A new enterprise

Simply having insurance to cover your property, employees and other potential liabilities used to be enough. In today’s global economy, companies are facing more than just fires and lawsuits. New threats include intangibles such as geopolitical instability, new regulations and legislation, supply chain interruption and more.

In the post-Sarbanes-Oxley world, where industries, the government and investors are taking closer looks at companies’ risk management processes, today’s businesses need to embrace enterprise risk management (ERM), a more holistic approach that addresses tangible and intangible threats to a business’s finances, operations and strategies, according to Chris Smith, senior vice president of Aon Risk Services Inc.

“Many organizations use ERM for compliance purposes, but rarely does a company use ERM to its full capacity,” says Smith.

Smart Business spoke to Smith about how a business can utilize ERM techniques to address risks in all areas of an organization.

Why is it necessary to employ ERM?

The biggest incentive for public companies to start seriously embedding ERM within their organizations is Standard & Poor’s upcoming plan to include ERM as part of a company’s credit rating. This will be used as one of the many criteria to evaluate companies with public debt. The inclusion of ERM in credit ratings makes sense when you consider how globalization has made the definition of ‘risk’ broader for companies.

What are the biggest risks businesses face?

Threats can happen for a number of reasons, including product recall, investor litigation, regulatory sanctions, supply chain interruption, competitive challenges, union unrest, political instability, financial fraud, pandemics or natural disasters. The major risks are things like:

  • Damage to reputation
  • Business interruption
  • Third-party liability
  • Distribution or supply chain failure
  • Regulatory/legislative changes
  • Failure to attract or retain staff
  • Market risk
  • Physical damage
  • Merger/acquisition/restructuring
  • Failure of a disaster recovery plan

How does using ERM address these risks?

An ERM is a process that helps a business understand the risks facing it and how those risks are interrelated. It can also be used to develop a plan to mitigate these risks should they happen. The blend of risks is unique to each business. The solutions on what to do when confronted with these risks are also exclusive to a company. For example, a business might have many different answers to a problem when a supply chain is disrupted in an overseas operation. It can opt to just monitor the situation until it changes, find new sources of materials, buy insurance, simply tolerate the risk or opt to close down that part of the business if the situation gets dire.

Who should oversee an ERM?

Many times, the executive sponsor is the CFO or the CEO. Larger companies may have a CRO, or chief risk officer. Some companies appoint board members to champion the process. Other times, it is the risk manager or internal auditor. However, the ERM process must be delegated by someone with a broader perspective — the higher up you get in the C-level, the better.

Before embarking on ERM, what do businesses need to consider?

Businesses can’t and shouldn’t try to implement an ERM strategy overnight. It is a slow process that needs to be realized in stages in order for it to be successfully embedded within a company’s culture. Some businesses already have some components of ERM in place but don’t have a formalized plan. A good starting point for formalizing the process is evaluating where you are in the ERM continuum and developing a process tailored to your company’s culture.

That said, there are certain commitments that must be in place before beginning:

  • Personnel commitment. Senior management needs to be supportive of the ERM process and dedicated to ensuring staff activity and accountability.
  • Collaborative effort commitment. If a business hires consultants to help guide ERM, there must be a collaborative environment with open and honest communication.
  • Time commitment. ERM is a long-term process — not a project. Each organization will be different on how quickly ERM gets integrated into the culture, but measurable progress should be achieved at regular steps along the way.

What does ERM look like when it is fully embedded into an organization’s culture?

Generally, employees have an awareness of what the risks are and know how they must be managed. For example, a manager sees a business opportunity and presents the upsides to pursuing that opportunity. If that manager is ERM-savvy, he or she will look at the risks that may impact the opportunity, both on the upside and downside. While the new business venture might bring in revenue, what will it do to the reputation of the company’s existing brands? The key is for everyone to understand the big picture.

CHRIS SMITH is the senior vice president for Aon (www.aon.com), a risk management, human capital and reinsurance consulting firm.
Reach him at (216) 623-4101 or [email protected].