerging Practices, defines Enterprise Risk Management (ERM) as a “rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives” ("Enterprise risk management," n.d.). If this definition holds true, then risk can never be static, since an organization, if it is not to be hindered from achieving its strategic and financial objectives, must constantly scan its environment for existing and emerging risks alike. The backlash of the global financial crisis and economic downturn has increased companies’ awareness of risk-related issues across various industries and sectors. Ernst & Young, in its Business Risk Report 2010, identified the top ten risks facing businesses globally across fourteen industry sectors, with insight from over seventy executives ranging from CEOs, strategy planning executives and heads of internal audit to business unit directors, to name a few. All interviewees were asked to comment on why each risk was important, how each risk had changed since the prior year, and how firms could respond to each threat.
The figure below represents the aggregated results within four core quadrants, financial, compliance, strategic, and operations: “compliance threats originate in politics, law, regulation or corporate governance; financial threats stem from volatility in markets and the real economy; strategic threats are related to customers, competitors, and investors and finally, operational threats affect the processes, systems, people and overall value chain of a business” ("The top ten," 2010). The top ten business risks, in sequential order, are: 1) regulation and compliance, 2) access to credit, 3) slow recovery or double-dip recession, 4) managing talent, 5) emerging markets, 6) cost cutting, 7) nontraditional entrants, 8) radical greening, 9) social acceptance risk and corporate social responsibility, and 10) executing alliances and transactions.

Figure 1.1: drawing retrieved from The Ernst & Young Business Risk Report 2010.
ERM: Risk has continuity and is rarely static in nature...
As indicated in Figure 1.1, only two of the top ten business risks were unchanged in position: cost cutting, just one place past the halfway mark, and slow recovery or double-dip recession, which held a constant position at number three. Interestingly enough, regulation and compliance, managing talent, and emerging markets each moved up one place from the previous year. It can be argued that these three heavy hitters are the main underpinnings of knowledge management within an organization, and it can also be argued that, when it comes to an organization’s realignment or reassessment of its ERM framework, they are critical factors in addressing changes in approach. If, then, risk has continuity and is rarely static in nature, how do organizations move forward?
With volatility and uncertainty at the forefront of the risk management conversation, several multinationals have, within the past year, hired new Chief Risk Officers (CROs) to steer their companies in the right direction, or back on track, “amid a climate rife with corporate bailouts and collapses” (Jordan, 2009). In November 2010, American International Group Inc. (AIG) hired as its new CRO Sid Sankaran, a former partner at the consulting firm Oliver Wyman who headed the company’s Toronto office and conducted studies of insurers, banks and securities firms to assess risk. Sankaran, who replaced 17-year veteran Robert Lewis, is said by AIG’s CEO, Robert Benmosche, to have “broad-ranging risk management experience that an enterprise of this scope must have” (Son, 2010). Benmosche is reportedly bringing in a new management team “as he sells units to help repay the $182.3 billion rescue required after the company miscalculated the risk of derivatives tied to the housing market” (Son, 2010). Similarly, in July 2010, GE Capital, the finance division of General Electric, named Ryan Zanin as its new CRO, in the hope that Zanin, a 25-year financial services industry veteran and former CRO for corporate credit and risk management in international and capital markets at Wells Fargo, will aid in restoring the AAA rating that GE lost due largely to GE Capital’s unmitigated risky behavior in letting its “finance division grow too big” ("GE capital hires," 2010).
Others, such as ING North America Insurance Corporation and Wilmington Trust Corporation, also appointed new Chief Risk Officers to build ERM frameworks within their organizations. ING North America hired Prakash Shimpi as its new CRO “to oversee the risk monitoring and management program for ING’s U.S. insurance operations” (Casale, 2010). Shimpi, formerly the global practice leader for enterprise risk management and President and CEO of Towers Watson’s capital markets, will also be “responsible for ING’s U.S. insurance operations including managing the framework for measuring, controlling, hedging and pricing risk, as well as compliance with all global financial reporting standards for the company” (Casale, 2010). Carol Baldwin Moody, former Chief Compliance Officer (CCO) at Nationwide Mutual Insurance Company (NMIC), was hired in August 2010 to serve as Wilmington Trust Corporation’s new CRO. Moody, who is now tasked with heading a “new, centralized enterprise risk management division” (Johnson, 2010), was also CCO at TIAA-CREF and “headed compliance and legal divisions at Citigroup Inc.” (Johnson, 2010) prior to her role at NMIC. It was noted that the “firm’s regional banking arm has been hurt by commercial real estate loans that have gone sour” and that it has since been focused on “improving its risk management processes” (Johnson, 2010).
ERM: establishing a risk resilient organization takes strong leadership...
These examples do not suggest that all organizations must employ CROs; rather, they point to the fact that restoring or establishing a risk-resilient organization, among other things, takes strong leadership. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in a January 2011 report entitled Embracing Risk Management: Practical Approaches for Getting Started, ranked strong leadership highly in getting an ERM framework off the ground. “Finding a leader to head the initial ERM project is also critical for success. It is critical that the risk leader have sufficient stature and be at an appropriate senior management level in the organization to have a rich strategic perspective of the organization and its risks and to be viewed as a peer by other members of senior management” (Frigo & Andersen, 2011). Additionally, “management should identify a leader with the right attributes to head the ERM effort” (Frigo & Andersen, 2011). These include broad knowledge of the business and its core strategies, strong relationships with directors and executive management, strong communication and facilitation skills, knowledge of the organization’s risks, and broad acceptance and credibility across the organization. These leaders, arguably, can also aid in changing an organization’s approach to risk management from a silo-based, business-unit-by-business-unit examination of risk to a comprehensive integrated approach, or ERM. Jordan (2009) argues that “with its holistic approach, ERM has been viewed as the gold standard of risk management methodologies, helping organizations identify, analyze, manage and monitor risk comprehensively. ERM focuses on the strategic analysis of risk throughout an organization, cutting across business units and departments, and considering end-to-end processes.”
This is a necessary value-added approach that will provide “better risk information for better decision-making and increase the likelihood of accomplishing objectives” (Jordan, 2009). Jordan (2009) cited Mark Beasley, Director of the ERM Initiative at North Carolina State University, who argues that “by focusing on an enterprise-wide risk in a coordinated fashion, organizations are better equipped to prioritize the top risk drivers and are less likely to be distracted by lower-level risks that are less important to an organization’s strategy” (Jordan, 2009), and that this further enables an organization “to align its risk appetite with its overall business strategy, deciding how much uncertainty is acceptable and how much could actually add value” (Jordan, 2009). COSO’s January 2011 thought paper, Embracing Risk Management: Practical Approaches for Getting Started, further drills down on why silos aren’t the best approach to risk management. “Any entity that is currently operational has some form of risk management activities in place. However, these risk management activities are often ad hoc, informal and uncoordinated. And, they are often focused on operational or compliance-related risks and fail to focus systematically on strategic and emerging risks, which are most likely to affect an organization’s success” (Frigo & Andersen, 2011).
ERM: A silos approach to risk management is outdated...
In a point of view (POV) article published by Verizon entitled Verizon Perspective: The Business of Risk Management, the industry-leading IT, security, and communications solutions company discusses enterprise risk management from the standpoint of providing consulting services to multinational corporations across various industries. The article homes in on several key points. First, a silo approach to risk management is outdated and ineffective because it fails to look at the “interplay between operational, financial, and strategic risks within a business unit” ("Verizon perspective," 2010). Enterprise risk management fills this gap, as it examines risk with “an additional layer of insight that isn’t possible when risk is discussed and managed in functional silos” ("Verizon perspective," 2010).
The article further argues that ERM is not about fancy software but rather about “transformative decision-making,” with an ERM approach to risk-based decisions, risk identification and the management of that risk being “embedded throughout the organization” ("Verizon perspective," 2010). Second, it places the burden of ERM not just on managers but on all personnel: “managers and even line personnel need to develop the ability to identify roadblocks, opportunities, or hazards that could interfere with strategic organizational goals. So, it comes down to training and incentivizing people in the organization to change the way they approach decision making” ("Verizon perspective," 2010). Furthermore, “teaching managers how to evaluate risk to the company, how to evaluate relative risk, and how to remove themselves from the equation can be an effective driver of both empowerment and increased success” ("Verizon perspective," 2010).
ERM: A well-implemented ERM initiative takes strong leadership and cross-functional support across the organization...
In conclusion, many of these sentiments are also echoed by COSO, along with some additional pertinent factors that lend themselves to the successful implementation of enterprise-wide risk management and that will aid any entity, financial and non-financial alike, in reassessing its organizational risk management approach. COSO outlined a seven-step action plan for an ERM initiative. Step one is to seek board and senior management involvement and oversight. This is essential because there “has been a growing emphasis on the board’s responsibilities for overseeing an organization’s risk management activities” (Frigo & Andersen, 2011). Steps two and three are to identify and position a leader to drive the ERM initiative and to create and establish a management working group. This speaks once again to strong leadership and cross-functional support across the organization. Steps four and five are to conduct an initial enterprise-wide risk assessment and action plan and to inventory existing risk management practices. This is an essential part of the process: how can an organization safeguard against threats if it does not know its potential risks and what its risk gaps are or have been in the past? Steps six and seven are to develop risk reporting and to develop the next phase of action plans and ongoing communications. These steps help build a risk culture within the organization and keep everyone, including stakeholders, abreast of emerging risks.
References
Casale, J. (2010, April 23). ING announces new chief risk officer. Business Insurance. Retrieved from http://www.businessinsurance.com/article/20100423/NEWS/100429956
Enterprise risk management: trends and emerging practices. (n.d.). The Institute of Internal Auditors Research Foundation.
Frigo, M. L., & Andersen, R. J. (2011, January). Embracing risk management: practical approaches for getting started. Committee of Sponsoring Organizations of the Treadway Commission. Retrieved from http://coso.org/documents/EmbracingERMGettingStartedforWebPostingDec110.pdf
GE capital hires new chief risk officer. (2010, July 1). CNBC.com. Retrieved from http://www.cnbc.com/id/38045096/GE_Capital_Hires_New_Chief_Risk_Officer
Johnson, H. (2010, August 23). Wilmington trust names new chief risk officer. InvestmentNews. Retrieved from http://www.investmentnews.com/article/20100823/FREE/100829982
Jordan, B. (2009). Enterprise risk management: avoid history repeating. Corporate Governor, (Winter). Retrieved from http://www.grantthornton.com/portal/site/gtcom/menuitem.8f5399f6096d695263012d28633841ca/?vgnextoid=d1c10274fe41e110VgnVCM1000003a8314acRCRD
Son, H. (2010, November 8). AIG hires Wyman’s Sankaran as chief risk officer. Bloomberg Businessweek. Retrieved from http://www.businessweek.com/news/2010-11-08/aig-hires-wyman-s-sankaran-as-chief-risk-officer.html
The top ten risks for business: a sector-wise view of the risks facing businesses across the globe. (2010). The Ernst & Young Business Risk Report 2010. Retrieved from http://www.ey.com/Publication/vwLUAssets/Business_Risk_Report_2010_PDF/$FILE/BusinessRiskReport_2010.pdf
Thought paper on Enterprise Risk Management, BU 2011