The 2017 ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) highlights the importance of integrating risk management in setting strategy as well as in driving performance. We recently coauthored a paper for COSO titled “Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management” based on the COSO ERM Framework to help boards and executive teams understand the role of ERM within the organization.
Reflecting our continuing work at DePaul University’s Strategic Risk Management Lab, as well as our work with boards and executive teams, the paper includes overall guidance and an outline of tangible steps that can be used by CFOs to help develop an effective ERM program and to develop effective briefings on ERM initiatives for boards of directors.
SF: Your paper describes a strategic risk assessment process. What are the key advantages for a company in using this process for CFOs, boards of directors, and executive teams?
MLF/RJA: The strategic risk assessment process aligns risk assessment directly with the key strategies of the company (see Figure 1). The process uses the Return Driven Strategy framework in step 1 to understand the strategies of the organization, the Strategic Risk Management framework in step 2 to gather data and views of strategic risks, and strategy maps in step 6 to communicate the strategic risk profile and action plans. This brings significant benefits to the executives and board members. First, it makes the risk assessment process very clear and understandable for executives and boards by clearly showing the relationship between the risk assessment and key strategies of the company. This positions the risk assessment as a valuable and practical undertaking, rather than a theoretical or conceptual exercise.
Source: Adapted from Mark L. Frigo and Richard J. Anderson, "Strategic Risk Assessment," Strategic Finance, December 2009, bit.ly/3m1b4vv, and Strategic Risk Management: A Primer for Directors and Management Teams, 2010.
Second, the process results in the identification of a manageable number of key risks rather than a laundry list of all possible risks facing the company. In our work, we would often find ERM functions had produced long lists of risks, which are difficult for executives to have to prioritize and address. The strategic risk assessment process not only produces a manageable number of risks, but it also facilitates prioritization as the risks can be directly related to the key strategies of the organization. We also find that the types of strategic risks identified by this process merit the attention of boards and executives.
The strategic risk assessment process is also fully consistent with the 2017 COSO ERM Framework, adding credibility to the process and providing a practical way for an organization to implement and adapt the 2017 COSO guidance on ERM.
SF: What are some examples of companies using effective ERM that you think would be most relevant to today’s turbulent environment?
MLF/RJA: One of the best examples for today’s environment is the case we titled “Thinking the ‘Unthinkable.’” If we’ve learned anything over the past 10 years, it’s that extreme risk events occur much more frequently than any models have predicted. Given that, boards and executives need to spend time thinking about the potential impact of extreme risk events on their companies, such as we have experienced during the recent pandemic.
Our COSO paper reviews how an audit committee faced the prospect of low-frequency/high-severity risks. They added four annual meetings to focus on risk and ERM: one on cybersecurity, two on selected risk topics as circumstances dictate, and a fourth devoted to a discussion of “unthinkable risks.”
Another example is titled “The Strategic Planning Group as Owner of ‘Black Swan’ Risks.” The process discussed in that example shows a strategic planning group responsible for a formal process to identify black swan risks. There are two key aspects of this process. First, there is a formal process for assessing and identifying these risks, not just periodic guesswork. Second, this risk identification process is aligned directly with the strategic planning process.
Our COSO paper discusses a major manufacturer’s strategic planning group for its black swan risk process: “The planning group identifies and assesses ‘improbable’ risk events. The risks identified are then communicated and discussed with their internal risk committee. The strategic planning group also considers the possible impact of these risk events on the organization’s long-term strategic plans. Finally, the risks, possible impacts on the organization’s strategies and business activities, and the related risk management actions are then reported to and discussed with the Board.”
A third case in our paper is titled “The Integration of Strategic Planning and ERM.” Many organizations are now rethinking their strategies in response to the pandemic. This will inevitably introduce new risks and opportunities to the organization. Accordingly, it’s even more important for organizations to integrate their ERM process with strategic planning to identify, assess, and manage the new risks that will result from their new strategies. The COSO paper discusses one such integration: “[E]ach executive risk owner prepares a risk map of the risk(s) that they are responsible for. The strategic planning group then reviews the risk maps and considers the risks as they relate to the organization’s strategic plan. The risk maps are updated prior to updating the organization’s strategic plan so that the risks can be considered as management and the strategic planning group update the strategic plan.”
SF: What are the barriers to boards and executive teams in implementing the 2017 COSO ERM Framework, and how can they overcome those barriers?
MLF/RJA: The biggest barrier we’ve seen in advising clients was the lack of understanding of the true value and benefits of ERM. Or, as executives would ask, “What is the real benefit we will get out of an investment in ERM?” Often, behind this question was a view that ERM is a separate staff function not really involved in the business of the company. These views can raise significant barriers to successfully implementing an ERM initiative.
The 2017 COSO ERM Framework directly responds to these issues and provides an opportunity for executives and directors to better understand ERM and its related benefits. Our COSO paper includes a section on “Keys to Success” that details seven themes for executives and boards to leverage in forming the foundation of a successful ERM initiative.
The real value of an ERM program is in adding value to an organization by assisting management and the board to make better decisions about the strategies and related risks facing their organizations. The ERM process can provide valuable information on strategies and associated risks, helping executives make better decisions to increase positive outcomes and reducing negative surprises.
ERM isn’t a stand-alone staff function but rather a process that must be integrated fully into organizations’ existing budgeting, planning, and performance measurement processes. As our paper notes, an ERM effort can be initiated with existing staff without the need to staff a separate function.
SF: What are some common mistakes executive teams and boards make in understanding and implementing ERM, and what can be done to help avoid those mistakes?
MLF/RJA: A common mistake is for management to create a separate, stand-alone function that isn’t really integrated into the organization. In some cases, management or the board may feel that they need an ERM person or function to show appropriate diligence, but then the function is left as a separate staff function. Often, in these situations, management can also put in place a head of ERM who isn’t at a high enough level in the organization. The lack of stature of the head of the risk function will reinforce the view that the activity is just another staff function, unrelated to the real running of the business.
Another common mistake is to focus excessively on the technical aspects, such as modeling, of an ERM function and to overlook the value of the actual output. Some view ERM as a checklist of activities or just a process to identify risks and not a core process of the organization. Finally, another error is to try to implement someone else’s ERM processes or to simply try to implement a model, such as the frameworks by the International Organization for Standardization or COSO, without any tailoring or modification for their specific organization (see “Risk Management Frameworks: Adapt, Don’t Adopt,” Strategic Finance, January 2014).
An effective ERM leader is essential—someone who is widely respected in the organization and knowledgeable about the business and its strategies, and who has the resources and support from management and the board to accomplish the ERM effort. We also note that while ERM technical processes and modeling may be useful for certain risks or larger organizations, technology or quantitative models aren’t necessary to launch an effective ERM initiative.
Effective implementation requires an iterative, step-by-step process that is carefully tailored to fit the culture of the organization. Our experience is that taking a heuristic step-by-step approach allows the organization to understand at each step what works or not and to then tailor the ERM to ensure its success.
SF: Given the recent pandemic and work-from-home trend, there has been greater concern about cybersecurity risks facing companies. What’s your advice to boards and executive teams in this area?
MLF/RJA: Cybersecurity risks are important issues at the board level, especially during the recent pandemic and with the increase in cybersecurity breaches worldwide. While these risks have attracted a lot of attention, many companies still see it as simply an IT problem. We believe a process for assessing and managing cybersecurity risks as part of the strategic management of an organization is needed. Forces of change in information technology and the ever-increasing cybersecurity threats facing organizations create major challenges for understanding how to identify, assess, and manage these risks as part of the strategic management processes of an organization. For this, we recommend applying the seven-step strategic risk assessment process in our COSO paper and related frameworks to develop a cybersecurity risk profile and cybersecurity risk action plan.
THE ROLE OF THE CFO
CFOs and the finance organization have a great opportunity to lead successful ERM initiatives that can truly help the company create long-term sustainable value. Using the strategic risk assessment process, they can take the necessary steps in aligning ERM with strategy and performance, thereby developing a more resilient organization.
This article is part of the Creating Long-Term Sustainable Value series launched by the Strategic Finance October 2018 article (see Mark L. Frigo, with Dominic Barton, “Creating Greater Long-Term Sustainable Value”).
January 2021