Successful risk management hinges on strategic outlook
Posted On: Apr. 22, 2012 12:00 AM CST
PHILADELPHIA—Risk management and enterprise risk management efforts often fail because risk management is not connected or integrated with an organization's strategy or execution of that strategy, according to one strategic risk management expert.
But, according to Mark L. Frigo, director of the Center for Strategy, Execution and Valuation and the Strategic Risk Management Lab at DePaul University in Chicago, “Strategic risk management is a necessary element and a necessary foundation for risk management.”
Speaking last week at the annual conference of the Risk & Insurance Management Society Inc. in Philadelphia on a panel examining how high-performing companies harness opportunities through strategic risk management, Mr. Frigo noted other reasons enterprise risk management efforts fail include focusing risk assessments on the wrong risks and not focusing on strategic risks.
Other causes of ERM failures include risk management efforts not being executed as a continuous and repeatable process or risk management silos creating barriers. “Rule 1 is don't create new silos,” Mr. Frigo said.
Looking at patterns of strategies in strong, resilient companies, “There was a natural evolution toward developing a risk framework,” Mr. Frigo said. Management and boards in those organizations naturally homed in on some of those companies' risk activities and that naturally led to the creation of a risk framework, he said.
“Risks are not independent. They are very interrelated,” Mr. Frigo said. “A supply chain risk is going to impact reputation risk.”
Another panelist, Brenda Boultwood, senior vp and chief risk officer at Constellation Energy Group Inc., stressed that, in order to succeed, strategic risk management efforts need support at the highest level of the organization. And those programs must be fully aligned and integrated across the organization, she said.
Developing a strong strategic risk management program at Constellation Energy—recently acquired by Exelon Corp.—also involved a convergence of various functions such as risk management, legal and human resources, Ms. Boultwood said. “We implemented a system and really gained a lot of operational efficiency,” she said.
In addition, “We asked management to write down their risk appetites,” she said. “It doesn't mean that you can't go beyond it. It just means there's governance.”
Strong strategic risk management also requires clear communications and deliberate thinking, Ms. Boultwood said. It's necessary for the risk manager to show how “risk management jargon” relates to the company's various business drivers, she said.
Business resiliency is also essential, she said. “You have to grow,” said Ms. Boultwood. “And growth only comes one way: through taking additional risk. So how do you react when something goes wrong? Are you all on the same page?”
Also, she said, the organization has to put a price on its risks. “If you get to that number and you can't be competitive in your market, then you have some real serious conversations with your business people,” Ms. Boultwood said.
Finally, the organization's risk culture is an essential element of a successful strategic risk management approach, Ms. Boultwood said. “Everybody's a risk manager and there has to be accountability at all levels of the company,” she said.
“We have to remember that a big part of risk management is making sure that we've got the controls in place,” Ms. Boultwood said. The first layer of defense is the business, she said, the second layer of defense is risk management, while internal and external audit provide the third layer of defense against risk.
“Every organization including your organization has some significant underlying business risks,” Mr. Frigo said. “They have to be honestly addressed and managed.”
It's important to “end the happy talk” and have the hard conversations about those exposures, said Ms. Boultwood.
Mr. Frigo described a seven-step “closed loop” process for strategic risk assessment. The process begins with assessment of the strategy itself, he said, followed by gathering data and views on strategic risk. Next the organization needs to prepare a preliminary strategic risk profile, then it must validate and analyze that strategic risk profile.
The fifth step is developing a strategic risk action plan for the organization, followed by communicating the strategic risk profile and action plan across the organization. The final step is to implement the strategic risk action plan, including using it to exploit opportunities the plan might help identify.
“There are barriers” to implementing such a plan, he said, including communication and education.
“Strategic groups often do not like working with risk management types,” Mr. Frigo said. “They often view risk management as putting on the parking brake when they want to go 100 mph.”