When you consider all the bad things that happen to good plans, it’s not surprising how often CEOs blame poor performance on poor luck. Product launches flop when customer demand is weaker than expected. A brilliantly conceived merger becomes a value-destroying menace when integration fails. Plans to expand overseas stumble over regulatory issues.
But risk-management and planning experts say such failures are usually predictable, and frequently preventable. The problem is that most planners don’t think hard enough about what might go wrong before putting an idea in motion. “There’s a natural tendency for executives to focus on the positives of a plan and deemphasize the risks,” says Rick Funston, national practice leader for the governance and oversight group at Deloitte & Touche LLP in New York. “It’s like saying, ‘Let’s climb Mt. Everest this weekend because it will be great fun,’ without stopping to think that this will probably get you killed.”
A number of companies think they have found a way to create better-examined plans — by formally linking risk management and strategic planning, something risk managers have long advocated. Indeed, a stronger bond between risk and planning was one of the goals of enterprise risk management, introduced in the 1990s. But few companies adopted ERM, and when they did, the result was often better integration of some risks — such as credit and market risk — without a real connection to strategy.
Two things have sparked renewed interest in ERM: the terrorist attacks on September 11, 2001, and the new governance rules enacted after the corporate scandals. “There is no question that this is the hottest time for ERM since we started working on it in 1991,” says Michael Chagares, senior vice president at Marsh Inc. “Boards want to know if management has a corporate risk profile and a continuous view of the company’s risks. And they’re finding that the best way to look at risk from a corporate perspective is to integrate it into the planning process.”
As a result, the new ERM programs aim to create such integration from the start. “Our main focus over the past 18 months has been building a risk culture and linking it to the business-planning process,” says Kathryn W. Dindo, vice president and chief risk officer at FirstEnergy Services Corp., an Akron-based utility holding company that has implemented an enterprise risk program at the urging of its chairman.
A Gap in the Plan
There’s nothing new about considering risk when making plans, of course. In fact, most companies already have some way of doing this, and some do it very well. This is usually SWOT (strengths, weaknesses, opportunities, and threats) analysis, a venerable planning method still taught in business schools. The issue is that executives tend to focus on the strengths and opportunities, but gloss over the weaknesses and threats. “Where strategic planning falls down is that there’s not enough thought given to the barriers to execution — the risks,” comments Rick Machold, a former business consultant and currently chief risk officer at Certegy Inc., a financial transaction processing firm in Alpharetta, Georgia. “The idea is to choose the highest-impact opportunities with the greatest likelihood of success. Companies do a good job with the first half of that logic, but not the second.”