MAIN ISSUES IN POLAND'S ERM IMPLEMENTATION
There are many issues faced by companies in Poland in the process of ERM implementation. The main systemic natural obstacles are:
• There has been little attention paid to ERM among nonfinancial sectors, although the level of interest has slowly increased since 2004, approaching the highest interest around 2009 to 2011.
Exhibit 33.1 Risk Maturity Levels Used in Methodology.
Source: G. Purdy, "How Good Is Our Risk Management? How Boards Should Find Out," Risk Watch, Conference Board of Canada, December 2010.
Exhibit 33.2 ISO 31000:2009 Relationships between Principles, Framework, and Process
Source: ISO 31000:2009.
• There are few domestic companies that can be used as examples of good ERM and as a benchmark for the Polish business community. In other words, there are few examples that can be used as good references regarding risk management matters such as financial results, reports, management discussion and analysis (MD&A), and communication of risk within the investor relations process.
• There has been a relatively short time for gathering experience from companies on ISO 31000 implementation; only two years have passed since the publication in March 2012 of PN-ISO 31000:2012, Risk Management – Principles and Guidelines. The Polish Committee for Standardization reports that there is interest in ISO 31000, but there are common misunderstandings of what ISO 31000 really is. One of the examples is in using the term risk mitigation instead of modification or treatment. Also, there is no guidance on ISO 31000 in the Polish language. These translation issues are delaying adoption of various guidelines because all those activities need sponsorships for funding. The same holds for risk management books; some of the classics, such as works by James Lam, are not translated into Polish, and this is blocking widespread practical knowledge on ERM. Any meaningful guidance remains within the advisory services industry, with no guarantee that risk management is done coherently or correctly with the approach prescribed by ISO 31000. In contrast, Australia and New Zealand have had more than 17 years of experience with standards of risk management, and there are many publicly available guidelines being applied by public and private companies in those countries, creating stronger fundamentals there as compared to in Poland. That is what we can call the "experience gap."
• There are very few domestic experts in Poland who have had the opportunity to implement ERM as a real change management process instead of a governance-driven one. There are few companies interested in building the value of the company through effective risk management. However, there are some ERM implementations in Poland in logistics, energy, oil, gas, telecommunication, mining, insurance, and the public sector. Risk management becomes a more important topic due to investors' requirements in the construction industry and the European Union directives for the railway industry.
• The POLRISK Risk Management Association needs further development in order to become a strong, recognizable body for legislative initiatives related to governance and risk management for the good of the business community. In Polish enterprises there is a need for building the risk manager profession, which would have to be built almost from scratch. The issue of the scope of duties of a risk manager is often discussed in the European forum because a risk manager's responsibilities are perceived differently from country to country. In the FERMA bylaws the responsibilities of the risk manager are not addressed, but FERMA is considering covering that issue in the requirements for the certification of risk managers. This all presents big challenges to the harmonization of educational programs with expected skills for risk managers in European countries. When this is done, it will be a big step in the promotion of the profession and risk management itself in Poland and elsewhere in Europe.
• MBA programs and higher education in Poland do not include enough enterprise-wide risk management topics. There are one or two exceptions of postgraduate studies including ERM standards. One way to promote ERM is to integrate ERM studies with strategic management and value-based risk management courses and executive MBA programs.
• The tradition of risk management was broken under the various socialist economic systems between 1945 and 1991. For example, there are at present only a few captive insurance companies in Poland. Before World War II, there were around 300 captives and mutual insurance companies. The use of such risk management techniques by many organizations was then an important part of the culture of managing risk. Risk managers in international companies are now managing captives together with coordinating ERM. We are in the process of rebuilding the number of captives and that culture. The POLRISK Risk Management Association also supports this process.
Apart from the aforementioned systemic issues in Poland, there is also confusion among proponents of ERM in Poland about what are regarded as weaknesses of the ERM concept itself, concerning the tools, models, terminology, publicly available materials, and articles. Examples of concerns are:
• In most of the cases, the risk matrix or heat map does not show the efficiency of controls.
• There is also a lack of references to or use of historical data or simulation as justification for the respective risk level to support decision making. Greater use of actual data is considered necessary to assure a high quality of risk management.
• There seem to be two schools of holistic risk management currently struggling with each other on the pros and cons of the setting of risk appetite or concepts like inherent and residual risk.
Due to a lack of understanding by those involved and the apparent confusion over the foregoing concepts, these differences do not help the followers of ERM, because in many cases they are not able to explain those different concepts clearly and convincingly, or to translate them into decision-making processes and value creation. Problems arise if executives who are trying to properly understand ERM are asked to explain why the concept of risk appetite is needed. Executives, managers, and directors expect a clear message about whether this exercise with ERM can increase performance, reduce costs, optimize margins, or make good decisions on current resources and capital allocation. All of these issues, both at the international level and at the local level, only confirm that ERM as a concept itself still is not stabilized or is not ready to be used. As a result, managers we have spoken with indicate that they are not going to implement ERM because of these problems.
Risk management terminology, principles, frameworks, and processes in Poland are orientated primarily toward either internal controls or governance.
Some companies are making efforts to influence value via risk management. ERM is viewed by managers in Poland as an optimizing activity in achieving objectives and therefore is perceived as integrally related to strategic management. The major question stated by practitioners in Poland is: "What is the real added value of ERM?" The partial answer to that question can be obtained by referring to the meaning of good performance or good execution of strategy and goal achievement. In Exhibit 33.3 we offer an answer in the form of comparative statements of good practices of the execution and performance of the strategy applied from classic books on the topic. ERM is frequently commented on by Chartered Institute of Management Accountants (CIMA)-designated experts, CEOs, CFOs, financial controllers, and other top managers as something they are already doing, which they perceive as:
• Strategy development and its execution by risk management
• An idea that is perhaps worth applying and that utilizes various risk criteria focused on efficiency and performance or risk controlling as part of business controlling
Using three of the best books on strategy execution (Kaplan and Norton, Bossidy and Charan, Welch) and one on performance (Peters and Waterman), we put together the comparative statements indicating some ideas and sources of ERM principles being used in management mainstream practice and literature. Since many Polish executives refer to these books, ERM must be shown in the light of which practices should be part of a company's management framework, as is also recommended in ISO 31000. Exhibit 33.3 shows the relationship between ERM concepts and strategy execution and performance.
From these comparisons, there are important conclusions that may be applied to the case study of ERM in Poland. Suboptimal efficiency of management may result from the fact that ERM is a missing link between strategic management (SM) and value-based management (VBM). Selling ERM in isolation from strategy and value-based management creates a risk of unsuccessful ERM implementation. Selling the triple package of SM, ERM, and VBM together and creating the adequate educational program increase the chance that the value proposition related to ERM will be accepted by the boards of directors at enterprises in Poland.
Moreover, in the view of Polish CFOs and CEOs, a properly defined strategy is in fact a reflection of a new or updated arrangement of a company's capital and assets/resources allocation. Therefore, the risk management function must be close to strategy and produce a strategic portfolio of initiatives, programs, projects, and processes. Thus the reporting line of the risk management department should always be where decisions are made on capital and resources allocation – that is, in the strategy department or in CFO-managed business units such as value-based financial controlling and budgeting (i.e., operating expense [opex] and capital expenditure [capex]). If these functions were supported by various tools applied for risk assessment, monitoring, and modeling, then most of the CEOs and CFOs would be interested in applying such approaches into their daily management practice.
Exhibit 33.3 Comparative Statements of Good Practices in Strategy Execution and Performance

Robert S. Kaplan and David R. Norton, The Execution Premium (2008)
Management system linking strategy to operations:
1. Develop the strategy (strategic analysis, SWOT, risk assessment of strategy, how best to compete). Here we should know at least the type of strategy and related risk. Risk taking is related to type of strategy and its flexibility in Michael Raynor's (2007) sense: low cost, differentiation, diversification.
2. Plan the strategy (strategy maps – links with risks. How we measure our plan: setting objectives – basis for risk assessment of the objectives, stress testing of assumptions, strategic project, programs, portfolios, initiatives, who will lead execution of strategy?) Establish the context. Here is a place for risk limits, (appetite) tolerances against targets in strategic plan.
3. Align the organization (it is in fact "design of risk management framework" and "establish the context" phases of risk management process in ISO 31000).
4. Plan operations (and include risk management plan).
5. Monitor and learn (is our strategy working? isn't it too late?). These questions should be asked first at the "develop the strategy" phase (will our strategy work? are assumptions credible? is our strategy feasible?). Similar to monitor and review in ISO 31000.
6. Test and adapt (that is, what should result from "monitoring and review" phase). (Continuous improvement in ISO 31000 – part of framework.)
What is missing? Principle (d) from ISO 31000 – RM explicitly addresses uncertainty.

Jack Welch, Winning (2005)
Strategy is a game, vital, dynamic. No scientific approach to strategy is needed; overloading strategy with science is unproductive.
Jack Welch defines strategy as "allocation of resources"; "strategy is what remains after removing big words related to it." "Strategy is making choices on how to be competitive. (As for strategy, you should think less and act more. In other words, this is again about execution.) Strategy is simple – you choose general destination and pursue it with your best effort." Forget about scenarios, plans, whole-year research and 100-page reports, recommendations, and so on. To be number one or two in each industry – to reach this goal you have to repair/restructure, sell, or close the companies.
Three stages of strategy execution:
1. Elaborate big idea – Big Hairy Audacious Goals (BHAGs) for business, smart, realistic, feasible, relatively quick way of generating competitive advantage.
2. Assign right people to right tasks to succeed with implementation of idea. (We could say to the right risk management framework and pay key attention to "establish the context phase" as in ISO 31000.)
3. Continuously with persistence seek best methods of implementation of idea, adapt it, improve it – in company or outside of it. (Continuous improvement in ISO 31000 – part of framework.)
What is missing? Principle (d) from ISO 31000 – RM explicitly addresses uncertainty.

Larry Bossidy and Ram Charan, Execution (2002)
Execution: Three core processes of execution of any business:
1. Strategy process – link people and operations. Strategy review.
2. Operations process – link strategy and people.
3. People process – link strategy and operations.
Three blocks of execution:
1. Seven essential behaviors of leaders: Know your people and your business. Insist on realism. Set clear goals and priorities. Follow through. Reward the doers. Expand people's capabilities. Know yourself.
2. Framework for cultural change – operationalizing culture: Behaviors are beliefs turned into action (principle a) reward performance (compare Lam – "Pay for the performance you want"), allow robust dialogue. Behaviors deliver the results. Social software of execution, leaders get the behaviors they exhibit and tolerate.
3. The job leader should not delegate – having the right people in the right place.
All of the above are risk management framework activities as in ISO 31000 if looked at from a risk perspective and implementation of the process. We see also the risk management principles "add value, include human and cultural factors." What is missing? Principle (d) explicitly addresses uncertainty.

Tom Peters and R. H. Waterman Jr., In Search of Excellence (1982)
• A bias for action, active decision making – "getting on with it."
• Close to the customer – learning from the people served by the business.
• Autonomy and entrepreneurship – fostering innovation and nurturing "champions."
• Productivity through people – treating rank-and-file employees as a source of quality.
• Value-driven – management philosophy that guides everyday practice – management showing its commitment.
• Stick to the knitting – stay with the business that you know.
• Simple form, lean staff – some of the best companies have minimal HQ staff.
• Simultaneous loose-tight properties – autonomy in shop-floor activities plus centralized values.
(All of the above can be seen in principles of risk management and framework scope and have to be tailored in establishing the context in risk management process and framework level.)
What is missing? Principle (d) from ISO 31000 – RM explicitly addresses uncertainty.
Source: Author's research, S. Pijanowski.
- The need for evaluating the quality and extent of risk treatments, including controls, is essential, and the techniques for including this in risk assessments are described in Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, edited by John Fraser and Betty J. Simkins (Hoboken, NJ: John Wiley & Sons, 2010), on pages 162, 163, 166, 173, and 174.