The Dos and Don’ts of Enterprise Risk Management
March 13, 2006 | Boston, MA:
Companies realize the business value of managing risk across the enterprise effectively in different ways. Some rejoice as their reputations and stock prices rise. Others experience, often in a very public way, the negative impact of failed risk management: lost revenue, fines, litigation, damaged public images or worse.
In corporations around the world – particularly those in highly regulated industries – the connection between risk management and business success is an accepted concept. Enterprise risk departments are being established at record speed, led by risk staff with impressive analytical capabilities and risk certifications.
So why is there still so much confusion about enterprise risk management? Why are risk departments still having so much difficulty achieving demonstrable results?
At the Global Association of Risk Professionals (GARP) annual convention held recently in New York City, several speakers and attendees zoomed in on key points that companies and risk officers need to address head-on in order to fully reap the tremendous rewards of effective enterprise risk management.
Here are the do’s and don’ts of Enterprise Risk Management:
DON’T sit in your office all day, crunching numbers and sifting through data. The ability to analyze data in order to spot trends or hot spots is, of course, an important skill for risk officers. At the GARP conference, however, Ronald Burtnett, Executive Director of Operational Risk at Morgan Stanley, recalled the efforts of medieval alchemists who tried mightily to turn base metals into gold. Though unsuccessful, some were broad-minded enough to embrace their unexpected discoveries, which ultimately became the mainstay of modern chemical and metallurgical industries. Risk managers, likewise, are right to study intricate data patterns, but often the most important discoveries will come directly from the people who own the risk: front line management.
“It’s about communication versus analysis,” concurred Bill Martin, Risk Executive, Bank of America & Chairman of GARP Board of Trustees. “In the end, what matters is not how accurate the risk assessment is but what impact that assessment has on decision-making. Enabling process owners to assess their own risks will increase their understanding of the risk and their buy-in to the prevention of those risks from occurring.”
DO communicate with others in the organization, especially those on the front line. Successful risk management involves collaboration at all levels of the organization, beginning with the front line to senior management and back again. It requires risk managers to actively engage the operations teams in the entire risk management process. Since line managers are the ones who ultimately own the risk, it only makes sense to have their participation in assessing risk impact and identifying the solutions. When risk is presented in terms that relate to their own jobs rather than in analytical buzzwords and formulas, they will be far more likely to assume responsibility for addressing the risk.
“The role of risk management is often as a facilitator, coordinator and organizer to front-line managers,” agreed Brenda Boultwood, Senior Vice President and Head of Risk Management for Treasury Services at JPMorgan Chase.
DON’T expect consultants to do your work for you. Consultants, like car salesmen, often get a bad rap. Car salesmen can be smart, helpful people who provide a wealth of information while they try to influence you to see things their way. But in the end it is up to you to do your own research, validate the information you receive, assess it against your needs and objectives and make the final decision.
The same holds true for consultants. Certainly, they can be knowledgeable resources who have had exposure to risk management in a variety of organizations. But too many companies look to consultants to provide them with answers about loss data, compliance and program policies. Consultants are a helpful source of information, but just as Freud thought that “jokes reveal something important that we might not want to consider directly”, consultants are defined as “someone who borrows your watch to tell you the time and then keeps your watch”.
DO accept the role of a decision-maker. It’s up to the risk manager to gather the information, do the research, talk with their stakeholders and analyze the data. Consultants may help kick things off or provide expert opinion, but it is the risk manager’s function to draw the conclusions and make the decisions that will shape the company’s risk management strategy. The bottom line: consultants should never assume the role of a risk manager.
DON’T build your own risk management software. This is a trap that many companies have fallen into out of necessity. Until recently, enterprise risk management technology was woefully inadequate and companies that wanted more had little choice but to develop homegrown solutions.
Today, this is a bad decision on many levels:
- Homegrown systems are costly to build and maintain, whereas software companies can spread the development and market research costs across dozens of customers. JPMorgan Chase, which has created its own internal enterprise risk management system, indicated to GARP members that while the system is successful, JPMorgan Chase employs 55 development and support personnel full time to maintain it. Multi-million dollar annual maintenance expenses may be something that a giant like JPMorgan Chase can absorb, but for most firms it is unacceptable.
- Enterprise risk management technology is evolving at a rapid pace. Solutions developed internally meet specific functionality but quickly become outdated as needs change. Solutions developed internally are often too geared toward compliance and audit and not focused on delivering business value. ERM solutions must meet the needs of the folks who directly manage the largest source of risk in the organization. Get line managers involved in the risk analysis software selection and use rather than development and administration.
DO invest in innovative enterprise risk management technology. New risk analysis tools coming to market provide risk managers with the robust analytical capabilities they need, while at the same time being intuitive and easy enough to facilitate communication between multiple layers in the organization. They enable business managers to understand risk and performance in the context of business operations and allow senior management to understand the risk management strategy with solid business case assessments.
Enterprise Risk Management software must manage the complexity for an ERM program and have the following characteristics:
1) Root Cause: A framework that gets to the cause of issues makes follow-up straightforward and logical.
2) Motivation: Functionality to help line managers achieve process improvements to reduce costs, bottlenecks and unnecessary risk translates into their embracing risk management.
3) Process driven: Selecting the most relevant 30 to 50 key risk indicators for each core business process from thousands of possibilities.
4) Reporting: Features to deliver insightful analysis with interactive risk dashboards to drill down or cut across silos to identify cross-functional risk.
5) Operational Controls: Go beyond financial controls to also quantify the effect of controls on business goal achievement while maintaining accountability throughout the process.
6) Pervasive: Supporting a risk culture perspective from enterprise-wide board room strategy to tactical mail room operations.
7) Maturity Model: Enable the risk management department itself to accelerate adoption of best practices, to set program objectives and measures and to manage ERM program activities.
The greatest rewards come from Enterprise Risk Management when it is used to affect the way all our decisions are made. The key is in knowing what to do and what not to do. Bolstered by the right technology, smart companies really can turn risk into gold.
Caitlin Seele: firstname.lastname@example.org | (617) 530-1208