Ever-changing and ever-expanding business needs prompt a thorough reconsideration of the risk oversight process. A recent update to the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) enterprise risk management (ERM) framework offers new ideas as to how a business's value can be preserved, or even enhanced, by incorporating and examining risks right from the strategy formulation stage.
This approach elevates ERM from an operational- and compliance-focused information-gathering and reporting model by making it much more strategy focused so it can add value for organisations. Implementing the change poses a challenge in itself, as organisations, especially larger ones, tend to be reluctant to redefine their existing ERM process without a clear cost/benefit analysis with manifested added value. (See the sidebar, "From Theory to Practice," below for a list of steps that can help guide the implementation process.)
This raises the question of how risk management professionals can persuade decision-makers to integrate risk management insights identified through the organisation's ERM process with strategic planning, particularly when the added value cannot be quantified, as is the case with risks prevented or averted.
Many would agree that corporate governance is improved in organisations that adopt more sophisticated ERM systems and that there is a direct correlation between the maturity of the ERM system and the robustness of the entity's oversight and governance.
The outcome of maintaining the status quo — that is, not connecting ERM with strategy and performance and not changing any business processes accordingly — could be to cause a critical failure that proves too costly for any company to bear, even on the most remote basis. Examples abound of corporate strategic crises caused by emerging risks that disrupted the organisation's core business model. In other cases, surprising low-probability but catastrophic events — "black swans" — have proved fatal to companies when they do materialise.
Companies find integrating risk into strategy to be a significant challenge, according to research conducted as part of the Association of International Certified Professional Accountants and North Carolina State University's Enterprise Risk Management Initiative for the 2017 Global Risk Oversight Report. Fewer than 20% of organisations in Europe and the UK or in the US surveyed for the report believe their risk management processes provide a unique competitive advantage. Only about 50% of respondents from around the world agreed with the statement, "Risk exposures are considered when evaluating new strategic initiatives."
Globally, there is a disconnect between enterprise risk oversight and strategy execution, the research concludes.
Foreseeable events and risks are best addressed at the start of the strategy and business planning process. Leaders need to take into account the company's risk appetite and the external business context as strategic opportunities are considered. For example, if my risk appetite for global expansion is high, then I will be willing to pursue my strategy for expanding into a particular country even if there is political instability there. A company with a lower risk appetite might decide to reframe the strategy to limit expansion to a "safer" group of countries.
The updated COSO framework recommends coordinating the ERM process with the strategy formulation dimension. Predefining and integrating risk at the strategic planning level would be truly preventive in nature as it would spotlight risks at an early stage before they become much bigger problems. New business models or major corporate initiatives would have to be evaluated to see not only if they fit the company's risk appetite, but also whether they are aligned with its mission, vision, and values. It would be important to consider "what if" scenarios at the inception of the new business model to tally up all risk considerations that could potentially materialise given the chosen model or initiative.
Implications to consider
Let us look at the example of entering a new market, which would be considered a major strategic initiative. What would that decision entail? We will focus here on implications for the chosen strategy and prospects for deviations from the company's set objectives if significant risk considerations are not handled properly.
Geopolitical and economic
What is the political and business environment that the company would be operating in, and what are the consequences of such a venture? Is the country considered to be a high or low political and/or economic risk? If entry into this market is ultimately deemed viable, what are the next steps required to examine these risks further and develop appropriate responses? Risk considerations might include the potential for shifts in political ideology or trade policy, among increasing geopolitical uncertainties.
What is the true cost of doing business in the given environment? Take, for example, a country that has an unfavourable score in Transparency International's Corruption Perceptions Index. How would a foreign manufacturing company set up end-to-end supply chain manufacturing processes to minimise or avoid risk to reputation and the brand? What is the country's security risk? What steps are required to ensure employee safety in high-risk countries?
Depending on the circumstances, the new market entry proposal might get the go-ahead, with the company accepting the identified risks and/or minimising them to the extent possible.
It is important to integrate both the tangible and intangible risks of market entry into the strategic decision-making process to ensure that the right and holistic business decision is made and that the appropriate action is taken upfront to handle those predefined risks accordingly. If this does not happen, mitigating risks on a post factum basis is likely to involve much greater effort and investment.
Key issues and challenges
In practice, elevating the ERM programme and embedding it in the strategy formulation process requires the following conditions to be in place:
The first step would be to convince decision-makers that this enhancement is indeed a step in the right direction for the company. Whoever is responsible for governance in the organisation, including risk management, would have to present a business case, setting out the incremental changes, and receive proper approval for its implementation from top management. The challenge here would be to demonstrate and persuade that the tangible and intangible benefits will indeed outweigh the perceived cost of that change. It boils down to demonstrating that unique competitive advantage.
Each significant change will impact the way employees conduct their activities, and processes would have to be adjusted. One important element of this could be the creation of a direct interface between the strategy and ERM functions to establish and promote structured and regular interaction and the sharing of risk and strategy information. This would require those departments to collaborate on an ongoing basis and, thus, also help overcome the silo mentality.
Tone from the top
Senior management's sponsorship of and commitment to the change will be crucial to the proper implementation of the process. Without the right tone from the top, the integration of risk and strategy is unlikely to succeed, with potentially damaging consequences. What is even more important is to repeat, and follow up with actions, the message that management is not only committed to embedding explicit risk considerations in critical business areas related to strategy but is also serious about the programme and its ongoing success. This is by far the most important aspect of a successful implementation.
But what happens when you encounter roadblocks involving lack of co-operation from management? "We need to be bold and utilise different available escalation mechanisms when a matter has a seriously detrimental impact on the business as a whole," said Bob Hirth, COSO's chairman emeritus.
Collaboration and transparency
Without an open-book policy and sharing of relevant and adequate information, the system will not achieve its full potential. In organisations that are spread all over the world, the information flow between key employees could be impeded, posing a further challenge for risk managers. The ERM and strategy functions would have to closely collaborate to share knowledge and competencies and, consequently, become undivided business partners. Similar collaborations need to be advocated at all levels of the organisation to promote an open-book policy and culture.
From theory to practice
The following steps outline how to implement incremental changes in an organisation's strategic planning and risk management processes:
Step 1: Stakeholder analysis
Identify stakeholders to the strategic planning and risk management processes and align their interests early in the process. This will facilitate smoother implementation of risk and strategy and help prevent hiccups in later stages. Consultations with stakeholders and subject-matter experts will ensure a well-thought-out process that will have a greater chance of success. Agree to have regular discussions focused on resolving issues or removing roadblocks throughout the process.
Step 2: Communication
Communicate the benefits of proactively considering risks when designing strategies, and provide regular updates on the implementation of the process. If communication regarding embedding ERM in the strategy formulation process can be reinforced with signals from the top, this will give the need for risk and strategy integration additional credibility and a necessary sense of priority. Engaging employees from affected departments will help to crystallise the final process concept.
Step 3: Policies and procedures
Review existing policies and procedures, if any, and make necessary adjustments to help encourage the flow and timing of risk and strategy information to key stakeholders. If existing documentation is out of date, an overhaul might be needed. This is a good opportunity to take a fresh look at the written version and how that might differ from current practice.
Step 4: Training
Training should also be offered to ensure that all employees understand the enhancement and the rationale behind strengthening the integration of risk information generated by the ERM process with strategic planning. This can reinforce what is required during the execution stage and when.
Step 5: Revisions and execution
Before setting things in motion, a sanity check might be needed to ensure that the updated approach to integrating risk information with strategic planning will work. Surprises often crop up at every stage of the implementation, even after a successful execution phase. Once the upgraded system is working smoothly, a consistent and systematic feedback and quality-review process can ensure its sustainability. If the ERM process enhancement is not providing the desired outcome, corrective action will be needed.
Mike Skorupski, CPA, CGMA, is corporate head of ERM at Siemens Gamesa Renewable Energy in Denmark. To comment on this article or to suggest an idea for another article, contact Jack Hagel, an FM magazine editorial director, at Jack.Hagel@aicpa-cima.com.