In our previous posts on Enterprise Risk Management (ERM), we defined ERM and addressed how to set up the program and use it to assess and treat risks. We have come a long way! In this post, we evaluate the program.
ERM is not a static program. An effective approach to evaluating and enhancing the performance is a three-part one: measure, monitor and, most importantly, evolve.Measure
A hallmark of ERM is that of linking risk management to business performance. ERM is not an added-on, check-the-box compliance function. ERM is the management of risk that leads to reward. Hence, a guiding principle for measuring in an ERM context is to choose existing performance measurements that relate to the risk:
- A given financial risk may be realized in changes in the weighted average cost of capital (WACC);
- A given strategic risk may be realized in changes in market share;
- A given operational risk may be realized in revenue per dollar of assets deployed.
One notable standard performance measurement is directly related to risk management. Total Cost of Risk (TCoR) is the combination of insurance premiums, losses and costs for risk-related services such as attorneys and safety engineers. This measurement tells you if your risk treatments are working according to plan and it is the key indicator of the overall progress of your risk management.
Another guiding principle is that of setting “Risk Thresholds.” In a previous post, we discussed Risk Tolerance as the maximum level risk you are willing to accept for given business unit, project, department, initiative, etc. Knowing that limit and planning around it is excellent but it is not an effective governance feature if you have no idea when you are about to reach or exceed it. You will need an early warning. That early warning is the threshold that still allows you time to react and effectively change the outcome. Using one of our examples above, the weighted average cost of capital (WACC), let’s suppose that you have decided that your Risk Tolerance is an increase of 0.5% in WACC. So, consider a Risk Threshold of 0.3% that triggers a warning to the CFO. Ask yourself if, at that point, if it is likely that the CFO and Finance Department can analyze and alter the drivers of WACC in time to confine any further increase to the remaining 0.2%? If so, then 0.3% may well be the appropriate Risk Threshold.
In the exhibit (Risk Threshold Illustrated), we show this example in its complete context and we also demonstrate an example of an enhancement to this threshold concept.
Monitor
Monitoring has four aspects: updating risk and treatment information; identifying new risks, assessing the effectiveness of treatments and, very important, communicating the results. (Why not take credit for your work?)
Update Risk and Treatment Information
We have previously observed that the Risk Register is the heart of ERM and described the Risk Register’s functions. Among those functions, the Risk Register serves as the workhorse of risk and treatment monitoring. To illustrate this, we can revisit our Risk Register illustration from the Risk Treatment post.
Consider that, at the time of introducing a Risk Treatment into the Risk Register, you projected the effect you expected it to have on Residual Risk. In the example, you can see by the uniformly green color that, for these sample risks and treatments, we projected very favorable residual risks.
Monitoring will not require you to invent a new tool. Instead, the monitoring process has you return to this Risk Register to replace the projections with what your actual experience of residual likelihood and impact is. Updating the risk and treatment information in the Risk Register answers the questions:
- Are the treatments working?
- Is management recommending alternative or additional treatments?
Identify New Risks
Our Risk Identification post described a total approach. We considered who to turn to: managers with expert knowledge in their respective departments or functions such as Finance or Supply Chain; staff of compliance functions such as Internal Audit and Regulatory Compliance. We also described the salient features and uses of an extensive array of Risk Identification tools: questionnaires, checklists, workshops, inspections, audits, flowcharts, dependency analyses, HAZOP, FMEA, SWOT, PESTLE.
Assess the Effectiveness of Treatments
This starting point may not be obvious: an assessment of the effectiveness of a treatment begins with asking the question, “did we use the best method to identify and assess the risk?” If there was a fault in the treatment, it may actually lay in the way that you framed the risk. After considering better ways of identifying and assessing risk, it is time to move on to considering how appropriate the choice of Risk Treatment was and how well the treatment worked.
In conjunction with evaluating Risk Treatments individually, a mature ERM program will also ask if TCoR is trending downward. If not, is it because of risks that we did not anticipate? Or is it because of treatments that are not working as well as planned? If it is because of risks we did not anticipate, how can we strengthen the systems of questionnaires, audits, analyses, etc.? If it is because of treatments that did not work well, did the early warning system of Risk Thresholds work? In other words, are the measurements we are using appropriate? And, in any case, what are the alternative treatments?
Communicate the Results
Monitoring is not monitoring until useful information reaches the right decision-makers. The monitoring process has to build in notification protocols that send very specific communications to specific people.
So, who are the people? One hint was captured by the “Schedule of Notifications” in the Risk Threshold exhibit above.
The level of impact determines what type of decision has to be made. For instance, in the example above, reaching the lowest threshold (read “warning level”), the 0.1% change, may be addressed by the Finance Director negotiating a re-financing to reduce the debt portion of the WACC, whereas, reaching the 0.2% threshold may require the Treasurer to adjust the investment strategy. If the change in WACC reaches the highest threshold, then perhaps the problem is that the demand for capital is too high and that can only be addressed by reorganizing operations or changing the purchasing/leasing strategy. At such a level, we are targeting communications to the Board to make corrective decisions on strategy and operations.
In addition to targeted communications, there are audiences that need an overall summary of the ERM program’s results. These audiences would include:
- The decision-makers: the Board, the officers of the company, the Risk Owners;
- The “risk workers:” the Risk Management Committee, the Workgroup, Internal Audit, other compliance staff and, again, the Risk Owners;
For these audiences, you will need a Dashboard. In developing the Dashboard, keep in mind that these audiences need information, not data. As your Dashboard summarizes risk data, it should be geared to answering very specific questions:
- What can go wrong? / what is going wrong?
- How bad can it get?
- What can we do about it?
These questions should direct the composition of every title, line of text and graph in your Dashboard.
How do these questions relate to our monitoring?
- What can go wrong? / what is going wrong? → Thresholds and Updated Risk Information
- How bad can it get? → Updated Inherent Risk
- What can we do about it? → Updated Risk Treatment Information
Finally, communicate results, especially positive ones, to the organization at large. Select a few certain overall statistics from the Dashboard. Then select certain illustrative risk and treatment success stories to breathe life into those statistics. Just as we discussed preparing the organization in order to get buy-in to ERM implementation, so to can we encourage continued and expanded participation by sharing the results. Also, communicating results periodically reinforces that ERM is active and vital and was not a “flavor-of-the-week” when it was introduced.
Evolve
What should we change as a consequence of monitoring? We saw obvious examples in the updates described above: updates to risk descriptions, updates to treatments, and identification of new and emerging risks.
Delving in a little further, we can ask if the measurements were the best ones? Can our monitoring be improved by more responsive measurements? Recall that we suggested three examples of measurements above:
- A given financial risk may be realized in changes in the weighted average cost of capital (WACC);
- A given strategic risk may be realized in changes in market share;
- A given operational risk may be realized in revenue per dollar of assets deployed.
Now consider evolving. Could each of these measurements be replaced by one with a different focus? Would that focus better address the given risk? Consider these hypothetical shifts:
And then delving still further, do we have indications that we need to adapt the ERM program? Consider whether or not you added risks to the Risk Register or whether or not your perceptions of existing risks changed. In a mature ERM program, new risks and perceptions reshape the program for greater effectiveness. Changes may take the form of:
- Adding or changing a Risk Category;
- Expanding or reorganizing the Risk Management Committee and the Workgroup to get better representation of the business units, departments, functions and initiatives;
- Adjusting the annual internal audit plan to better support the management of key risks.
The Guiding Principles
- As the title says, measure, monitor and evolve.
- ERM is not an added-on, check-the-box compliance function; ERM is the management of risk that leads to reward.
- Choose existing performance measurements that relate to the risk.
- A mature ERM measures Total Cost of Risk (TCoR).
- Establish and monitor “Risk Thresholds” – – the early warnings.
- Monitoring has four aspects: updating risk and treatment information; identifying new risks, assessing the effectiveness of treatments and, very important, communicating the results.
- Communicate to three groups: the decision-makers, the “risk workers” (RMC, Workgroup, Internal Audit) and the organization at large.
- “Evolve” includes re-shaping the program for greater effectiveness.
{{cta(‘ab967fa8-5382-431b-b668-19c41d199532’)}}