The first truly global financial crisis has revealed the inherent weaknesses in the traditional approach to enterprise risk management, and the extent to which companies' current ERM processes and controls continue to place them in jeopardy.
Just as poorly planned and executed risk management capabilities contributed to the collapse, so now are they impeding the recovery. Effective risk management has always been about finding the right balance between prevention and proactive value generation.
Risk management processes failed on both counts. Not only did they fail to prevent the snowballing economic crisis; once that crisis set in, the balance shifted too far in the other direction. From taking too many risks, companies decided to take none, and the credit markets essentially ceased to operate.
The goal of a new generation of ERM solutions must be the full integration of risk management with the operating model, performance goals and decision-making frameworks of a business—the layers of day-to-day accountability within the organization as well as the bigger rules and governance structures by which it operates. Enterprise risk management and enterprise performance management are really two sides of the same coin, and they need to be held together in a kind of constructive tension.
This tension frequently tests the limits of the entrepreneurial spirit each company needs to drive growth. To be sure, those limits must be firm and unambiguous. But there are times when a strong risk management capability should encourage a company to probe those limits. With closer integration, the risk and performance sides of the organization are kept in sync, working together toward a common goal.
What Went Wrong?
How and why did supposedly sophisticated risk management processes and systems fail so badly? There is no single explanation. Instead, a number of factors came into play.
1. Complexity and Speed
If there was anything unique and unprecedented about the market collapse of 2008, it was the speed at which events occurred, completely outpacing the ability of companies' internal systems and risk management capabilities to keep up. Companies tracked risk, to be sure. But like a home with old wiring, organizations with out-of-date risk management circuitry were overloaded by market events as the situation spun out of control.
2. Fragmented, Incomplete Information
An effective response to a certain kind of risk—market, credit, liquidity or operational—depends on rapidly gathering, aggregating and making sense of information from both internal and external sources. Most companies, however, struggle to derive insights from their internal information systems and to evaluate the impact of external events on their operations and business.
Leading organizations today are seeking ways to improve their ability to use internal information to drive more effective decision making and also to monitor external events to evaluate "contagion risk"—things happening with markets, business partners or other companies whose problems might then ripple into their own organization.
3. Non-integrated ERM Capabilities
Fragmented information that impairs a company's ability to identify and mitigate risks in a timely manner is, in part, a reflection of the fact that few companies have truly integrated ERM capabilities.
Just 8 percent of the companies surveyed in the recently published Accenture High Performance Finance Study indicated they have a fully integrated risk management capability that is used uniformly across the enterprise. Slightly more than a fifth of them (21 percent) reported that their approach uses few risk management tools or a largely decentralized, standalone and manual process that relies primarily on spreadsheets (see chart).
One of the effects of a non-integrated ERM approach is redundancy, which leads to increased costs. Indeed, the expense of meeting risk management challenges is rising at a time when budgets are tight already.
Respondents to a second recent Accenture ERM study—this one on enterprise risk management and based on a global survey of more than 250 CFOs, chief risk officers and other risk executives across multiple industries—feel that the costs of their risk management capabilities have increased dramatically.
More than a quarter of the executives noted cost increases of between 25 percent and 50 percent; 14 percent cited increases of greater than 50 percent (see chart).
Companies need a more integrated approach to ERM—one that closely involves the business units in defining the risk management services that will enable better business decisions and support business strategies that are both bolder and less risky.
4. Inadequate Enterprise Performance Management Capabilities
Just as most companies have been slow to provide integrated ERM, so do they struggle to deliver effective and integrated enterprise performance management capabilities. Only 20 percent of respondents to Accenture's most recent High Performance Finance study described their enterprise performance management capabilities as "advanced."
What that means from a risk perspective is that companies cannot adequately focus the risk management organization on what exactly it should be doing to drive better business performance. If a company can't effectively manage performance, it can't adequately measure and manage the risks associated with that performance.
5. A Compliance Mindset
Regulatory compliance is certainly a critical component of good risk management. But if compliance becomes the only or dominant mindset of a company when it comes to risk management, it may compromise the company's ability to respond to today's marketplace risks. Accenture's ERM study shows that the vast majority of executives do indeed see the value of their risk management function primarily in terms of its impact on compliance (see chart).
But compliance alone cannot effectively define the risk management function or derive optimal value from it. Compliance tends to breed a top-down risk management environment and a merely reactive culture focused on ticking boxes on a checklist rather than proactively looking for ways to improve performance.
6. Inadequate Governance Structures and Risk Cultures
In a world of chronic volatility and data overload, it is not enough just to have information systems generating data. At the onset of the current economic crisis, the data was there. What was lacking was the judgment, governance and effective escalation processes capable of translating the data into action.
There must be management processes in place that establish effective controls and oversight so that risk mitigation is not the responsibility of just a few individuals, but actually expresses the will of the entire organization.
The New ERM
The risk management challenges facing companies around the world are clearly multifaceted. That means the solution must also be broad—covering not just an organization's processes and technology but also its leadership and culture.
A new and more effective approach to risk management must be both comprehensive and cost efficient. It must have the kind of reach and specificity needed to restore public trust and enable business growth, while also delivering the cost savings that are critical during these challenging economic times. It must support the constructive tension needed to simultaneously set limits on entrepreneurial activities and encourage that sense of entrepreneurship—helping people take reasonable risks to fuel growth and better business performance.
1. Taking a More Comprehensive View
In light of the lapses that contributed to the crisis of 2008, the best word to describe the new approach to risk management needed to protect and advance companies is perhaps pervasive.
Risk management must pervade the operating model of the business: into the kinds of meetings and reviews that are held and the questions that are asked; into governance and decision-making processes; into the training people receive, the management and leadership behaviors expected throughout the organization, and the rewards structures in place.
Effective enterprise risk management departs from the fragmented and compartmentalized solutions already in place at many companies. It offers a holistic view of the enterprise designed to identify and understand a variety of risks, and then feed that understanding into the growth engine of the company.
The new ERM embraces the two critical facets of any risk management activity: loss prevention and risk mitigation, the control-based aspect that focuses on negative events; and the strategic and entrepreneurial aspect, which focuses on aligning risk and reward to better evaluate risk in pursuit of business advantage.
Such a pervasive and integrated ERM approach is the exception today and not the rule. About 8 percent of the companies that responded to Accenture's ERM survey say they have attained such a goal. Information technology architectures are one significant constraint here. About 40 percent of the respondents use standalone technology solutions for risk management that are often mutually exclusive. Only 23 percent have a fully integrated IT architecture to help manage risk (see chart).
According to the Accenture High Performance Finance Study, an integrated ERM approach drives better business value. Companies that have successfully implemented this approach are more likely than their less-successful peers to say that their risk management capabilities have a high or extremely high positive impact on their enterprise's financial performance (35 percent versus 27 percent). These companies are also significantly more likely than laggards to be satisfied or very satisfied with their company's overall management of financial and non-financial risks (79 percent versus 33 percent).
2. Achieving Better Focus and Specificity
One risk management strategy that sounds compelling is the effort to quantify risk through a metric or index, but this can take a company down the wrong path. Such an approach can decrease a company's risk management awareness because it does not provide the level of specificity needed to guide an organization toward specific risk areas. To know that your "risk management index" has risen 2 points may be interesting, but that kind of information is seldom actionable.
Indeed, one of the lessons of the subprime crisis is that many investment banks focused on a single performance measure—the firm's ultimate business performance—instead of on how the company was performing across the various risk areas identified. Companies need more transparency into their overall portfolio so they can diversify their risk capital needs and improve their performance.
One way to achieve this transparency is to use more diverse and sophisticated key performance indicators than just return on investment or return on equity. A series of risk-adjusted performance measures are also now critical to linking risk and performance. These measures help managers at the corporate and business-unit levels to act as shareholders by explicitly linking their decision making to value creation.
With a richer, more detailed risk profile, a chief risk officer can work with the business units to set priorities and, even more important, to put in place the staff and structures needed to work within the boundaries set by the risk identification process. Risk management must be articulated down to the actual behaviors required of relevant people in the organization.
Simply creating a risk inventory isn't enough. Risk management must be embedded in the organization's structures, roles and accountabilities. When it is, then a monitoring system or dashboard has meaning: One can look at various scores and take action, because they are at the necessary level of specificity.
3. Providing Better Data
All effective controls depend on the quality of the data provided: "Garbage in, garbage out," as the saying goes. In our experience, companies that have achieved risk management mastery have attained a high degree of granularity in their data. Again, this is in part a matter of operating according to the necessary level of specificity. Companies need the right information, in the right granularity, at the right moment to assess risks and take action.
One technique used by Accenture is what we call Continuous Controls Monitoring, or CCM, which uses information technology to mine the full range of a company's transactional data to assess risks and provide business insights. CCM improves compliance efficiency, but also can reduce costs and increase profitability by measuring the efficiency of internal processes and identifying such things as payment errors.
Continuous Controls Monitoring also improves overall risk management capabilities, because the monitoring process is based on 100 percent of transactional data instead of just a small sample. Typically, auditors—both internal and external—manually sample and review only a small portion of the total transactions and then use that data to project the overall results. CCM executes controls against the entire end-to-end business process. The result is a higher level of confidence and a reduced level of risk.
4. Creating a More Effective Risk Management Culture
A risk management organization is essential, and the work of the executive in charge—a chief risk officer or the equivalent—is now more important than ever. If risk management does not have a prominent place within the overall corporate agenda, and if it is not regularly reinforced at the highest levels of the company, it will not have sufficient power to drive the business in the appropriate direction. The chief risk officer should be a trusted and empowered member of the executive team.
At the same time, the market collapse of 2008 should also serve as a warning to companies that simply having a chief risk officer in place isn't nearly enough. The entire organizational culture must support the kind of detailed awareness needed to effectively manage risk. Successful risk management depends on an organization's people—all its people.
Companies must become much more rigorous in the analysis necessary to set a baseline cultural assessment and then measure progress toward a more effective risk culture. One asset at organizations' disposal is a more detailed framework for creating role-specific risk profiles.
This framework enables comparative assessment of the risks associated with any role—both the risk inherent in the role itself and the level and degree of risk managed. The risk assessment then helps identify those roles within the organization with which there is the greatest degree of risk associated, and therefore those for which controlling and remedial actions are most needed.
Another specific area to be addressed is the performance management structure, especially with regard to incentives. One pervasive problem in organizations is that performance targets are focused on the short term and thus do not encourage behaviors that create long-term, sustainable value.
The answer is to achieve a greater level of specificity—actually charting a new set of desired behaviors against the operating procedures needed to encourage those behaviors. The total rewards package can then be recalibrated to reflect a better balance of base and at-risk pay, lengthening the timescale over which deal quality is assessed and rewards paid out.
With a stronger culture and with better processes, technologies, controls and leadership in place, the chosen level of risk tolerance can be implemented consistently across the enterprise. When people know that a foundation of risk controls is in place, they have a better sense of their limits but can still be appropriately venturesome.
Effective risk management is more than simply a matter of mitigation, compliance and control, as important as these processes are. Risk and reward optimization must be embedded into the business lines and into the transaction and portfolio management processes so that companies can meet their long-term business goals.
By balancing risks and rewards—balancing enterprise risk management and enterprise performance management—companies link risk and profitability objectives, which can improve strategic capital decisions and increase shareholder returns. Companies can better coordinate risk measurement, capital allocation, performance assessment and management across the enterprise. Today, more than ever, organizations must be able to use the information derived from their risk management capabilities to make better decisions and drive high performance.
About the authors
Mark Foster is Accenture's group chief executive of Management Consulting and Integrated Markets. In addition, he oversees the company's industry programs and High Performance Business Integration initiative. Mr. Foster, who is a member of Accenture's Executive Leadership Team, leads the company's involvement with the World Economic Forum. He is a member of the board of the International Business Leaders Forum of the Prince of Wales Trust, which supports business development in the developing world. Mr. Foster is based in London.
Daniel T. London is the managing director of Accenture's Finance Performance and Management service line. Mr. London, who is based in Atlanta, has extensive experience in strategy, business architecture, systems integration, business transformation and outsourcing engagements across multiple geographies and industries.
Eva Dewor leads Accenture's global Risk Management group. With a background in the insurance sector and more than 14 years' consulting experience, her client work focuses on enterprise risk management, risk and regulation, reinsurance, finance and performance management, and financial transformation. Ms. Dewor is based in Munich.
How Vale Centralized and Integrated Risk Management
Vale, one of the largest private-sector companies in Latin America and the second-largest diversified metals and mining company in the world, has successfully implemented an integrated ERM program. Through an aggressive program of mergers and acquisitions, Vale altered its revenue composition and increased its total debt exposure from $4 billion in 2004 to $20 billion in 2007. The new ERM processes and systems were designed to address three areas in particular: market risk, credit risk and operational risk.
Market risk is managed by an effective governance structure involving the board of directors and an executive risk committee. This was a quick win that helped gain executive buy-in for the more difficult activities that were soon to come. Credit risk management was centralized, giving the function more control over company cash flow; a single tool to measure and monitor credit risk was also put in place.
Finally, to mitigate operational risk—the source of most risk for non-finance companies—Vale needed to improve its system for allocating and sharing resources across the enterprise and enhance its ability to monitor the risk exposures that might translate into financial losses within its operations.
The solution was to align business strategy with operations, provide for a centralized allocation of capital to cover expected losses, define a corporate insurance policy, and control and monitor performance through an iterative and continuously improving system.
Vale's CFO was the primary sponsor of the centralized and integrated risk management program, which has enabled the company to manage multiple levels of risk under the same structure.
Its new ERM program has given Vale stronger compliance capabilities while enabling the company to avoid succumbing to a narrow compliance mentality. Improved, integrated risk management has bolstered Vale's operating performance, resulted in better capital allocation and enhanced the company's reputation and brand value.