It has been a decade since the Great Recession hit our country, threatening to end the American way of life through an economic meltdown. In hindsight, the 2008 sub-prime loan crisis can go down as one of the greatest cumulative risk management failures in U.S. history. When rewards increase, the risks always follow suit, a simple fact of life. But with this event bringing significant attention to the importance of risk management, how has enterprise risk management changed the way we do business to prevent such another crisis from occurring?
A recent report from North Carolina State’s Enterprise Risk Management Initiative surveyed 474 organizations’ chief financial officers or equal senior executive on the state of enterprise risk management within their organizations. In 2009, the survey reported a 9% complete ERM implementation within the organization, this has risen to 31% in 2017. This data shows progress, but the question must be asked if this ERM adoption rate is keeping pace with the growing complexity of risks faced by organizations in a technologically advanced and globalized business environment.
Protiviti, along with NC State’s ERM Initiative, surveyed C-Suite executives who were tasked with ranking thirty risks their organization faces. Respondents ranked these risks from one through ten, one reflecting “no impact at all.” The results of the survey were organized into a chart of the top ten risks for 2018 according to corporate leadership. The results are below.
Scrolling the top ten risks you will notice a wide array of areas of concern for executives. From workforce talent management to cybersecurity to organizational culture, the results show a diverse portfolio of risks needing oversight in today’s markets. Furthermore, technology advancements and market globalization have made these risks even more complex and inter-connected. A fully implemented ERM framework and culture will allow these organizations to manage any risks that threaten the achievement of strategic objectives whether they be strategic, financial, operational, or hazard-specific.
Why is adoption moving at such a slow pace when it comes to ERM?
In the end it all comes down to value. Unfortunately, risk management has a stigma of being mainly a cost center and a way to meet legal and regulatory requirements in order to do business. According to Mark Beasley, CPA, the director of N.C. State’s ERM Initiative, “Enterprise risk management continues to be viewed more as a compliance exercise than one that produces strategic value.” A precise statement showing a lack of value and respect for ERM across all organizations. Risk practitioners are facing an immense challenge to change the narrative on how proper risk management can add value to the organization over the long term. Enterprise risk management, if implemented correctly, can add tremendous value to strategic decision-making occurring at all levels of the organization. Establishing a risk aware culture within an organization adds value that goes beyond the enterprise, going as far as having a positive impact on the entire economy, and it all starts at the top.
NC State’s report showed that only 76% of financial institutions surveyed report top risks to the board on an annual basis, compared to 82% of large organizations and 89% of publicly traded companies respectively. This shows roughly 33 financial service organizations that were surveyed do not discuss top risks with executives on an annual basis. Quite startling considering this industry was where the sub-prime crisis played a key role, we would expect more adherence to risk-averse practices starting with communicating present risks that could hurt the organization.
Why is ERM always seen as a stand-alone business function?
The financial crisis brought to light how big a role risk management plays or should play in corporate strategies. However, over a decade later the data is not supporting any of this. Big banks are still not getting the memo that risk management is imperative to stopping systemic risks from impacting society as a whole. Wells Fargo is a great example of such a blunder which resulted in a complete loss of public trust. However, the company has said they are ‘re-established in 2018,’ I do not know how many people actually believe this. In institutions where greed can cloud the mind and be as contagious as the winter flu, risk management is needed not as a stand-alone check the boxes function, but one that instills risk awareness across the entire enterprise.
Risk behavior within an organization can never be changed if ERM is viewed simply in place to meet legal and regulatory requirements to conduct business. It must be ingrained within the fibers of every inch of the company, from the lowest levels to top leadership. Only then can a risk awareness culture flourish that takes ERM from a stand-alone silo to an enterprise-wide tool which increases decision-making quality and intelligent risk-taking. The main goal of ERM, one that many overlook, is to help organizations meet strategic objectives by managing the uncertainty that follows every action towards those goals. This is where risk management turns from a stand-alone cost center to a value-add decision-making tool which aids in the achievement of objectives. Looking at ERM in any other way, can be simply foolish.
What can risk practitioners do to show the value ERM brings to the organization?
There are many ways that ERM can add value to any organization if implemented correctly. From lowering loss costs to improving decision-making, value can come in many forms when speaking on risk management. A few value-add benefits of ERM implementation include:
1. Building a risk-aware culture
When enterprise risk management methodologies are attached to decision-making processes, uncertainty specific to actions can be identified and treated. This promotes a risk-aware culture where everyone in the organization is mindful of how their actions can impact the organization overall. Viewing it as a quasi-butterfly effect if you will, small actions can lead to catastrophic failures if allowed to organically grow within an organization. A risk-aware culture can bring risk to the ears and eyes of leadership who can allocate the needed resources to control uncertainty’s impact on meeting objectives, regardless of its hierarchical existence.
2. Improving Decision Quality
When ERM is implemented it leads to improved decision quality at all levels of the organization. When employees and leaders make decisions with risk in mind, they lower the risks of adverse impacts to the organization, a value-add process no one can argue with. Decision trees, Monte Carlo simulations, and quantitative analysis can improve the quality of strategic decisions leading to greater success in achieving objectives and decreasing uncertainties impact on actions taken in pursuit of said objectives.
3. Decreasing Costs
An obvious perk of ERM implementation is lowering costs for the organization. Establishing a risk aware culture across the enterprise helps everyone identify, assess, and act accordingly when risks are present. When employees have risk on the brain they make smarter decisions, look out for the greater good of the organization, and remove cognitive biases that can be toxic in making quality decisions. Costs that are not allocated to fixing problems arising from poor management of risks can be allocated to helping the company meet strategic objectives, it goes much more beyond simply lowering the total costs of risks for the organization.
Risk practitioners have a long way to go to achieving acceptance of ERM within their own organizations based on the data presented. However, there is still time to make the needed adjustments to corporate strategy to rise to the challenges of a more globalized and complex business environment. Adding value is the key to getting ERM implemented at the highest levels of the organization, because without adding value, risk management is nothing more than a cost center that is brushed off as anything more than a check the box department. The challenge is here, now is the time for the risk leaders of the world to step up to the plate and create positive change.
