Now this post is going to get me killed, all the ardent fans of Enterprise Risk Management (ERM) will take their knives out and I will have to duck under the table to save my skin. However, as I am a dedicated risk activist, I shall ignore that discretion is better part of valor and commit the folly of putting my thoughts in public domain. So here are some of my radical thoughts about ERM not addressing Strategic Risk Management (SRM). For the sake of convenience and familiarity, I am using COSO ERM framework for putting my opinion forward. Let us start with the definition of ERM
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
As the definition contains “applied in strategy setting” and “reasonable assurance regarding achievement of entity objectives” it appears that COSO framework is addressing strategic risks. Now let us consider the definition of Strategic Risk Management as given by Risk and Insurance Management Society (RIMS) recently:
“Strategic Risk Management is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.”
The SRM definition clearly states that it relates to strategy formation and implementation. Secondly, it is talking about the upside of risks and not the downside of risks.
1. Confusion about meaning of SRM
The prevailing perception is that ERM is equivalent to SRM or these are terms which can be used interchangeably. However, from the definitions itself it is evident that these are absolutely two different things.
Secondly, some state the ERM facilitates in viewing risks from a strategic perspective. Even if you read research papers, there is a lot of confusion on the term. For example, in the survey of RIMS “Excellence in Risk Management VII Elevating the Practice of Strategic Risk Management” the top risks mentioned are business disruption, regulatory compliance and property. These risks can help in forming a risk management strategy for an organization. These are not risks relating to formation or implementation of a business strategy hence cannot be equated to strategic risk management. An example of strategic risk is the Swiss Air case, where the company decided to adopt a strategy of becoming a global airline and failed. In a more recent example Tata group purchased Jaguar and Land Rover to build international dominance in automobile industry and the strategy hasn’t yielded much results.
2. ERM focus is on operational, compliance and financial reporting risks
A detailed analysis of ERM frameworks indicates that they are focused on addressing tactical and operational risks. The negative aspects of risks are discussed elaborately for risk mitigation purpose. The four risk mitigation guidelines are –treat, transfer, tolerate and terminate risks. The risk avoidance strategies are mentioned in detail. The focus is normally on operational, financial reporting and regulatory risks.
3. ERM frameworks do not give methodology for exploiting upside risks
The ERM frameworks mention upside of risks but they do not give a methodology, tools or an approach to exploit these risks.ERM is considered a holistic framework, which addresses all risks. In my view, it is now become hackneyed term where all possible risks are put without appreciating the finer differences in them.
Most of the ERM frameworks do not provide detailed guidance on risk managers’ involvement at strategy formation and implementation stage. The link between business strategy and ERM is weak. Aaron M. Konarsky in his research paper – ‘Linking risk management to business strategy, processes and operations’ stated that “four in ten companies do not have formal processes to align risk management with corporate strategy”. Generally, risk management strategies are formed after business strategies are decided. The business strategy is taken as a base for risk management strategy. It indicates that frequently business strategies and risk strategies are not worked on concurrently. The risk management strategies do not explore risk as a business opportunity.
My observation is supported by the paper “Top Ten ‘Next’ Practices for Enterprise Risk Management- 2010 AICPA Survey Results” which specifies one of the bigger trends in risk management is to incorporate ERM into strategic planning process. Clearly, results are indicating that SRM is not being addressed properly.
4. Identifying Strategic Risks
For clarity purpose, conduct two mental tests to assess whether a risk comes under SRM:
1. Does the risk relate to business strategy of the organization? That is, either business strategy formation or implementation.
2. How does the information relating to the risk impact strategic decision-making of the organization?
Examples of strategic decisions are – deciding to outsource or offshore processes, acquiring an organization, developing a new product line, changing financial structuring etc. Taking the example of offshoring processes, when risk managers provide to the CEO and board information about offshoring risks, then they are doing strategic risk management.
The finer differences between ERM and SRM need to be recognized. Although the focus on ERM has increased after the financial crises, there is still a long road ahead. Major challenges said for ERM implementation is financial resources and management commitment. These two are interlinked, if management does not see demonstrated value, resources will not be allocated. Risk managers need to explore the idea of first focusing on SRM and then gradually moving to ERM. The logic behind this suggestion is that SRM is focusing on adding business value. With a good SRM initiative, management will see business value and it will become easier for risk managers to present a business case for full-fledged ERM.
A complex topic and definitely requires a few more blog posts for further discussion. In your opinion, are ERM and SRM same or different? How do you think these should be approached?
- Book: Perspectives on Strategic Risk Management – Torbun Juul Anderson
- Risk and Insurance Management Society -Excellence in Risk Management VII Elevating the Practice of Strategic Risk Management
- Top Ten ‘Next’ Practices for Enterprise Risk Management- 2010 AICPA Survey Results