Achieving financial goals and objectives and maximizing performance are the primary focus for most organizations.
However, in today’s business environment, stakeholders are increasingly looking to boards and senior management to better manage strategic, regulatory, and other risks – while they make decisions that impact performance.
This was the focus of the New Jersey Chapter of the CFO Leadership Council at its May 2017 panel discussion titled “How Much Risk Is in Your Risk Management?” Moderated by Angela Tise of the CFO Leadership Council, the panel included Claire Doherty, Director of the Risk Consulting Practice at KPMG, Brian J. Hall, Area Vice President and Director of Surety at Arthur J. Gallagher, and Renee Yozzi, Director, Strategic and Enterprise Risk Management at Benjamin Moore & Co.
Here’s what the panelists had to say about enterprise risk management (ERM), based on their most current experiences.
Why Is Risk Management Important?
Most companies are doing risk management anyway, maybe just not in a formalized ERM program. It’s really about factoring risk into decision-making. It starts with defining the goals, objectives, and strategy of the business and, as part of that, identifying enterprise risks and prioritizing them as a team.
In doing this, executives need to understand the risk appetite of the organization. It’s more than just surviving a crisis – it’s getting ahead of the risks and being proactive in mitigation. Insurance is also part of risk management. It tends to focus on known risks. The problem is the unknown risks, things like supply-chain disruptions or store closures caused by natural disasters.
What’s the Right Number of Risks to Focus On?
The chief risk officer (CRO) should be involved in organizational strategy discussions and planning, and help the executive team factor in the risk perspective. Examples might include the risks of entering emerging markets, extending the supply chain, or introducing new products. There’s no magic number – it’s more important to align to the strategy, prioritize risks, and focus efforts on the most critical areas.
One example given was an organization that started off with 30 identified risk factors, then prioritized them down to 10 key ones. The CRO should also be involved in quarterly business reviews (QBRs) to track progress, changes in strategy, and impact on risks.
Moving from risk strategy to implementation is challenging for many organizations. The key is to focus the efforts and fit the program to the culture and organization. Identify key risks and the related mitigation plans. Risks need to be owned by key executive staff members.
Risks can be identified at corporate, department, or location level. It’s critical to meet with operational teams and work through a questionnaire to identify all potential risks. Risk managers should make themselves visible and accessible to line managers, engage regularly to raise awareness, be a resource, and help people work through issues.
Best Practices in Monitoring Risks
A “risk heat map” should be developed and used as a living document, with programs and governance built around it. The risk management strategy can fail if the executive team is not aligned on the risk program, or if the culture doesn’t support the program.
Ranking risks using a low, medium, high heat map can be a good starting point. Assigning quantitative key performance/risk indicators (KPIs/KRIs) to each prioritized risk can be a next step. Quarterly is the most common frequency for gathering and reporting risk information. Risk-based, data-driven decisions are where the KPI link comes into play, and for that link to mean anything, organizations need to define tolerance levels on their KPIs/KRIs so that a reading can be judged as within or outside appetite.
Where Does Risk Management Report?
In most organizations, risk management falls under Compliance or Legal. In some cases, it’s moving out of these functions and into internal audit, but is generally owned by the CFO or COO. But a key point is that the CRO doesn’t own the risk. Line managers need to own and manage the risk.
The risk management group helps raise awareness and manages the program. Whoever owns it needs to be connected to the CFO and needs to have a strong sense of how the business runs, including operational expertise. The risk team may need outside subject matter experts as well.
What’s the Value of ERM to the Enterprise?
The main value comes when risk management becomes integrated into the culture and the organization’s decision-making processes. Just getting a risk management thought process in place can be helpful. There needs to be a top-down culture of factoring risk into decision-making, and that culture brings secondary benefits: for example, a company that can show it is actively mitigating potential risks tends to keep its insurance rates down.
How to Get Started
Focus on the issues that could have the biggest impact on the organization. Think about the organizational culture and what makes the most sense. Match the ERM program to the appetite of the organization. One size doesn’t fit all. Start small, focusing on what’s achievable in the short-term. Prove success. Then expand over time in bite-sized chunks.
Aligning Risk and Performance Management
This was an interesting panel discussion, one that may have opened the eyes of many in the audience to the need to think more strategically about risk management. As a professional focused mostly on enterprise performance management (EPM), I was reminded of the need for risk and performance management to be thought about in parallel and closely aligned.
Both processes start with the establishment and communication of corporate goals and objectives, development of strategy, and cascading this down through the organization. And as plans and programs are established and approved for execution, the related risks should also be identified and tracked, along with performance results.
As KPIs are established for monitoring performance, KRIs should also be identified and monitored, whether these are qualitative or quantitative. These KRIs should act as early warning signals of potential problems, ideally flagging a risk before it breaches its tolerance rather than after. Examples include key financial ratios in banking, staff overtime in manufacturing, customer complaints or billing errors in a Telco, staff turnover in HR, or virus and malware incidents in IT.
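To make the heat-map ranking and the KRI tolerance levels discussed above concrete, here is a small added example (not code from the panel or from any EPM product) that scores a constructed risk register on a 3x3 likelihood-by-impact heat map, prioritizes it down to the top few risks, and then evaluates quarterly KRI readings against a warning threshold and a tolerance level. The risk names, owners, thresholds and quarterly values are all constructed for illustration; the "trending" status goes slightly beyond the text by projecting one more period at the current rate of change so a KRI can warn before it actually crosses its threshold.

```python
from dataclasses import dataclass
from typing import Dict, List

# Likelihood and impact are scored 1 (low), 2 (medium), 3 (high).
# Product ranges 1..9; the bands below are a common 3x3 heat-map cut.
@dataclass
class Risk:
    name: str
    owner: str          # the line manager who owns the risk, not the CRO
    likelihood: int     # 1..3
    impact: int         # 1..3

    def score(self) -> int:
        assert 1 <= self.likelihood <= 3 and 1 <= self.impact <= 3
        return self.likelihood * self.impact


def heat_band(risk: Risk) -> str:
    """Map a risk onto the low/medium/high bands of the heat map."""
    s = risk.score()
    if s >= 6:          # 2x3 or 3x3
        return "high"
    if s >= 3:          # 1x3, 2x2, 3x1
        return "medium"
    return "low"        # 1x1, 1x2, 2x1


def prioritize(register: List[Risk], top_n: int) -> List[str]:
    """Return the names of the top_n risks, highest heat-map score first."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [r.name for r in ranked[:top_n]]


@dataclass
class KRI:
    name: str
    risk: str               # which register entry this indicator tracks
    warning: float          # early-warning threshold (inside appetite)
    tolerance: float        # tolerance level; above this is a breach
    history: List[float]    # quarterly readings, oldest first


def kri_status(kri: KRI) -> str:
    """breach > warning > trending > ok, based on the latest reading.

    'trending' is an assumption added here: if the last two readings rose,
    and one more period at that rate would cross the warning line, flag it
    now rather than waiting for the next quarterly review.
    """
    latest = kri.history[-1]
    if latest > kri.tolerance:
        return "breach"
    if latest > kri.warning:
        return "warning"
    if len(kri.history) >= 2:
        delta = latest - kri.history[-2]
        if delta > 0 and latest + delta > kri.warning:
            return "trending"
    return "ok"


def quarterly_report(kris: List[KRI]) -> Dict[str, str]:
    """The status table a CRO would bring to a quarterly business review."""
    return {k.name: kri_status(k) for k in kris}


# Constructed sample register (hypothetical names and scores).
REGISTER = [
    Risk("Supply-chain disruption", "VP Operations", 2, 3),
    Risk("Ransomware outage", "CIO", 3, 3),
    Risk("Key-account churn", "VP Sales", 2, 2),
    Risk("Billing-system errors", "CFO", 3, 2),
    Risk("Office lease renewal", "Facilities", 1, 1),
]

# Constructed quarterly KRI readings, echoing the examples in the text.
KRIS = [
    KRI("Malware incidents / quarter", "Ransomware outage", 6, 8, [2, 3, 5]),
    KRI("Overtime % of hours", "Supply-chain disruption", 14, 20, [10, 12, 15]),
    KRI("Billing errors per 10k invoices", "Billing-system errors", 8, 10, [4, 6, 11]),
    KRI("Annual staff turnover %", "Key-account churn", 10, 15, [8, 8, 7]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28s} {r.owner:14s} {heat_band(r)}")
    print("Top 3:", prioritize(REGISTER, 3))
    for name, status in quarterly_report(KRIS).items():
        print(f"{name:34s} {status}")
```

The point of the two thresholds is the one the panel made about tolerance levels: the tolerance line is where the risk is outside appetite and the owning executive has to act, while the warning line (and the projected trend) is what lets the KRI function as an early-warning signal rather than a post-mortem.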
As with EPM – which relies heavily on the collection, consolidation, and reporting of a wide variety of financial and operational data and metrics – effective ERM is also dependent upon the regular, systematic collection and consolidation of data related to enterprise risks.
Today’s cloud-based EPM platforms are well-suited to collecting and reporting the financial and operational metrics that can serve as KPIs or KRIs. Whether this data originates in GL/ERP systems, HCM, CRM, supply-chain systems, or a data warehouse, the data integration capabilities of an EPM platform can automate the collection, consolidation, and reporting of these metrics in whatever form management needs.
To learn more, check out our white paper titled: Introduction to EPM in the Cloud.