Stephen Roberts, Eddie McLaughlin and James Maxwell describe the elements that make up best practice

Enterprise Risk Management (ERM) has developed over the years to mean widely differing things to different people, and there are a multitude of standards and guidelines.

Marsh has considered these and the experiences of the hundreds of clients we have worked with to arrive at a comprehensive definition of ERM: ‘A structured and embedded approach that supports the alignment of strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties an organisation faces as it creates value. An effective ERM framework equips the organisation with quality management information to enable risk-aware decisions to be made with more confidence.’

ERM is therefore fundamentally about the pragmatic use of risk management as a tool to increase management effectiveness. In the current economic climate, the demand for a more comprehensive approach to risk management to ensure that risks and opportunities are systematically identified and responses are developed has never been greater.

Issues to which ERM seeks to respond include:

• business planning and strategic objective setting

• new market entry including country/political risk

• product launch

• acquisitions and joint ventures

• major projects

• decisions around outsourcing

• key contracts

• sub-contractor relationships and supply chain considerations.

What are the building blocks?

There no single consensus on what steps are required to achieve effective ERM. The implementation of an ERM approach usually means progress over time, and can be considered in terms of a position along a maturity curve. As organisations move along the curve, their risk management practices become more sophisticated, embedded and integrated into business decision making.

For a variety of reasons, organisations may not strive to reach the highest level of maturity along the curve. These may include budget or resource constraints, or the organisation’s risk management culture. However, there are elements of best practice across all three phases of development that organisations should look to deploy where appropriate:

1. The organisation’s risk tolerance (risk appetite) is formalised

Unless an organisation considers its ability and willingness to pay for deviations from expected expenditure as a result of risk-related events, it is difficult for senior management to understand the point at which a risk becomes ‘material’. Understanding the risk appetite level enables informed decisions as to whether there is any particular need to initiate or escalate a risk mitigation action, change an approach to a business issue or re-allocate capital, resource or investment. This should occur for all logical organisational levels, such as group, division and business unit.

2. Scope of risk register is group wide

Risk registers have a tendency to be heavily operational in content and coverage. But for an organisation to understand the entire risk footprint it faces, identification and documentation of risks needs to be comprehensive in nature, and cover strategic, operational, financial and hazard risks. In this light, risks that must be considered to achieve such comprehensive coverage include those relating to joint venture participation, significant contracts, key customers, key suppliers and subcontractors. All are needed to ensure that the board understands the true risk profile of the business.

3. Top risks quantified

More and more companies are using statistical modelling to quantify risks both along a probability curve as well as, where appropriate, calculating a financial value for the risk should it transpire. Being equipped with a tangible value for impact and probability of risk allows not only a more accurate understanding of how to manage it (capital allocation, risk financing strategy, reserving), but also for better communication of the risk across the organisation. It should of course be borne in mind that all risks are not readily quantifiable. The outcome of any statistical analysis should carefully interrogate underlying assumptions and not act as a substitute for management judgement.

4. Responsibilities and action plans assigned to top risks

A common failing in improving risk management is that the process can become dormant relatively quickly if it is limited to the creation of risk registers and the production of a report. As the organisation builds its risk management practices, a vital means of embedding risk management is through systematically allocating responsibility for risks, confirming an agreed mitigation response and following up rigorously to ensure that necessary actions have been taken. The board should receive appropriate updates on how the risk is being managed on an on-going, pro-active basis, and the board’s views on what is reported to them should be fed back to the business as a matter of course.

5. Risk management framework tailored / embedded and communicated

To ensure that the ERM framework becomes an embedded management tool that gives the organisation confidence that both existing and emerging risk are being captured and managed, it is essential to establish risk reporting policies, procedures, formats and communications channels. The key to success is that the framework is consistent with the existing organisational structure and appropriate to its needs. Some organisations have purchased off the shelf risk management frameworks in an effort to meet their risk management and reporting objectives. This approach can be attractive, but in practice, simply using a ‘bolt on’ will not ensure that risk management and reporting practices become embedded as required.

In alignment with this principle, the organisation may choose to adopt a risk management information system (RMIS) to further enable its risk management activities. While a RMIS can be an efficient tool to enable uniformity in approach to risk management across an organisation, technology should be not be viewed as a panacea for risk management within the company. Implementation of technology must therefore be supported, by effective communication channels and processes, underpinned by the appointment of individuals (sometimes known as ‘risk champions’) who have the time, resources, training and organisational sponsorship they need.

6. Use of key risk indicators

As key performance indicators are an everyday methodology in monitoring the success of the company against set objectives, key risk indicators (KRIs) are a highly effective method to monitor the status of a particular risk as well as the success of the chosen mitigation strategy. KRIs are therefore a way of either predicting (through leading indicators), or detecting (through lagging indicators), a change in the likelihood or impact of a risk, or that the effectiveness of controls has changed. By establishing KRIs the organisation becomes more agile in its preparedness and response to the risks it faces. A comprehensive system of KRIs and triggers (sometimes called a ‘risk dashboard’) can give senior management and the board the confidence they need that risk is monitored on an ongoing basis, and also that appropriate escalation procedures are in place.

7. Risk management policy statement

In order to efficiently govern the risk management process, a formal risk management statement which describes the positioning, approach and application of the company’s risk management is required. This is then used as a method to communicate the board’s risk management expectations within the organisation. Some organisations also choose to make public disclosure of their risk management policy, the key risks they face and how they are managed. This is of increasing importance as stakeholders are using the existence of risk management as one litmus test for effective business management.

The key message

The key message for any organisation is to ensure that ERM does not become a separate exercise to the dayto- day business, but is rather integral to normal business management and decision making processes. In this way risk management can be used as a proactive tool, helping the organisation to have a better chance of achieving its objectives.

The ERM maturity curve and best practice criteria in Figure 2 highlights an approach to ERM decision making. Organisations that actively move themselves towards a state of readiness in this regard should be well positioned to reap the rewards.

Standard & Poor's (S&P) begins to incorporate ERM into its credit ratings process

S&P announced in early 2008 that it had completed a consultation exercise and would begin developing a methodology for considering ERM within its ratings process for application from mid to late 2009. 'we expect that deterioration or improvement in a company's ERM quality would potentially drive rating and outlook changes before the consequences are apparent in published financial results. Companies with superior ERM should have less volatility in earnings and cash flow, and will optimise the risk/return relationship.' Standard & Poor's Ratings Direct. The major challenge in the interim has been arriving at a definitive view of the ERM practices that S&P will be looking for, and these are expected during the coming summer. Meanwhile, S&P has issued examples of the questions it expects to ask during management meetings with issuers.

This development may have several implications for public companies, including:

There will be independent assessment of the strength of ERM practices within organisations, and the results of such assessments may be publicly disclosed.

Organisations will be closely benchmarked against peers within their own sector, and indirectly, other organisations and sectors.

The relationship between investment in an effective ERM process and its tangible value to an organisation will become far more acute (and measurable) than in the past, as the financial effect of a ratings downgrade or upgrade may be dramatic and far-reaching.

Organisations that are prepared for and can take advantage of these changes will enjoy a significant competitive benefit over their peers.

A trusted, independent assessment of ERM capability would be of interest to many other stakeholder groups.

The sample questions that S&P have indicated they will be raising are:

What are the company's top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?

What is management doing about top risks?

What size quarterly operating or cash loss has management and the board agreed is tolerable?

Describe the staff responsible for risk management programmes and their place in the organisation chart. How do you measure success of risk management activities?

How would a loss from a key risk impact incentive compensation of top management and on planning/budgeting?

Tell us about discussions of risk management that have taken place at the board level or among top management when making strategic decisions.

Give an example of how your company responded to a recent 'surprise' in your industry and describe whether the surprise affected your company and others differently.