Enterprise risk management (ERM) should aim to fill the strategic advisor role, which is the most valuable role, said Jim Fitzmaurice, Executive Advisor at Corporate Executive Board (CEB), because “the strategic advisor focuses on improving risk-informed strategic decisions.” Fitzmaurice, who advises both CEB Audit Leadership Council and CEB Risk Management Leadership Council, was the first of two speakers at the August 26, 2014 webinar on Black Swans and Reputational Risk sponsored by the Global Association of Risk Professionals.
Fitzmaurice began by showing how the evolution of ERM has been a progression in the prominence of its role and a concomitant increase in the business value it adds. ERM was initially a simple information aggregator, which became a process steward, then a strategic controller, with a focus on measuring the risk profiles of products and business lines. The evolutionary apex is the role of strategic advisor.
Fitzmaurice presented results obtained in the wide-reaching CEB 2013 State of ERM Survey. In this survey, 78 percent of respondents said a top objective of ERM should be to “enable risk-informed strategic decision making”—in other words, ERM should aim to become a “strategic advisor” within its organization.
But there’s resistance from other executives, Fitzmaurice noted. “We’re not going to bring [ERM people] into the room because they kill things!” was his paraphrase of one response. Another respondent, a CFO, said, “We do not include ERM… since [they] can reduce the creativity in business planning.”
It’s a misplaced sentiment. ERM can deal with the risks that matter most, Fitzmaurice argued. The top 20 percent of Fortune 1000 companies identified the top three risks they face: (i) decline in core product demand, (ii) poorly executed merger or acquisition, and (iii) competitor infringement on the core market. These are strategic risks, and Fitzmaurice argued that ERM needs to be welcomed as a strategic advisor, with commensurate power, to address these risks.
“Decision makers need support,” Fitzmaurice emphasized. Companies could double their growth rates if they could make better decisions.
The CEB survey found that the top two impediments to swift action to drive growth were difficulty making the decision and being unable to execute opportunities.
Fitzmaurice said that developing the organizational risk culture is an urgent priority. He noted, “according to KPMG only one-third of audit committees are satisfied that they truly hear dissenting views.”
The credit rating agency giant Moody’s concurs. In December 2013 Moody’s stated, “enhancing risk culture is one of the most credit-positive actions management can take, but is also one of the hardest things to implement and to observe.”
The risk awareness gap is substantial. “Employees show varying levels of risk awareness across the organizational hierarchy.” Only 30 to 40 percent of non-management employees responded positively to four risk awareness questions posed by CEB.
Fitzmaurice said it’s no wonder there’s growing volatility and interdependency in the interconnected risk landscape. There’s regulatory fragmentation, a greater intensity of information (think: big data), a shortening of the economic cycle, hyper transparency, and an enterprise that is widely stretched due to outsourcing and shared service agreements. “If this diagram looks confusing to you, that’s the point,” he said, regarding the complex schematic of the changing risk landscape.
What do the leaders in the ERM world do differently? He summarized the four-pronged winning approaches that CEB has identified:
Insight: improve the critical thinking and root-cause analysis skills of ERM staff “so they can identify and monitor leading indicators of risk;”
Influence: share best practices with customers, and align risk management clearly with company objectives;
Informed: ensure that the next generation of leaders are highly risk-aware and “embed risk discipline into strategic processes;” and
Integrity: “increase employee trust in company response to misconduct.”
According to Fitzmaurice, an organization needs to clearly articulate the risk appetite, which he defined as “the overall amount of risk a company is willing to accept in pursuit of its strategic objectives.” It is distinct from risk tolerance.
A clear risk appetite leads to optimized business performance; it will help achieve expectations of external stakeholders; and it will support ERM. And a healthy ERM will improve the quality of strategic decision-making.
The webinar was titled Black Swans, Reputational Damage and Strategic Risks: The 360-Degree ERM Solution. Jim Fitzmaurice’s portion covers slides 1 to 19.