Although I recently posted one on this title, I think it needed more work, hence this one.
Convergys, a Cincinnati-based relationship management services company
with $2.8 billion in 2008 revenues, followed a similar path in erecting its ERM
structure. In its case, business leaders across the organization were
identified and asked, “What risks keep you up at night, and how do they impede
your ability to meet strategic and operational objectives?”
Risk Management Defined
Risk management is the identification, analysis and acceptance or mitigation
of uncertainty in decision-making. The decision can concern operations, an
investment in stocks, a business expansion, closing down a division or product,
or leaving one market for another altogether. Essentially, risk management
occurs every time a business owner, or for that matter an individual, analyzes
and attempts to quantify the potential losses that could flow from a specific
decision and then takes the appropriate set of actions given the business or
investment objectives and the risk tolerance, better known and understood as the
risk appetite.
Risk management is, on one hand, determining what risks exist and, on the
other, answering the question of how to handle those risks in the way best
suited to the business objectives. Risk management occurs everywhere. It
occurs when low-risk government bonds are preferred and bought over riskier
corporate debt, when a fund manager hedges currency exposure with currency
derivatives, and all the more so when a bank performs a credit check on an
individual before extending a line of credit.
Inadequate risk management can have severe consequences for companies as
well as for the individuals involved. For example, the recession that began in
2008 was largely caused by lax credit risk management at financial
institutions.
With the instability from the economic crisis of 2008-2009 (which we are
still going through), the spotlight is on risk management more than ever
before. Whether or not an organization already assesses its strategic and
operational risks, the onus is on every organization to erect a systematic
reporting structure for analysing its risks, to develop more comprehensive risk
monitoring tools, and to devise strategies to manage those risks while still
taking enough calculated risks. It is these calculated, well-managed risks that
often separate the winners from the losers.
The last couple of years have seen a strong corporate drive towards a
methodology for better identifying, assessing and quantifying strategic,
financial and operational risks across all functions of the business. It is
called Enterprise Risk Management (ERM). Many large public companies have
implemented ERM, in some cases because of government regulation: as an
extension of SOX compliance for those operating in the US; in Europe, since the
passage of the European Union’s 8th Company Law Directive on Statutory Audit
(Directive 2006/43/EC), which European and non-European companies listed in any
country of the European Economic Area have to comply with; and under the
SOX-derived regulations developed in Australia, France, Germany, Italy, Japan,
Turkey and elsewhere. Many others have adopted ERM simply because it makes
tremendous sense.
ERM is a framework for managing every material risk and practically
confronting it, so as to enable the enterprise to achieve its business
objectives and minimize the unexpected operational volatility that could
adversely affect earnings. Capital that a company holds to absorb losses, or
spends on hedging or transferring risk, is capital that cannot be invested in
profit-producing activities. ERM helps companies determine the right amount to
direct towards risk.
ERM Process
The steps involved in an ERM process are essentially the same everywhere.
That said, since each organization has its own way of doing business, based on
its vision, mission, corporate culture and philosophies, it will certainly give
its own flavor to the implementation. Nevertheless, a solid ERM framework
should have four key components:
- Governance Structure, Policies and Process flows
- Risk Analytics
- Risk Management Strategies
- Dashboard Reporting And Monitoring
Organizations that have implemented ERM now pass their best practices on to
others, conveying risk insights and solutions to those still adopting it.
The toughest leg of the ERM journey is the first step: bringing risk
overseers from across the enterprise together to share the risks within their
own spheres of influence. Depending on its operational structure, a company can
opt for a top-down process, which begins with an understanding of the company’s
strategic priorities coming from the top of the pyramid, the board of directors
and the C-suite.
Alternatively, a company may adopt a bottom-up approach, in which the
primary risk managers in each business unit assemble to examine the strategic
objectives, the operational means of achieving them and the risks these raise.
Once consensus is reached, the risk drivers are aggregated and rolled up for
C-level and board review. Senior management is then able to decide where best
to allocate resources to achieve business objectives, fully aware of where the
risks reside, what they cost, and which mitigation strategies are in place.
Knee Deep
Risk identification is not a simple task. The strategic risk identification
process alone can require a large number of people from different functions of
the organization. Operational risks are reviewed both top-down and bottom-up,
and process and sub-process interviews are conducted and then reviewed to
surface further operational risks. The company’s risk management department
may then prioritize these risks in terms of their probability and impact.
Measuring Acceptance
Identifying a risk does not constitute ERM; companies must understand the
risk. Once a risk’s contour is determined, ERM calls for companies to quantify
it in several metrics: the potential frequency of the event occurring, the
potential severity of the financial loss if it does occur, whether the risk may
start a chain reaction into other areas of the business, and whether one risk
might actually offset another.
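The metrics above (frequency, severity, chain reactions, offsets) and the probability-times-impact prioritization from the identification step are easiest to see on a concrete register. The following is an added example, not code from the original post or from any ERM product: a constructed three-risk register (made-up names and kUSD figures) in which a supplier failure raises the probability of a production outage, and an FX hedge offsets part of one loss for a fixed premium. Because the trigger graph is acyclic, the joint distribution factors into each risk’s conditional probability given its triggers, and with only a few risks every outcome can be enumerated exactly rather than simulated. The "strongest active trigger wins" rule and the flat hedge premium are modelling assumptions of this example.

```python
"""Exact expected-loss, tail-risk and prioritization figures for a small,
constructed risk register. Added example; the register is made-up data.
Triggering risks must be listed before the risks they trigger (keeps the
dependency graph acyclic); larger registers would be sampled, not enumerated.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Risk:
    name: str
    probability: float          # annual probability when no trigger has fired
    severity: float             # loss in kUSD if the risk materialises
    triggers: dict = field(default_factory=dict)  # trigger name -> conditional probability


@dataclass
class Offset:
    """A hedge: a fixed annual premium buys a loss reduction on one risk."""
    risk: str
    reduction: float
    premium: float


def validate(risks):
    """Every trigger must be a risk listed earlier in the register."""
    seen = set()
    for r in risks:
        unknown = set(r.triggers) - seen
        if unknown:
            raise ValueError(f"{r.name}: triggers {sorted(unknown)} must be listed before it")
        seen.add(r.name)


def conditional_probability(risk, occurred, chain=True):
    """P(risk occurs | which other risks occurred). chain=False ignores triggers,
    i.e. the 'treat every risk as independent' mistake."""
    fired = [p for trigger, p in risk.triggers.items() if trigger in occurred]
    if chain and fired:
        return max(fired)       # assumption: strongest active trigger wins
    return risk.probability


def outcome_distribution(risks, offsets=(), chain=True):
    """Yield (probability, loss, occurred) for every combination of risks."""
    validate(risks)
    for states in product((False, True), repeat=len(risks)):
        occurred = {r.name for r, s in zip(risks, states) if s}
        prob = 1.0
        for r, s in zip(risks, states):
            p = conditional_probability(r, occurred, chain)
            prob *= p if s else 1.0 - p
        loss = sum(r.severity for r in risks if r.name in occurred)
        for o in offsets:
            loss += o.premium               # premium is paid every year
            if o.risk in occurred:
                loss -= o.reduction         # hedge pays out only when the risk hits
        yield prob, loss, occurred


def expected_loss(risks, offsets=(), chain=True):
    """Annualised expected loss: probability x loss summed over all outcomes."""
    return sum(p * loss for p, loss, _ in outcome_distribution(risks, offsets, chain))


def tail_probability(risks, threshold, offsets=(), chain=True):
    """Probability that the year's total loss reaches the threshold."""
    return sum(p for p, loss, _ in outcome_distribution(risks, offsets, chain)
               if loss >= threshold)


def marginal_probabilities(risks, chain=True):
    """P(each risk occurs) once triggers are taken into account."""
    totals = {r.name: 0.0 for r in risks}
    for prob, _, occurred in outcome_distribution(risks, (), chain):
        for name in occurred:
            totals[name] += prob
    return totals


def prioritise(risks, chain=True):
    """Rank risks by marginal probability x severity, highest first."""
    marg = marginal_probabilities(risks, chain)
    return sorted(((r.name, marg[r.name] * r.severity) for r in risks),
                  key=lambda t: -t[1])


# Constructed register (kUSD); not real company data.
REGISTER = [
    Risk("supplier-failure", 0.10, 500),
    Risk("production-outage", 0.05, 300, triggers={"supplier-failure": 0.50}),
    Risk("fx-loss", 0.20, 200),
]
FX_HEDGE = [Offset("fx-loss", reduction=150, premium=20)]

if __name__ == "__main__":
    for chain in (False, True):
        print(f"chain={chain}: expected loss {expected_loss(REGISTER, chain=chain):.1f} kUSD, "
              f"P(loss >= 800) = {tail_probability(REGISTER, 800, chain=chain):.3f}")
    print("with FX hedge:", round(expected_loss(REGISTER, FX_HEDGE), 1), "kUSD")
    print("priority:", prioritise(REGISTER))
```

Running it shows why the chain-reaction metric matters: the expected loss rises modestly from 105 to 118.5 kUSD once the trigger is modelled, but the probability of an 800 kUSD-or-worse year rises tenfold, from 0.005 to 0.05, because a supplier failure and an outage now tend to arrive together. The hedge is an offset in the text’s sense: it lowers the expected loss to 108.5 kUSD, and whether it is worth its premium is exactly the capital-allocation question ERM is meant to answer. The ranking also moves: the outage’s marginal probability becomes 0.095 rather than 0.05, so a register that ignores triggers under-prioritizes it.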
One can argue that the subprime mortgage disaster was undoubtedly a failure
of prudent risk measurement. While providers of mortgage-backed securities may
have understood their own commitments, they failed to act diligently by
quantifying the ripple effect that a credit crisis involving other
organizations would have on those commitments.
Confronting The Risks
After a company has identified and measured its strategic and operational
exposures, a reliable strategy for managing and monitoring the risks is
required. Technology helps here, particularly dashboard-type reporting: an
early-warning system that keeps track of all operations. But like all
technology, the system is only as good as the data within it and the processes
created to report that data.
Many organizations have given the responsibility for monitoring enterprise
risk to a Chief Risk Officer (CRO) or another high-level executive such as a
CFO or a CGRCO. This differs from the previous approach to risk management, in
which individual risks were handled individually:
- insurance risk managers - hazard and liability risks
- internal audit - financial and operational reporting risks
- business units - project risks
- treasury - foreign-exchange risks, and so on.
Line Of Attack
Acceptance is the key: accepting that the risks exist makes it easier for
the company to plan for them. The better the understanding of the risks, the
better the plan and the more effective the strategy. As said earlier,
technology is only as good as its data; likewise, a strategy is only as good as
its implementation. Management buy-in matters as much as the strategy itself.
The strategy could be the best in the world, but without management buy-in not
only is its entire purpose defeated, it can also lead to stricter regulatory
intervention.