Improve Your Odds with ERM

17 November 2008 by John Hurrell




John Hurrell and Paul Hopkin from AIRMIC on learning from lending firms' effective use of enterprise risk management.


In an increasingly global business environment, risk management is topping the agenda. Enterprise risk management (ERM) has emerged as a potential solution for organisations looking to get a grip on their exposure as the complexity and nature of risk continue to evolve ever more rapidly.

Organisations have shown a greater appetite for ERM as they sense greater risk to their strategy and operations as supply chains stretch to span diverse, fast-moving markets.

‘The business world is getting riskier,’ says Paul Hopkin, technical director of the Association of Insurance and Risk Managers (AIRMIC). ‘The credit crunch is the most obvious factor, but there are all sorts of other risks. Consumer expectations are higher, supply chains are increasingly complex, there is globalisation and there are many regulatory frameworks to comply with – the list goes on.’

With almost 850 members, AIRMIC represents the insurance buyers for around 75% of the FTSE 100. Its members control some £5 billion of insurance premium spend each year, and are responsible for the payment of insurance claims from their company finances to the value of at least £2 billion annually. The responsibilities of AIRMIC members also encompass broader risk management activities, including ERM.

‘The risk profile of our members is changing,’ says John Hurrell, chief executive of AIRMIC. ‘Outsourcing adds complexity, too, and doesn’t take risk away. Every year we ask our members what keeps them awake at night, and we have seen their responses change.’

The changes are shown clearly in a major research study recently completed by AIRMIC, which examined the effectiveness of ERM to see whether it is delivering on its promised benefits. Members now seem less concerned about manufacturing processes and more worried about softer risks, especially as their operations cross more international boundaries and confront different regulations in each jurisdiction. Their perception is of growing risk and complexity in their supply chains.

‘They’re thinking about brand and reputation, which can collapse overnight, or about intellectual property and technology. Of course they then have to overlay Sarbanes-Oxley and the compliance agenda,’ adds Hurrell.

A study in success

Built on detailed case studies of organisations such as law firm DLA Piper, BT, Nestlé, Solvay and a department of the UK government, AIRMIC’s study has identified many key elements of effective ERM implementation.

Its key findings show that ERM can successfully deliver many important benefits, including better decision-making, reduced risk exposure, better corporate governance and compliance through the delivery of risk assurance. These appear, however, only when an organisation develops a sustainable risk-aware culture, implements risk management policies and adopts a structured approach to implementation.

Sponsorship from the very top of the organisation is also key to success. ‘It needs a light to go on in the boardroom. The board needs to see the business benefit of better operations, more efficient projects, the ability to deliver on strategy and to meet customer expectations. ERM is not a leap of faith now. When that light goes on the benefits become real,’ says Hopkin.

Another key theme to emerge from the study is that as attitudes mature, forward-thinking companies are looking at ERM as more than just a compliance exercise. ‘Those companies with proactive management want benefit out of their compliance activity. They want to take risk management further. Many organisations feel ERM is worthwhile and have a framework to embrace ERM. They can see its positive benefits,’ says Hopkin. ‘Our members have achieved compliance and shown the effectiveness of risk management policy and processes. Now they are looking to get a return on their investment. The question of how you measure that return was the driver for our research project,’ he adds.

Tracking cases over time, the study suggests increasing evidence of strategic use of ERM, at least among leading organisations. ‘I sense, however, that these are the minority. Most firms are still to make the move beyond compliance,’ notes Hurrell. But he also points out that the need for ERM is growing. ‘The speed at which the competition can overtake you is frightening, so companies have to move faster than they did even five years ago. Business resilience is more under threat. There is also the nature of risk to consider. The more forward-thinking organisations want to tie risk management to their customers to increase resilience. They are more aware of the interdependence of companies in the supply chain.’

Hopkin draws the analogy of a pharmaceutical company, which needs to ensure constant availability of prescription drugs. It builds in customer expectations, the availability of resources, and the destination of each product to create an end-to-end view of the supply chain. ‘With ERM, analysis of risk helps ensure that there is constant availability of medication to alleviate risk.’

PACED – a model for ERM

A large-scale implementation of ERM in a high-risk organisation will no doubt demand a higher degree of change in its business structure. The quality of information within the organisation is crucial, so there is no room for a silo mentality.

Hopkin stresses that all business functions from sales and marketing to finance must be involved in any ERM project. The level to which an organisation must transform, however, depends very much on its business model and the industry in which it operates. The model for implementation backed by AIRMIC, therefore, begins with a focus on proportionality.

'Proportionate' is the first of five keywords in the PACED model. It reminds organisations to embrace the right level of structural change to reduce risk exposure. The second keyword is 'aligned', which brings a focus to three timelines in which ERM can be implemented – operational, project-based and strategic. These involve different planning horizons and different targets, so ERM must be implemented in the right timeline in order to align with business objectives and deliver value.

‘Companies must understand these timelines and build ERM in at the right point in the right timeline,’ says Hopkin.

The need to address wider network risk is covered by the keyword ‘comprehensive’. Companies can use ERM for better regulatory compliance, but as a result they may miss out on a full risk profile. ERM can help them complete a picture of strategic risk exposure and, therefore, influence planning.

‘Even the lowest common denominator in the business could affect its overall performance. Look at every feature of the business or you may miss killer risks,’ adds Hopkin.

To ensure ERM is 'embedded', the fourth PACED term, there must be effective communication to ensure all stakeholders are engaged in risk management and there is a clear trail of accountability. Confidence in the risk structure grows when everyone knows their responsibilities, and companies can more easily delegate risk management to the right level.

‘Everyone knows that managing risk has to be a good idea. The important thing is that it should be explicit risk management, and ERM is a structured approach to that,’ says Hopkin.

The final component of PACED is ‘dynamic’, which reminds organisations that risk management is a constant process that must reflect the rapid changes in technology, supply chains, manufacturing locations and customer expectations.

‘The bedrock of the practice of risk management or ERM is the risk register,’ Hopkin explains. ‘This can’t be static, it should be dynamic. Failure to be dynamic may result in an unwanted risk-averse business culture, which curbs ambition and innovation. A dynamic approach ensures that risk is embraced in a thoughtful way.’

AIRMIC will continue to bring more clarity to ERM but, for now, it has obtained insight into successful approaches to ERM implementation, which holds lessons for any organisation.

The advantages of ERM

AIRMIC’s study reveals that successful ERM initiatives yield a broad array of benefits:

• Better decision-making, especially in the development of corporate strategy, because of the availability of more reliable risk information.

• Implementation of targeted actions to reduce the level of risk associated with operations and projects.

• Greater efficiency of operations, including reduced disruption to routine operations and activities.

• Successful delivery of projects and enhancements, resulting in more effective business processes.

• Improved corporate governance and compliance standards by the delivery of risk assurance.

• Increased scope for delegation, due to the assurance that risks will be managed effectively.

Key elements of a risk-aware culture

Purpose

  • Objectives should be established and communicated
  • Significant internal and external risks should be identified and assessed
  • Policies should be established, communicated and practised
  • Plans should include measurable performance targets and indicators

Commitment

  • Shared ethical values should be established, communicated and practised
  • HR policies should be consistent with these ethical values
  • Authority, responsibility and accountability should be clearly defined
  • Mutual trust should be fostered to support the flow of information

Capability

  • People should have the necessary knowledge, skills and tools
  • Communication processes should support the values of the organisation
  • Sufficient and relevant information should be identified and communicated
  • Control activities should be designed as an integral part of the organisation

Learning

  • Decisions and actions within the organisation should be coordinated
  • Assumptions behind objectives should be periodically challenged
  • Information needs and related information systems should be regularly reassessed
  • Procedures should be established to ensure appropriate actions are taken