Monday, November 3, 2008

Rethinking ERM

The world has changed irrevocably over the summer of 2008. The world’s banks have gone through the most traumatic period in living memory. As a consequence, governance and risk management are back on the agenda (see what the EU’s Charlie McCreevy has to say on the subject). Hector Sants of the FSA has linked remuneration with “sound risk management systems and controls” (see here for details). Gordon Brown has reminded bankers of the need for morals (see here). And in the meantime, Standard & Poor’s, who, along with other rating agencies are under some pressure as the consequence of market turmoil, are introducing ERM as part of their review of credit ratings for non-financial organisations as well as banks and insurance companies (see here).

Perhaps we should also take this opportunity to review just what part risk management played in the turmoil – or even, what part it failed to play. Many might argue that ERM has its own problems: it only scratches the surface; it is difficult to keep up to date; it does not add any value; it is too bureaucratic; the CEO doesn’t care; it only ever gets lip-service; there are insufficient funds available; it is not my problem and it does not help me do my job better? These may be some of the reasons that it did not work in Northern Rock (which of course had a fantastic Corporate Governance statement just before they collapsed), Bradford & Bingley and others. Surely a well functioning approach to ERM should have rung warning bells that would have allowed institutions to override what seems now with hindsight to have been a reckless and dangerous pursuit of ever more risky instruments and paths to profitability.

There are concerns that in many banking organisations, risk management was relegated to financial models and spreadsheets. Important as they are, once they come from their hothouses and are face to face with the chill reality of people, they seem to have fallen apart as rapidly as you can say credit-crunch. There are several keys that boards and risk practitioners should focus on:
  • Where are their risk obsessions (for example the financial risk modelling) and where are their risk omissions (for example looking at human behaviour, or pulling the whole picture together so that proper inferences can be drawn)?
  • Is there an appropriate balanced approach to engaging with risk?
  • Does the approach to risk taking and risk avoidance fit with the organisational strategy?
  • Has the board and senior management fostered a proper risk culture?
  • Is there a language of risk that is shared across the organisation?
  • Once risks are identified are appropriate strategies developed to respond to them?
    Is everyone who needs to know kept in the loop?
  • Does risk management reach right across and through the organisation – as an enabler rather than as a dampener of entrepreneurial spirit? And
  • Do the tentacles of risk management reach out into the value chain as a whole so that systemic risks can be identified and addressed?

Perhaps the watchword, for risk management, coming out of the credit crunch is: “don’t forget the people”. The question we must ask is whether ERM failed our businesses because profit trumped caution almost every time? Was ERM only in place to demonstrate compliance with the Combined Code? Now is the time to introduce a new model of ERM, which we might call ERM2.0, and this is the Risk Management that will be implemented by organizations that have learned from the crisis.

A new model of risk management
We need a new model of risk management: one where some of the key issues that we come across in working with risk management at organisations are dealt with; one where the human interface is not forgotten. Virtually everyone has had a stab at implementing risk management – some have stuck with the Combined Code guidance, many have gone a lot further. Plenty have done some of it very well, but just like major ERP systems, managers are asking themselves if they have driven the maximum value from their risk management programmes. The answer is almost always "no".

So, just like ERP systems, we are beginning to see managers asking how they might drive better value from the enormous investment of time and money that they made in ERM. And we are differentiating between two forms of ERM:

  • ERM1.0 was heavy on risk management processes, was limited in its scope and paid lip service to the risk management culture – through Turnbull's "embeddedness".
  • ERM2.0 on the other hand recognises these shortcomings and addresses the risk management culture in depth, acknowledges a full scope, identifies the context for risk management and rectifies some of the errors inherent in old-style risk management thinking. It does what it says on the tin: it helps managers to manage risk throughout the enterprise.

The rest of this document sets out some of the major opportunities for real gain by adopting ERM2.0

  • Obsessions and omissions: Does the organisation address all risk areas, including for example Strategic, Compliance, Disaster and Operational, or is there an excessive focus on one area of risk, one process, one department or one type of risk which leads to an imbalance, the loss of perspective, lost opportunities and increased exposure to unwanted risks. On the other hand balanced attention to risk, across all domains, in a unified approach minimises misunderstanding, releases management time and effort and allows a better focused approach to achieving goals.
  • Engaging with risk: Is the organisation’s engagement with risk all to do with avoidance, or does it include risk taking. Does it look at the performance culture and corporate ethics and behaviours? Focussing on the downside alone can make risk management very negative and is unlikely to enthuse managers.
  • Linking to strategy: Are risks linked to strategy? Is the strategy clearly articulated? Does the strategy set out how it will impact on the key value drivers? Aligning risks to the strategy is key to ensuring that risk management has a focus on the business context.
  • The risk management culture: Is the organisation a risk intelligent organisation, or does it just do the risk management process for the sake of compliance? Does it deal with risk systemically throughout the organisation, with partners, is it nimble with new issues and can it leverage risks to its own advantage? Does it have top level buy-in, does it link risk management to strategic and operational management, does it aim for simplicity and action, not bureaucracy and is it constantly conscious of risk management performance? If it does these things, then it will be able to take more, better managed risks, it will be hit by fewer surprises, it will live by established principles and it will expect excellent performance from everyone.
  • Risk definitions: Are risk definitions capable of being interpreted by anyone (with appropriate local knowledge) who picks up the risk register? Better risk definitions (context, event, consequence) are contrary to a lot of current thinking in risk management which has been to abbreviate risk descriptions to the smallest number of words possible – that really does not work.
  • Responding to risks: Lots of risk registers dump everything, including the kitchen sink into responding to risks. In fact there are five key dimensions to consider. Strategy: by which we mean do you want to prevent a risk from happening or allow it to happen and deal with the consequences, by, for example devising an appropriate contingency or disaster recovery plan. People: by which we mean do you want the risk to be managed by specific individuals, or is it something that needs to be managed throughout the organisation.
  • Detail: by which we mean do you want to manage general risks or specific risks. Tasks: by which we mean the activities of gathering information, devising plans, procedures or approaches to managing the risk and then the actions, including implementing the plans, and looking for assurance that the proposed action has been taken. Drivers: by which we are referring to the need for someone or something to make sure that the whole process takes place. These drivers include managers in the organisation, outside regulators or the culture of the organisation.
  • Stakeholders and guardians: Does your risk management approach recognise the importance of people who are not directly involved in the management of a given risk, but who might be impacted if you change the way it is addressed?
  • Scope: Does your risk management deal with all parts of the business, and all aspects of risk: for example geography, business units, climate change, the US Federal Sentencing guidelines, Corporate Governance and Solvency II?
  • The extended enterprise: Are there important parts of your value chain that are outsourced to others, or where you depend on key suppliers or joint venture partners? Do they manage risk as well as you do, and in a manner which is compatible with your approach?

What is to be done?
There are two answers to this: firstly for regulators, governments and professional bodies, we must ensure that models of risk management are sufficient for the job; and secondly, there is an answer for organisations, which do not have to wait for others. For these organisations they need to implement ERM2.0 as soon as possible.

There are five stages to successful implementation of ERM2.0:

  1. Review: what does your current ERM look like: ERM1.0 or ERM2.0? What are its aims? What does it achieve? What does the board think about it? What do those who have to implement it think about it? How much do people at the coalface actually bother about it? We normally do this by a combination of interview and survey, using our RM3 approach (see here).
  2. Design: how can you improve what you are doing so it achieves the advantages of ERM2.0? Will this feed in to your strategic thinking? Can you hit compliance requirements as well as targeting business benefits? Can you address business disasters as well as operational risks?
  3. Implement: how do you train your people and migrate to the new ERM2.0 approach without losing the strengths of your previous approach or cutting against the grain of your culture? What (if any) software do you need to support ERM2.0?
  4. Operate: Having rolled ERM2.0 out through pilot studies to the full organisation, do people continue to work with it, or does it begin to fade away? What needs improving or fine-tuning? Is ERM2.0 providing the expected benefits?
  5. Monitor: On a continual basis, review, refresh and renew so that ERM2.0 stays at the forefront of mind and risk management becomes the norm.

For more information on how we can help you to implement ERM2.0 in your organisation, contact us here.

3 comments:

David Lodge said...

That's a very nice summary, and ties into my experience with a major Investment Bank. Risk processes, even when well implemented, still tend to have the objective of "stopping bad things happening", which by and large they do. By and large I say, because risks tend to be discrete risk items, not linked to business objectives very well, and fail to consider tail risks properly. What needs to happen is for risk frameworks to allow management to take calculated risks that tie in with business objectives and strategy and make the risk framework a true "business enabler". Unfortunately I think this thinking is somewhat ahead of its time, by about 3-5 years.

scientificleader said...

I really like your ERM2.0 idea; and especially the under-focused areas of leadership decision making, culture and other forms of "intangible" risk that are addressed deeply by other non-financial organizational sciences (e.g. Industrial/Organizational Psychology and Psychometrics).

Ian Hord said...

I have experienced a similar evolution. Initial ERM frameworks have been too process focussed and failed to deliver against expectation. I have been working on ERM 2. A simple process that exposes strategic risk at the exec level and operational risk at middle management levels.