Resilient, dynamic and relevant: ERM in a new risk environment
November 2020 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
November 2020 Issue
Perhaps one of the very few benefits the coronavirus (COVID-19) pandemic has bestowed upon the corporate world is to illustrate to companies the business benefits of managing risk from an enterprise-wide perspective.
Such is the role of enterprise risk management (ERM) – the importance of which has become increasingly clear these past months as COVID-19 wrought havoc across the globe and brought companies in many countries to their knees.
Prior to COVID-19, too many companies paid little more than lip service to the notion of ERM. But now, as umpteen businesses go to the wall, solutions are being sought to help facilitate more effective risk management between and across disparate functional areas. ERM allows companies to both manage risks and seize opportunities.
“ERM takes a holistic view of risk,” explains Jahmiah Ferdinand-Hodkin, a partner at Gowling WLG. “It ensures there is a corporate-wide focus to the identification, assessment and mitigation of risk. It does not rely on silos when it considers organisation risk or needs. It also has an extremely broad definition of risk that does not limit the risks considered to those with purely negative consequences. This allows organisations to consistently review and revise their risk tolerances and risk appetite for various kinds of risk while considering how risks compile or interact.
“This is especially important given the way COVID-19 illustrated how one event can impact multiple types of risk,” she continues. “ERM allows companies to plan for and implement policies and procedures that promote the corporate goals for the specific period and readjust as goals change, for example income stability progressing to aggressive growth.”
Ken Radigan, chief executive of the Professional Risk Managers’ International Association (PRMIA), believes that COVID-19 has also highlighted the importance of undertaking scenario analysis to fully understand how an event like a pandemic may impact various aspects of a business. “ERM tries to understand all of the risks faced by a company, including emerging risk,” he says. “Each risk is carefully analysed to understand potential exposure, likely loss given the occurrence of the risk and probability of the risk occurring. One of the biggest challenges in this analysis is in fully understanding how the risk may impact various aspects of the business.”
In Mr Radigan’s view, for the majority of companies, COVID-19 will likely lead to losses in the following areas: (i) business continuity costs, including any additional cyber security costs associated with working in a remote environment; (ii) financial losses associated with an economic downturn; (iii) financial losses associated with a decrease in equity and bond markets; (iv) health and life insurance costs for any employees impacted; (v) cost to refit office space to allow for social distancing, masks and hand sanitation; (vi) potential directors and officers liability exposure; and (vii) potential general liability exposure.
“Unfortunately, it often takes a major risk event to make risk real,” opines David Tattam, founder and director of research and training at the Protecht Group. “The difficulty is being able to provide a dynamic, real-time view of risk. In my experience, many companies suffer from ‘it will not happen to me’ syndrome. A comprehensive and truly integrated ERM system provides the ability to capture, map and report risks in real time and, most importantly, involves one source of data truth and multiple uses of that data at each level of an organisation.”
ERM: key principles
When adopted as a mechanism through which risk can be managed, ERM provides companies’ risk practitioners with a suite of principles, tools and techniques to respond to COVID-19-related disruption. According to Mr Tattam, the following key principles provide the bedrock for an effective ERM programme.
First, by being enterprise wide, a complete view of the organisation is obtained. This supports a complete view of the impact of disruption rather than a siloed one. In addition, using a common library of risks across the organisation allows relevant risk information to be aggregated for board review, while allowing a more granular view within divisions and business units.
Second, the interconnectivity between risks is critical to understand in a crisis. COVID-19 was not a risk in itself. The issue was how it impacted many existing risks, such as cyber, workplace health and safety, and human resources, among others.
Third, when performed correctly, ERM should have a strong linkage to the organisation’s critical processes and, in turn, the strategic and business objectives. Understanding how a crisis such as COVID-19 will impact a range of risks and how those risks will impact critical processes and the objectives of the organisation will ensure that critical risks are managed effectively.
Fourth, a strong ERM framework should include the tracking of leading risk metrics, such as key risk indicators and key control indicators. These are critical in making sure risk management is proactive and forward looking, which is vital if a company is to be adequately prepared for the next disruption.
Fifth, business disruption type events such as COVID-19 have a low likelihood of occurrence yet very large potential consequences, and in order to understand these potential disruptions and ensure a company is adequately prepared, a strong scenario analysis process is required. This explores potential extreme scenarios and tests whether a company will be resilient against each type of disruption.
Sixth, the controls assurance component of ERM is often poorly executed, yet is one of the most important components to ensure that controls are in place to make companies resilient to disruption and provide confidence that key controls will work when called upon.
Finally, a company’s ERM reporting needs to be dynamic and integrated in order to give employees and all stakeholders an up-to-date and comprehensive view of extant and emerging risks.
“Scenario analysis is useful in identifying areas that would have the most significant impacts and to see if there is anything that the company can do in advance to try to mitigate those impacts,” suggests Mr Radigan. “Economic capital modelling can also help a company to understand if it has sufficient capital for the aggregate risks it is facing. It allows the company to study, in advance of the occurrence of the risk, how it may be able to adjust its risks or adjust its capital.”
Avoiding tick box
To combat risk, as well as identify new opportunities for innovation, companies need to develop an ERM programme that facilitates more effective risk management between and across disparate functional areas.
“Pre-COVID-19, many companies had very robust ERM programmes that went well beyond a tick-the-box activity,” says Ms Ferdinand-Hodkin. “Unfortunately, some did not. However, I have been impressed by many of the programmes that companies have had in place in the years prior to COVID-19. From my perspective, one of the key ingredients to a functional and effective programme is the demonstrated level of importance management places on the programme and how integral and prominent a position the programme has in the corporate culture.”
For Mr Radigan, a correctly implemented ERM programme should never be just about ticking boxes. “The reason for a risk management analysis is to gain insight and make changes to operate more efficiently,” he explains. “Every company realises that it faces risks, and that those risks may actually lead to an insolvency. And while no company can protect itself from every possible risk, ERM helps to answer some of the most fundamental questions.”
CRO perspective
Despite the volume and types of risk (geopolitical, regulatory, cyber and technology among them) having risen exponentially in recent years, the role of a chief risk officer (CRO) still has something of a low profile. However, for many, the CRO may now be the most important person in the company.
According to Mr Radigan, the CRO role is essential. To be effective a CRO needs to be: (i) someone who has ultimate responsibility and accountability for the company’s risk management; (ii) a single depository where the various risks that are faced by the company can be identified, analysed, mitigated and monitored; and (iii) a single area that can study how the various risks that are faced by the company may be correlated.
“I would argue that a CRO is on par in importance with any other executive management position,” says Mr Tattam. “When one considers the required mandate of the role, to be able to independently review and challenge every material decision made across the business at every level, a CRO is vital.”
ERM: post-pandemic
Such has been the impact of COVID-19 on companies across the globe that the need for ERM is now unquestionable. It should be an essential component of any company’s risk management toolbox, both now and in a post-pandemic world.
“Nothing creates appreciation of the benefits of a programme better than an example everyone has experienced,” believes Ms Ferdinand-Hodkin. “COVID-19 has illustrated the benefit of planning for compounding risks and has highlighted the importance of an agile programme. I predict that companies will have a renewed interest in their risk management programmes and will be looking to find creative ways to improve efficiencies, speed and processes in order to utilise ERM as the building block to a comprehensive risk programme.”
And while still a relatively young profession, ERM can certainly be said to have matured considerably in 2020. “Most companies did not have a dedicated risk department 25 or 30 years ago,” notes Mr Radigan. “However, every financial crisis that we have faced over the last 30 years has highlighted the need for proper risk management. We now understand the losses which may have been avoidable. We also understand how we can take certain actions to mitigate the risks that we are exposed to.”
Clearly, at a time of immense disruption, there is consensus that the business case for ERM has been made. “COVID-19 has thrust risk management to the front of the world’s eyes and the world is listening,” says Mr Tattam. “ERM has an opportunity to engage and become more embedded in the day-to-day operations of our organisations, rather than being an afterthought or a separate function.”
© Financier Worldwide
By Fraser Tennant