Reading list to help make ERM become more strategic


  • Business Models

    • Business Model Generation (Osterwalder & Pigneur)

    • Value Proposition Design


  • Disruption

    • No Ordinary Disruption (Dobbs et al.)

    • Big Bang Disruption (Downes & Nunes)

    • Your Strategy Needs a Strategy (Reeves et al.)

    • Create Marketplace Disruption (Hartung)

    • Superforecasting (Tetlock and Gardner)


  • Strategy (more general)

    • Blue Ocean Strategy (Kim & Mauborgne)

    • The Lean Startup (Ries)

    • Playing to Win (Lafley and Martin)

    • Brand Resilience (Copulsky)

    • Discovery Driven Growth (McGrath and MacMillan)

    • Upside (Slywotzky)

    • Innovator’s Toolkit (HBS)

    • Geography of Genius (Weiner)

    • Strategy Beyond the Hockey Stick (Bradley et al.)


  • Strategic Execution

    • Achieving the Execution Edge (Bart & Schreiber)

    • Strategic Project Management Made Simple (Schmidt)

    • When Strategy Execution Marries Risk Management (Ow)

    • Seven Strategy Questions (Simons)

    • Strategy that Works – How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)

Are risk managers and auditors now going to be held personally liable for risk and controls mistakes?

It seems like that might be true in banking. Here’s an excerpt but you can read more in the document.

3) Ms. _________, as the Community Bank’s Group Risk Officer, failed to timely identify the root cause of team member sales practices misconduct in the Community Bank, failed to exercise credible challenge to the Community Bank’s head (_______) regarding risk management controls relating to sales practices, failed to timely and independently evaluate the effectiveness of Community Bank’s risk management controls, and failed to identify, address, and escalate risk management control failures that threatened the safety, soundness, and reputation of ________ Bank, N.A.

4) Mr. _________, as the ____ Executive Audit Director assigned to the Community Bank, failed to timely identify the root cause of team member sales practices misconduct in the Community Bank, failed to provide credible challenge when evaluating the effectiveness of Community Bank’s risk management controls, and failed to identify, address, and escalate risk management control failures that threatened the safety, soundness, and reputation of the Bank.

New attitudes on risk around concentration and supply chain

From today’s WSJ:

Coming after a year of events that weakened China’s status as a stable manufacturing center, the upheaval means Apple no longer feels comfortable having so much of its business tied up in one place, according to analysts and people in the Apple supply chain.

“In the past, people didn’t pay attention to concentration risks,” said Alan Yeung, a former U.S. executive for Foxconn. “Free trade was the norm and things were very predictable. Now we’ve entered a new world.”

Time to build a practice for identifying geopolitical and macro risks (or emerging risks)

At our Oct 2022 ERM Summit we asked a group of risk leaders about the importance of geopolitical and macro risks. Their responses are summarized below (chart: Top risks).

About 70% agreed that geopolitical and macro risks are a top risk and almost 70% agreed that these risks will have a major impact. What is surprising is that only slightly over 50% had a practice to identify these risks in a timely fashion.

My Risk Acumen takeaway is that ERM leaders should consider or reconsider their approach to identifying these risks in a timely fashion.

Boards and emerging risks (JOA Feb 1, 2020)

Assess emerging risks

"The board should carry out a robust assessment of the company's emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated. ... Principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company's business model, future performance, solvency or liquidity and reputation. In deciding which risks are principal risks, companies should consider the potential impact and probability of the related events or circumstances, and the timescale over which they may occur" (UK Corporate Governance Code 2018).

ERM reaction: First, strengthen your emerging risks process. Second, include business model risk analysis in the process. This reaction captures the growing pressure on boards over emerging risks and business models. Recent work at the Center for Excellence in ERM at St. John's University's Tobin College of Business reveals that U.S. high-performing companies (as compared to those that are not high performers) are more likely to have an emerging risk process.

Board member reaction: There is no reason not to insist that companies push the dial higher than just doing risk identification, risk assessments, and risk ranking. Insist on an analysis of how the emerging and disruptive risks impact the business model. The future of the business could be at stake.

Why I first got excited about ERM.

OVERVIEW OF ENTERPRISE RISK MANAGEMENT

Enterprise risk management is a great, great process. I could not say more about it.

Mario Pilozzi, Wal-Mart Canada Chief Operating Officer.

Enterprise risk management is an iterative and disciplined process that can take many forms but often follows the flow identified in Figure 2. The key steps in the process include setting objectives, identifying risks, assessing risks, acting upon these assessments, and monitoring. A genuine approach to managing risk first requires the identification of the objectives. The objectives can be the company’s strategic objectives if enterprise risk management is being applied to the company as a whole. Alternatively, the objectives can be a department’s objectives or a new project’s objectives (where enterprise risk management is being applied to either of these individually). For example, FirstEnergy Corporation used enterprise risk management to identify and manage risks around a new e-business initiative, as well as to identify and manage risks of the entire organization.

Management that approaches each day or project not knowing what objectives they are trying to achieve can usually only offer a shallow repartee when asked by board members, “How is the company performing?” or “Are we meeting our goals?” One of the early lessons companies glean from enterprise risk management is that many layers of the company (including senior management, operating managers and regular employees) do not know or understand the objectives of the organization and how the objectives relate to their daily job and tasks. Enterprise risk management forces companies to identify and focus on the organization’s objectives. Risks are defined broadly to include any event or action that will prevent the organization from achieving its objectives. Enterprise risk management reinforces priorities to everyone involved, and ultimately to the risks surrounding those priorities. Knowing the priorities and the risks is essential to creating value for the stakeholders and to managing the company successfully.

From our first book on ERM (Making Enterprise Wide Risk Management Pay Off).

Boardroom advice for handling disruptive risk

Question legacy business models

"Allegiance to legacy business models with reluctance to question their future viability" is a red flag, according to board guidance (Adaptive Governance: Board Oversight of Disruptive Risks, NACD, 2018).

ERM reaction: Include business model risk analysis in your risk assessment.

Board member reaction: Don't accept a risk map with a list of top risks. Ask if tools have been applied to examine the risks around the business model — in essence, the heart and soul of the business. Without a grasp of this, you are overseeing the wrong risk. Peter Drucker, a management consultant, educator, and author, wrote in "Theory of the Business" in the Harvard Business Review in 1994 that every three years we should challenge every product, service, policy, etc. — basically, every assumption about the business.

#1 Way to Make ERM Become More Strategic

In my opinion, it is to read what they read. Until we understand how the C-suite and the board think, we will always be on a steep uphill climb. One reading list:

  • Business Models

    • Business Model Generation (Osterwalder & Pigneur)

    • Value Proposition Design

  • Disruption

    • No Ordinary Disruption (Dobbs et al.)

    • Big Bang Disruption (Downes & Nunes)

    • Your Strategy Needs a Strategy (Reeves et al.)

    • Create Marketplace Disruption (Hartung)

    • Superforecasting (Tetlock and Gardner)

    • Blue Ocean Strategy (Kim & Mauborgne)

  • Strategy (more general)

    • The Lean Startup (Ries)

    • Playing to Win (Lafley and Martin)

    • Brand Resilience (Copulsky)

    • Discovery Driven Growth (McGrath and MacMillan)

    • Upside (Slywotzky)

    • Innovator’s Toolkit (HBS)

    • Geography of Genius (Weiner)

    • Strategy Beyond the Hockey Stick (Bradley et al.)

  • Strategic Execution

    • Achieving the Execution Edge (Bart & Schreiber)

    • Strategic Project Management Made Simple (Schmidt)

    • When Strategy Execution Marries Risk Management (Ow)

    • Seven Strategy Questions (Simons)

    • Strategy that Works – How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)

Board risk oversight continues to be a concern

From today’s WSJ:

“In discussing an emergency safety bulletin the FAA issued after the Lion Air crash, the suit said that Mr. Muilenburg was more concerned with potential cash-flow disruptions than safety matters. “We need to be careful” that the FAA’s interest in the contents of flight manuals, he wrote to Greg Smith, the company’s chief financial officer, “doesn’t turn into a compliance item that restricts near-term deliveries.”

The risk-management update to the board after the first crash didn’t include oversight of airplane safety, according to the suit, nor did safety issues surface as part of a December 2018 meeting of the board’s audit committee.”

The headline of the WSJ story was “Boeing Board Failed to Challenge CEO, Lawsuit Says.”

Organizations may need not only to assess their ERM process but also to revisit how they set up and practice board risk oversight.

New disclosure required by the SEC on a change in previously disclosed business strategy

Disclose a Change in Business Strategy

Of note is this sentence in the new SEC rule (effective Nov 9, 2020): “However, we are adopting as a disclosure topic material changes to a registrant’s previously disclosed business strategy.”

My 1.5 cents? I’d read that section every year. Changes in business strategy change the strategic risks.  

New Item 1a risk factors rules become effective Nov 9 2020

Here’s an overview:

• Require summary risk factor disclosure of no more than two pages if the risk factor section exceeds 15 pages

• Refine the principles-based approach of Item 105 by requiring disclosure of “material” risk factors (from “most significant” to “material”). This will result in risk factor disclosure that is more tailored to the particular facts and circumstances of each registrant, which should reduce the disclosure of generic risk factors

• Require risk factors to be organized under relevant headings in addition to the subcaptions currently required, with any risk factors that may generally apply to an investment in securities disclosed at the end of the risk factor section under a separate caption (i.e., a “general risk factors” section)

The cost of not doing ERM is at least $400 million

I know this is banking but I thought you might find Citi’s $400m fine and consent order and the regulator comments interesting:

The Comptroller finds, and the Bank neither admits nor denies, the following:

(1) For several years, the Bank has failed to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the Bank’s size, complexity, and risk profile.

(2) The OCC has identified the following deficiencies, noncompliance with 12 C.F.R. Part 30, Appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches,” or unsafe or unsound practices with respect to the Bank’s enterprise-wide risk management and compliance risk management program:

  (a) failure to establish effective front-line units and independent risk management as required by 12 C.F.R. Part 30, Appendix D;

  (b) failure to establish an effective risk governance framework as required by 12 C.F.R. Part 30, Appendix D;

  (c) failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and

  (d) failure of compensation and performance management programs to incentivize effective risk management.

6 of 12. Oceans and Opportunities

This is not all bad news. Many will find these new business models, value propositions, and opportunities.

Consider what new blue oceans (yes, it’s a good read), customers, and customer dimensions might exist in this world. Think about it. Spend time imagining the new possibilities and opportunities.

Tip: when allocating time, let’s say an hour, the best ideas come at the end. Rarely do they show up in the first 10 minutes. Be patient.