The business world is fraught with risks that have the potential to upend strategy. These vary in nature, but they all tend to emerge more quickly and pack a bigger punch than ever before. What's more, there are new kinds of risks posed by fast-moving innovations in technology, science and the ever-evolving realm of social media.
The bad news is that many organizations are ill-prepared. According to a recent study by business research firm APQC, only 26% of those surveyed described their ERM program as having an extensive reach. Only 43% reported moderate organizational involvement, and the remaining third is either just getting started or doing little.
There are several plausible explanations for the lack of progress. According to Rob Torok, a partner with BetterVu, "At some companies, there is a commonly held-although rarely expressed-sense that, for an organization to look good in front of stakeholders, it cannot admit to having risks." There may also be a sense that ERM process owners lack the clout or creativity needed to keep risk owners engaged in knowledge-sharing, or sometimes the ERM leader simply cannot get board members and/or the CEO to care that the current process does not measure up to best-practice standards.
Managing New Risks
Another concern underscored by the survey findings involves new forms of risks. Only 19% of organizations believe that their ERM process is effective when it comes to identifying risks that they may encounter in the future. Although more than half of respondents indicate that they are somewhat effective at imagining new types of risks, the risks that are easily dismissed as remote can inflict severe damage if they materialize.
This is why best-practice organizations develop group exercises to prompt decision-makers to think unconventionally. Saret Van Loggerenberg, the ERM leader at Exxaro Resources Ltd., a large South African mining company, explained why shifting the culture away from perfunctory risk assessment is so vital: "Exxaro is working to break silos not only in terms of functional areas, but also in terms of seniority levels. Our main vision is to teach people that risk management is about active thinking and not about checking boxes."
Frank Fiorille, Paychex Inc.'s senior -director of risk management, explained that his company's ERM program is effective because it not only identifies risks, but also leverages risk management apparatuses, tools and skills in ways that help the whole organization create value. "Company-wide, we're always thinking about the risk in a strategy or situation, as well as the downsides and the unknowns. Whether it's an emerging risk, something we've not dealt with before, or the chance that something will go wrong, we look at it and ask if there is an opportunity there."
In all, ERM leaders agree that their primary job is keeping the board and top executives abreast of changes involving known risks and engaging them in productive conversations about new types of risks.
More Effective Processes
The survey results also emphasize the need for more effective processes to identify new types of strategic risks. Participants were asked to describe the primary approach they use to identify strategic risks of all kinds. The research team then sorted the responses into two categories: 1) organizations that are effective or somewhat effective at identifying new risks, and 2) those that are barely effective or not effective.
A high percentage of organizations employing structured and rigorous risk identification processes generally find their ERM processes to be effective at identifying new strategic risks. For example, 88% of companies that rely on their ERM process owners to guide business unit leaders through a structured assessment process are more successful at spotting new forms of risk than those using more casual approaches. Companies that use committees to discuss risks and keep top management appraised or have structured discussions during top management planning meetings are similarly effective. On the other hand, those that rely on ad hoc discussions are largely unsuccessful at identifying new risks. This data may be helpful for risk managers who are trying to explain the need for more effective processes to skeptical business leaders.
Removing the Barriers to Sound ERM
|