The Color of Risk


by FEI Daily Staff

Enterprise risk management (ERM) is an important strategic framework that also requires skilled, tactical execution of its precepts.

Risk is everywhere: on your balance sheet, hiding within vendors and bubbling up in the employee lunchroom. One of the few tools available to financial executives for monitoring these varied worries is an enterprise-wide risk management program.

For many who lived through the economic crisis that engulfed global markets in 2008, a key lesson was that while ERM is an important strategic framework, it also requires skilled and tactical execution of its precepts. That is much more challenging than originally thought, especially when it comes to having a plan in place for mitigating low-frequency, high-impact “black swan” events that can wipe out a balance sheet overnight.

This caused companies, and industry as a whole, to take a fresh look at ERM frameworks and review how they are applied. Combined with an increased regulatory focus on risk management, the roles of the chief financial officer (CFO), chief risk officer (CRO) and chief audit executive have been elevated as companies strive to fine-tune their risk management processes to support a more profitable business.

Janet Nasburg joined Intuit Inc. as CRO six years ago, following 16 years at Visa Inc., where she had served as senior vice president and controller. Upon joining Intuit, known for its flagship products QuickBooks, TurboTax and Quicken, Nasburg was given a mandate to implement an ERM program at the company. Intuit, founded in 1985, currently has annual revenues exceeding $4 billion.

“Like most companies, Intuit’s ERM journey began with risk management practiced on an ad hoc basis,” says Nasburg, noting that ERM is now ingrained at the leadership level of the company. The company employed an “ERM Maturity” model to benchmark the progress of its ERM program.

The most effective ERM programs, says Nasburg, leverage the process to build a sustainable, enterprise-wide risk management capability that evolves to address emerging and changing exposures. “The process is foundational but will not enhance strategic decisions if risk management capability and accountability is not built into how leaders operate,” Nasburg adds.

“Fostering a culture of risk awareness and risk management goes beyond assessments and frameworks,” notes Nasburg. “At Intuit, we have incorporated performance measurement and innovation as critical components of Intuit’s ERM program to strengthen the link between risk management, decision-making, strategy formation and operational execution.” Making ERM part of the fabric of the company is crucial, she adds. “Our business leaders have built a regular rhythm of risk management capability throughout the company.”

Renee Yozzi, strategic and enterprise risk senior manager at Benjamin Moore & Co., notes her company was proactive in creating an ERM functional lead to drive the development of a more formal and enhanced approach to ERM. “The goal was to create a robust and sustainable program,” Yozzi says.

As a result, the ERM program at Benjamin Moore, a privately held company owned by investor Warren Buffett, “has already had an impact in bringing the discussion of risks to the table regardless of whether or not it is in the context of a risk discussion,” says Yozzi. “It has become, and will continue to become, an integral part of the company DNA and culture.”

Cost — or Benefit?

Traditionally, some observers — generally those not directly responsible for ERM — have viewed it as a cost of business, aimed at what the company ‘can’t’ or ‘shouldn’t’ do, to avoid risk of loss.

But that is only part of the story, experts say.

“The objective of ERM at Intuit is not only to help the company avoid risks, but to help the company manage risk through action and to enable embracing uncertainty,” says Nasburg. Significantly, she notes, “In order to be successful, risk cannot be mitigated entirely. Managing risks intelligently allows Intuit to make better and quicker decisions considering both the risks and rewards of strategic decisions.”

“ERM creates and protects value for Intuit,” Nasburg adds. “Key performance indicators (KPIs) and key risk indicators (KRIs) are used to measure risk exposure and risk management progress against established targets,” with some of the benefits being:

• Providing visibility into business line risks to aid understanding of the cumulative impact of these risks on Intuit as a whole;

• Enabling the company to drive focus and allocate resources to the highest-impact work; and

• Driving the development and adoption of enterprise standards and best practices.

Intuit’s ERM program is integrated into strategic planning by design, says Nasburg, with principles such as ‘innovation’ and ‘customer delight’ used in an effort to engage senior management and other business leaders across the company. Feedback is also sought from internal customers on how ERM can add more value, and this internal feedback loop strengthens the framework, according to Nasburg.

Intuit conducts an annual ERM assessment, which feeds information on identification and assessment of top risks into the strategic planning process, Nasburg says. “Business leaders are expected to be explicit about the effect these risks can have on their ability to achieve business objectives and align resources to manage the exposure.

“Businesses must also ensure alignment with company-wide risk management strategies,” says Nasburg, who recommends that regular reporting on the status of top risks be provided to senior leaders and the board.

When Benjamin Moore looks at risk management, says Yozzi, “There is no question that the discipline is viewed as a value creator that will support the business in achieving its goals by thoughtfully weighing risks vs. rewards in the decision-making process.” She adds, “This cannot be done without full engagement of the senior leadership team, who has accepted ownership and been supportive in cascading this message and involving their teams throughout the process, all the way to planning of mitigation and resolution of identified risks.”

Asked about the top challenges for risk managers, Nasburg replies, “The most common challenges I hear from ERM leaders at other companies are integration of ERM into the strategic planning process and demonstrating the value of ERM.”

Yozzi adds a significant challenge is, “The perception that ERM is highly theoretical and cannot be brought down to a practical level for all levels within the hierarchy of the organization. It really can be used top-down.”

“Another struggle,” says Yozzi, “is how to manage all of the data. Without a systematic solution, which takes time to implement and can be costly, there is a lot of manual work required to document and aggregate the risks in order to prioritize and identify trends and get in front of them.”

Risk Then — And Now

The landscape for ERM has changed, notes Nasburg, not only in the sources of ERM frameworks and insights, but also in response to enhanced regulatory requirements such as the U.S. Securities and Exchange Commission’s (SEC’s) required disclosure on the board of directors’ role in risk oversight.

A second change has been the increased focus on management of, and disclosure related to, cybersecurity risk, centering on the National Institute of Standards and Technology’s (NIST’s) framework.

The SEC considered compliance with its current cyber disclosure requirements at a public forum last year, and President Barack Obama announced in January of 2015 plans to propose legislation to step up certain public and private disclosures, defenses, and responses to cyber threats.

With industry adoption of ERM programs at various levels of maturity, Nasburg observes, “Increased regulatory focus on risk management has added additional incentive for companies to ensure an effective program is in place.” Asked whether outside vendors are needed to implement ERM, Nasburg emphasizes, “Leveraging expertise from external resources to develop and execute specific risk mitigation strategies is a common practice and can build knowledge and competency of internal resources.”

However, she adds, “the ultimate objective is to build internal competency.” To help build this competency, Nasburg observes, “Sharing insights and best practices across companies also provides insights that can help to shape risk management strategies and accelerate execution.”

Yozzi’s view: “As with many things, it depends on your internal expertise and resources. If you have the capabilities in house, there should not be the need for a vendor to be involved. However, if you have a special concern or initiative that is more complex or creates new exposures where you may not be as comfortable, or you want to develop or enhance some of your modeling techniques and scenarios, you may want to engage an outside expert who knows your business and who you are comfortable with.”

Paul L. Walker, PhD, the James J. Schiro Zurich Chair in ERM and executive director, Center for Excellence in ERM, at St. John’s University, and a member of Financial Executives Research Foundation’s research committee, has substantial research and consulting experience with some of the world’s leading companies. Asked how much change has taken place in the field of ERM, Walker states, “I’d just say in the last 10 years or so, I think there’s been some huge changes.

“Like any deep subject matter, the expertise and talent development is going to take a while,” he observes. “Now, whether people have the expertise or not, they’re just not there. And I say that because I’ve been inside so many major U.S. organizations, and the expertise is not there, but the concept is there. So the next big thing we’re going to have to do is work on the expertise.

“And I would say there’s a big need for skill-sets all across enterprise risk management. That’s why we don’t see the sophistication yet. What we do see when you go into some advanced corporations, maybe Fortune 100 or Fortune 250 companies, is you see that they’re doing a lot of things related to risk and enterprise risk, but they’re not calling it that and they’re doing it in silos.”

Walker adds, “This whole idea of enterprise risk and culture and what’s the skill-set of the future CFO is really significant. A key question for CFOs today is what is their role in enterprise risk management? And what skill-set do they have now to help, and what will they need in the future?”

ERM Frameworks in Use

Walker notes that an early report he wrote for FEI was one of the leading publications looked at by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) when COSO published its ERM framework in 2004. COSO is currently updating that framework.

Asked what other major frameworks are in use, Walker notes ISO 31000 on Risk Management, published by the International Organization for Standardization (ISO).

There are some big differences between COSO’s and ISO’s risk management frameworks, Walker points out, “one of which is, the ISO one is pretty short. And executives don’t want to read a couple hundred pages. I don’t know if that’s the real reason why people might switch to ISO.”

However, in the U.S., Walker adds, “COSO has that brand name and I think they clearly deserve it and need to take advantage of it.”

Referencing COSO’s current project to update its 2004 ERM framework, Walker says he believes there is an opportunity for COSO to engage in this exercise now.

“We’ve come through the financial crisis. I think it’s time for COSO to step back and ask some of the big questions and see what was good about the prior framework and what it should look like going forward. So I’m impressed that they want to not just rest on that framework, but to take a good look and see if they can improve it.”

“ERM is a very hot topic right now,” says Yozzi, with members of boards of directors and company leaders showing a great deal of interest. “The good news is there is a lot of information out there and available; and the bad news is there is a lot of information out there and available!” she adds, noting the current wave of webinar invitations and white papers on this subject.

“This is all good,” observes Yozzi, noting that as a practical matter, “I look to COSO and audit firm guidance primarily for information, tools and trends within the ERM space.”

In the ‘if you could fix one thing about ERM,’ category, Yozzi notes, “Risk management means so many different things to so many people and includes so many different sub-specialties, so the vernacular can be confusing at times.” She adds, “I am excited about COSO’s updated Internal Control-Integrated Framework (“COSO 2013”) and have been focusing on that lately.”

Nasburg notes that in addition to the COSO ERM framework, useful insights can be obtained by benchmarking with other companies, and participating in advisory groups such as the Conference Board’s Strategic Risk Council, and Corporate Executive Board’s Risk Management Leadership Council. Participating with industry groups helps to continuously enhance Intuit’s ERM program, she adds.

Industry-Specific Issues

“The basics of enterprise risk management apply across all industries, however implementing an ERM program must be tailored to fit the individual culture of the company to optimize efficiency and effectiveness,” Nasburg says. “The speed at which a company moves through each level of ERM maturity will vary, as it must be tailored to the individual needs and capacity for change of the company.”

Walker believes that with either of the two major frameworks, i.e., COSO ERM or ISO 31000, “the process is the same,” but it is important to recognize that risks differ across industries.

For example, says Walker, the risk profile of a major U.S. bank would show many of the larger risks to be financial risks, while for a manufacturing company, the largest risks are not necessarily financial issues. “The trick and the key thing,” says Walker, “is to change the perspective in the minds of executives and boards to understand the business and the strategic implications of financial risk. And that’s a mistake that I see companies make, unfortunately too often.”

Walker tells of a consulting engagement in which one company identified a ‘financial risk’ that was very large. “From a financial perspective, they thought they had it hedged,” he notes. “But there was heavy discussion about the fact that we needed to not look at it as a financial risk. We needed to look at it as a strategic operational risk. That was an incredibly valuable conversation for that group to stop and realize, even some of the financial risks, you’ve got to really open your eyes and think about where are the implications.”

Yozzi advises, “To be most effective every industry, and company within that industry for that matter, must take the basic ‘best practice’ approaches and tailor them to their individual risks, size and cultures.

“There should not be a cookie-cutter approach or you will lose the ability to tap into what would work best for your industry, company and people. I have found that even within different business units, you may need to alter your approach to maximize your ability to create something that will work best for them and provide the most value. They should want to use the techniques and tools and they should not be perceived as adding an extra burden,” Yozzi adds.

The Role of the CRO Today

In the years since the economic downturn, the C-suite is paying more attention to risk, and has elevated the role of the CRO and other finance leaders charged with heading up risk management.

Nasburg notes, “As CRO, I partner closely with business leaders to drive business solutions that balance risk and opportunity.”

She adds that at Intuit, ownership and accountability for managing risk is the responsibility of business leaders across the company – not a central function. The goal, she says, is to align ownership with leaders driving Intuit’s growth strategies and operational priorities.

“My role is not to eliminate risk, but to work closely with business leaders to understand their business needs and priorities and work collaboratively to optimize business outcomes,” says Nasburg.

She adds, “This strong business partnership was built on the foundation of providing transparency into the broad landscape of risks in a continuously changing business environment and focusing business leaders on management of the most significant risks; those risks with the greatest impact on Intuit’s growth, product delivery and operations.”

Yozzi sees industry as having elevated the role of risk management. “There are more invitations to sit at the table, be part of the conversation and have input into any ultimate solutions,” she observes.

“I always gauge success of the program by the number of invitations I get to be involved in a project review or discussion and information being provided to me,” says Yozzi, “versus the number of times I have to reach out to find out what is going on and request information.”

“I believe that risk managers’ input can and should be seen as being as important as every other key stakeholder involved in the process and that their concerns, if any, should be heard and assessed before any final decisions are made,” emphasizes Yozzi, adding that risk managers should have input into how risks associated with an event are managed and mitigated. “For example, there are instances where we may want to retain a risk and it may be possible and make sense to purchase insurance to help finance that risk,” says Yozzi. “There may be other instances where it would be better to try to outsource the risk to a third-party vendor or other party. These are the types of discussions, where proper evaluation of alternatives and associated potential outcomes occur, that need to happen to achieve best results.”

Walker says of the current state of ERM, “I think we’ve come a long way, but I think we’ve got a long way to go. There’s a big difference between what I believe we should be doing and what we are doing.”

Some CROs or ERM managers, says Walker, are following a ‘check-the-box’ approach to risk management. Instead, he counsels, “What we should be doing is try to express and enhance our business intelligence about (1) the risks and how they drive the business, (2) how they drive the industry, and (3) how they drive profitability.”

Calling the gap between the risk conversations that typically take place today, and the enhanced, three-part model he described above as “a Grand Canyon-sized gap,” Walker strongly urges, “That’s the risk conversation that I think ERM directors should be having. I think that’s when they’ll step up and get even more acknowledgment and the respect that they deserve.”

This article first appeared in Financial Executive magazine.