The Elephant at the Enterprise Risk Management Party

March 16, 2006 - For the past few years, it’s been a little lonely for the Enterprise Risk Management (ERM) proponents of the world, but suddenly we seem to have lots of company at the party. Regulators are pushing companies to implement better ERM strategies. Standard & Poor’s is advocating ERM as a lead indicator of risk and credit worthiness. Your colleagues are talking about it. ERM vendors and consultants are shouting from the mountain tops.

This mounting pressure to do something about ERM is one of the reasons "Chief Risk Officer" is the fast growing job title in corporate America according to Aberdeen Group research. It’s also why most companies have started, however haltingly, to incorporate risk management into their business decisions and operations.

The party is definitely underway, but there is a great big elephant in the middle of the room that no one seems to want to talk about. For all the acceptance about the need for ERM, the reality is that people are still confused and uncertain about what to do next. Embracing ERM with a tone from the top is just the first step; implementing it effectively is proving to be a little bit more difficult.

The answer lies in a new iteration of the proven Capability Maturity Model (CMM) created in the mid-1980s to provide a framework to guide and measure software development. The CMM has influenced the creation of similar models that successfully tackle other complex initiatives. The latest to emerge is the Risk Maturity Model (RMM), for Enterprise Risk Management which effectively breaks the issue of risk into its core elements to speed and simplify the implementation of ERM.

The role of the process.

According to the Software Engineering Institute (SEI) at Carnegie-Mellon University, the organization that pioneered the Maturity Model concept, "Everyone realizes the importance of having a motivated, quality work force and the latest technology, but even the finest people can’t perform at their best when the process is not understood or operating at its best." Enterprise Risk Management is a process and RMM is the framework to create clear and objective success criteria, facilitate thorough planning and communication and guide effective monitoring and control.

Bring the true risk picture into focus.

While the risk officer ranks are filling up rapidly, most are learning on the job. They are smart and willing, but they come to risk management with strong backgrounds in a variety of corporate functions, such as legal, finance, compliance and IT. As a result, the views of enterprise risk managers and their colleagues tend to be skewed to their backgrounds. Rigorous controls take precedence for the Internal Auditor, for instance, while the compliance pro says it’s all about conforming to the regulations and the marketing maven will declare it is all about the brand and company reputation.

The true risk manager sees all of those things, but has the ability to bring the team to balanced decisions based on the whole picture, not just part of it. The RMM makes the risk picture crystal clear through establishing best practices and allows the risk manager to build consensus about what is important and how to accomplish it. For both experienced risk managers and those new to the practice, the RMM is an incredibly valuable tool that can speed the implementation of a solid enterprise risk management process.

Top ten outcomes of using a Risk Maturity Model (RMM):

Define what improvement means for your organization
Establish a common language and a shared vision across audit, compliance and IT
Establish a framework for prioritizing actions
Balance qualitative and quantitative aspects of your ERM process
Adopt best practice indicators that address the issues you are facing
Build consensus, set goals and establish milestones for where you’d like to be
Streamline the ERM process to eliminate assessment duplication and connect support functions with core process owners
Quantify and measure ERM value in both strategic benefits and bottom line dollars
Benefit from the risk community’s prior experiences
Communicate effectively to the board, regulators, core process owners, support groups and other stakeholders

Elements of an effective RMM.

Best practices identification: The RMM framework distills elements of the risk management business plan down, first into root issue categories, then into best practice factors within each category, then even further into best practice indicators within each factor. This root issue approach makes follow-up action planning a straight forward activity and is a pre-requisite to enable model standardization and benchmarking.
Assessment scoring: First for the enterprise and then for each core process area, each factor can then be scored in a facilitated self-assessment based on standardized evaluation criteria. Standardized scoring is critical to enable to enable benchmarking and reports to be organized within various industry compliance standards such as COSO, Basel II, Sarbanes-Oxley, COBIT and those used by credit rating agencies among others.
Benchmarking: The RMM ranks Enterprise Risk Management in organizations in a hierarchy of five levels, each with a progressively greater capability as a leading indicator of preventing future problems. Assessment scores for each area make it relatively easy for management to place itself within this scale to identify realistic targets for improvement aiming towards the next level of capability and maturity. Regardless of the starting point, risk management is able to benchmark their ERM processes and compare it with others in the organization and industry.

Very quickly, everyone in the organization can see exactly where the company stands, where the company wants to be and how it can get there. Often, it is the process of collecting information that gives people the conviction to act, not the answer itself. With a RMM, all functions of the organization are directly involved in the process, which goes a long way in getting an organization to rally around the final results. ERM is not about attending conferences and hiring consultants, it is about challenging the management team to think about risk in a new holistic way.

Measuring the risk officer’s performance.

As practitioners of a function that is generally not fully understood within the corporation, risk managers often have a difficult time determining how to measure their own success. "After building a lighthouse, how do you measure the value of ships that did not crash onto the rocks?" asks Robert Mooney, First Vice President, Business Risk Management, Merrill Lynch & Co., Inc. in responding to the challenge of ERM program performance. The answer according to Mooney is measurement and benchmarking. An RRM can quantify the level of your ERM program, so that you can build a plan and measure progress.

Once again, a RMM eliminates that ambiguity. It quickly helps the team reach consensus and establish measurable goals and milestones. Because they are all involved in the process, they have conviction in the results. Because the data is indisputable, everyone buys into the performance measurements. Because the risk manager has the support of their team, they can focus on accomplishing the objectives and hopefully improve their compensation over time.

Establish a risk culture.

Think about how a company works, at the simplest form: Manageable functions are distributed throughout multiple departments, individual and departmental performance objectives are established and the business rolls forward. Risk is the same way. Rather than build a huge risk department, risk managers should use a RMM to get internal audit, compliance, information technology and core process owners engaged in the ERM process. As employees grasp the value of a risk-based approach, you’ll be surprised at how quickly you can build a strong risk culture that yields tremendous bottom-line results. So go ahead and invite your whole organization to the ERM party. Now that the elephant is gone, there is plenty of room.