IMA Releases Updated SMA - Enterprise Risk Management: Frameworks, Elements, and Integration

 

Enterprise Risk Management: Frameworks, Elements, and Integration has been released by the IMA. This is a nice overview of ERM and can be given to colleagues who might not want to read the entire COSO ERM Framework or the ISO Framework. The report includes:

* a review of ERM Frameworks

* ERM Foundational Elements, and

* a section on Integrating ERM into Ongoing Management Activities.

According to the IMA, "SMAs present IMA’s position on best practices in management accounting. These authoritative monographs cover the broad range of issues encountered in practice."

Only 38% are confident that all strategic risks are identified

Recent work at The Center for Excellence in ERM at St. John's University shows that only 38% of ERM executives agree that they are confident that all strategic risks are identified. This work was part of the October 2017 ERM Summit survey. Although the sample is small, the results are still quite interesting. Other early highlights show that ERM executives believe that only 19% of their leaders are very effective at both setting strategy and executing strategy.

April 30 Center for Excellence in ERM Risk Summit

Our next risk summit is all set. The theme is the ERM Journey. We'll focus on how PepsiCo, ADP, Estee Lauder, and Con Edison built, grew, and sustained their ERM programs, and how even today they challenge and assess them, for better success.

Guest speakers include:

Byron Stephen and Diane LaCosta, ADP

Rich Muzikar, Long Island Power Authority and formerly Con Edison and Zack Wolff (Con Edison)

Denise Treacy, PepsiCo.

Frank Fronzo, Estee Lauder

ERM and Culture—Time to Step It Up?

Organizations looking to step up and improve ERM might want to consider "culture." The new COSO ERM Framework highlights and emphasizes the link between culture and ERM in the following ways:

• There are 124 mentions of the word "culture" in the ERM framework.

• The first Component is called "Governance and Culture."

• Principle 3 is called "Defines Desired Culture."

• Principle 20 is called "Reports on Risk, Culture, and Performance."

Quick Ideas for Getting Ready to Answer Board and Management Questions about the ERM-Culture Connection:

— Find your resources to dig deeper on culture. For example, read the NACD Blue Ribbon Commission on Culture as a Corporate Asset. I'm still a fan of our Risk Challenge Culture study we did for the IMA and ACCA. The IIA has a lot of good material too. 

— Read Principles 3 and 20 and determine how your organization compares to each Principle. Do your board and management define the desired culture? Is culture embraced by all personnel? Do you know the factors that drive culture in your organization? Do you know how culture is influencing your ability to identify risks or properly assess risks? Is risk an afterthought to strategy and other big decisions? Do you have escalation policies? Do you have a risk-aware culture (this will most likely require training employees and management on ERM)?

 

Why Does ERM Add Value?

Our research (which won an award) is published in the Spring 2012 Management Accounting Quarterly, Vol 13, No 3. The implications from that empirical paper state:

"The results suggest that an ERM framework and an ERM implementation can help companies improve performance by enabling executives to manage the company better. From a practical standpoint, companies ask how ERM adds value. Our results show that value comes from implementing the process, which then enables the company to make better decisions. Given that implementing the components takes time, compa- nies should be patient with finding immediate value. "

 

 

Does ERM Add Value?

Yes! Of course it does! If you need academic evidence to confirm the obvious... here it is. 

 

Farrell and Gallagher's peer-reviewed empirical paper in one of the highest-ranked risk journals has the following abstract. See the full paper in the Journal of Risk and Insurance, September 2015, Volume 82, Issue 3, pages 625-657.

 

Abstract

Enterprise Risk Management (ERM) is the discipline by which enterprises monitor, analyze, and control risks from across the enterprise, with the goal of identifying underlying correlations and thus optimizing the risk-taking behavior in a portfolio context. This study analyzes the valuation implications of ERM Maturity. We use data from the industry leading Risk and Insurance Management Society Risk Maturity Model over the period from 2006 to 2011, which scores firms on a five-point maturity scale. Our results suggest that firms that have reached mature levels of ERM are exhibiting a higher firm value, as measured by Tobin's Q. We find a statistically significant positive relation to the magnitude of 25 percent. Upon decomposition of the maturity score, we find that the most important aspects of ERM from a valuation perspective relate to the level of top–down executive engagement and the resultant cascade of ERM culture throughout the firm. Firms that have successfully integrated the ERM process into both their strategic activities and everyday practices display superior ability in uncovering risk dependencies and correlations across the entire enterprise and as a consequence enhanced value when undertaking the ERM maturity journey ceteris paribus.

Oversight of Corporate Culture Webcast

 

Center for Audit Quality

Published on Dec 23, 2017

Sound corporate culture is a cornerstone of fraud deterrence and detection. This December 2017 webcast, hosted by the Anti-Fraud Collaboration, highlights leading practices on assessing and strengthening a company’s corporate culture. Hear from an expert panel, who share actionable recommendations that organizations can implement to deter fraud and misconduct. The panel also addresses oversight responsibilities of audit committee members, company management, and internal auditors. Expanding on insights contained in a 2017 National Association of Corporate Directors Blue Ribbon Commission report, Culture as a Corporate Asset, the webcast covers how culture impacts strategy, risk, and performance.

 

Panelists:

Mark Carawan, Citigroup Chief Compliance Officer

Cindy Fornelli (Moderator), Center for Audit Quality Executive Director

Brenda J. Gaines, Tenet Healthcare Corp. Audit Committee Chair

Gilly Lord, PwC Head of Regulatory Affairs and Audit Strategy & Transformation

Paul L. Walker, St. John’s University Schiro/Zurich Chair in Enterprise Risk Management

 

Watch the video replay of this webcast using the following link:

https://www.youtube.com/watch?v=wOzQ1RFOgic&feature=youtu.be 

 

ERM and Reputational Risk in Higher Ed: More Talk Than Action

Today’s uncertain environment poses constant threats to the most valuable asset of colleges and universities--their reputation. Taking action to identify risks that could impact your institution’s reputation, and finding ways to prevent or mitigate those risks, is essential to long-term sustainability. A recent study by United Educators and the Center for Excellence in ERM at St. John's University provides insights into reputation risk in higher education and provides separate toolkits

Sources of Emerging Risks

A recent Risk Summit by the Center for Excellence in ERM at St. John's University focused on how to review noise and emerging risks. Numerous tools and methods were also discussed, as well as the sources of risk.

To best identify noise and emerging risks, a wide variety of sources should be used. The sources mentioned included:

Operational incidents

RSS feeds

Political timelines and stories

Where startups and angel investors are focusing

News

Industry reports

Customer complaints

Social Media

Academic studies

New implementations

Published risk surveys

NGO agendas

Customer satisfaction surveys and metrics

Annual plans 

Internal risk assessments

Macroeconomic news

Strategic plans

Employee feedback

SMEs

Surveys

Industry conferences

Client input

Regulator and competitor actions

Value shifts appearing in the market 

 

Managing Strategic Risk by Creating New Business Models

One tool all risk and strategy professionals should have is creating new businesses. After all, if you are on the leading edge of uncertainty, then that should create an advantage and viewpoint that enables you to see new opportunities (perhaps) better than others. Thus, one way to manage strategic risk is to create new business models. In our graduate ERM degree, the students and working professionals learn how to identify the heart and soul of the business and how to search for ways the business could get destroyed or seriously disrupted. Armed with this knowledge, they go on a new business model search. In this week's class we created 36 new business models for Netflix (see attached list of business model creative ideas).

 

 

 

Why we need to link risk to strategy

Managing strategic risk helps avoid the downside:

- 66% agree that "A key destroyer of value in my organization is strategic risk and uncertainty."

Managing strategic risk improves the upside:

- 92% agree that "A major key to success for our organization is managing strategic risk and uncertainty." 

 

 

The results are based on the Center for Excellence in ERM Fall Risk Summit that focused on moving from risk to strategic risk. The Summit included a pre-Summit survey. 

From Risk to Strategic Risk

Five strategy and risk leaders from prestigious organizations discussed how risk and strategy are intertwined at the Center for Excellence in ERM at St. John's University. Strategy leaders from Time Inc. (Erik Moreno) and Con Edison (Guru Nadkarni) shared their views of strategy, strategy frameworks, the acceleration of disruption, business models, etc., and answered questions from leading risk executives about the strategy link to risk and how ERM can help strategy leaders. Risk leaders from General Motors (Kristie Bidlake and Ken Shogren) and PepsiCo (Denise Treacy) shared their tools for strategic risk identification and analysis as well as wisdom they've learned from making the strategy risk connection.

Identifying Risk at the Right Spot and Time

Identifying risks to objectives has been a great approach for several years. There are extensions to this approach that are important to think about.

1. Consider identifying risks in major decisions. If ERM adds value and does this by improving decisions (we have empirical evidence to support this) then ERM should be applied to new decisions and not just historical decisions and the related (already set) objectives. Those are still good places to identify risk but more can be done. Other places to consider risk identification include: large transactions, large contracts, new initiatives (think Wells Fargo), technologies, new business models (e.g. Uber or Chipotle), and strategy. The point is to identify the risk earlier, up front, instead of later when the objectives are written. This may require the ERM team to become more visible and more involved up front. 

2. Don't wait for objectives. In our recent FEI research report, companies that were in fast-moving industries do not wait for objectives to be written down. They listen to the CEO to identify the strategies and objectives. Waiting until a workshop or quarterly assessment can be too late in some industries.

Is Leadership a Risk?

Is leadership or leadership structure a potential top risk? According to an article in Forbes, the answer is yes. The key is how many companies would even look at leadership as a top risk when they do their own risk identification. The Forbes article states:

"2. Organizational Leadership and a Strong Pipeline Are Important

Leaders could learn from Uber’s former CEO about the importance of organizational leadership and a strong pipeline. Uber had a bare senior leadership bench, and that led to culture fiascos, management failures and performance flops. Strong leadership at and near the top, an independent board, and thorough enterprise risk management would position a company for success better than one leader acting alone. - Kelly Byrnes, Voyage Consulting Group"