ERM: What is Best Practice Now?

June 16, 2011

by Mary Driscoll

Everybody's talking about enterprise risk management (ERM). But is this just old wine in a new bottle? According to extensive research conducted earlier this year by APQC, no, it's not the same old thing. The recent buzz is not about possible business disruption, sexual harassment charges, pollution liability or even accounting fraud. Rather, more CEOs and CFOs see that a well-designed ERM program is a lever that allows them to compete with confidence. Given the complexity and unpredictability of global markets and geopolitics today, that's a reasonable stance.

It's also no coincidence that large public companies are upgrading their risk management regimes in response to the latest wave of corporate governance reform. Last year, public companies had to respond to new proxy disclosures rules (see SEC Rule 33-9089) that call for disclosure of risk oversight and risk reporting lines, risk assessment by business unit and assessment of the risk associated with compensation plans. Now, the Dodd-Frank Wall Street Reform and Consumer Protection Act is raising the bar by mandating risk committees and risk experts on those committees. Boards of directors, meanwhile, are aware of the growing threat of risk-related lawsuits. Adding urgency to the situation, there are several bills pending in Congress that would impose even stricter risk management requirements on boards of directors, including one provision that requires all publicly traded companies to form a board-level risk committee. "Regardless of whether these bills are passed, it is clear that greater shareholder action pertaining to risk management can be expected. This is huge, and corporations have to deal with it," says Kristina Narvaez, president of ERM Strategies, LLC, a consulting and research firm focused on ERM.

Understanding Risk

Leading-edge companies use ERM when on the offense and when on the defense. Risk is not viewed as just a potential cost or a negative event to be avoided pure and simple. Rather, risk is perceived as uncertainty that can be understood, measured, monitored, mitigated and ultimately leveraged. The best-practice ERM program allows decision makers to make well-informed decisions about the inherent trade-offs between risks and rewards. In addition, a mature ERM program recognizes that risks and risk mitigation plans change over time as any number of internal and external variables change.

What does such a program look like up close? How does it operate? Who's involved? Can you really identify and quantify a major business risk that has the potential to derail the overall growth strategy? These were among the questions the APQC research team posed when we screened and examined five bona fide pioneers in this arena. A few key findings follow.

First off, we learned this is a nascent trend. More than 90% of companies responding to a quantitative survey fielded by APQC said they either have or are building an ERM program to manage strategic risks. The important point: two-thirds have been at this for less than three years—and many less than one year. That helps to explain why only 17% reported they have "greatly integrated" ERM with the strategic planning process. It takes time to get this right, and it's crucial to drive a culture change that trains and encourages mid-level people to ring an alarm if they spot an emerging risk that the ERM assessment team missed. What's more, at some companies, it takes time for senior management to see that they cannot fall back on the typical general counsel line of thinking: "We have no unmanaged risk, therefore we have nothing to monitor and disclose."

To what extent is ERM integrated with the strategic planning process?


Monitoring is typically

Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

Financial performance

Financial performance measures assess the efficiency and profitability of investments, the safety of debtors’ claims against assets, and the likelihood that derivative instruments will protect investors against a variety of market risks.

new topic

Given the complexity and unpredictability of global markets and geopolitics today, that's a reasonable stance.

ERM can also be described as

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, Sarbanes–Oxley Act, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed.

Thank you for the posts. I

Thank you for the posts. I found the information to be informative and useful.

Completely impressed with

Completely impressed with your imagination to represent enterprise risk management (ERM) by proper adding good stuffs that supports the beginner to improve their knowledge on this. For better acknowledgment on this risk management, such fascinating and incredible resources may be helping to get it successfully.

ERM for business

Enterprise risk management in organizations contains the strategy and procedures employed by agencies to deal with pitfalls as well as grab possibilities linked to business.

As an HR Consultant I'm

As an HR Consultant I'm always open to explore new technology and ideas, so I can pass on the knowledge to my clients. So far I've had really good results with Ultimate Software. Their performance management module is really good and pays for itself many times over in time if you have someone who knows what they are doing. I've also heard good things about SAP ERP and PeopleSoft. Personally, I prefer open source due to the cost, since not every company can afford Ultimate Software or all the modules of SAP. With bigger companies they can usually get a custom version made in India with the same functions for about the same cost as a yearly subscription, which is still a pretty good deal. Much like what we did with Muay Thai camps in Thailand and Muay Thai.

Best and uncertainty

You point out ERM functions under the burden of uncertainty and in the same paragraph you refer to best practice. How do you know it's best in the face of uncertainty? Superlatives (best, most, top) and diminutives (worst, least, bottom) have no place in the uncertainty framework. You could say good with some favorable input or supporting experience, but not best.

It seems that every time an

It seems that every time an event occurs that derails an established business, the forensic analysts determine that "we should have seen this coming." So yes, I think if we look at things that way, we will find that we can anticipate more than we thought.