So who really needs ERM?
Prioritized, focused plans are essential to successfully mitigate risks
At April's RIMS 2008 conference in San Diego, there was considerable buzz around the topic of enterprise risk management. At the same time, the question persisted: "Who needs it?"
My answer is, at least four people within an organization: the chief executive officer, the chief financial officer, the internal auditor and the risk manager.
If ERM means listing the 2,000 to 3,000 or so risks that face an organization, no one really needs it. An undisciplined approach to identifying risk and integrating risk mitigation into a single program will bog down after much expenditure of time and money. On the other hand, a disciplined ERM structure is just what is needed by the CEO, CFO, auditor and risk manager, among others.
The disciplined structure has four components:
To illustrate, let us use a lightly disguised and somewhat simplified public utility. Central Power & Light is a regional power producer with three main subsidiaries: Central Fossil, which operates natural gas, coal and oil-fired electric generating units; Central Nuclear, which operates two nuclear generating stations; and Central Energy Trading, which buys and sells electric and gas commodities, trades in environmental credits, and is responsible for all planning and risks involved with long-term generation.
Figure 1 shows the top-level risks in its ERM program using (with permission) the Riskonnect Visual Risk Cluster Tool.
Figure 1. CP&L ERM program.
The company wants to develop a new nuclear power plant that has possible wetlands impact. The project is critical to the future of the company. The risk was assigned to the energy trading company. Although a critical risk, it is far down the hierarchical ERM structure:
The four individuals have different interests in the risk if the EPA were to deny permission to build the critically needed nuclear power facility:
The CEO and CFO seek transparency and accountability. The Sarbanes-Oxley Act requires the CEO and CFO of public companies to verify internal controls and reliability of financial statements. Rating agencies require risk programs to achieve favorable ratings on debt issues. The internal auditor is responsible for monitoring compliance with company policies and directives. The risk manager needs to present the wetlands exposure to insurers and others as part of risk management and the purchase of liability coverage.
All four individuals can go into the ERM structure and work down to ground pollution as shown in Figure 2.
Figure 2. Risks from the top to EPA
The questions common to all parties are: What is being done to mitigate risk? What are the plans, the activities and the timetable?
Mitigation activities can be stored in the ERM knowledge warehouse and accessed directly. Over time, a complete history of risk activities and mitigation will be created, stored in one place and made accessible to authorized users, who can open and read the documents.
The original question was: who needs ERM? The answer is that an ERM program with hierarchical risks and risk owners, visual risk clusters and a high-tech platform can serve the needs of many users. The logic is inescapable. Companies need enterprise risk management. It just has to be done right.