Assurance and Advisory
Enterprise Risk Management: An emerging model for building shareholder value
7874Mkt ERM Cover 22/09/2003 11:44 AM Page 2
Contents
Introduction ..... 2
The current environment: How risk management is evolving ..... 4
How organisations are deploying ERM: Tools and techniques in use today ..... 6
An emerging model for deriving value from risk management ..... 10
Implications and opportunities ..... 17
Conclusion ..... 18
Appendix I: Interviews with leading risk management specialists ..... 19
Endnotes ..... 27
Contacts ..... 28
6314Mkt ERM Whitepaper 22/09/2003 11:39 AM Page 1
Introduction

As business leaders seek new ways to build shareholder value, they have begun
to think in new ways about how risk management is tied to value creation. Across
industries and organisations, many are recognising that risks are no longer merely
hazards to be avoided but, in many cases, opportunities to be embraced. “Risk in
itself is not bad,” asserts Suzanne Labarge, chief risk officer at Royal Bank
of Canada. “What is bad is risk that is mismanaged, misunderstood, mispriced,
or unintended.”1 Indeed, many are realising that risk creates opportunity, that
opportunity creates value, and that value ultimately creates shareholder wealth.
How best to manage risks to derive that value has become the critical question.
In this context, enterprise risk management (ERM) has emerged as an important
new business trend. ERM is a structured and disciplined approach aligning
strategy, processes, people, technology, and knowledge with the purpose of
evaluating and managing the uncertainties the enterprise faces as it creates
value. “Enterprise-wide” means the removal of traditional functional, divisional,
departmental, or cultural barriers. A truly holistic, integrated, future-focused, and
process-oriented approach helps an organisation manage all key business risks
and opportunities with the intent of maximising shareholder value for the
enterprise as a whole.
Leaders face a variety of new challenges in their drive to maximise value.
Globalisation, e-business, new organisational partnerships, and the increasing speed
of business activity are rapidly changing and expanding the risks organisations face.
One significant result is that risk management must now extend well beyond
traditional financial and insurable hazards to encompass a wide variety of strategic,
operational, reputation, regulatory, and information risks. As a means of identifying,
prioritising, and managing such risks across an enterprise or division—and linking
them to value creation—ERM has the potential to provide organisations with a new
competitive advantage.
Most organisations, however, are uncertain about how, exactly, to translate the
concept of ERM into concrete action steps that will help them enhance shareholder
value. Leaders agree that as important as ERM might be in theory, it will never be
valuable in practice unless it enables organisations to use risk information to drive
business value in a way they could not do otherwise.
This white paper describes ERM as it has begun to evolve today, emphasising that
organisations may be able to benefit more fully from their ERM efforts than they
may have done thus far. It addresses how leaders should seek to analyse their
critical risks—balancing them with their objectives for improved returns—and then
use that information to drive business value. To that end, this document outlines
a new ERM model, one that can provide organisations with new action steps they
may use to enhance business decision-making and, potentially, shareholder value.
The current environment: How risk management is evolving

As risks change and proliferate, managers in a variety of industries are seeking
to ensure that they are taking both the right risks as well as the right amount of
risk—compared with their own organisations’ risk tolerance or “appetite” and
benchmarked against others in their markets and industries. An organisation
determines its risk appetite, and its capacity for taking on additional risks, in
much the same way individual investors balance their own tolerance for various
risks against their desire for greater returns and use that knowledge to diversify
the portfolio of stocks, bonds, and other financial instruments they hold
(see box below).
Defining Risk Appetite

An organisation’s “appetite” or tolerance for risk will vary with its strategy as well as
evolving conditions in its industry and markets. Each organisation’s risk tolerance is
unique, and it will vary according to organisational culture as well as external factors.
A critical aspect of management’s responsibility is to determine which risks, and how
much of each of them, the organisation should take and then to re-evaluate those choices
as circumstances change. Unlike Total Quality Management (TQM), which tolerates
no failures, ERM maintains that a defined number of failures can be tolerated if the cost
of guarding against them is more expensive than the risks they impose.
Consider the perspectives of a government buying computer chips for use in cruise
missiles and a computer manufacturer buying the same chips for use in personal
computers. Both entities have high standards for the quality and integrity of the
computer chips, but widely differing tolerances for failures in them. The cruise missile
manufacturer can tolerate no chip failures. The likelihood of such failures may be low,
but the magnitude of the consequences is too high for all organisational stakeholders.
That manufacturer must thus test every chip to ensure that it fully meets the high
standards the organisation has established.
The PC manufacturer, on the other hand, need not test all its chips because it can,
in fact, tolerate a few failures. It can bank on the limited likelihood of such failures,
because the magnitude of the consequences is considerably lower than with chip
failures in cruise missiles. This difference in risk appetite will drive differences
in resource allocations and other management choices.
“Globalisation has completely changed both the risks organisations face and their management
of those risks. When you’re no longer making things in Lancaster, Pennsylvania, for example,
but in Bangladesh, or Marissa, or Hong Kong, you’ve got risks, along with opportunities,
along the entire value chain. A large portion of our product is sourced overseas, so as with
all retailers, we have to work hard to be sure that working conditions are what they should be.
What do the plants look like, and do we own them? How do we ensure that they are safe and
humane and that workers are appropriately compensated? Failing to pay close attention to the
risks related to those issues can result in tremendous liabilities, not the least of which is
degradation of the brand.”2
Vice President, Financial Operations, Specialty Retailer
Thus, risk management is moving well beyond the tradition of risk mitigation
(using controls to limit exposure to problems) toward risk portfolio optimisation
(determining the organisation’s risk appetite and capacity among a group of risks
across the enterprise, seizing opportunities within those defined parameters, and
capitalising on the rewards that result). As a consequence, risk management is
beginning to be perceived as a new means of strategic business management,
linking business strategy to day-to-day risks.
Enterprise risk management is evolving in this context. It is an important means
of identifying the critical risks the organisation faces—for example, reputation,
ethics, e-business, or health, safety, and environmental risks (not just financial
or insurable hazards). It is also important for managing and optimising that
portfolio of risks in a way that realises financial rewards. Interpretations
of ERM vary widely by industry and among organisations. Consequently,
definitions of ERM also vary widely—but many agree that it is a top-down
approach, based on and supportive of organisational strategy, that is focused
on new ways to manage and optimise the risks of highest importance to the
board and management.
Depending on how they perceive ERM, organisations are using it in a variety
of ways, with varying results, as described in the next section.
How organisations are deploying ERM: Tools and techniques in use today

Intrigued by ERM, organisations are using risk management concepts to consider
a number of questions:
■ What risks am I facing, and how do they compare to those of my peers
or competitors?
■ How are these risks changing based on changes in my business environment?
■ What level of risk should I take?
■ How should I manage those risks?
To help answer these questions, many organisations are collecting and analysing
risk information using a variety of basic tools such as one or more of those
described below:
■ Identification/Assessment tools enable a management team to collectively
identify and assess the risks facing the organisation. These tools also enable the
team to evaluate each risk according to its “likelihood” (that is, the probability
that the risk will occur) and its “magnitude” (the impact the risk would have
if it did occur). (See Figure 1.)
[Figure 1: Business Risk Matrix. Vertical axis: Likelihood (5%, 25%, 50%, 75%, 95%). Horizontal axis: Impact (Low, Moderate, High, Extreme, with dollar bands from <$X up to $X). Response zones across the matrix: Accept, Control, Reduce, Pass On, Terminate.]

Management can derive considerable power from augmenting its knowledge about risk
likelihood and impact. Through this process they will make judgments on the likelihood and
impact of various risks, creating an analysis such as that depicted above. Once such an analysis
is done, some risks will require no action, but when a risk has a potentially high likelihood and
substantial impact (such as those in the upper right quadrant), management should take action
to move that risk into an acceptable range or even eliminate it altogether, based on a risk/return
analysis of the effects of such action on the entire organisation. Risks in the lower left quadrant
may be candidates for reduced controls.
Figure 1: Business Risk Matrix
Identifying and Assessing Risk from an ERM Perspective

The CEO and the board of directors should consider a number of questions during risk
identification and assessment. Such questions include:

Strategic Risk
■ Are the critical strategies appropriate to enable the organisation
to meet its business objectives?
■ What are the risks inherent in those strategies, and how might
the organisation identify, quantify and manage these risks?
■ How much risk is the organisation willing to take?
■ What risks result from e-business developments?

Operational Risk
■ What are the risks inherent in the processes that have been
chosen to implement the strategies?
■ How does the organisation identify, quantify, and manage these
risks given its appetite for risk? How does it adapt its activities
as strategies and processes change?

Reputation Risk
■ What are the risks to brand and reputation inherent in how the
organisation executes its strategies?

Regulatory or Contractual Risk
■ What risks are related to compliance with regulations
or contractual arrangements—not just those that are
financially based?

Financial Risk
■ Have operating processes put financial resources at undue risk?
■ Has the organisation incurred unreasonable liabilities to support
operating processes?
■ Has the organisation succeeded in meeting measurable
business objectives?

Information Risk
■ Is our data/information/knowledge reliable, relevant
and timely?
■ Are our information systems reliable?
■ Do our security systems reflect our e-business strategy?

New Risks
■ What risks have yet to develop? (These might include risks
from new competitors or emerging business models, recession
risks, relationship risks, outsourcing risks, political or criminal
risks, financial risk disasters (rogue traders) and other crisis
and disaster risks.)
Typically, users plot risks in a matrix that depicts risks in categories, thus
determining how particular risks compare to the organisation’s defined risk appetite.
Multiple tools provide a structured framework for identifying and assessing risks.
They may also assist in identifying risk “owners” (those to whom organisations
assign responsibility and authority for the management of specific risks).
■ Categorisation tools help organisations group and prioritise their risks, by
industry or within an entity. Such tools help management to ensure that they
have captured all categories of organisational risks, not just traditional,
financial hazards (see Figure 2 below).
■ Financial quantification tools help organisations understand the potential impact
of risks. A number of sophisticated models are available to evaluate risk in
financial areas. These models—encompassing, for example, value-at-risk
and options theory—have been most commonly applied in financial services
organisations, in which credit and market risks, among others, are highly
quantifiable. In addition, risk-adjusted returns on assets or equity have been
quantified by many organisations to better manage and balance the inherent
differences in their divisions or product lines. How to model other categories of
risks is less well understood, although some organisations have attempted to do so.
Having systematically assessed and categorised their risks—and perhaps having
tried to understand their impact—many organisations try to determine which risks
should be managed at the corporate level and which risks should also be pushed
down into the structure of the organisation.
[Figure 2: Risk categories. Organisational Risks: Compliance, Governance, Integrity, Information, Financial, Human Resources, Operational.]
Figure 2: Risk categories
Organisational approaches to risk management may be centralised at the corporate
level or decentralised among divisions or processes, depending on the nature of the
risks in question and the organisational preferences of management. While there
is no right or wrong way to organise, organisational principles are emerging
as follows:
■ Centralised risk management tends to focus on risks that affect the achievement
of key corporate objectives and strategies and significantly affect most if not all
functions and processes (e.g., reputation). These risks may be referred to as
enterprise-wide risks. Accountability for enterprise-wide risks may reside with
the CEO and the board of directors (although responsibility for these risks may
be dispersed throughout the organisation). Other risks that may be managed
centrally include those that require specialised skill sets that cannot be
duplicated at the division level or those that require partnering or contracting
at the corporate level.
■ Decentralised risk management pushes the responsibility of risk management
to those who live with it day to day. Risks that may best be managed in this
way are division or process-level (PL) risks, which are those that are significant
only within a particular process but nonetheless affect the organisation’s ability
to successfully implement its strategies overall.
Regardless of whether risks are managed in a centralised manner, in a
decentralised manner, or with a hybrid of these structures, a new organisational
trend is to create ERM “program offices” and appoint chief risk officers (CROs),
who are responsible for developing and managing risk management strategy. Notes
Pamela G. Rogers, assistant treasurer, risk management with Sears, Roebuck &
Co., “Just as companies have revenue and profit strategies, there’s got to be a risk
strategy, and the CRO needs to set it.”3
In summary, experience shows that many leaders believe ERM is important—and
potentially a competitive differentiator—but many of them remain largely unable
to translate risk information into the action steps that can drive business value.
They may have learned a great deal from the information they have collected,
but they are seeking new ways to use and derive value from it. The next section
describes a new ERM implementation model designed to further the value
enhancement process.
An emerging model for deriving value from risk management

Organisations are engaged in a wide variety of risk assessment and monitoring
efforts, but many of them remain largely unable to point to the specific value
they derive from these activities. The emerging models for risk management are
integrating how leaders think about risk with how they manage their businesses
and are designed to monitor how risk management provides value. Leaders can
participate in this ERM evolution by broadening and expanding the tools and
concepts used today, as shown in Figure 3.
Figure 3: Risk Management is evolving…

From: Risk as individual hazards | To: Risk in the context of business strategy
From: Risk identification and assessment | To: Risk “portfolio” development
From: Focus on all risks | To: Focus on critical risks
From: Risk mitigation | To: Risk optimisation
From: Risk limits | To: Risk strategy
From: Risks with no owners | To: Defined risk responsibilities
From: Haphazard risk quantification | To: Monitoring and measurement
From: Risk is not my responsibility | To: Risk is everyone’s responsibility

Tying ERM to Business Strategy

Early models of risk management viewed risk as a market imperative—something
to be understood and analysed for its own sake. The new models maintain that
ERM should be intrinsically linked to the entity’s business strategy—which
encompasses an organisation’s established vision, mission, and objectives; its
process for defining operational imperatives; and its philosophies, policies,
plans, and initiatives for growth and development (see Figure 4).
Aligning ERM resources and actions with the business strategy is necessary
to maximise organisational effectiveness. What’s more, by linking ERM to the
strategy, risk processes can be carried out in the context of where a business is
headed, not solely based on where it is today. This differentiator is critical in an
environment in which many organisations are changing their business models and
strategies with increasing speed, driven by influences such as the rise of e- and
m-commerce, the globalisation of business, and changing consumer expectations.
In the course of this process, an organisation may find that it is unsure of its
actual risk appetite. By developing measurements to evaluate levels of risk, an
organisation may determine how it may need to adjust its risk appetite, based
on business outcomes and assessments. Linking the business strategy to ERM
can also provide a context for setting risk appetite and risk measures so that they
are linked to a long-term view of the entity. Otherwise, if appetite and related
measures are established inappropriately, leaders may make decisions that tolerate
more or less risk than the strategy establishes as ideal. Newer models of ERM
establish a link with business strategy, which can increase ERM’s relevance to the
organisation as a whole.
[Figure 4: A new ERM model. Components: Business Strategy, Risk Strategy, Risk Portfolio, Risk Optimisation, Measuring and Monitoring, Risk Structure.]
Figure 4: A new ERM model
Risk strategy is built around and supports the business strategy. Risk portfolio development,
optimisation, and measuring and monitoring take place in the context of these strategies,
based on an established structure for ERM that provides the means of embedding it in
organisational culture.
Deriving Action Steps from Risk Assessment

Risk assessment has proved to be a highly useful process for identifying,
categorising, and assessing critical risks based on their likelihood of occurrence
and magnitude of impact. The key issue that has arisen, however, is what to do with
the information when the risk assessment is finished. In some instances, entities
find that the process has identified so many risks that they cannot possibly track
them all. In others, they find they have not been able to translate the risk assessment
into specific action steps—in the context of management’s risk appetite—that drive
value for the organisation.
To address these issues, the new models of ERM are taking the concept of risk
assessment several steps further to encompass a risk portfolio. The concept
of a risk portfolio assumes that various risks share certain characteristics and/or
interdependencies. Risks are considered in groups, based on how they relate
to each other, and within these groups one or more risks may rise or fall when
other risks rise or fall. In addition, when one risk is transferred, another may arise.
For example, by outsourcing a non-core function to mitigate performance risk,
an organisation assumes credit and supply-chain risks. By understanding and
mapping such interdependencies, leaders can begin to parcel risks into broad
categories that will influence how these risks are managed and optimised.
[Figure 5: Benchmarking performance indicators to understand risk management. Vertical axis: Return; horizontal axis: Observed Risk. Elements plotted: Risk-free Return (+/- 4.5%), Risk Capacity, Value “Curve”, and Risk Appetite (expressed as % variation of return: SD/Mean).]
Figure 5: Benchmarking performance indicators to understand risk management
Measuring risk based on the performance of an organisation and comparing it to
industry-based returns may point out opportunities to optimise risk.
Another key concept of the risk portfolio is that it acknowledges organisational
limitations. Management has time and resources to focus on a limited number
of risks. Evaluating risks in a portfolio enables leaders to perceive impacts and
interdependencies, allowing management to proceed through the ERM process with
a better understanding of which risks are critical and thus may require their increased
focus—driving a better return on management’s time and resource investment.
Optimising Risks

At this point in the ERM process, organisations understand their strategy, have
identified their risks, have defined the interrelationships of those risks within
a risk portfolio, and have made preliminary decisions as to which risks require
the most management attention. The next step is to optimise the risk portfolio.
Risk optimisation embodies the concept of choice. Just as an investor adjusts
the mix of investments based on defined targets for risk and return, a risk portfolio
manager chooses among tactics to manage risk based on the entity’s appetite for
risk and its ability to absorb it. These choices can include adding controls or limits
for risks that may exceed the entity’s risk appetite. Such choices also may include
reducing costs related to excessive controls or taking action to expand risks in
areas where existing controls provide additional risk capacity. Thus the manager
must continually balance the cost/benefit of taking such action with the need to
optimise risk in the organisation. By applying a variety of tactics, risk managers
can begin to affect corporate performance and thereby affect shareholder value.
A key part of the optimisation process is to make sure that the risk “limits” are
understood and that the risk appetite is apportioned appropriately, so that the limits
managed separately do not exceed the entity’s risk appetite as a whole. This is a
key step in the process, as a risk manager’s point of view may affect what he or
she deems an acceptable level of risk. For example, a corporate CFO may
understand that the total dollar amount of risk acceptable in futures trading could
be $20 million. Within a division, however, that has $2 million in total sales and
the only futures trading in the entity, the division manager may believe that only
$1 million in risk is acceptable. The organisation’s overall performance could be
enhanced if the division manager understood that he or she could take more risk.
Conversely, if the division undertook a position of risk for $30 million, it is putting
itself and the entire corporation in an unacceptable risk position.
Risk optimisation is an iterative and ongoing process: as one tactic is implemented,
others should be reassessed. While reassessment is typically not possible for every
action, entities are beginning to track actions related to the organisation’s most
important and material risks.
Measuring and Monitoring to Enhance Value

At this point in the process, all of the actions related to ERM should be having
an impact on the organisation. Measuring and monitoring these actions now
becomes necessary, as an ongoing means of understanding and reporting on the
status and impact of risks. Many organisations are devising ways to perform these
activities on both an enterprise-wide and a process level.
Monitoring at its most basic level can be embedded in an organisation’s systems.
By defining risk limits in terms of specific attributes or measurements, real-time
monitoring can occur and, if limits are exceeded, actions can be taken. Achieving
this result requires thoughtful definition of performance measures (both
quantitative and qualitative) that can embody risk characteristics. Other monitoring
methods include the use of internal and external auditors, benchmarking against
market or other data, and retroactive review of risk results. Companies should
define the monitoring and measurement systems that best serve their management
styles and characteristics.
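As an added example (not code from the whitepaper or its authors), the checks the model describes expressed as monitoring logic in Python: the Figure 1 likelihood/impact classification, the Figure 5 measure of risk appetite as SD/Mean of returns, and the optimisation rule that separately managed limits must not exceed the enterprise-wide appetite. The classification cut-offs, the appetite band, the sample dollar figures and returns, and all function names are assumptions, not values the paper states.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# --- Figure 1: likelihood/impact matrix -------------------------------------
# Impact bands as they appear on the matrix axis; the dollar boundaries are left
# to the organisation ("<$X to $X" in the figure), so only the rank is modelled.
IMPACT_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}


def classify_risk(likelihood: float, impact: str) -> str:
    """Map one risk to the matrix region the whitepaper describes.

    Upper right (high likelihood, substantial impact) calls for action; lower
    left is a candidate for reduced controls; everything else is kept under
    watch. The cut-offs (50% likelihood, High impact) are assumptions taken
    from the axis ticks in Figure 1, not thresholds the paper itself sets.
    """
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    rank = IMPACT_RANK[impact]
    if likelihood >= 0.5 and rank >= IMPACT_RANK["High"]:
        return "take action"
    if likelihood <= 0.25 and rank <= IMPACT_RANK["Moderate"]:
        return "candidate for reduced controls"
    return "monitor"


# --- Figure 5: risk appetite as % variation of return (SD/Mean) --------------
def return_variation(returns: list[float]) -> float:
    """Standard deviation of observed returns divided by their mean.

    This is the SD/Mean measure Figure 5 uses to express risk appetite.
    Population SD is used because the series is the full observed history.
    """
    m = mean(returns)
    if m == 0:
        raise ValueError("mean return is zero; SD/Mean is undefined")
    return pstdev(returns) / abs(m)


def within_appetite(returns: list[float], appetite: float) -> bool:
    """True when observed variation stays inside the stated appetite band."""
    return return_variation(returns) <= appetite


# --- Risk optimisation: apportioning the enterprise appetite ----------------
@dataclass(frozen=True)
class RiskLimit:
    owner: str     # risk owner (division or process) managing this limit
    limit: int     # share of the enterprise appetite apportioned to the owner, in $
    exposure: int  # currently measured exposure against that limit, in $


def apportionment_headroom(enterprise_appetite: int, limits: list[RiskLimit]) -> int:
    """Enterprise appetite minus the sum of the separately managed limits.

    Negative headroom means the limits, taken together, exceed the appetite
    for the entity as a whole even if no single owner has breached its own.
    """
    return enterprise_appetite - sum(l.limit for l in limits)


def check_limits(enterprise_appetite: int, limits: list[RiskLimit]) -> list[tuple[str, str, int]]:
    """Real-time style limit check: returns (finding, owner, amount) tuples."""
    findings = []
    headroom = apportionment_headroom(enterprise_appetite, limits)
    if headroom < 0:
        findings.append(("APPORTIONMENT_EXCEEDED", "enterprise", -headroom))
    for l in limits:
        if l.exposure > l.limit:
            findings.append(("LIMIT_BREACH", l.owner, l.exposure - l.limit))
        if l.exposure > enterprise_appetite:
            findings.append(("APPETITE_BREACH", l.owner, l.exposure - enterprise_appetite))
    return findings


# Constructed sample data following the paper's futures-trading illustration:
# the CFO accepts $20 million of futures risk for the entity as a whole, the only
# trading division has set itself a $1 million limit, and it is now carrying a
# $30 million position.
ENTERPRISE_APPETITE = 20_000_000
SAMPLE_LIMITS = [
    RiskLimit("Futures trading division", limit=1_000_000, exposure=30_000_000),
    RiskLimit("Treasury", limit=5_000_000, exposure=2_000_000),
]
# Constructed quarterly returns (%) for the SD/Mean measure.
SAMPLE_RETURNS = [10.0, 12.0, 8.0, 10.0]

if __name__ == "__main__":
    print(classify_risk(0.75, "High"))
    print(f"SD/Mean of returns = {return_variation(SAMPLE_RETURNS):.1%}")
    for finding in check_limits(ENTERPRISE_APPETITE, SAMPLE_LIMITS):
        print(finding)
```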
Risk Strategy and Structure Complete the Model

Rounding out this ERM construct are two additional concepts. The first is that of
a risk strategy. Just as a business strategy indicates the direction of the business,
a risk strategy provides guidance for the risk activities within a company. It can
set the tone for aggressive or conservative risk management activities, dictate how
measuring and monitoring activities can be carried out, and provide the “bird’s-eye”
view needed by management and the board. Indeed, it is the risk strategy that
provides the backbone for embedding ERM within the culture of the business.
The risk strategy should be executed by the risk structure. Many organisations
today are designing integrated structures that define how ERM is embedded into
the organisation. This endeavor will not require a bureaucratic reinvention of the
business structures already in place, but rather an enhancement of such structures
that will embed and align risk management within existing strategies and business
planning efforts.
The structures will encompass the roles and responsibilities for managing
risk. They will also define accountability as well as clear reporting lines, which
will empower managers to act within defined boundaries linked to risk appetite.
The effective integration of these structures calls for the board to develop ownership
of the effort and demonstrate its strong commitment to it. To achieve this
commitment, the board will need both education and ongoing assurance that
ERM is providing value.
Communication of the risk strategy and structure is essential. Such communication
should be designed—using appropriate technology and common language and
concepts—to ensure that all employees and stakeholders understand the board’s
vision and objectives. Leaders must clearly demonstrate the relevance of the
ERM strategy, providing success stories to maximise the value of the
communication process.
Having defined responsibility and accountability, leaders should also take careful
steps to ensure that individuals have the skills necessary to execute effectively.
The level and type of skills required will vary considerably; consequently, all
relevant business and personal training should encompass ERM principles.
In many cases, the CRO is at the center of this structure and is responsible
for driving it as well as fine-tuning it based on organisational performance.
Implementing such an ERM model within an organisation can produce a business
risk management process that results in a systematic workflow for addressing risk
within the organisation.
Key Actions to Help Embed a Risk Structure in an Organisation

Board activities
■ Provide ERM education at board level
■ Establish buy-in at board level for risk appetite and risk strategy
■ Develop “ownership” of risk management oversight by the board
■ Review a risk report of the enterprise

Management activities
■ Create a high-level risk strategy (policy) aligned with strategic business objectives
■ Create a risk management organisational structure and ensure clear reporting lines
■ Develop and assign responsibilities for risk management
■ Communicate board vision, strategy, policy, responsibilities and reporting lines
to all employees across the organisation

Establish a common risk culture
■ Use common risk language and concepts
■ Communicate about risk using appropriate channels and technology
■ Develop training programs for risk management
■ Identify and train “risk champions”
■ Provide success stories and identify quick wins
■ Align risk management techniques with company culture
■ Develop a knowledge-sharing system

Create risk accountability/responsibility
■ Include risk management activities/responsibilities in job descriptions
■ Incorporate ERM concepts into personal goals
■ Empower managers with defined risk boundaries

Embed risk activities into ongoing business processes
■ Align and integrate risk management activities within business processes
■ Embed real-time controls related to risk into digital systems as appropriate
■ Develop continuous improvement processes related to risk

Measure and monitor risk
■ Identify key performance indicators and critical success factors related to risk
■ Establish success measures for risk strategy and activities
■ Provide a periodic process for measuring risk/return
■ Identify and implement monitoring processes and methods of feedback
Implications and opportunities

Whether ERM can drive change in an organisation ultimately depends on whether
management implements ERM in an integrated way. When risk is used as an
organising principle, in the context of a risk strategy, management can take action
in a coordinated and synergistic manner. Using ERM to optimise its risks can
help the organisation perceive potential structural and/or strategic adjustments
that can help enhance organisational effectiveness in building shareholder value.
Ultimately, ERM requires the support of the CEO and the board, who drive it
through the organisation. For any leader, however, undertaking all of the ERM
process at one time can be daunting. The key is to start somewhere. The checklist
below can provide a place to begin.
17
Implications and opportunities
A strategic checklist for business leaders

Organisational leaders should ask themselves a number of questions to help determine whether they are effectively using ERM to optimise their risks:

1. Do I know what our risks are?
2. Have I evaluated non-traditional risk exposures?
3. Do we understand the interrelationships of our risks?
4. Do I know what our risk appetite is?
5. Do I know who our risk owners are? Do they have systems in place for measuring and monitoring risk?
6. What is the perspective of the person(s)/department(s) overseeing risk?
7. Do we have systems in place that promote risk optimisation?
8. Do we regularly look for new markets, partnering opportunities, and other risk optimisation strategies?
9. How do our incentive systems affect risk management?
10. Does our understanding of risk permeate our organisation and culture?
11. Does each individual understand his or her role and responsibility for managing risk?
12. Is risk a priority consideration whenever business processes are improved?
Conclusion

Enterprise risk management can become a strategic competitive advantage if it is used to identify specific action steps that enhance performance and optimise risk. It can also influence business strategy by identifying potential adjustments related to previously unidentified opportunities and risks. Used appropriately, ERM thus becomes a means of helping the organisation shift its focus from crisis response and compliance to evaluating risks in business strategies proactively, to enhancing investment decision-making and to improving shareholder value. Organisations that develop an ERM framework for linking critical risks with business strategies can become highly formidable competitors in the quest to add value for shareholders.
Appendix I: Interviews with leading risk management specialists

In order to explore further how ERM is affecting some leading organisations, we interviewed the senior risk executives of a selection of multinational companies. We selected our interviewees using our knowledge of organisations that are particularly advanced in risk management, and who are considered by their peer organisations to be leading exponents of risk management.

Fiona Bennett, formerly Vice President, Risk Management & Audit, BHP Billiton

1. How do you see risk management developing in the future?

In the light of recent high-profile corporate collapses and the economic downturn, there is likely to be more explicit direction from regulatory bodies. Good Corporate Governance should include a holistic, structured enterprise-wide risk management program. Whilst the ASX Listing Rules suggest that this should exist, it is not yet mandatory for publicly-listed companies.

As insurance costs increase because of the recent events in the US, there is also likely to be a drive by companies to mitigate their risks by implementing effective risk management programs.

2. How do you ensure a company takes a holistic approach to risk management?

In order to develop an effective holistic approach to risk management, it is vital that there is demonstrated commitment and support from the Board, the CEO and senior management. The extent and consistency of the communication that comes from the Board and senior management is vital to ensure that the holistic risk management framework is understood and readily applied across the company.

Time needs to be taken to ensure that business leaders within the company understand, firstly, the benefits that the program can bring to their individual part of the business and, secondly, how to use the results to achieve their strategic goals and planned business outcomes. To effectively “embed” the approach in the organisation, the management incentive and reward structure needs to support such an approach.
3. What impact has risk management had at BHP Billiton?

The greatest and most sustaining impact that risk management has had at BHP Billiton is in the area of Capital Projects decision making. This does not mean that capital project decision making is risk averse, rather that there is full awareness and understanding of the risks that are associated with a particular project. A structured risk management process is undertaken as part of the Capital Projects review procedures, whereby different specialists covering project management, HS&E, technical, financial, tax and so on, are involved in the process, thereby leading to better decision making. In turn, this leads to effective allocation of resources and better use of management time and effort.

4. How do you measure the benefits of your risk management program?

Benefits to date have been measured qualitatively, rather than quantitatively. Businesses may identify new risks, reprioritise existing risks and get the whole team focused on issues that are important to the business rather than issues in their individual areas. By getting the management team to appreciate the context of the broader spectrum of business risk, the team can then allocate resources (time and money) more effectively to achieve their business outcomes.

5. What drives the success of a risk management program?

The success of a formal risk management program is driven by leadership and enthusiasm from the Board and executive management. This is critical to ensuring that risk management becomes embedded as part of the culture of an organisation. The program also needs to be a valuable experience to the individual businesses. If it is seen purely as “another Head Office initiative” it will surely fail.

The other important factor is that the framework and language used needs to be readily understood and transferable across the company using concepts that can be applied to all facets of an organisation, from projects to functions to full risk assessments across individual businesses/sectors/units.
Ernestine Rozario, Group Manager, Risk Management & Assurance, Telstra

1. How do you see risk management developing in the future?

Enterprise risk management will be a seamless process integrated within all elements of a company’s activities such as strategic direction, corporate planning and merger and acquisition activities. In fact, risk management capabilities will be across all levels of management, so much so that an organisation’s need for a Chief Risk Officer could be debatable. Evolution of risk management is likely to lead to it becoming part of management’s accountability.

Once risk management has reached this level of integration in an organisation, it will result in more conscious risk taking. What I mean by this is, as knowledge of risks increases, management will be in a better position to make informed decisions and will be able to capitalise on opportunities.

2. How does Telstra ensure it is taking a holistic approach to risk management?

Telstra began the introduction of a holistic approach to risk management in 1995/96 with a focus on strategic and operational risks. The initial investment in education, training and the development of a common language across all levels of the organisation was quite substantial but very worthwhile.

The introduction of our approach also coincided with a number of changes at Telstra and came at a time when management were receptive to change and we were able to demonstrate the benefits to the organisation in taking a holistic approach to risk management.

On an on-going basis, we have been able to remain focused on our approach by continual reinforcement of the framework through effective communication and demonstrable benefits of risk management.

3. What impact has risk management had at Telstra?

Risk management has had an impact across the whole of Telstra. The investment made in establishing a common language and the focus on a simple and easy to understand control model has meant that the framework is applied in a consistent manner across all businesses and down to project level.
Although this is happening on a consistent basis, the bigger challenge for Telstra is to bring new employees and management up to the same level of knowledge as those that have been with the organisation since the introduction of the framework.

4. How do you measure the benefits of your risk management program?

The most effective way to measure the benefits of our program is the fact that the Board is satisfied with the information it receives in relation to the risks faced by Telstra. Risk is a consistent item on the Board agenda and most steering committees have a regular focus on risk management. The degree of questioning and analysis on risk issues has increased as the awareness and risk culture at the top of the organisation increases.

5. What drives the success of your risk management program?

A holistic risk management program will not be successful without the direction setting and support of the Board and senior management, which clearly we have had. In addition to support from the top, the other factor which has contributed to the success of our approach has been the fact that the framework is easy to understand. We use simple language, which has resulted in all levels of the organisation being able to relate to the concepts and to apply the framework across all aspects of the business.

The other major aspect that has driven the success of the program has been the consistent and constant communication of the framework throughout the company.
Mike Merrifield, formerly Head of Risk Management, Rolls-Royce

1. How do you see ERM developing as a business trend?

I would like to see it emerge as a fundamental building block in the way businesses are managed, but not all companies embrace the idea enthusiastically. There always will be a heavy focus on financial and operational issues—and too much effort expended on reporting statistical and financial data, very little of which is grounded in an understanding of risk issues.

Rolls-Royce is addressing this issue. I have recently agreed with our financial controller that we should amend our finance manual, which explains our financial policies and authorisation requirements for obtaining project funding. (At Rolls-Royce, a project could be anything from launching a new aero-engine or installing an industrial engine in a power project to relocating a business from one country to another.) The finance manual explains how to compile a business case for a project; it tells you which forms to submit for authorisation, and it asks for extensive information about financial variables. But nowhere does it ask for a qualitative or quantitative assessment of potential risks and what effect they might have on outcomes. I’ve now provided our controller with language to insert in the manual, so that when someone proposes a project, they must attach a “risk register” that analyses the key risks and their potential consequences.

That is a major step forward, and I would like to see that kind of risk orientation become more widespread, because an inadequate risk focus has two significant impacts. First, resources are not allocated to those areas of the business where the best returns can be achieved, because decisions are based on marketing data and similar analyses, not on risk data. And second, an inordinate amount of time and money is wasted on non-added-value activities—for example, the wording of a contract affecting an issue that is not significant when analysed from a risk perspective.
Therefore, I see ERM evolving, but it has to be thoroughly integrated in the business, particularly in financial and operational control reporting. It should be a key aspect of management control and information.

2. Is ERM a worldwide movement, or is it embraced only in particular countries?

It’s not worldwide. In my experience, ERM is largely an Anglo-Saxon phenomenon. It’s American, it’s British, and to a degree, it’s Australasian. I believe the Europeans have a lot to do to catch up, which will largely happen through the influence of subsidiaries of American and U.K. companies that operate in Europe.

3. How has risk management developed at Rolls-Royce?

Manufacturing aircraft engines is our primary business, which means we are heavily focused on safety and regulatory compliance. We began to expand our risk focus, however, beginning in the mid-1980s—prompted by a new chairman, a new insurance broker, and, later, the acquisition of a troubled business. We started to touch on ERM in the late 1990s in part because our financial director served on the committee of the Institute of Chartered Accountants that supported the development of the Turnbull recommendations on corporate governance. (Those recommendations were developed for the London Stock Exchange, but their risk focus has made them widely influential.)

One result has been the appointment of a director of operational risk, to whom my old job as head of risk management now reports, and he’s just one level below the main board. (I reported to the director of treasury, which is a traditional risk management reporting arrangement, and focused largely on risk financing and insurance issues.) The new director has commercial and operations manufacturing experience, in addition to finance skills, which gives him a wider perspective on the business. It’s perceived as a different job, at a higher level, with a wider risk management approach. It’s a great development, but I’d like to see the director of operational risk become a main board job—not just the conscience of the other directors. That person should encourage the other directors to manage risk in their own businesses, while he ties the whole thing together at the corporate level.
5. Are all organisational risk management activities centralised at Rolls-Royce?

We do have a centralised risk management activity, but our business risk management process applies across the organisation—at the task level within our projects, and across our five business sectors—Civil Airlines, Defence, Energy, Marine, and Finance.

Each business compiles risk registers, which they submit periodically for review and consolidation at the corporate level, by the director of operational risk. He weeds out what’s irrelevant and identifies aggregate or similar risks in different businesses. The risk registers are reviewed as part of the normal quarterly review of business performance.

The director of operational risk also performs a corporate review of risk, which is entirely independent, and may pick up on additional risks. The central risk operations group also helps each business compile and update the registers, advises on specific risk issues, and supports risk management education and training.

So it’s not yes or no, centralised or decentralised. It’s both. That’s particularly important in a business like Rolls-Royce that is very widespread, both in its activities and geographically. If you manage risk only at the center you miss too much, and you’d soon have a problem that you didn’t see coming. In any business that is diverse—in terms of activity, product, or geography—you have to get the businesses managing risk themselves as well as the organisation doing it at a higher level.

6. What impact has risk management had at Rolls-Royce?

Over the past 10 years, it has helped management understand which businesses weren’t performing, and Rolls-Royce has derived many benefits from that approach. In addition, we make it clear to the businesses that risk is not solely a cost—but like most companies, we’re a long way from measuring risk in terms of opportunities or in comparison to our competitors. To do those things, you have to change the culture of management, which will require new skills and retraining. When that broadened perspective does develop, however, it will greatly enhance the benefits of risk management.
7. How does Rolls-Royce measure the organisational benefits of ERM?

If we achieve our business objectives, we’ll be very successful. If we don’t, poor risk management will be one of the reasons. That message is starting to filter through, but the actual technical ability, knowledge, and capability of management to perceive and realize all the potential benefits of ERM will take time.

8. What drives the success of an ERM effort?

First, Turnbull’s efforts here in the United Kingdom are certainly welcome, but people must not take a regulatory compliance approach to ERM. I have observed that approach, particularly in the utilities and some of the banks and building societies here, and it won’t make a difference, ultimately.

Second, the key to ERM’s success is in the people doing it, whether they are at the central level or in the business units. They’ve got to step up to the plate, educate others and demonstrate the benefits when they’ve got the models to do so. And, they’ve got to get the buy-in of senior management. In the final analysis, senior leadership’s commitment is really the key.
Endnotes

1 Suzanne Labarge, “Chief Risk Officers: Should Your Organisation Have One?”, speech delivered at The Conference Board 2000 Enterprise Risk Management Conference, May 3, 2000.

2 Telephone interview with Vice President, Financial Operations, Specialty Retailer, December 14, 2000.

3 Douglas McLeod, “New Chief Risk Officer Role Coordinates Risk Strategy,” Business Insurance, April 26, 1999, p. 3.
Contacts

Australia

National Partner in Charge, Management Assurance Services: JoAnne Stephenson
Phone: +61 3 9288 5458
Email: [email protected]

National Leader, Enterprise Risk Management: Maurice Pagnozzi
Phone: +61 2 9455 9129
Email: [email protected]

Adelaide: Laurie Kozlovic
Phone: +61 8 8236 3167
Email: [email protected]

Brisbane: Joanne Baldwin
Phone: +61 7 3233 3163
Email: [email protected]

Melbourne: Mike Ritchie
Phone: +61 3 9288 5082
Email: [email protected]

Perth: Jeff Powell
Phone: +61 8 9263 7339
Email: [email protected]

Sydney: Maurice Pagnozzi
Phone: +61 2 9455 9129
Email: [email protected]

New Zealand

National Partner in Charge, Management Assurance Services: Jeremy Bendall
Phone: +64 9 367 5800
Email: [email protected]

Wellington: Graeme Falloon
Phone: +64 4 381 8078
Email: [email protected]

Visit our website at www.kpmg.com.au or www.kpmg.co.nz
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.