Four foundational elements frame what executive management and directors need to consider when implementing ERM – process, integration, culture and infrastructure. We discuss integration below.
The relevance of the risk management process increases if it is integrated with core management processes that truly matter. The idea is to integrate risk management with the rhythm of the business so that it can make value-added contributions to establishing sustainable competitive advantage and improving business performance.
The nature and extent of integration varies from industry to industry and company to company, and is highly dependent on the organizational structure and management’s operating philosophy and style. The scope of integration could include one or more of such core management processes and activities as strategy setting, annual business planning, performance management, budgeting, capital expenditure funding, and M&A targeting, due diligence and integration. Three integration touch points are discussed further below.
Start with an Effective Governance Process
Effective “corporate governance” provides a flexible corporate structure that manages the balance between the entity’s value creation objectives and performance goals on the one hand with the policies, processes and controls it puts in place to preserve enterprise value on the other. The objective is to position risk management to enable the organization to attain “early mover” status when the company arrives at a crossroads where its market position and enterprise value could be harmed significantly if the imminent opportunity is not recognized timely by the right people andacted upon timely. An “early mover” is a firm that quickly recognizes a unique opportunity or risk and uses that knowledge to evaluate its options before the opportunity or risk becomes widely known.
A crossroads can be encountered as a result of any number of factors including: technological advancements; a major product launch; a decision to enter unknown markets; or pursuit of a major acquisition in a different line of business. When viewed in the context of achieving balance, the risk management process clearly augments the governance process. The global financial crisis provided powerful lessons in this regard.
Integrate Risk with Strategy Setting
Unfortunately, many organizations do not integrate risk management with strategy development. It is critical to define the soft spots, loss drivers and incongruities that are inherent in the enterprise’s strategic objectives and that could dramatically affect performance and adversely impact execution. These are the risks that really matter.
Together, the two activities of strategy setting and risk assessment facilitate the articulation of the critical assumptions underlying the strategy. These assumptions often relate to such things as the global and domestic economy, competitor behavior, the regulatory environment, physical phenomena (e.g., weather), customer behavior, supplier performance and availability of effective channels.
Once these underlying assumptions are understood, management must consider relevant risk scenarios that could invalidate the assumptions and thereby impact the viability of one or more components of the strategy. This analysis identifies the vital signs that must be monitored over time.
Integrate Risk Management with Performance Management
Combining strategic aspirations, differentiating capabilities and the infrastructure needed to deliver those capabilities, as articulated by the corporate strategy, with an understanding of the risks inherent in the strategy provides inputs to the determination of key metrics and targets. It is at this point where risk management begins to intersect with performance management.
The metrics selected must enable the organization to track progress toward the achievement of strategic objectives, monitoring and mitigation of risks, and compliance with internal policies and external laws and regulations. Traditional key performance indicators (KPIs) and key risk indicators (KRIs) should converge to create a single basket of metrics.
KPIs are measures of performance developed to monitor progress toward the achievement of the strategy and the ultimate creation of stakeholder value. KRIs provide lead and lag indicators of critical risk scenarios, resulting in a more balanced mix of forward-looking indicators to complement the usual metrics around customer and employee satisfaction, quality, innovation, time and financial performance. For example, accumulated deferred maintenance in a manufacturing plant or refinery may be a lead indicator of environment, health and safety risk.
These are three examples of integration. There are others. Effective integration of risk management with the core management activities that matter can instill in the board, CEO and executive management greater confidence that the organization will be successful in achieving its strategic objectives and performance goals. Balancing aggressive value creation strategies with appropriate protection measures can and does make a difference over the long term. A concerted effort to integrate risk management with strategy setting and the management and monitoring of enterprise performance will go a long way toward helping companies strike the appropriate balance between creating and protecting enterprise value.
About the Author
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.