In times of great upheaval for industries or financial markets, organizations often turn to the formal discipline of enterprise risk management. After the 9/11 terrorist attacks and the 2008 financial crisis, for example, ERM gained traction as many organizations realized the significant drawbacks of a traditional siloed risk management approach. But widespread ERM adoption remains stalled. It is not for lack of awareness of risk’s increasing complexity. According to the 2019 State of Risk Oversight report from North Carolina State University’s Poole College of Management, 59% of business executives believe the volume and complexity of risks are increasing extensively over time. The report also found that 68% of organizations have recently experienced an operational surprise due to a risk they did not adequately anticipate.
While companies are aware that risk is an enterprise threat, many are not adopting an enterprise-wide approach to managing it. Indeed, just 31% of those surveyed said they have a complete ERM process in place, and a mere 23% described their risk management as “mature” or “robust.”
The issue may be how organizations perceive the discipline of risk management. The report found that fewer than 20% of executives think that their risk management processes provide important strategic advantage. Just 26% said that their board substantively and formally reviewed top risk exposures when discussing the organization’s strategic plans.
This perception has had a negative impact on many organizations. According to the Global Board Risk Survey EY released earlier this year, just 21% of board members believed their organization was “very prepared” to respond to an adverse risk event like the COVID-19 pandemic.
Now, as the pandemic continues to cause prolonged disruption in nearly every industry, risk management is under the microscope, and success has never been more critical. Organizations may finally be ready for widespread ERM implementation.
The problem with many ERM implementation efforts is that organizations do not understand how to create an ERM strategy, and make it more complicated than necessary. “People have made it too bureaucratic and process-oriented,” said Carol Williams, ERM specialist and owner of Strategic Decision Solutions. “They have not really looked at how ERM practices can simply be concepts of mindset and approaches to how people conduct business today.”
Too often, companies create layers of committees and procedures that they then have to wade through to make a decision. “By the time you get through all those steps, it has been days, weeks or months,” she said. “And by that point, the time to make the decision is long passed.”
Coupled with stories of how other companies have been unsuccessful at deploying ERM, this approach lends the impression that ERM is expensive, complex and ineffective. For every five stories of ERM success, Williams said it takes just one story of failure for companies to back away from implementation.
At the outset of the pandemic, as a significant number of workers around the world went home to work, many companies abandoned ERM initiatives. They were simply more focused on trying to stay in business, said Dolores Atallo, managing director and North American leader of enterprise risk management for Protiviti. When they were still trying to gain their footing, implementing anything new just seemed like a step too far. It was difficult to overcome communication hurdles and get people together to develop an effective ERM framework. But now that many organizations have become more comfortable working and communicating remotely, she believes this is an ideal time to develop and adopt an ERM program.
It is also the right time for the board to become involved in formal risk discussions, according to Barton Edgerton, associate director of governance analytics for the National Association of Corporate Directors. However, the way risk is communicated presents a common roadblock. Risk professionals will often attempt to convey the entirety of the company’s risks to the board, making it “challenging for a director to understand which are the most important risks, and where the board can most effectively support management’s discussion about the risks,” he said.
Risk professionals should think beyond just reporting their activities to the board and focus instead on helping the board and management partner with them for the good of the business. “A lot of people focus on how we are going to communicate what we do in ERM to the executive leadership and to the board,” Williams said. “But it is not necessarily about making presentations. It’s about the business.”
The Case for ERM
A good ERM process can help the organization and its board identify opportunities and the accompanying risks, allowing them to change strategies as the market shifts and evolves. “It’s an opportunity to stand on higher ground and look across the organization,” Atallo said.
Thanks to a 2016 mandate requiring certain agencies to adopt ERM, parts of the federal government have been able to take advantage of the flexibility ERM can bring to organizations. “Every federal agency that is a part of a CFO Act organization builds an ERM program, implements it, and creates a risk profile,” said Cynthia Vitters, managing director for Deloitte’s government and public services practice. That has allowed government agencies “to leverage existing infrastructure and build on it to help solve some of the COVID-19 problems, or have a seat at the table,” she said. During the pandemic, these agencies were able to quickly reassess their risk scoring and reevaluate mitigation strategies.
A successful ERM program can do the same for companies by helping them understand their most important risks in any given situation. This can aid with scenario-planning and tabletop exercises, as well as planning for the future, particularly as the impact of COVID-19 continues to evolve. “Scenario-planning plus a framework can equal some sense of ability to project or think about what could be next so that you can be prepared for it,” Atallo said. “These are all ways to help you plan and execute and provide the services or products that your company provides, with more of a sense of understanding and controlling the moving parts.”
Adopting an ERM Mindset
Effective ERM adoption requires C-suite support to set the tone of the organization’s approach, and now is a good time to broach the subject of ERM implementation with stakeholders. “There is not a day that goes by where you don’t hear the word ‘risk’ and need to consider how things are being managed and how much appetite you have for risk,” Vitters said.
People are also starting to ask the right questions, such as, “Did we think about these threats?” “Were we prepared?” and “Did we incorporate scenario-planning and tabletops to assess the risk?” Risk management is now a vital part of many business conversations. “We’ve been preaching all of these things for years,” she said. “Now people understand why they should have done them because it is impacting their lives in a million different ways.”
Organizations are now approaching ERM with the right mindset, which Williams believes is how a good ERM process should work. “You challenge assumptions, you ask questions, and you provide the tools to be able to ask the right questions,” she said. “It could be that you have your answer by the end of that conversation—it doesn’t need to be this drawn out process.”
Companies can get to that point in the ERM process by giving people the authority to challenge assumptions and ask questions while focusing on the organization’s objectives. “It’s not just about the minute risks that exist, but about what the organization is here to do,” Williams said.
That focused risk conversation can bring about more effective mitigation. Working across the organization, risk managers can identify the risks that will have the largest financial or consequential impact. This context can help risk professionals get things done and allow others in the organization to more clearly see the progress that is made, Atallo said.
Implementing ERM now allows companies to address current issues as well as those that are likely to continue or worsen going forward. “What you need to do is put some pegs in the four corners of your problem and say, ‘We want to get to the end of the year and we want to achieve these things, so what are the things that are going to get in our way?’” Atallo said.
As long as risk professionals can channel this focus toward a conversation about risk, Williams believes the goal of ERM will be fulfilled. That may take a change in how the risk manager approaches the risk discussion. “You act as an advisor,” she said. “You are a sounding board. If someone wants to bounce an idea off of you, it is not about documenting and doing a full-blown risk assessment—have a conversation. You should act as a consultant that just happens to work for the company.”
The fact that organizations are once again having serious conversations about ERM is a sign of progress. Smart organizations will take advantage of the urgent focus on managing risk to improve all processes, Vitters said. “The time is now because of the renewed interest and the renewed chorus of people just thinking more about risk on a daily basis.”