In Search of Standards
Governance issues aside, ERM would get a major boost if it were widely regarded as an industry standard for best practices. “We are not talking about a one-size-fits-all standard, since risk management is part art and part science, and organizations differ by geographies, markets, business lines, and organizational structure,” Lam says. “It can, however, be an industry-by-industry standard, customized by companies within a given industry.”
Leung bemoans the current lack of an ERM standard. She points out that if a company decides that ERM is the responsibility of the audit committee, you end up with an ERM strategy that is functionally oriented to audit; if it decides to hand over the responsibility to the chief operating officer, then ERM is functionally oriented to operational risk. “One of the struggles is a need for a standard — not a regulatory standard, but something that defines what ERM is and what its goals are,” she says. “Without this, we have too many varying definitions. Consequently, at Alliant Credit we have had to create our own standard.”
Having a standard for ERM would allow comparisons against competitors. “A CFO who goes to the board and says, ‘I need $5 million to reduce our exposure to cyber-risks,’ will have a much better case to argue if he or she can also say, ‘This is what most of our competitors are spending and it is a best practice,’” says Wharton’s Michel-Kerjan. “The beauty of standards is they help you to think more comprehensively. The challenge is, who is going to be responsible for establishing them? Will we see big consultancies establish them? Establishing accounting standards is easy compared to establishing risk standards.”
“Clearly, we will have a framework to help the C-suite make better decisions,” says Deloitte’s Ristuccia. “As business analytics improve and a clearer sense of the risk dimensions emerges, this creates a framework for discussions within organizations that they can apply to their own strategies.”
By having a standard and adhering to it, companies will be more attractive to investors, lenders, and even buyers, says Bill Ingram, director of construction risk engineering at insurer and risk-management services provider Zurich Services. “If you can demonstrate that you have identified and analyzed risks according to a best-practice standard, you have an advantage over competitors that do not closely hew to the standard,” he explains.
WorldPay’s Donner cites the COSO ERM framework as a good place to start. “It’s really just best practices broken into two parts — a process for identifying, evaluating, and prioritizing risk at the enterprise level in a particular industry, and agreed-upon principles for managing these risks on an ongoing basis.”
Lam says that one key to spotting the next black swan is to conduct more stress testing and “what-if” scenarios using the newest business-analytics technology.
Leung uses such software to model risks and quantify their impact from a frequency and financial severity standpoint. “You can’t do this manually; you need a tool,” she says, with a caveat: “Even the best modeling technology is useless if you haven’t first figured out what your risks are across the enterprise.”
Figuring them out is one thing, monitoring them is another. “Things are never static, so you need business intelligence on risks that flows in real time to senior stakeholders to enhance their decision making,” says Ristuccia. Michel-Kerjan agrees: “We’re living in a just-in-time world, where we want and need everything at our fingertips. Anything that has risk dimensions needs to be plugged into a BlackBerry and made viewable in a dashboard.”
Country Financial’s business-analytics system does just that. The insurer worked closely with Aon Global Risk Consulting to develop a toolkit that supports data-gathering, analysis, and reporting. The toolkit includes an approach for determining tolerance for key risks from an individual and an enterprise perspective. It supports quantitative approaches to understanding risk, as well as the risk transparency and oversight responsibilities of management and the board. “We collect enterprise-level risk data by the minute so we can formulate a plan accordingly,” says CFO Magers.
Finally, for companies that manage to get all the aforementioned aspects of ERM into place, Lam has one more suggestion: link executive pay to specific risk metrics. “It’s rare to see a tight linkage between compensation and risk management,” he says. “One of the key proposals in Dodd-Frank is to tighten this linkage. It’s coming.”
And so, no doubt, are other black swans.
Russ Banham is a contributing editor of CFO.