I attended the Lean Startup Summit in Berlin this past February. In my view, ERM needs to play a bigger role because the risks must be identified and managed in innovation just as in daily objectives. One idea discussed at the conference was that the really big strategic risk is related to different dimensions. Those dimensions are revenue (not new) but also how the new idea/project/innovation might transform the organization. See the map here. Organizations feeling more disruption might want to map their projects using a similar approach. The most important place is probably location 1. This perspective can help organizations consider which projects to prioritize.
Once we’ve got the risk identified, a key question for leadership and the board is: do we have the right talent to manage this risk?
Collins’ “Good to Great” highlighted the importance of getting the right people. The same thing applies in managing risks. I’ve seen this show up in several companies and know of others who have closed this loop. A few example questions:
If your organization is facing massive disruption and digital changes and no one on the board or in leadership has a good understanding of this then the risk could be higher.
If your organization plans on opening new locations but hasn’t thought through the implications of not having the talent already in place and trained, then the likelihood of not meeting the objectives goes up.
Our current and preliminary data analysis in the tech industry shows:
half of value killers are strategic setting
half of value killers are strategic execution.
The big ones:
Almost 90% of big value killers are strategic setting
The agility link:
the strategic setting mistakes and losses take 2.5 times longer to recover.
ERM around strategic setting risk can pay off in big ways.
I’ve seen all those studies and slides from so many organizations and consultants that state that strategic risk is the most important risk out there that leads to lost value. I don’t think anyone disagrees with those general findings.
My academic brain keeps wanting to know more. If COSO has strategic risk in 3 dimensions is it possible for us to know which of those is the problem? In other words, is the lost value because of strategy setting, strategy alignment, or strategic execution? To me, that’s the bigger question.
Well, I’ve got this one bright graduate student helping me try to answer this question.
Very very preliminary but the interesting finding (so far…) is:
most value killers that are small are strategic execution related.
the largest value killers? they are primarily strategy setting.
If we want to really help our organizations with strategic risks then we must get involved in the questions around whether we have the right strategy set!
I heard a talk in Berlin recently that inspired me to think of risk in new projects this way. Take all the disruption or new projects and map them as follows:
Vertical axis is new growth
Horizontal axis should include transformational/blue ocean dimensions like:
improved relationships with customers
future new business model to make you more competitive
High growth projects with high transformational / blue ocean possibilities are the key in a disruptive / ultra competitive world. That doesn’t mean we don’t identify the risks in those projects - we still should do that because it may be even more important. But here’s a lesson from long ago in my career. Identifying the risks takes serious thought and the most important risks come up at the end, not in the first 5 minutes. It takes deep thinking.
Again, from the white paper:
Only 33% agreed that the CRO or ERM leader has been involved at the appropriate level.
But 55% agreed that it is one of their “top risks.”
43% agree that they have identified the risks in the efforts but only 38% were confident in their risk identification efforts.
54% acknowledge that their testing, adoption, and implementation of their digital disruption efforts was “too little” or “far too little.”
Only 32% agreed that they are “ready” to address digital disruption.
Although the final white paper is forthcoming, it seems wise to share some of the interesting findings:
85% of ERM leaders agree that digital disruption and transformation will have a significant impact.
The #1 reason companies are moving forward with digital disruption efforts is because they believe their business model is at risk. 76% listed “remaining relevant” as the reason for making a change.
I recently attended the Lean Startup Summit in Berlin. A few ERM/startup takeaways:
First, use an ERM approach to identify the risks in the startup. Instead of COSO’s risk categories or strategic objectives, consider using the dimensions of usability, feasibility, and value. Use these prompts to get the team to identify and map the risks on impact and likelihood. Manage the big ones right away. The startup may depend on it.
Second, identify the critical success factors in the launch of the startup (at the Summit this was applied to a product launch). Using those factors, attempt to reduce the risk of each product launch factor via testing. As the tests prove successful, the risk is lowered. Document the test results and (hopefully) reduced risk.
Third, once the product or company is launched the next steps are focus, focus, focus. This was labeled horizon one and the focus seemed to be on selling that product/idea and getting it out. But according to research done by this company on scaling companies, a considerable amount of effort must be put into new products. Stated differently, they suggest that true long-term success must focus on the next product and time must be continuously allocated to the new ideas even while focusing on the current success.
Note we have a white paper on the ERM - innovation connection that has valuable additional content.
First, read your strategy document. I can’t emphasize this enough. We’ve got to know our own vision, mission, strategy, etc. Note that sometimes an understanding of this will cause a repositioning of certain risks.
Second, read what they read. Boards and executives are not necessarily reading COSO’s ERM Framework or the ISO Framework. Therefore, to understand their world and problems, read what they read. Some of my favorites in this area are:
o Business Model Generation (Osterwalder & Pigneur)
o Value Proposition Design
o No Ordinary Disruption (Dobbs et al.)
o Big Bang Disruption (Downes & Nunes)
o Your Strategy Needs a Strategy (Reeves et al.)
o Create Marketplace Disruption (Hartung)
o Superforecasting (Tetlock and Gardner)
Strategy (more general)
o Strategy Beyond the Hockey Stick (Bradley et al.)
o Blue Ocean Strategy (Kim & Mauborgne)
o The Lean Startup (Ries)
o Playing to Win (Lafley and Martin)
o Brand Resilience (Copulsky)
o Discovery Driven Growth (McGrath and MacMillan)
o Upside (Slywotzky)
o Innovator’s Toolkit (HBS)
o Geography of Genius (Weiner)
o Achieving the Execution Edge (Bart & Schreiber)
o When Strategy Execution Marries Risk Management (Ow)
o Seven Strategy Questions (Simons)
o Strategy that Works – How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)
And from the book above, “Strategy Beyond the Hockey Stick,” I found the authors had an interesting favorite list of their own:
Strategy: A History
The Innovator’s Dilemma
Good Strategy/Bad Strategy
The Art of War
Coopetition: a revolutionary mindset…
The Lords of Strategy…
Antifragile: things that gain from disorder
The signal and the noise…
Thinking fast and slow
Decline and fall of the Roman Empire
The strategy of conflict
The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” While navigating strategy and disruptive risks gets many headlines, some fundamentals are still necessary for ERM to be effective. The study shows:
33% of ERM executives do not agree that their assessments are accurate,
48% do not look at risk connections/correlations,
58% have had unidentified risks impact them (surprises?), and
only 46% agree that decision making involves explicit consideration of risk.
The lesson? Get better at how you identify, how you assess, and get involved early (if possible).
There has been talk about key risk indicators, bow-ties, etc. for some time. However, one extra reason to at least set up these risk driver scenarios is that it can help:
identify new risks, and
help get better metrics.
When forced to not just identify metrics but to first think through the drivers and consequences of the risks, executives begin to see new risks as their minds work through what’s causing the risks. Additionally, as they consider the final and most probable drivers, they then, and I would argue only then, can get the best possible metrics to manage the risk.
The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” One interesting result in that study is the number of programs that have ERM assessed in some way.
The study shows:
61% of organizations assess or benchmark their ERM process, and
65% have their management or board evaluate their ERM process.
The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” One thing that stands out in that white paper is how ERM executives believe value is added. But the key to understanding that value is insight into why it adds value. A couple of reasons stand out:
54% of ERM executives believe they add value because they helped their organization identify previously unknown risks.
76% of ERM executives believe they add value by helping their organization understand the real risks.
Discovering new risks and finally understanding risk is all about moving some unknowns into the known area. It’s got to add value.
The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” One thing that stands out in that white paper is how ERM executives believe value is added.
One obvious answer is to build the ERM infrastructure. Table 1 shows that high performing ERM companies have a higher percentage of agreement with the statement “We have the necessary infrastructure to support the ERM process.”
A second method is to integrate ERM better and in the right areas. Table 2 shows that high performing ERM companies have higher percentages of ERM integration in strategy, operations, and finance.
A third method shows up in Table 3. While building and integrating are important, some of the big ERM wins come from helping the culture become risk aware, building a relationship with risk owners, bringing “ah-ha” moments, and things like having business leaders promote and embed risk in their areas.
Adaptive Governance & Challenge. “In the Commission’s view, this will require boards to build… adaptive governance, which we define as… active involvement by directors in setting and maintaining a boardroom culture that is centered on open discussion, constructive challenge…” (NACD, 2018).
- ERM Reaction: practice a challenge culture or contrarian view when risks are presented. Encourage boards to do the same. The goal is for the greater good of the organization.
Question Legacy Business Models. Allegiance to legacy business models with reluctance to question their future viability is a red flag according to board guidance (NACD, 2018).
- ERM Reaction: include business model risk analysis in your risk assessment.
Boards assess emerging risks. “The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated. Principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company’s business model, future performance, solvency or liquidity and reputation. In deciding which risks are principal risks companies should consider the potential impact and probability of the related events or circumstances, and the timescale over which they may occur.” UK Corporate Governance Code 2018.
- ERM Reaction: First, strengthen your emerging risks process. Second, include business model risk analysis in the process. Note: if you’re not in the UK, you might be tempted to ignore this UK guidance, but it captures the growing pressure on boards over emerging risks and business models.
Exogenous Risks. “Boards have concerns about less controllable, exogenous risks.” 2019 NACD Corporate Governance Outlook.
- ERM Reaction: Convince the board how you’ve done this. Use black-swan or disruptive workshops to attempt to pull out these risks.
Trigger risks. “Trigger events or risk thresholds are not always clear in advance: even if their causes are relatively familiar, these risks may ‘develop in a non-linear manner,’ as a result of ‘tipping points that might be detectable only in retrospect,’” Board Oversight of Disruptive Risks (NACD, 2018).
- ERM Reaction: Identify which risks could be the tipping point or the trigger. Develop key risk indicators, risk drivers, or mind maps to help see the triggers. Managing/monitoring the non-trigger risk could be too late.
Assess vulnerability to Disruptive Risks. “Establish time on the board agenda, at least annually, for a substantive discussion of the company’s vulnerability to disruptive risks. Consider using approaches such as scenario planning, simulation exercises, and stress testing to inform these discussions.” NACD, 2018
- ERM Reaction: Just do it.
Skills to Navigate Disruptive Risks. Boards should invest in the skills—within the organization and on the board itself—needed to navigate disruptive risks. (NACD, 2018).
- ERM Reaction: lead or train your board on how to identify disruptive risks and link them to the business model. Ask them to include ERM and Board Risk Oversight training as part of the new board member onboarding/training.
This interview with Christensen points out that companies must address disruptive innovation (his first book) but his latest work also discusses problems and opportunities.
“His solution is simple, profound and right in front of your face: See big problems as big opportunities. Look for the intersection of non-consumption and what he calls “jobs that must be done.” Then create products—and processes—that serve those needs. By doing so, you’ll harness what he terms “market-creating innovation”—by far the most profitable, disruptive force in business (think electric light, iPhones and the Model T).”
For the practicing ERM executive or board member there is a valuable insight here. Look at your biggest risks on your map or register and seek the opportunity and upside of that risk instead of just identifying the risk and developing action plans. In other words, challenge management to think through the risk and find the opportunity. I’ve met one CRO that does this on their top risks in designated risk opportunity workshops.
A company’s annual report offers a description of that organization’s business and the risks it faces. Risk disclosures are an important part of that report and should provide external stakeholders with valuable information about significant risks.
This research study represents an analysis of risk factor disclosures from large manufacturing companies on both the Tokyo Stock Exchange (TSE) and the New York Stock Exchange (NYSE).
At one of our recent Center for Excellence in ERM Summits participants were asked to list their greatest ERM challenge. Their list is below. Perhaps others can learn from their wisdom.
Senior leadership socialization
Integration into the Strategy Formulation process.
Measuring the value of ERM.
Benchmarking the thoroughness of the program.
Applying consistent and/or universally-accepted risk assessment criteria across different business units/contexts.
Building awareness of the integration between ERM and Strategy
Consistent implementation of new ERM-related policies and procedures
Credit for the work that is done
Deepening organizational understanding of risks, and framing such in a way that facilitates Decision making
Determining the purpose and "value add" of the ERM program and gaining C-Suite level support for ERM initiatives
Differentiation between ERM level risk and operational risk.
Education on ERM to middle management
Ensuring the business actively monitors risk.
Ensuring underlying assumptions, modeling and forecasts are adequate to meet our short and long-term obligations and regulatory mandates.
Establishing an ERM system
Formalizing ERM throughout the organization.
Getting involved in strategy setting and decision making.
Getting the attention of staff at all levels of the agency
Keeping the appropriate balance between profitability and growth
Maintaining a regular cadence of engagement - engagement tends to vary by the risk stakeholders
Moving from an ERM program that has a higher focus on reducing negative outcomes and managing risks to one that is fully integrated with the business and strategies, increasing the range of opportunities linked to performance ... creating, preserving and realizing value.
not enough resources around model, vendor and ops risk functions
Responsiveness from several business units
Showing or proving how we add value
siloed risk activities; no CRO
Standardize ERM governance across all regions. Insert ERM or its principles into the strategic planning process across all regions.
Time to work in ERM to decision making process.
Too many silos
There is no official certification (that I know of) for ERM at this point. But how would a board know or an ERM leader determine that their ERM process is set up in a way they’d want? There are the obvious signs such as too many surprises, not seeing risks, not correctly assessing, etc. There is also a program review that can be done.
First, some organizations can and do benchmark with other programs to get feedback.
Second, other organizations hire outsiders to review their program and provide feedback.
Third, ERM leaders can do this on their own. An unofficial approach might be:
Review your program for all COSO Components
Review your program for evidence of all relevant principles (the word relevant is critical).
If your program has evidence of relevant principles, COSO components, and the components interact/work together then you’d unofficially have a good program.
Keep in mind:
It can be very valuable to do this.
This is unofficial; but if some senator gets mad at U.S. businesses again, they could make this the law (like they did with internal control / SOX).
Tread lightly. Choose wisely. Make it a TQM opportunity-for-improvement thing instead of a do-or-die ERM thing. It works better, you get to the same place (since this isn’t 100% the law), and management sees it as a positive thing about performance, etc.
Finally, if I were a board member I’d ask every ERM leader I know to do this.