Protect “crown jewels” by integrating risk management into strategy

In an environment where risks are growing – and growing in complexity – few companies are fully considering risk in their business strategies.

The percentage of companies adopting enterprise-wide risk oversight has almost tripled in three years but remains small; implementation has yet to take place in more than three out of four organisations, a recent survey done for the American Institute of CPAs shows.

Fewer companies still have integrated enterprise risk management (ERM) into their overall business strategy. Just 15% of chief executives and senior executives surveyed believe “mostly” or “extensively” that their organisation’s risk-management process is a proprietary strategic tool that provides a unique competitive advantage.

Almost half (49%) of the organisations in the survey fail to meaningfully consider existing risk exposures when evaluating new strategic initiatives. And just 35% have “mostly” or “extensively” articulated the organisation’s appetite or tolerance for risks in their strategic planning.

The survey of 618 US executives was conducted for the AICPA’s Business, Industry and Government team by North Carolina State University’s ERM Initiative. Mark Beasley, CPA, Ph.D., a professor of enterprise risk management who directs the ERM Initiative at the university, said that, at many organisations, the paths of risk management and strategy seldom cross.

“What they’ve forgotten is the fundamental relationship of risk and return,” Beasley said. “They’re hand in glove.”

Protect the “crown jewels”

Beasley recommends that businesses implementing an ERM process start from a strategic perspective. He said a senior executive team should begin risk management by listing the “crown jewels” of their organisation – the products or services that generate the most revenue. Then they must determine the biggest risks to those crown jewels, and adjust their strategy accordingly.

“If that’s all I did, I would be way ahead of a lot of companies,” Beasley said.

Instead, he said, many companies begin a risk-management implementation by focusing on the risks themselves. They start by listing the things that keep them awake at night, or by creating a list of risks to each element of their enterprise – legal risks, supply-chain risks, technology risks, etc.

They end up with a list of perhaps hundreds of risks that seem impossible to manage, and they do not know what to do about them. The importance of specific risks becomes more apparent, Beasley said, when the crown jewels are taken into account first.

Yet the first step for a company, he said, is to make the commitment to start an enterprise-wide risk-management programme. He said companies often spend a lot of time debating whether to start ERM without making a decision. But the percentage of businesses using comprehensive risk oversight is increasing.

About one-quarter (23%) of organisations reported that they have complete ERM processes in place. That’s up from 9% that reported complete ERM implementation in 2009. In 2012, 47% of organisations with more than $1 billion in revenue and 46% of public companies surveyed reported having complete ERM processes in place. This represents a significant increase in just a year. In 2011, 32% of organisations with more than $1 billion in revenue and 24% of public companies reported having complete, formal ERM processes in place.

These processes are helping organisations face an increasingly dangerous business environment. Sixty-two per cent of respondents said the volume and complexity of risks have increased “extensively” or “mostly” in the past five years. More than two-thirds (68%) said they were caught off guard by an operational surprise “somewhat” to “extensively” in the past five years.

New risks, growing awareness

Beasley said the uncertain economic environment, cybersecurity concerns, increased regulation and political uncertainty play roles in the greater volume and complexity of risks.

Despite the environment, 39% of the organisations surveyed do not have enterprise-wide risk management in place and do not have plans to implement ERM. Beasley said that does not mean most other businesses are not conscious of risk management. But many executives say they are managing risks in an ad hoc or informal fashion, and Beasley said that can lead to trouble.

“I think people are placing confidence in that kind of [informal risk management] when maybe it’s not warranted or could be overstated,” he said.

Although the percentage of ERM implementers remains low, Beasley is encouraged by their increasing numbers. But much work remains to be done, especially with regard to connecting ERM to strategy.

Beasley has talked to bank executives whose overriding objective for ERM implementation is to satisfy regulators’ demands. He advises them to think more strategically.

“Unfortunately, they’re just doing something to get the regulator off their back,” Beasley said. “And what we’re trying to do is say, ‘OK, you can do that. But you may also find some real advantage to this, in running your business.’ That’s where there’s a huge opportunity still out there, to help people see that strategic advantage.”

—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine senior editor.