METHODOLOGY TO DIAGNOSE THE STATUS OF ERM IMPLEMENTATION
The sources used in this article come from:
• Research performed by the authors on approximately 100 companies in 2006 and with 300 managers in 2010.
• Workshops, conferences, seminars, and training courses of the POLRISK Risk Management Association (100 members), where ERM has been challenged, questioned, and openly discussed.
• Participation in the creation of an ERM program in the telecommunications industry.
• Exchanges of practical knowledge, experience, and training about ERM among Polish practitioners (in various managerial positions: CEOs, board members, experts, and specialists) from the following industries: telecommunications, energy, logistics (road, postal, and railway), oil and gas, consulting, insurance, banking, hospitals, and construction.
We would like to share our observations by pointing out areas of weakness, as well as the challenges of demonstrating ERM's value per se to boards, managers, and operational employees. There are 3,000 companies in Poland with more than 250 employees that would potentially benefit from ERM implementation. Assuming that ERM is justified for companies with at least 250 employees, our studies cover about 10 to 20 percent of such companies in Poland. The research includes only private companies, excludes the financial industry (i.e., insurers, banks, investment funds, etc.), and does not cover public administration.
We use the following three definitions of ERM:
1. Enterprise risk management can be defined as an integrated approach to credit risk, market risk, operational risk, business risk, and economic capital management. This includes risk control, mitigation, and risk transfer to maximize the value of the company (Lam 2003).
2. In ISO 31000, risk management is defined as coordinated activities to direct and control an organization with regard to risk (ISO Guide 73:2009, definition 2.1).
3. Enterprise risk management is a process, effected by the entity's board of directors, management, and other personnel, applied in the strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO II, 2004 definition).
Value creation is the overarching concern of risk management activities. What creates a company's value are vision, strategy, knowledge of how to commercialize ideas, innovation, implementation, managers' and employees' attitudes, and decisions that influence specific value sources and drivers. To create shareholder value, a company has to take on the right risks, retain them, and manage them within its boundaries. The major risk management activities here are as follows (Antikarov 2012):
• Identify the strategic risks associated with each strategic alternative and select the strategy with the best risk/reward characteristics.
• Build and apply strategic flexibility/agility to take advantage of new strategic opportunities and protect against materialized strategic risks.
• Build and apply operational flexibility and resilience to manage ongoing business environment volatility.
• Build and apply financial flexibility allowing the company to survive, execute its strategy, and not transfer ownership during periods of financial distress.
• Build full risk assessment into the performance evaluation of existing businesses and the corresponding rewards and compensation of management and employees.
• Build full risk assessment into the evaluation, ranking, and selection of new investment projects.
In Exhibit 33.1, we display the general framework of the methodology we use for the analysis of the case study. We present the status of ERM implementation in Poland in relation to the four stages of risk management maturity described by Purdy (2010), in increasing order of maturity: (1) management of specific risks, (2) an approach to risk driven by governance, (3) risk management driven by changes within the organization, and (4) the integrated approach. In the applied methodology, the characteristics proposed by Antikarov (2012) correspond more or less to Purdy's "Integrated" stage 4 shown in Exhibit 33.1. Exhibit 33.2 displays the main components of risk management proposed by ISO 31000.