It is crucial for board members and senior executives to understand the genesis of the risks that threaten their company. Regulators must have realized this because they are now requiring companies to improve risk management. The Securities and Exchange Commission, for example, recently announced new proxy oversight rules that, for all intents and purposes, force organizations to use some form of enterprise risk management (ERM) that includes top-level risk oversight.
This is much more than an added layer of regulatory compliance. As senior executives and directors better understand the company's strategic risks, they also gain a deeper understanding of their businesses' drivers. Risk can then become something that is not viewed solely as a negative event to be avoided. Instead, it becomes merely an uncertainty that can be measured, monitored, mitigated and -- ultimately -- exploited.
A good example of a successful ERM program can be found at Caterpillar Inc., the global construction equipment maker. Here, ERM (or, in Caterpillar terminology, business risk management, BRM) includes operational, financial, strategic and compliance risks. Its objective is to identify, track and mitigate anything that would prevent Caterpillar from achieving its long-term, strategic objectives.
"The BRM process at Caterpillar boils down to having a strategic conversation with the businesses and divisions," said Dr. Eng Seng Loh, manager of corporate strategy and business risk management at Caterpillar.
Most important of all, the program's goal is not confined to risk avoidance. In the company's code of conduct, which Caterpillar calls "Our Values in Action," this is abundantly clear. "We see risk as something to be managed and as a potential opportunity," states the code.
This approach to risk was successfully applied in late 2008, at the height of the global recession, after Caterpillar reviewed its network of independent equipment dealers. Because a competitor would have difficulty replicating this network, it was -- and still is -- viewed as a crucial competitive advantage that must be protected. The risk in 2008 was the possibility that dealers could be burdened by unsold inventory. After the review, Caterpillar allowed dealers to reverse some of their orders, and the unsold inventory was absorbed on the corporate balance sheet.
Integrating Business Unit Risks into Caterpillar's Strategy
Caterpillar's example shows how ERM can integrate seamlessly with long-term planning, yearly planning and frequent business reviews. The critical factor is two-fold: the ERM process must extend across all business divisions and all those divisions must conform.
"We ask what is it that they plan to do, what could possibly go wrong and how they plan to mitigate their risks," said Dr. Loh. "The BRM team facilitates these conversations. We don't dictate, but we work with the business units to create a context for these strategic conversations."
Caterpillar incorporates risk assessment and discussion of mitigation plans into formal strategic planning activities and communications with the board's audit committee. Business-level assessments take place in the first and second quarters of each calendar year. They begin with a short risk survey, which is distributed in conjunction with other related information, such as each business unit's strategy and the output from prior-year assessments. Each business unit leader provides input on up to five risks key to their division's strategy in the next one to three years. Any perceived emerging risks are also discussed.
"Caterpillar has been honing this process continuously for 10 years," said Dr. Loh. "All senior business leaders are experienced with the process, which has been 'leaned out' to its essential pieces."
The key risk information identified during the assessment enables business unit leaders, who are the actual "owners" of the risks, to develop their risk mitigation actions and integrate them into their strategy. The business-level work is methodically rolled up to the level of the group presidents and debated during the enterprise risk assessment. The threats are then shared with the board.
After assembling the business unit survey input and preparing a preliminary assessment of risks, the BRM team brings the consolidated input to the business unit leadership team for discussion and evaluation. Through this dialogue, the leadership team determines the risks that matter most to their business unit.
To determine the set of key risks for each division, the leadership group then discusses and evaluates individual risks across the following three dimensions (using a 1-to-10 scale): velocity (speed at which the risk will materialize), significance (magnitude of impact) and likelihood (probability of occurrence). The greater the risk, the more attention is given to determining how to manage it.
In the name of continuous improvement, the Caterpillar team also has expanded its reach by applying its BRM framework to the realm of asset integration. For example, Caterpillar is currently absorbing the largest acquisition in its history after having purchased a large mining equipment company formerly known as Bucyrus. Erica Baird, one of the company's two internal BRM consultants, is working with the business integration team to implement the BRM process into this major endeavor.
Looking to the Future
ERM is constantly evolving. The next level of sophistication may well be the development of rigorous models and analytical techniques. Such methods could help companies predict risk -- particularly those beyond the scope of the traditional financial arena -- and analyze their potential impacts by simulating human behavior. Detailed scenario analyses, game theory and other techniques could all be useful. Regardless of exactly which tools are used, the aim of ERM -- now and into the future -- is to reduce the "gut-feel" aspects of risk management that now prevail.
Renowned physicist Nils Bohr once said that "prediction is difficult, especially if it is about the future." That will always be true. But as ERM programs at companies like Caterpillar gain more maturity and experience, risk owners will increasingly be able to take the guesswork out of that difficult task. And to do so, strategy development and risk management must be two sides of the same coin.