ON THE RIGHT PATH
By Denise Bedell
Enterprise risk management is now a central theme for treasurers at large corporates. Both regulatory changes and business benefits are driving the increased focus.
The financial trauma of the past few years has led to many big changes in the way companies operate. One of the more positive developments from a systemic perspective is the increased focus on risk management—and in particular on holistic risk management.
Once a byword tossed about by visionary treasurers with little hope of making the dream a reality, enterprise risk management (ERM) is now a reality at many major corporations, thanks to increased fears, regulatory changes and a much stronger business case. Those that have not already realized the dream are taking a close look at how to do so.
“Until the hundred-year storm came about, risk was often thought of in terms of natural little buckets,” says John Jay, senior analyst at consultancy Aite Group. “Then it was rolled up in some sort of summary report and filed away.” But the catastrophic systemic events of 2008 changed everything, he says.
Suddenly, risk management was not just an afterthought: It was the key thing that a company’s stakeholders—from the board to shareholders—were asking senior management about.
Fast-forward to 2011, and holistic risk management is no longer just a catch phrase but rather a mainstream operation for many large and midsize companies. In part, the enterprise approach is being driven by stringent new regulatory regimes that put the onus on boards and senior management to be accountable for risk.
Mark Webster, partner at consultancy Treasury Alliance, explains: “Corporates are beginning to realize that this is something that might cause some major pain down the road. If not managed, it could close the company or put senior executives in jail. As a CEO or CFO, when your neck is on the line, you don’t want a junior clerk managing this.” That has driven companies to institute a distinct risk manager function—and move that function up to senior management level.
Aside from regulatory and compliance concerns, there are clear operational and financial benefits to the holistic approach. First, it gives companies comfort that risks are being well managed—and a view on where risks are not being managed effectively to provide a starting point for improvement.
Dunham, SAP: Use broader process reengineering to drive ERM
Plus, often companies hold sizable reserves of cash and liquidity specifically for dealing with the unknown, but with this added layer of security and risk visibility, those reserves can be reduced, freeing up that capital for other uses.
James Dunham, vice president at solution vendor SAP in their governance, risk and compliance unit, notes that looking holistically at risk is a natural extension of the process of transformation that is going on at many large corporations. “They are specifically aligning their business around strategic end-to-end processes in order to drive optimization and reduce costs.” He says it makes sense for companies to use process reengineering projects to push enterprise risk evaluation.
With ERM a company can start to break down silos, notes Helen Shan, vice president finance and treasurer at Pitney Bowes. “If you ask someone on the operational side about a risk, they may think it exists only in their world,” she says. “But taking it across the business, that risk may actually be much larger, or there may be emerging risks in one area that will affect existing risk in another.”
BUILDING ERM FROM THE GROUND UP
Global Finance speaks with Helen Shan, vice president finance and treasurer, Pitney Bowes
Shan, Pitney Bowes: Don’t start a project with preconceived notions
Global Finance: How did the ERM model evolve at PB?
Helen Shan: We began looking at it in 2005 and were hitting full stride 18 months later. We did not come into the project with any preconceived notions but began by interviewing everyone who had risk ownership. From there the natural risk owners and subrisk owners came up with a laundry list of risks. Then we narrowed the list down to those which we deemed “enterprise risks,” and that is what we based our model on. We review that list every year.
GF: How does PB evaluate risks?
Shan: We put together a risk heat map where each subrisk is judged on three main metrics: probability, severity and risk mitigation strategies. With severity, one of the things we find useful is to determine who we would need to report to if that risk were to occur. So if it is something that we would expect to see, for example, reported on the front page of the New York Times, that is clearly the highest level of severity. We found this methodology easier than trying to quantify the impact on revenue and EBIT, which can be debatable.
Once we have determined the severity, we look at whether we have the right risk mitigation strategies in place. We rate that on a scale including “not addressed,” “marginally mitigated,” “acceptable mitigation” (at reasonable cost), “optimal risk mitigation,” and “excessive risk mitigation.” By including “excessive mitigation,” it lets us look at where we could change mitigation strategies to reduce unnecessary costs.
GF: Why does PB use a heat map?
Shan: It provides a way to compare the subrisks and graphically show their metrics relative to one another. It’s easier for our board also to review the risks and ask questions. It also helps us see how much more our enterprise risk needs to be improved.
So, if there are 10 subrisks in a risk category where four are marginally mitigated and the rest are acceptably mitigated, we will evaluate how to make those four acceptable, and put a grade around the process and how quickly we are moving marginal risks to acceptable.
GF: What are the benefits?
Shan: It has highlighted certain areas where we do have risks that we might not have seen before, and how each risk touches on other parts of the business. For example, we now include our business continuity planning more integrally in our planning and budgeting process.