The Strategic Benefits of Managing Risk

The rise in corporate scandals, coupled with recent legislation like the Sarbanes-Oxley Act of 2002, have made companies more focused on risk management. Thus, it’s no surprise that enterprise risk management (ERM), which provides a framework for analyzing and confronting risks, is a practice now widely accepted by business managers, according to a 2004 survey conducted by The Conference Board and Mercer Oliver Wyman (international consultants in financial services and risk management).

In the June 2005 Conference Board research report “From Risk Management to Risk Strategy,” authors Stephen Gates, a strategy professor at Audencia Nantes Ecole de Management, and Ellen Hexter, a longtime consultant for The Conference Board, found that 91% of those surveyed are positively disposed toward accepting ERM or are actively implementing the practice.

The researchers surveyed 271 executives, the vast majority of which (97%) are based in North America or Europe. Although the participants represent a variety of industry sectors, over half (56%) come from manufacturing or financial services. The respondents are also heavily invested in assessing levels of risk: 93% are financial or risk managers.

The survey results suggest that while executives are motivated largely by a need to comply with rules and regulations, they are also interested in the advanced uses of ERM — namely, the ability to diagnose and control risks. Over two-thirds of the board members and senior managers surveyed see risk management as an increasingly important priority. Asked what is driving them to implement ERM, 66% of the respondents cited the need to respond to corporate governance requirements, while 60% ranked understanding strategic and operating risks as important.

But despite understanding the benefits ERM offers, those surveyed say only 11% of their firms have fully adopted the practice. Why? Building an ERM framework can be costly, and it can take several years to implement — therefore, it’s understandable that many efforts are still in the earliest stages. The slow progress may also reflect competing priorities, especially for American companies responding to Sarbanes-Oxley. However, the authors believe that a lack of consensus about ERM’s benefits may very well be the biggest impediment to adopting risk-management practices.

Approximately 18% of those surveyed do take inventory of their critical risks —a basic element of the ERM infrastructure. And even such a limited risk-assessment program is helpful: Among those who do take risk inventory, 58% find ERM has helped them make better-informed decisions and 52% believe it has improved communication between its company and board.

Firms with fully integrated ERM practices are seeing even more benefits. The authors compared those in the “advanced” ERM segment to those in other companies. Both groups report that risk analysis assists them in making better-informed decisions. But the advanced group is much more likely to say that ERM also produces greater management consensus, understanding and agreement on key risks: 83% versus 36% for all other companies. Those in advanced-group companies also reported higher levels of increased management accountability and enhanced governance practices. The authors hypothesize that these advanced companies view risk management as a central discipline, as opposed to a rote process necessitated by regulations that could account for these advantages.

Companies all tend to begin measuring operating risks before they contemplate strategic risks. Financial risk comes first, Ellen Hexter explains, because “as business-people, we’re more comfortable when something can be quantified. But engaging in strategic risk management — doing scenario planning, for instance — helps us focus in on the ‘what if’ issues. These directional guides or indicators give us a sense of a risk’s likelihood, its potential impact and how critical an issue it is to a company.”

The case for using risk-management techniques to facilitate making strategic decisions is compelling for several reasons. An ERM approach helps communicate risk. One of its initial steps — identifying the top 10-to-15 risks within a corporation — lets managers understand that the same risk is often identified differently throughout a company.

And having consistently defined risks allows companies to build greater management consensus. Senior managers’ perspectives are heavily influenced by their units’ work, so they will often disagree when trying to determine which risks are most important. But since ERM allows them to define risks along the same parameters, they can then agree on which risks have the greatest companywide impact. For instance, Norske Skog, a Norwegian producer of newsprint and magazine paper, has an ERM framework that includes a modeling component that lets managers compare the likelihood of different projects succeeding. It helps group managers assess whether projects fit the risk profile of their individual group and, at a higher level, managers can evaluate the risk profile of a business unit and see how different units compare.

Finally, having greater consensus lets companies make better-informed decisions. This can lead to quantifiable results. One company, for instance, after it better understood the risk-reward tradeoffs involved in a venture decided to invest in something it had initially passed on. The venture turned out to be the company’s best-performing investment that year.

The question is how do you make ERM succeed? Even the most advanced ERM companies continue to face conflicting concerns and insufficient resources. Therefore, say the authors, it’s essential that executives or senior management champion the program, because their support will help employees take ERM seriously — to see it not as just another layer of bureaucracy but as part of the company’s operations and culture.

For more information, contact Sgates@audencia.com or Ellen.hexter@conference-board.org.