Ever since the financial crisis of 2008, when risk managers on Wall Street watched helplessly as their businesses melted down, increasing attention has been paid to enterprise risk management. Many companies have since launched new ERM programs or poured more resources into existing ones, prodded in part by increasing regulatory and rating-agency scrutiny of corporate risk management.
It’s no surprise that many ERM programs — which take a holistic view of a company’s myriad risks, identifying the material ones and devising ways to tame them — are focused on risk avoidance. But if some risk managers dream of black swans and fat tails, others have visions of lower costs and market share. At a growing number of nonfinancial companies, like Lego, Safeway and General Motors, enterprise risk management is a means of creating value and competitive advantage.
“Historically, risk departments have often been seen as the department that says no, brought in at the end of a decision process to validate a course of action,” says Steve Culp, managing director of Accenture Management Consulting’s risk management group. “But if you believe you need to innovate to grow, you must also understand that you need risk with you from the beginning, to understand what new challenges will come and how you can best mitigate those.”
Taking the “Right Risks”
In a 2010 study of risk management, Aswath Damodaran, a professor of finance at New York University’s Stern School of Business, breaks risk down into three categories: risks that firms can pass through to investors, risks they can avoid or hedge, and risks they can exploit more effectively than their competitors can. “Successful firms, over time, can attribute their successes not to avoiding risk but to seeking out and taking the ‘right risks,’” writes Damodaran.
He adds, “Risk taking that increases potential upside [risk] while minimizing or reducing downside risk can provide the best of both worlds: higher cash flows and lower discount rates.”
To ensure that the “right risks” are taken, ERM and strategy should be aligned, say experts. For example, says Culp, a company might want to enter China with the goal of having 30% of its revenues come from there in five years. But it stands a good chance of failing unless it understands the risks involved with entering that market — concerning tools, technology, staffing, competitors, changing customer needs and so on.
“If everyone is on the same page, they can maximize the potential value of enterprise risk management: to increase firm value,” says Kristina Narvaez, president of ERM Strategies, a consultancy. She cites Zurich Insurance Group and the University of California system as organizations that have leveraged ERM to create value. In its 2011/2012 annual report, the university’s Office of Risk Services reported that ERM had reduced its cost of risk by a whopping $493 million since 2003, a measure that includes self-insured losses, premiums, claims administration, and loss control and loss prevention expenses.
“Risk should be elevated in the organization, to the strategic, operational and tactical levels,” says Narvaez. “But too many times [the strategic level] doesn’t know what enterprise risk management is doing.” The value proposition of ERM is often ignored, she says. “Where can we take more risk? Where can we have controlled growth? Those questions are not usually part of the [risk management] discussion, and they should be.”
Safeway, the supermarket chain, also uses ERM to identify opportunities to lower the cost of risk, says Ward Ching, vice president of risk management operations. Risk, says Ching, can either be a negative in an organization — “something you transfer away” — or a positive, something that has an upside potential.
ERM at GM: Find New Risks
Another company that is finding the upside potential of risk through ERM is General Motors. If any company can be said to have put the “enterprise” in risk management, it’s GM. The giant automaker, which had 2012 revenues of $152 billion, has more than 212,000 employees in 396 facilities around the world. Leading its ERM program is Brian Thelen, GM’s general auditor and chief risk officer.
GM launched its formal program when Daniel Akerson became CEO in 2010, says Thelen. “As a board member, Dan had a strong opinion that the company needed a robust risk identification and management process,” he says. Akerson sponsored the establishment of the program and of the chief risk officer role. In both of his roles, Thelen reports to CFO Daniel Ammann and to Thomas Schoewe, chair of GM’s audit committee. As at other companies, the audit committee has oversight responsibility for ERM and internal audit.
General Motors has tailored its risk program to its particular needs. “We developed our model to align with our strategic objectives and company structure,” says Thelen. “Our risk-officer structure includes executive representatives from each function reporting to the CEO, as well as from each of our major geographic regions.” Product development, purchasing and supply chain, and finance teams also interact with risk management.
In addition to soliciting input from functional leaders about key and emerging risks, “we work with them to help develop risk-mitigation activities,” Thelen says. “We provide tools for decision support, such as war gaming, game theory, scenario planning, stress testing, and so on.” GM also seeks views about its risks from external parties, says Thelen.
Enterprise risk management at GM means monitoring and mitigating risk on one hand and finding opportunities in risk on the other. “Dan Ammann has challenged us to be creative in identifying emerging or blind-spot risks that we may not normally think about,” says Thelen, while “Dan Akerson is aligned with our view that risk is not always a negative.”
Indeed, Thelen says GM’s ERM program is providing a competitive advantage. Without going into specifics, the CRO says the program enables the automaker to spot certain risks that also affect its competitors, then mitigate them before the competition can.
Can GM translate the impact of ERM into broadly used financial metrics, such as return on capital or EBITDA? “Certain risks will better lend themselves to these quantifiable metrics, whereas others are harder to measure,” replies Thelen. “In stress-testing scenarios, we do tie our work to our established key performance indicators to help the company make informed decisions among alternatives.” And when an investment is needed to mitigate risk, he adds, “financial considerations are always part of the cost-benefit analysis to determine how much residual risk we are willing to accept.”
So far, it would be difficult to quantify the impact of the program on GM’s cost of risk, says Thelen. But he points out that it has helped the company make better decisions, which ultimately results in improved performance.
How successful has the program been in promoting and embedding risk awareness in GM’s culture? “We’re making progress,” says Thelen. “The individuals who represent almost all functional and geographic areas of the company are exposed to the objectives of the ERM program. Our goal is that they take this sensitivity to risk back to their normal day jobs.” In this manner, he says, “we have a greater opportunity to help individuals think about the upside potential of risk, versus the typical downside mitigation.
“We try to get the message across that risk can be a good thing — especially if we can react [to it] faster than our competitors can.”
The Evolution of ERM
Two surveys conducted earlier this year shed light on the evolution of risk management and ERM. One, Accenture’s 2013 Global Risk Management Study, surveyed C-level executives involved in risk management decisions at 446 organizations around the world. The survey revealed three broad ways that risk management is changing:
1. It has a direct line to top management. Ninety-eight percent of organizations have a chief risk officer, and 96% of risk management owners (9% of whom are the CFO) report to the CEO.
2. It plays a much larger role in budgeting, investment and strategy.
3. It enables growth and innovation.
As for ERM, 58% of the organizations surveyed have such a program, while another third plans to implement one in the next year or two, says Accenture.
Of the 1,095 risk professionals who responded to RIMS’ February 2013 ERM survey, 21% said they had a fully integrated ERM system and 42% said they had a partially integrated system. RIMS says these numbers indicate a “critical mass” has been reached in ERM as a management discipline. Fifty-six percent of ERM activities are directed by the risk management department, compared with 12% for finance, the survey found.
As for aligning their ERM programs with formal standards and frameworks, 23% said they used the international ISO 31000 standard and 22% used the COSO standard. Twenty-six percent said they did not follow a particular standard or framework. — E.T.