Thanks to the global financial meltdown, we now know what a “black swan” is. But do we know from which direction the next one will swim into view, and what to do when it does?
Black swans are, of course, those highly improbable but painfully consequential events that strike from the blue — or from the streets of Cairo, or from an offshore oil rig, or from a poorly designed car part. They can destroy a company’s reputation, cripple its financial performance, and perhaps even kill it outright. Because they are rare and almost impossible to predict, black-swan events tend to fall outside the scope of most companies’ risk-management programs (assuming a company has such a program at all).
But hope springs eternal for the proponents of enterprise risk management (ERM), a 10-year-old integrated approach to managing a broad spectrum of risks. A recent spate of black-swan events, combined with an equally long list of regulatory imperatives, will now, they say, spur widespread uptake of ERM.
ERM is, above all, a strategy for overcoming the once-common siloed approach to risk management in which different people within a company focused on different kinds of risk, with little to no interaction between them. In contrast, ERM offers a “holistic methodology” for identifying, assessing, quantifying, and addressing strategic, operational, market, financial, and human risks in order to optimize the risk-return profile.
Three trends are converging that may, in fact, propel ERM to a new level of acceptance and maturity: corporate boards are under regulatory pressure to address risk management explicitly; proponents of ERM are making progress in having it acknowledged as a best practice for overall risk management; and new technologies are enhancing companies’ ability to evaluate, measure, and prioritize risks, and to test and report on their potential impact.
James Lam, president of risk-management consulting firm James Lam & Associates, has been spouting the benefits of ERM from its infancy. His prediction? “We’re going to make more progress in ERM implementations and its standardization in the next couple of years than we did in the last dozen.”
According to Lam’s research, almost 90% of global organizations with more than $1 billion in revenue either are putting an ERM program in place or, in 25% of those cases, already have a program up and running. (The figure among small companies is much lower, however; according to a 2010 survey by the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants, 45% of companies with a median revenue of $50 million have no ERM program in place and do not plan to implement one.)
For large companies, there is little choice. “There is enhanced [regulatory] scrutiny of how organizations manage risk,” says Henry Ristuccia, a partner with Deloitte & Touche and U.S. leader of Deloitte’s governance and risk-management practice. “Sitting by idly is not a solution.”