Risk-Taking in Challenging Times: Why Risk Management is Essential to Business Strategy
Corporate & Finance Alert
June 2, 2009
What is ERM? Enterprise Risk Management, or ERM, is essentially a risk-based approach to operating an enterprise. At its core, it is a method to identify and understand the broad range of risks that face a particular organization, develop the organization’s risk profile, and integrate this risk identification, assessment and monitoring into the organization’s strategic plan.
Why is ERM necessary? The economic crisis and its widespread effect on all industries have brought the importance of risk management into sharp focus. In recent months, the public has scrutinized the failure of management and boards of directors to properly identify their companies’ risk profiles and to understand the far-reaching ramifications of these risks for their decisions.
Stakeholders, such as owners and investors, must know that the entity in which they have invested has adequate procedures in place to identify risks to its business, and to monitor and manage those risks, so that decisions are made with a thorough understanding of their effect on the entity’s business. Stakeholders must also know that there is a process in place that provides accurate and complete information to management from each of the company’s business units, so that all risks can be identified and assessed. A sound ERM policy does not increase management’s or the board’s aversion to risk; rather, it provides a fully developed system so that the decisions of management and the board are based upon a thorough understanding of the risks inherent in each decision.
What is the role of Management and the Board of Directors? Management in any organization deals with risks on a day-to-day basis and is best positioned to identify and manage them. Logically, the responsibility for the design and implementation of a risk management process rests with management. Management must conduct a comprehensive review of all aspects of the company and identify all material risks affecting its business, including operational, financial, liquidity, legal, compliance and reputational risks. Then, management must establish a process to manage and monitor these risks. To be successful, an ERM policy must be a fundamental part of an organization’s overall corporate strategy. Management must ensure that the risk management policies and procedures it designs and implements are effective, so that adequate, accurate and complete information from all areas of the organization reaches management and, as necessary, the board.
The board’s responsibility is one of oversight. The directors should not be involved in the day-to-day tasks associated with risk management. Boards should review the processes designed by management and should do whatever the board determines is appropriate to confirm that all relevant risks have been identified and that the processes and the monitoring and testing of these processes are adequate and fully integrated into the company’s long-term strategy. Above all, the board must be satisfied that management’s strategic decisions and the board’s discussions and review of these decisions consider fully the information developed and received from this risk identification and assessment process.
What type of ERM policy is best? There is no standard definition of ERM, no established procedure for implementation, no “one-size-fits-all” model; however, regardless of the type of industry or size of the organization, ERM should be an integral component of every organization’s strategic plan. It provides the necessary framework for management to deal effectively with uncertainty, recognize opportunity and appreciate the risks that come with this opportunity. Regardless of the particular framework chosen by management, the ultimate methodology remains quite constant: (1) identify all material risks facing the organization, (2) implement effective risk strategies that respond to the risks identified, (3) integrate risk management into company-wide decision making practices and (4) develop procedures that convey relevant information concerning the risks to management and, as necessary, the board of directors. An effective and comprehensive policy should provide information to management and, as appropriate, the board, so that together they can develop and implement a long-term business strategy based upon fully informed, prudent decisions.
Is there an effective approach to implementing an ERM policy? Studies now show that a traditional, segmented approach to risk management is not as effective as a holistic approach. A segmented approach to risk management, or a “silo” approach, treats categories of risks separately. Executives and management are now implementing integrated approaches to risk management, which recognize the overlap and interdependence of the various components of the company’s business including industry and community, the different risk categories inherent in each of these components and the effect each risk may have on the company’s business. It provides an enterprise-wide framework within which management and the board can decide to take risks with full knowledge of their short-term and long-term effects.1 In short, management is no longer left assessing various risks in separate vacuums.
Which type of organizations benefit from ERM policies? Risks threaten businesses of all sizes and today’s volatile economic environment only heightens these risks. Large or small, public or private, an organization’s ability to anticipate problems, shift strategies and thrive in changing economic environments is directly related to the efficacy of its risk management procedures. ERM is not about eliminating risks. Prudent risk-taking is essential to creating stakeholder value. Decisions must be made with a full knowledge of the risks inherent in these decisions. So long as an organization’s business faces risk, a risk management policy is critical to its long-term success.
1 For a detailed discussion of the shifting approaches, see Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework, September 2004, www.coso.org, New York, NY.