By Sam Elwell
We are seeing a growing recognition of the importance of Enterprise Risk Management (ERM). Businesses are increasingly deciding to carve ERM out as a standalone function. Even where ERM is not mandatory, businesses see the potential impact ERM could have on culture, behaviour and performance.
We aren’t just talking about small businesses. FTSE 250 equivalents are creating these roles. This is an encouraging trend for the risk profession but these roles present different challenges to those of established functions.
Newly created head of risk roles may be tasked with building an ERM function from scratch or inheriting an existing function. You may be introducing ERM to a business for the first time, or perhaps the finance director, head of strategy, or even head of legal was responsible for risk alongside their day job. They may have done enough to comply with regulation, if any exists, but ERM wasn’t integral to the business. Leadership may have seen risk registers before, but ERM itself may be a completely new concept. They may understand risk as “anything which could affect the viability statement in the annual report”, and you may need to re-educate them.
The point being, you could walk into a range of situations and political landscapes. The common thread is that leadership want to expand ERM, but they do not have a clear picture of what ERM involves. This is why they have employed you as a specialist head of risk! But how can you demonstrate the power of effective ERM with minimal investment? How can you convince the business to invest in expanding ERM?
So, you’ve walked into a business where ERM is brand new. Whether you are a consultant or work in-house, chances are your Board will ask:
“What are our biggest risks? Top ten please.” It’s a bread and butter question. You perform some top down and bottom up risk assessments and present the top ten gross and net risks.
“How are we managing our biggest risks?” Again, this is pretty straightforward. You capture controls and mitigations and report back.
At this point, you have laid the groundwork but haven’t added much value. Leadership are more risk-aware and they enjoyed the lively debates to reach a consensus top ten, gaining a deeper appreciation of the challenges their colleagues face. The current risk profile of the business is clarified, but risk management isn’t shaping its future. There is still a long way to go to influencing decision making or embedding a risk culture throughout the business. On the flip side, getting to this point does not take much resource.
The next questions are likely to be more complex. Answering them becomes more demanding.
“Which risks should we put more resource into?” Sounds simple, but to answer this you need the business to determine its risk appetite. That can be a complex concept to grasp, particularly where ERM is new. You then need to establish where risk exposures exceed that appetite, then explore options to further mitigate these risks – then, present options with the highest expected returns on investment. That raises issues for risk management: how to measure potential payoffs consistently; how to assess financial and non-financial impacts of investment; how upside potential risks sit alongside downside risks. Significant work is needed to offer reliable conclusions.
“Should we enhance our GDPR compliance programme or invest in the health and safety function or invest in new technology to improve our service offering? We can only afford to do one.” This question is the same as the previous question, but more targeted. The business values your opinion, but they have put you on the spot. You could give an answer using gut feel and instinct (some call this experience) but you are trying to change this approach and incorporate risk into decision making. That means leading by example and putting in the hard yards before giving a recommendation.
“Can you show how our biggest risks interact and the interdependencies between their net impacts, along with the expected increase in impact if each current mitigation failed individually and in aggregate, and the expected decrease in impacts when further risk mitigations are introduced as planned across a one, three and five year horizon?”
This is a much more serious question. Such questions cannot be answered with workshops, spreadsheets and PowerPoint decks. Sophisticated technology is needed for ERM to truly support the business and drive change. You have engagement, the business is asking the right questions and supports ERM in principle, but now you need investment to meet business needs.
Building the investment case
Case studies invariably point to situations where ERM could have saved a business from catastrophic downside. High-profile examples are plentiful and varied – Lehman Brothers, Kodak and Enron, to name a few. You may find examples that relate to your own business, but they probably still feel abstract. It is all too easy for leadership to say, “that wouldn’t happen here,” or “nothing that bad has happened in the last 25 years”.
It is difficult to convince leadership of ERM’s value when considering downside risks. It is an unfortunate truth that ERM spend increases after something bad happens. That raises the problem of convincing leadership to invest in ERM before downsides materialise. It is more difficult to find positive case studies of ERM supporting the realisation of upside outcomes.
A common pitfall of risk functions is to focus only on downside risks. Risk management methodologies are naturally negative. Common risk treatment options are avoiding or reducing risk. Risk impacts are often described as catastrophic or severe. There is power in negative thinking, but seeing risk only as a negative can hamper growth, innovation... risk taking. A business which is too risk averse is just as vulnerable as one which takes too many risks.
Being associated only with negative events puts ERM on the back foot. Too often ERM is seen by leadership as a blocker or business inhibitor, instead of an enabler or supporter of their strategy. Risk managers need to give businesses the confidence to take on manageable levels of risk. That entails being more positive, encouraging the business to take risks and demonstrating that you can create value as well as protect it.
So how can you demonstrate the value of ERM, with minimal investment? Select a risk with upside potential, then support the realisation of these benefits. Pick sensibly. You need to deliver tangible, positive outcomes. Use risk appetite as a green light, not a red. Focus attention on a small set of critical KRIs and KPIs which affect strategic objectives. Block out background noise and focus the business on what the business wants.
Before you know it, you have created your own case study where ERM has delivered tangible value, quickly, with little investment. The case study involves your business, and better still, you. Leadership see ERM in a positive light and trust you to deliver value. You secure the investment in technology and talent and can expand your approach across the full risk profile.
Leveraging the 99.5 per cent
Risk functions don’t manage risk. Risk professionals comprise less than 0.5 per cent of workforces. Risk managers exist to leverage the other 99.5 per cent to understand risk and make better decisions. The importance of technical knowledge is waning. Building trusted relationships, promoting risk culture and employing technology are the key enablers to embedding ERM throughout your organisation.
To get from a blank slate to an effective and trusted ERM function, one word springs to mind – persistence. Like the World Cup-winning England cricket team we, as risk professionals, must stick to our guns. Of course, you tailor your approach to your business, but don’t chop and change each time you have a setback. Have a clear vision of what you want ERM to be and drive towards this. We must consistently, convincingly and relentlessly articulate the value of effective ERM. We must lead by example, ensuring the needs of the business come first. Eventually, the penny will drop, and you won’t need to force ERM on your business. They will come to you wanting more.
Sam Elwell is UK risk and assurance director at the real estate services provider JLL. Opinions expressed in the piece are the author’s own and do not represent the official position of IRM