Printed from BusinessInsurance.com

ERM programs need input across organization to succeed

Posted On: Feb. 26, 2012 12:00 AM CST

Many companies seeking to embrace enterprise risk management stumble when it comes to identifying and measuring key risks across the organization, often because of the challenge of dealing with unknowns or focusing more on compliance than risk, according to some ERM experts.

To understand risks across the organization and how they might affect one another or pose systemic threats, it's necessary to involve stakeholders from across the organization, they say.

James W. DeLoach, managing director of consultant Protiviti Inc. in Houston, noted that traditional approaches such as creating risk maps have been the baseline. But other, more specific approaches could add more value, he said (see related story).

Steven Minsky, CEO at ERM software and solutions provider LogicManager Inc. in Boston, said that, at the highest level, the ERM risk assessment process is not unique from one organization to the next. “But finding out how to apply it is unique,” he said.

Mr. Minsky cited four factors that speak to an organization's ERM risk maturity in terms of identifying and measuring risks.

The first is the number of systemic risks identified, he said, noting that if a risk starts having an impact across the company, “it's indicative of a bigger problem. And that's actually measurable.”

The second is the percentage of the organization's process areas involved in risk assessments. “If you're not identifying risks in a whole area, you've got a blind spot,” Mr. Minsky said.

The third factor is key risks identified. Organizations should be able to match their risk mitigation activities against those key areas, Mr. Minsky said. The process should involve identifying key risks in each process, he said. “Then you say, ‘What happens when you start to put all these processes together?’”

The fourth factor is the percentage of key risks monitored. “You connect your monitoring activity to your control activity to your risks,” Mr. Minsky said.

“In the risk maturity model sense, what most companies have is a bunch of tests that go against those controls,” he said. “And most of those tests have been implemented for compliance purposes.”

But, in taking a compliance-focused approach to those monitoring efforts, too often companies have no sense of how their monitoring might match up against the organization's actual risks, Mr. Minsky said. What's more, compliance tends to be reactive rather than proactive, he said. “Basically compliance is behind whatever was the last disaster,” Mr. Minsky said.

Mr. DeLoach noted that in ERM risk assessment, the proper mindset involves focusing extensively on what you don't know. And, he added, “Recognize that your worst-case scenarios may not be extreme enough.”

Useful tools in the process include contrarian analysis, “what if” analysis and stress testing, and competitive intelligence, he said.

“At the end of the day, trying to identify and quantify risk is all about trying to look into the future,” Mr. DeLoach said.

Larry Warner, staff officer of risk management at food maker Mars Inc. in McLean, Va., speaking late last year at the Risk & Insurance Management Society Inc.'s inaugural ERM Conference, described the process his company went through as it embraced enterprise risk management.

Mr. Warner said Mars' interest in ERM was based in a desire to take risks and grow. Mars leaders wanted a tool that would enable Mars units to know what they could achieve in terms of the company's overall objectives, that would improve alignment and accountability around pursuit and execution of business unit goals, foster a “risk discussion mentality,” enable managers to knowledgeably and comfortably take on risk, and objectively track performance, he said.

To find out key exposures, Mr. Warner started rolling out unit-specific workshops in Australia, China, Russia and Europe in 2005, with a full rollout of the workshops in 2006. The company used the “Delphi method” to identify risks, by which experts from the units present risk information “and basically by group think they're able to come up with better decisions” than individuals alone.

Now business units are responsible for submitting summary quarterly reports to corporate, and in each quarterly report must note the unit's progress in dealing with its five most significant risks and five most important risk treatments.

“Most units want to do this,” Mr. Warner said. “We get called all the time for help around this.”