
The ERM Tipping Point


This release was originally published on the IIA site and has been reproduced with permission.

With growing business disruption from natural and deliberate causes around the world, what will it take to tip the scales from professionals constantly promoting enterprise risk management (ERM) to leadership teams demanding ERM programs that drive material incremental value? When will we reach the tipping point where the majority of Canadian companies see ERM as essential to strategic success?

A number of recent Canadian and American surveys show a minority of companies believe they have reached a high level of ERM maturity. What these surveys often do not capture is the perception of how well the ERM value proposition is being achieved in the eyes of the board of directors and senior executives. I know several ERM success stories that have added tremendous value to stakeholders; quite often these companies also lead in their industry and have great leaders throughout. However, I also continue to see many ERM attempts fail to achieve their true potential.

Over the last 15 years I have directly or indirectly overseen ERM initiatives for a global consumer packaged goods company and a high-growth utility. I must admit that in the early years I witnessed more failures than success stories. Experience has taught me some valuable lessons in how to optimize the value of ERM.

The ERM Value Proposition—The Sweet Spot

There is a definite sweet spot in enterprise risk management, where three things intersect. The first is having your executives and board buy into the ERM value proposition. The second is having expertise in the art and science of ERM. The third is when ERM practitioners develop a strong comprehension of the strategy and operations of the business.

Here are some secrets to ensure your enterprise risk management program succeeds:

Negotiate support before you take the ERM leadership role

If you join a company with leadership or a board who are not sold on the value of ERM, you have a small window of opportunity to pitch your value proposition. In fact, the best ERM leaders do this in the interview process. If you join a company with a senior executive or board sponsor who believes in your value proposition, you will have more time to deliver value — but be careful not to take too much time.

Create an ERM plan that maps strategy to risk, to your value proposition and to continuous wins over the short term and long term.

I have seen great ERM leaders lose support from leadership and the board because they put too much focus on initiatives that are either not perceived as value-added or that are so complex that the return will take too long to deliver. When you create your ERM plan, make sure you can deliver on your value proposition in some way each quarter. This may be by emphasizing the enhanced preparedness to mitigate strategic risk, or how this has enhanced your capability to take even more intelligent risk. For example, oil and gas companies that planned how to deal with a $30-a-barrel oil price are much better prepared than those who did not even think about the possibility. Those who invested in merger, acquisition and integration capability may also be able to take intelligent risk by acquiring and integrating other energy companies at a discounted price.

Always quote strategic imperatives in ERM communication

You will never go wrong when you remind leadership and the board of what they already know is critical to success. The best ERM practitioners I know proactively research and benchmark to discover insights related to risks that are impacting their particular industry and competition. Then they provide this information to leaders to help them make better decisions.

If your ERM function is too focused on the how versus the what, it may fail.

I have attended events where the presenter spends the entire time explaining how the organization created a great process or system implementation without once mentioning what this did to add value to the business. Enterprise risk management leaders need to make it as easy as possible for executives and the board to recognize the value being provided to the business. This requires you to constantly market your value-added work. Never assume that anyone really understands the value that risk management can provide a business.

Most leaders must take risks, but many don’t proactively prepare for what to do when things don’t go as planned

It is very important for ERM practitioners to constantly remind themselves of this. The more we learn about the science of risk management, often on the heels of failure, the more we know about the advantages of being prepared. I believe seasoned business leaders, who have witnessed failure several times, are the best risk managers. They will never forget failures or near misses and intuitively invest in being prepared. So never assume a new recruit from university will have the same level of risk management wisdom. Many universities still don’t teach students how to manage risk effectively and efficiently.

The best ERM leaders know how to always keep the executive and board alert and focused on optimizing agility to deal with emerging risk

I think one secret to success is spending the majority of your time identifying new, value-added ways to manage and address future strategic risk, versus thinking about what has already happened. In today’s world, there will always be new and emerging risk we are not prepared for. Cyber security is a great example of an emerging and constantly changing risk that will impact companies for the foreseeable future. Effectively mitigating cyber risk usually requires a different strategy for every type of business, and often many layers of controls are required for protection.

Businesses with mature risk management programs find it easy to define risk appetite and tolerance.

Many companies have failed in the past because leadership undertook more risk than the board or the average company in the industry would have approved. However, if the board does not define risk appetite and tolerance, the leadership may not know how much is too much. One of the most famous examples of this is the Lehman Brothers collapse in 2008. The market crash was linked to the housing crisis and sub-prime mortgages. Lehman Brothers went bankrupt because the firm’s leadership was taking more risk than the board was even aware of or would have approved. Since then, all U.S. banks must have a board-approved risk appetite statement. I believe risk tolerance will become easier for companies to define as they develop mature enterprise risk management functions. A mature risk management program means leadership has built ERM into how they build strategy and make decisions. Also, the more education board members receive on ERM, the easier it will be for them to define risk appetite and tolerance.

Promoting and marketing the value of risk management must be a conscious and consistent strategy.

Assume all leaders and board members do not truly understand or value enterprise risk management. To help educate them on the value of ERM programs, provide concrete examples of value-added wins and find opportunities to discuss relevant but material risk management opportunities with them. A very successful Canadian business leader recently asked me why there wasn’t a course on ERM when he went to university 30 years ago. My response was that risk management has always been part of decision-making, but enterprise risk management has just evolved as a formal business practice over the last decade. In the past 30 years, the world has seen many new risks emerge, such as disruptive technology and terrorism, and the pace of change is faster than ever. He agreed and added that it would be critical for enterprise risk management to be taught in all universities going forward. This would definitely help achieve the tipping point.

Richard Arthurs is an MNP Partner and National Leader of Governance and Risk Management in the Enterprise Risk Services group. He is the Chair of the Institute of Internal Auditors (IIA) Canadian Thought Leadership Committee. Richard is also a facilitator of the ERM course for the Institute of Corporate Directors, Directors Education Program.