Paul Harwood considers enterprise risk management and discusses how to optimise the second generation of this method and make the right choices
Enterprise risk management (ERM) has become increasingly important to the running of firms over the past decade. It has been supported by regulators and other governance authorities, yet few practitioners appear convinced that ERM has added value.
Notwithstanding the assurances, attestations and certifications, do boards and managers feel they are running better businesses as a result? Given the resources, authority and access that has been afforded the risk management function, stakeholders should by now be feeling comforted by a well-embedded risk management process. Boards and managers have never had so much knowledge at their fingertips.
The IFoA's annual Risk and Investment Conference has never formally and thoroughly addressed the question of the value added by ERM. Under the surface, there are glimpses from those who question it, as commonly practised. In reflecting on these conferences,
I concluded that the first generation of ERM has established firm foundations that can now
be built on.
I suggest that second-generation ERM should consider a specific business plan first, and only then address the management decisions that ensure this is met in a range of varying circumstances. This allows a rehearsal of management decisions - 'When will we act? How effective can our intervention be?' - and an understanding of the plan's sensitivity. As time passes, the environment and the decisions can be tracked for their impact on the results.
The scrutiny of possible management decisions allows for their refinement in advance and an understanding of the extent to which risks can be managed. The tracking demonstrates whether management action is making a practical difference.
In summary, second-generation ERM is about 'better decision making' (BDM ERM) which adds value when its users, primarily boards and managers, are confident that they are overseeing, or making, quality decisions. BDM ERM connects risks and actions more directly than hitherto. It is a continual process.
The business plan
The anchor for BDM ERM is the business plan, the board's required outcomes on specified assumptions, which will be achieved because management makes good decisions. This plan reflects decisions already made (the business model, the strategy), decisions that are largely already made given the business's culture and organisation (how do we handle project X?), and decisions yet to be made (do we launch into a new market?).
The BDM ERM business plan may not be the standard profit and loss and solvency projections that regulators require, but should set out the outcomes that the board is commissioning its chief executive to deliver. Doubtless, the impact of many of the decisions will be sales/expense/profit related, but there should also be room for qualitative outcomes, for balance sheet outcomes, for outcomes that don't arise evenly.
Testing quality
How do you test, at plan stage, the quality of decisions already fully or partially made? Achieving an outcome depends on what managers decide and the prevailing environment. By considering how outcomes might differ from those planned, each accountable manager can focus on the outcome's sensitivity and sensitivity drivers: the causes, contingent management action and possible changes in the environment can be better understood. The manager can reverse engineer action plans to understand the impact on the outcomes and therefore gain a deeper understanding of the likely results.
How do you test new decisions? The expected impact of a new decision will either already be part of the plan, or part of the process of making the decision. The risk manager can work with the accountable manager to flex not only the assumption set but also the decision set, to understand the sensitivity of the decision and the factors that need to be managed to deliver the required outcome. Indeed, the McKinsey Quarterly in 2013 reported two interesting results on executive decision making. The first suggested that it was six times more effective when an alternative was considered alongside management's preferred decision. The second suggested that confirmation and overconfidence biases drive poor decision making, and that these biases can be addressed by assessing downside risk and stress testing (as per BDM ERM).
The risk manager's role in BDM ERM is crucial. In addition to working with individual managers with business plan accountability, the role includes the collation of the threats to the plan overall and the identification and challenge of weaknesses that span individual business plan areas. As a result, the risk manager can assert to the board, for director challenge, the circumstances in which managers are confident that they will achieve the plan, and when a different outcome will be achieved.
Once the BDM ERM plan has been agreed by the board, the risk manager tracks the progress of the plan and the key parameters. Hence, the business always knows the extent to which the plan will be met (or the extent to which the plan does not match the factors that actually drive performance). It should then be clear whether performance arises from quality decision making or is independent of management action.
The BDM ERM risk manager is the guardian of the decision-making process and is responsible for broadcasting the expected consequences of decisions made. The risk manager will be expected to know if the plan will be met. The analysis of this is likely to entail projection deficiencies, estimation errors, random positive and negative impacts.
Criticisms of BDM ERM
"This is simply a representation of existing ERM: good ERM systems do this already."
BDM ERM does rely on many elements of first-generation ERM: this is a strength. Where it differs is that it views risk exclusively through the lens of business plan outcomes. This approach anchors risk discussions to real things, and drives challenge and accountability, not just by the board and management, but by the risk manager, who now has to understand the plan will be met, or know why it will not.
"Some risks would not feature on the business plan."
This is an interesting point. If a risk would not affect the plan and has no impact on the business's outcomes, should it be considered at all? The obvious risks here are identified black swans, those that no one saw but that would be catastrophic. These should be covered in the assumption set: the board should see the impact of, say, a liquidity crisis on businesses outcomes.
ERM to date has generated information in volume. BDM ERM distils this information by focusing it through the lens of the business plan to establish the sensitivity of outcomes. As the plan is effected, the outcomes and assumptions are tracked, post decision. Thus, we will understand whether the decisions made supported the outcome or were irrelevant to it.
BDM ERM is a tool for non-executive directors to be assured that their business is managed to deliver the plan commissioned by the board. It also helps managers to review existing, and consider new, decisions to ensure outcomes. In both cases, the value added by BDM ERM should be evident.