Introduction to Enterprise Risk Management
Risklet's get this straight up frontis good. The point of risk management isn't to eliminate it; that would eliminate reward. The point is to manage itthat is, to choose where to place bets, and where to avoid betting altogether.
Thomas Stewart, Fortune 1
As businesses worldwide enter the twenty-first century, they face an assortment of risks almost unimaginable just 10 years ago. E-commerce has become ingrained in society with amazing speed: Companies that cannot keep up are doomed to obsolescence in record time. Technology is driving business models to be retooled in months instead of years. The traditional gatekeepers of information are being supplemented with the Internet democracy in which anyone with a PC can disseminate information widely and quicklyfor good or bad.2 Derivatives, which were originally intended to help manage risk, have themselves created whole new areas of risk.
It is probably axiomatic that well-managed businesses have successful risk management. Over time, a business that cannot manage its key risks effectively will simply disappear. A disastrous product recall could be the company's last. A derivatives debacle can decimate staid old institutions over a long weekend. But historically, risk management in even the most successful businesses has tended to be in "silos"the insurance risk, the technology risk, the financial risk, the environmental risk, all managed independently in separate compartments. Coordination of risk management has usually been nonexistent, and the identification of new risks has been sluggish.
This study looks at a new modelenterprise-wide risk managementin which the management of risks is integrated and coordinated across the entire organization. A culture of risk awareness is created.
Farsighted companies across a wide cross section of industries are successfully implementing this effective new methodology.
An Abundance of Uncertainty
Uncertainty abounds in today's economy. Every organization is, to some extent, in the business of risk management, no matter what its products or services. It is not possible to "create a business that doesn't take risks," according to Richard Boulton and colleagues. "If you try, you will create a business that doesn't make money." 3 As a business continually changes, so do the risks. Stakeholders increasingly want companies to identify and manage their business risks. More specifically, stakeholders want management to meet their earnings goals. Risk management can help them do so. According to Susan Stalnecker, vice president and treasurer of DuPont, "Risk management is a strategic tool that can increase profitability and smooth earnings volatility." 4 Senior management must manage the ever-changing risks if they are to create, protect, and enhance shareholder value.
Two groups have recently emphasized the importance of risk management at an organization's highest levels. In October 1999, the National Association of Corporate Directors released its Report of the Blue Ribbon Commission on Audit Committees, which recommends that audit committees "define and use timely, focused information that is responsive to important performance measures and to the key risks they oversee." 5 The report states that the chair of the audit committee should develop an agenda that includes "a periodic review of risk by each significant business unit." In January 2000, the Financial Executives Institute released the results of a survey on audit committee effectiveness. Respondents, who were primarily chief financial officers and corporate controllers, ranked "key areas of business and financial risk" as the most important for audit committee oversight.6 With the speed of change increasing for all companies in the New Economy, 7 senior management must deal with a myriad of complex risks that have substantial consequences for their organization. Here are a few of the forces creating uncertainty in the New Economy:
Technology and the Internet
Increased worldwide competition
Freer trade and investment worldwide
Complex financial instruments, notably derivatives
Deregulation of key industries
Changes in organizational structures resulting from downsizing, reengineering, and mergers
Higher customer expectations for products and services
More and larger mergers
Collectively, these forces are stimulating considerable change and creating an increasingly risky and turbulent business environment. Perhaps no force on the list is having as great an impact on business as the Internet. As the Internet comes of age, companies are rethinking their business models, core strategies, and target customer bases. "Getting wired," as it is often called, provides businesses with new opportunities, but it also creates more uncertainty and new risks.8 In his book The High Risk Society, Michael Mandel states, "Economic uncertainty is the price that must be paid for growth." To be successful, businesses must seek opportunities "where the forces of uncertainty and growth are the strongest." 9 The mismanagement of risk can carry an enormous price. In recent years, the business community has witnessed a number of risk debacles that have resulted in considerable financial loss, decreased shareholder value, damaged company reputations, the dismissal of senior management, and in some cases the destruction of the business. Consider the impact of the following events:
Companies selling poor-quality or defective products, or unnecessary service, coupled in some cases with severely mishandling the crisis surrounding the product recall or service problem
Environmental disasters and inadequate attention to the resulting crisis
Rogue traders lacking oversight and inadequate controls assuming enormous risks
Organizations trading in complex derivative instruments without understanding the risks involved
Mergers destroying shareholder value
Insurance salespeople churning customers' accounts
Sexual harassment of employees
Racial slurs by management and discrimination against employees
This increasingly risky environment, in which a debacle can have major and far-reaching consequences, requires that senior management adopt a new perspective on risk management. The new perspective should be one that not only prevents debacles but also enhances shareholder value. Indeed, the New Economy calls for a new risk management paradigm.