LEVERAGING ERM TO PRACTICE STRATEGIC RISK MANAGEMENT
ERM is a business management support process. For several years, proponents of ERM have been advocating incorporating the ERM process into strategic and business planning to increase its utility. Their goal is to promote risk-adjusted decision making that can better assist management in addressing the outside forces (such as political, economic, technological, legislative, social, and environmental) that will cause the variations from performance or planned outcomes that will inevitably occur over a multiyear time line. Some outside forces will inhibit success, while others will improve the operating environment. The specific purpose is to reduce the impact of adverse events and be ready to exploit emerging opportunities. The challenge is adapting the ERM process within the existing strategic and business planning methodology.
The word strategy has its roots from the Greek strategos (a compound of stratos, for an encamped army spread out over ground, and agein, to lead, which explains its initial definition of "the art of generalship"). Strategy can be defined as a careful plan or method for achieving a particular goal, usually over a long period of time, and the skill of making or carrying out plans to achieve a goal. Another definition is: "A company's strategy is a series of choices, to be effective it must remain consistent with what's happening in its competitive environment."
Organizations that view the ERM process as supporting business strategies should consider positioning it where the primary goals are both to grow the business and to protect value: corporate planning (longer range) and the business units (annual). Exhibit 16.1 is a model designed by the authors that can be utilized to incorporate ERM into the strategic and annual business planning process. However, before positioning can occur, the entire organization should understand the vision, mission, and purpose of ERM. This can be accomplished by creating a
Exhibit 16.1 Incorporating ERM into the Strategic Planning Process
Used by permission of John Bugalla and James Kallman, © Copyright 2013, John Bugalla and James Kallman.
formal ERM charter. The ERM charter serves as an internal blueprint for both executive leadership and middle management to follow. The optimal time to create the charter is in the ERM planning stage, before it has been implemented. The charter will set the tone at the top for ERM in one of two directions: (1) Risk management is a strategic support function, or (2) risk management is a control function. In Exhibit 16.1 risk management is a strategic support function.
The initial step comprises three internal scan elements: (1) surveying the C- suite about leaders' current perceptions about risks and their management, (2) surveying Internal Audit about their perspectives on the current level and effectiveness of risk controls, and (3) creating an ERM risk register. The surveys will enable a comparison between the current state of risk management activities and the corresponding risk control efforts. The ERM risk register is a tool for organizing the identified risks and their internal owners.
The external view serves several purposes. It begins to incorporate the ERM process into strategic planning steps. The external view provides an opportunity to identify the outside forces that present both risks and opportunities to the organization – the two sides of the business decision coin. Coupling risks and opportunities together provides a broader and more complete view that makes for a far better assessment process and decision making. The authors have indicated some of the tools and techniques that can be utilized to complete the assessment process, including a detailed description of a new tool that is presented later in this chapter.
If the ERM and strategic planning process have been merged, the results should be seamlessly incorporated and articulated into the longer-range strategic and annual business plans. Both plans articulate how the organization will achieve its business goals. However, neither plan provides certainty that the planned performance will be achieved – analogous to von Moltke's statement "No battle plan survives contact with the enemy." The goal is to reduce the impact of adverse events and exploit opportunities to achieve better outcomes around the planned performance objectives.