
Successful ERM tells a good story

Posted On: Mar. 18, 2007 12:00 AM CST

My Feb. 19 column in Business Insurance identified three problems with ERM. Two were:

Problem 1. Various ERM definitions focus on processes that become complex. Solution: ERM simply is an effort to coordinate management of the risks facing an organization.

Problem 2. Most efforts to categorize risk do not align the risk areas with the organizational business model. Solution: Match the categories with areas such as production, marketing, finance, technology and administration; recognize the role of major business units; and include key initiatives as individual risk categories.

The third problem and solution are the focus of this column.

Problem: Not telling a good story

Most stories are complex, building on traditional risk management and the benefit of coordinating all risks across an enterprise. Then, they encourage a process with five to seven steps, typically: identify risks, evaluate risks, develop a plan to manage each risk, implement a program and monitor results. This works nicely for traditional risk but falls short from the perspective of ERM. We need a different story. We need to tell about a new risk structure that will work with the existing business model. That story should identify the structures where goals are pursued and risk is managed. It also should show the benefit of adding a centralized risk function to augment business goals and risk management efforts.

Solution: Telling a good story

Let's illustrate a story of ERM. Assume a company has a CEO, COO, chief production officer, chief marketing officer, CFO, chief technology officer, European division president, Asian division president and chief legal counsel. Each manages risk in a specific area, while the CEO is responsible and accountable for all entity risk. If the entity is successful, each must do a good job of risk management. What's the need for ERM?

We start by identifying exposures that cross unit and functional boundaries. In addition to exposures in specific operational processes, the organization faces exposures that affect everyone. These are:

  • Compliance, arising from legal or regulatory requirements.

  • Internal controls, when the entity fails to implement effective, efficient processes for conducting business.

  • Hazard risk, or events that disrupt operations, harm individuals, or cause monetary or other losses.

  • External risk, or changes or activities in the economic, political, environmental, or other areas outside the entity that need to be identified today to avoid unwanted future consequences.

  • Cultural risk, or behaviors of individuals or units inside the entity that must be identified today so operating units can avoid negative future impacts.

Prior to identifying risks, consider a risk structure as shown in Figure 1. Reporting would be determined by various factors, and this is just one structure. In our approach, production, marketing and technology report to a COO who is also responsible for administration risk. The COO, CFO, chief legal counsel and division presidents report to the CEO.

"Central Risk" is an area to coordinate the targeted risks shown in Figure 2. The compliance function ensures Sarbanes-Oxley and other requirements are met. The company has continuous review of internal controls. A risk manager works on insurance buying, loss control and claims management. The two remaining boxes show the essence and value of ERM. We create a function to scan the horizon for exposures and opportunities and identify and assess internal cultural risks. External risk arises when an organization is not looking for external developments and trends. Examples are vision, resources and competition. Cultural risk reflects exposures arising from an entity's values, structure and employment practices. It arises from internal factors that are unlikely to be managed in separate units. Subcategories include: subculture, life cycle and human resources risks.

Continuing the Story

An organization really does not have ERM if it lacks a centralized program to identify external and cultural risks. Two industry examples are automakers, which failed to foresee the impact of defined benefit plans and lifetime health care for retirees; and airlines, which failed to remain competitive in the face of low-cost carriers and rising oil prices.

We can hardly blame these industries' CEOs, though. Their watch is often as little as three years. Instead, we could ask the board to insist on centralized risk identification. General Motors shows the need clearly.

Roger Smith was named CEO of GM in 1981, when it was losing market share and facing lawsuits over faulty products. He led GM into joint ventures with Asian automakers, created a semi-autonomous Saturn division, invested in technology and changed key managers. In the process, he fought with GM's largest shareholder and biggest critic. Those efforts produced inconsistent profits, but CEO magazine named him CEO of the Year in 1986.

Would it have helped if the board had a centralized risk identification function? Would someone have noticed the problems of an underfunded pension plan? Would it have seen the impact of expensive retiree health care? Would it have seen the shrinking pool of active employees, the drop in market share, and the obsolescence of business practices and assets? GM's problems were indeed deep, but Mr. Smith still became CEO of the Year.

GM's story shows the consequences of failing to identify risks and make changes. This is a board's fiduciary responsibility. Figure 3 shows one way for directors to exercise a role in ERM. The CEO, external auditors and compensation committee already report to the board. How about a central risk function? It is common for internal auditors to have direct links to a board member or committee. Is risk identification and coordination less important than internal audit?

Concluding the story

We conclude our story with these recommendations: Don't spend too much time on ERM definitions. Align risk categories with the business model, recognizing functional areas, major operating units and key initiatives. Some risks should be managed as part of a central risk function; these are exposures in compliance, internal control and hazard risk. A major component of ERM should be centralized risk identification. Tell a good story. Help key managers and stakeholders understand how an effective ERM program increases the likelihood of identifying the emerging exposures that threaten long-term sustainability and the opportunities that secure it.

John J. Hampton is the KPMG Professor of Business and Dean of the School of Professional and Continuing Studies and Graduate Business Programs at Saint Peter's College in New Jersey. He specializes in business ethics, legal liability and enterprise risk management. He is a former executive director of RIMS. To read Mr. Hampton's columns and interviews, visit www.BusinessInsurance.com/ERM.