Enterprise Risk Management

January 22, 2006

What do terrorism and regulatory compliance have in common?

The dramatic shift in the way American businesses define risk. Traditionally, risk has been divided into three categories: market, credit and "other." Suddenly, risk management is no longer just about preventing bad loans or dealing with Mother Nature. The wake-up call of September 11th and high-profile indictments at Enron and others have spurred feverish activity in disaster planning and raising the bar on fraud. However, some of the most important lessons on how to create a culture of risk management have yet to be learned.

What is the cost of not asking the right questions?

The World Trade Center attack dealt a devastating blow to many financial institutions and made an impact on the nation’s economy when it shut down the New York Stock Exchange. The grounding of airlines temporarily stopped the flow of paper checks. The industry responded by spending billions of dollars to protect themselves from future incidents based on the effects of risk. The bad news, however, is that a reactive approach to focusing on preventing the disaster that just passed may be causing people to ignore other equally devastating risks.

At the Securities Industries Association’s recent Risk Management Conference, keynote speaker Thomas Russo, Vice Chairman and Chief Legal Officer, Lehman Brothers, Inc. got attendees buzzing when he told them that potentially catastrophic risks are still being overlooked. The bird flu or similar epidemic could be extremely problematic for businesses that concentrate key people in geographic locations, Russo pointed out. While the likelihood of a bird flu epidemic hitting this country is up for debate, what if your outsourcing facility in India or supplier in China was hit by bird flu? It illustrates precisely why every company (not just those in financial services) needs a comprehensive program of risk management.

A bank with all its wealth management specialists in a single region that suddenly gets hit with a fast-moving virus could be severely impacted. If a medical epidemic was not even on management’s risk radar screen, what happens when the data is fine, but the people are gone? How do you make an action plan for so many things that have not happened yet?

What is the cost of not establishing a risk culture?

Companies learned how to survive a terrorist attack by living through 9/11. Enterprise risk management (ERM) provides organizations with that same valuable knowledge without the pain of experiencing a difficult event. With ERM, companies move to a proactive mode to assess the impact, likelihood and effectiveness of controls related to risk and develop mitigation plans. ERM is a proven discipline that provides hard numbers and invaluable assessments, which often yield results that surprise even the most hands-on managers.

That’s because ERM embraces all aspects of operations - the people, the systems, the processes, external factors, relationships with customers and suppliers - and the way they interact with one another. It provides employees at multiple levels of the organization with a framework to incorporate risk factors into every aspect of business operations. In addition, it facilitates collaboration between functional "silos" of operations. This cross-functional risk management monitoring is invaluable, because it ensures all departments are working toward a common goal, even as each focuses on its own expertise. And, since risk is always shifting, it allows adjustments to be made along the way. How do you set your priorities? How do you allocate resources?

How to cover cross-functional risk?

In the 1990s, the automobile industry discovered the value of cross-functional risk management the hard way as it strived to conform to tightening government regulations on emissions. Catalytic converters at the time depended on an expensive precious metal, platinum, with high volatility in both price and availability. An unfavorable price or shortage could affect the entire sale and directly impact the bottom line. To ensure a stable price and supply, the purchasing department at Ford Motor Company chose a strategy to stockpile large quantities of the metal needed for their production. In the meantime, the company’s research department was just as aggressively developing new catalytic converters that did not need the expensive metal. Both groups were doing exactly what they should and doing it well.

Unfortunately, they were working within their own silos. When the research department brought the new catalytic converter to market, the price of the metal plummeted in 2001, leaving the company holding nearly $1 billion of the near-worthless component. Had a cross-functional risk management program been in place, the company could have decreased its purchasing as the new converter drew closer to release.

What is the difference between tracking cause versus effect?

As the concept of ERM has begun to take hold, tools have become available to make this process easier and faster. In addition to helping managers prioritize and individual departments collaborate, these solutions provide firms with the ability to delve below the surface to accurately identify the causes of certain risks. This is critical, because so many organizations simply react to the end result of a problem without getting to the root cause. A company beset by lawsuits, for instance, may be consumed with resolving the lawsuits but is never able to determine the cause of the legal action. Is there an improper business practice somewhere? Is it a customer service issue or a product flaw?

"It’s very simple. Happy clients don’t sue," said Robert Mooney, First Vice President, Business Risk Management at Merrill Lynch.

It’s far less expensive to go upstream to find out why people are complaining than to fight it out in court. With an ERM framework you can be certain you are driving your risk programs by cause, not effect, so you will ultimately reduce the number of lawsuits being filed. ERM software includes wizards that ask the right questions and categorize the answers to help you zoom in on the real causes of risk very quickly.