Enterprise Risk Management Programs in Rapid Development Phase
(June 2010) Enterprise Risk Management (ERM) programs are still in a highly developmental stage in many corporations, and interest in risk management has never been higher, according to a new Financial Executives Research Foundation research report by BMR Advisors.
Enterprise Risk Management: Insights & Operationalization explores the unprecedented levels of management and boardroom interest in ERM and identifies a number of operational trends. It also highlights significant variations in the interpretation of what ERM means in practice, what areas of risk should be its main focus and what role ERM should play in ongoing business management. Conducted in the spring, the report is based on detailed reviews of more than 40 ERM programs as well as qualitative interviews with 25 ERM leaders.
Among the key findings of the report:
ERM Objectives: Companies believe that ERM exists to make risks more visible before they impact an organization so that management decisions can be evaluated and challenged. There is a growing recognition that ad-hoc risk management approaches are no longer acceptable.
No Two ERM Programs are Alike: ERM programs must be designed on a “one-size-fits-one” basis – developed to match the culture of the business in question. Engagement with the business drives ultimate success.
Two Main Interpretations of ERM Focus: Programs that companies label ERM tend to fall into one or other of two groups – according to whether they focus mainly on strategic risks, measured and managed qualitatively, or more on operational and financial risks, measured and managed quantitatively. A relatively small number of ERM leaders have successfully married the two approaches in a more holistic framework, and among those who have not, most regard such integration as a desirable objective – principally because it will help to strengthen links between strategic vision and operational planning.
Strategic/emerging Risks Seen as Biggest Threat: Those companies whose ERM programs focus mainly on strategic and emerging risks generally do so because these are perceived to pose the biggest threat to the success of a business – or even its very survival.
Failure to Institutionalize ERM Introduces Risk of its Own: ERM programs are relatively new initiatives in many organizations and are typically resourced by small staffs – often by “armies of one.” While in itself not necessarily a problem, this can introduce risk if a program is not properly ‘institutionalized’ since, if a program depends too greatly on the personal equity of a single person or small group, ERM itself may cease to exist when that person leaves the organization or takes on other responsibilities.
Role of ERM: ERM programs must work alongside business management in a complementary, supportive role. Responsibility for risk must remain with the business itself. Debate remains strong as to whether ERM should play only a facilitative role, or should be given more “teeth” – but a consensus exists that ERM must never be allowed to be perceived as the “risk police.”