Great blog here from the Harvard Law School Forum. Those who work with boards should read the entire thing, but here are two key paragraphs with my emphasis added:
For as long as Caremark continues to be the law, directors should ensure that they at least meet the Caremark standard in connection with the #MeToo movement and other issues relevant to their businesses, but they should not be too concerned about new liability risks, even in the current environment. Meeting the Caremark standard includes periodically assuring that there is a system for information and problems to come to the board’s attention. The application of the Caremark standard to today’s issues does not require novel efforts.
However, reputational risks for companies and directors, distinct from liability risks, deserve to be highlighted in the current environment. The enterprise risk approach that many companies and boards take should be re-examined to ensure that they are designed so that reputational risk concerns will bubble up to the board. In our experience this adjustment has already happened at many companies.
Some ERM habits of high-performing organizations:
High-performing organizations are:
- more likely to factor risk into decisions than non high-performing companies
- twice as likely as low performers to be involved in decision making up front (instead of afterwards or never)
- three times more likely to have "engaged" leadership on risk than low-performers
Preliminary data analysis based on the Center for Excellence in ERM at St. John's April 30th ERM Summit, The ERM Journey. Final analysis and white paper are forthcoming.
ERM: Tools & Techniques for Effective Implementation has been released by the IMA. This is a nice overview of ERM and can be given to colleagues that might not want to read the entire COSO ERM Framework or the ISO Framework. This updated report highlights:
* Risk identification techniques
* Analysis of Risk by Drivers
* Risk Assessment Tools, and
* Practical Implementation Considerations.
Enterprise Risk Management: Frameworks, Elements, and Integration has been released by the IMA. This is a nice overview of ERM and can be given to colleagues that might not want to read the entire COSO ERM Framework or the ISO Framework. The report includes
* a review of ERM Frameworks
* ERM Foundational Elements, and
* a section on Integrating ERM into Ongoing Management Activities.
According to the IMA, "SMAs present IMA’s position on best practices in management accounting. These authoritative monographs cover the broad range of issues encountered in practice."
Recent work at the Center for Excellence in ERM focused on the ERM Journey. As part of the work, companies were asked about the drivers of their ERM program. The traditional answers came up about value, incidents, board requests, etc. For the first time that I have seen, culture showed up as a top driver of ERM.
Winning strategies are full of risk. So are losing strategies. Companies must get better at seeing the risk and uncertainties in their strategic choices. Read how major organizations see the challenges and the best practices in connecting the dots between strategy and risk in our Center for Excellence in ERM at St. John's University white paper.
Recent work at The Center for Excellence in ERM at St. John's University shows that only 38% of ERM executives agree that they are confident that all strategic risks are identified. This work was part of the October 2017 ERM Summit survey. Although the sample is small, the results are still quite interesting. Other early highlights show that ERM executives believe that only 19% of their leaders are very effective at both setting strategy and executing strategy.
Our next risk summit is all set. The theme is the ERM Journey. We'll focus on how PepsiCo, ADP, Estee Lauder, and Con Edison built, grew, sustained, and even today, challenge and assess, their ERM programs for better success.
Guest speakers include:
Byron Stephen and Diane LaCosta, ADP
Rich Muzikar, Long Island Power Authority and formerly Con Edison and Zack Wolff (Con Edison)
Denise Treacy, PepsiCo.
Frank Fronzo, Estee Lauder
Organizations looking to step up and improve ERM might want to consider "culture." The new COSO ERM Framework highlights and emphasizes the link between culture and ERM in the following ways:
• There are 124 mentions of the word "culture" in the ERM framework.
• The first Component is called "Governance and Culture."
• Principle 3 is called "Defines Desired Culture."
• Principle 20 is called "Reports on Risk, Culture, and Performance."
Quick Ideas for Getting Ready to Answer Board and Management Questions about the ERM-Culture Connection:
— Find your resources to dig deeper on culture. For example, read the NACD Blue Ribbon Commission on Culture as a Corporate Asset. I'm still a fan of our Risk Challenge Culture study we did for the IMA and ACCA. The IIA has a lot of good material too.
— Read Principles 3 and 20 and determine how your organization compares to each Principle. Do your board and management define the desired culture? Is culture embraced by all personnel? Do you know the factors that drive culture in your organization? Do you know how culture is influencing your ability to identify risks or properly assess risks? Is risk an afterthought to strategy and other big decisions? Do you have escalation policies? Do you have a risk-aware culture (this will most likely require training employees and management on ERM)?
Our research (which won an award) is published in the Spring 2012 Management Accounting Quarterly, Vol 13, No 3. The implications from that empirical paper state:
"The results suggest that an ERM framework and an ERM implementation can help companies improve performance by enabling executives to manage the company better. From a practical standpoint, companies ask how ERM adds value. Our results show that value comes from implementing the process, which then enables the company to make better decisions. Given that implementing the components takes time, companies should be patient with finding immediate value."
Yes! Of course it does! If you need academic evidence to confirm the obvious... here it is.
Farrell and Gallagher's peer-reviewed empirical paper in one of the highest-ranked risk journals has the following abstract. See the full paper in the Journal of Risk and Insurance, September 2015, Volume 82, Issue 3, pages 625-657.
Enterprise Risk Management (ERM) is the discipline by which enterprises monitor, analyze, and control risks from across the enterprise, with the goal of identifying underlying correlations and thus optimizing the risk-taking behavior in a portfolio context. This study analyzes the valuation implications of ERM Maturity. We use data from the industry leading Risk and Insurance Management Society Risk Maturity Model over the period from 2006 to 2011, which scores firms on a five-point maturity scale. Our results suggest that firms that have reached mature levels of ERM are exhibiting a higher firm value, as measured by Tobin's Q. We find a statistically significant positive relation to the magnitude of 25 percent. Upon decomposition of the maturity score, we find that the most important aspects of ERM from a valuation perspective relate to the level of top–down executive engagement and the resultant cascade of ERM culture throughout the firm. Firms that have successfully integrated the ERM process into both their strategic activities and everyday practices display superior ability in uncovering risk dependencies and correlations across the entire enterprise and as a consequence enhanced value when undertaking the ERM maturity journey ceteris paribus.
Published on Dec 23, 2017
Sound corporate culture is a cornerstone of fraud deterrence and detection. This December 2017 webcast, hosted by the Anti-Fraud Collaboration, highlights leading practices on assessing and strengthening a company’s corporate culture. Hear from an expert panel, who share actionable recommendations that organizations can implement to deter fraud and misconduct. The panel also addresses oversight responsibilities of audit committee members, company management, and internal auditors. Expanding on insights contained in a 2017 National Association of Corporate Directors Blue Ribbon Commission report, Culture as a Corporate Asset, the webcast covers how culture impacts strategy, risk, and performance.
- Mark Carawan, Citigroup Chief Compliance Officer
- Cindy Fornelli (Moderator), Center for Audit Quality Executive Director
- Brenda J. Gaines, Tenet Healthcare Corp. Audit Committee Chair
- Gilly Lord, PwC Head of Regulatory Affairs and Audit Strategy & Transformation
- Paul L. Walker, St. John’s University Schiro/Zurich Chair in Enterprise Risk Management
Watch the video replay of this webcast using the following link:
Found this in the National Security Strategy of the United States of America.
"IMPROVE RISK MANAGEMENT: The United States will improve its ability to assess the threats and hazards that pose the greatest risks to Americans and will prioritize resources based on the highest risks. "
Today’s uncertain environment poses constant threats to the most valuable asset of colleges and universities--their reputation. Taking action to identify risks that could impact your institution’s reputation, and finding ways to prevent or mitigate those risks, is essential to long-term sustainability. A recent study by United Educators and the Center for Excellence in ERM at St. John's University provides insights into reputation risk in higher education and provides separate toolkits.
The Center for Excellence in ERM at St. John's University and United Educators did a study on reputation risk in higher education. The infographic reveals how the largest reputation risks are changing.
Regular and increasingly sophisticated conversations about how noise, change, and disruption impact the business can make a prodigious difference. Based on our Center for Excellence in ERM at St. John's University Risk Summit, read how leading companies are trying to get ahead of the game.
A recent Risk Summit by the Center for Excellence in ERM at St. John's University focused on how to review noise and emerging risks. Numerous tools and methods were also discussed, as well as the sources of risk.
To best identify noise and emerging risks a wide variety of sources should be used. The sources mentioned included:
- Political timelines and stories
- Where startups and angel investors are focusing
- Published risk surveys
- Customer satisfaction surveys and metrics
- Internal risk assessments
- Regulator and competitor actions
- Value shifts appearing in the market
One tool all risk and strategy professionals should have is creating new businesses. After all, if you are on the leading edge of uncertainty, then that should create an advantage and viewpoint that enables you to see new opportunities (perhaps) better than others. Thus, one way to manage strategic risk is to create new business models. In our graduate ERM degree, the students and working professionals learn how to identify the heart and soul of the business and how to search for ways the business could get destroyed or seriously disrupted. Armed with this knowledge, they go on a new business model search. In this week's class we created 36 new business models for Netflix (see attached list of business model creative ideas).
Managing strategic risk helps avoid the downside:
- 66% agree that "A key destroyer of value in my organization is strategic risk and uncertainty."
Managing strategic risk improves the upside:
- 92% agree that "A major key to success for our organization is managing strategic risk and uncertainty."
The results are based on the Center for Excellence in ERM Fall Risk Summit that focused on moving from risk to strategic risk. The Summit included a pre-Summit survey.