Enterprise Risk Management

What Is It?

Enterprise risk management, or ERM as it is called, uses an integrated or holistic approach to understand and manage all the risks an organization faces. Its primary purpose is to improve the quality of decision-making throughout an organization.

ERM started in the late 1980s, when financial and insurance companies began to understand that they were taking dissimilar, independent and sometimes competing approaches to managing a mounting number and types of risks they faced internally and externally. The uncoordinated, and sometimes conflicting, approaches to managing organizational risk led executives to ignore some risks while spending too much time managing others. The result was employees did not give senior management a complete picture of the risks they faced, thereby increasing the likelihood that the organization would be surprised by events that, in retrospect, were predictable.

During the past decade and a half, ERM has grown from being a good idea into a more formal discipline to manage an organization's risks. No universally accepted definition of ERM exists, so it's best to think of it as a common framework for managing four types of organizational risks.

• Strategic risks involve the organization's direction. Is the organization's current course and ability to adapt to market changes correct, or does it need to be changed to keep from stagnating or collapsing? Strategic risks include the organization's overall objectives, the assumptions that underlie those objectives, as well as the constraints the organization faces.

• Operational risks involve the people, processes and technology that are needed to carry out the organization's strategic objectives. These risks would include how well information technology systems function or the effectiveness of information security to protect confidential data.

• Financial risks involve the allocation of resources, including the organization's financial investments. For instance, are financial resources allocated so they create the best return for a public company's shareholders, or in the case of a government agency, do investments generate the best value?

• Insurable risks are amenable to be addressed by insurance (specifically, "pure" risks that involve only outcomes of a financial loss or no loss).

Of course, some risks include aspects of more than one of the four classes of risks. Some risks also evolve from one class to others. For instance, disclosure of personal information due to the loss of a laptop (an operational risk) may create both a reputational (a strategic risk) and monetary (a financial risk) consequence. The theft of a laptop from the Veterans Affairs Department in 2006 and the 2007 incident in which an Air Force B-52 bomber unknowingly flew nuclear-tipped cruise missiles across the United States are recent examples of operational risks that have strategic implications.

Managing Risk as a System

As more members of the federal workforce retire, staff turnover likely will move from an operational risk to a strategic risk in many agencies, including the Defense Department. These examples illustrate the importance of thinking about and managing risk as a system.

Managing risks as a system leads an agency to improve its situational awareness, which in turn will allow it to respond to risks more proactively and lead to fewer surprises. An agency also will have a better chance to achieve its strategic goals if it understands the underlying causes of failure. It will be able to create better value from resources by eliminating the need to rework projects after failures, which typically are caused by poor management and increased risk. That gives agencies more time to pursue other work.

For ERM to work, an agency should define and communicate its tolerance for risk (specifically the willingness to incur a loss in pursuit of an objective) to all employees and contractors. Think of this as akin to a manufacturing tolerance or control limit, the threshold of risk that the organization believes is within acceptable limits. For example, the Office of Management and Budget has issued guidance that agencies that manage their IT projects within 10 percent of their budgets generally are doing a good job. Without a definition, managers will not know which risks are too large and which are too small to address.

In addition, information about risks must flow seamlessly and blamelessly across the agency to decision-makers, which is problematic for most, for sure, but a necessary component to managing risk. Risk information often is perceived to be bad news instead of a call for action, which causes managers to filter or hide information when communicating with supervisors.

The NASA Challenger and Columbia space shuttle accidents are examples of filtering risk information. Working-level engineers identified critical risks before each accident, the severity or likelihood of which either were discounted or played down by more senior managers. As a result, top decision-makers did not have a true picture of the risks to either shuttle.

For ERM to be effective, an agency's managers and employees must value risk information, which typically requires a cultural mind-set for change so a healthy risk communication culture can take hold, ERM practitioners say. In addition, agency managers should assign responsibility for risks to those managers who can best oversee them. Risk without responsibility is a recipe for organizational disaster.

In its best form, ERM identifies and manages the individual, collective and cumulative effects of different types of risk on agency decisions. When done well, ERM helps an agency realize its full potential.

Why Should I Care?

While ERM was developed in the commercial sector, it has direct relevance for government -- for a number of reasons.

First, the fundamental role of government is to manage the public's risk. Government does so in three ways: as a regulator where individuals or businesses impose risks on others; as a risk manager where individuals or businesses cannot manage the risk themselves (for instance, providing for the common defense); and as a provider of services to the public, which themselves possess risks.

First, government should manage risk holistically, probably more than commercial businesses do. For instance, the conflicts in Iraq and Afghanistan have highlighted the need for all government agencies to act together to manage risks. By including the Commerce, Defense and State departments, the United States could provide an integrated risk management approach that involves diplomacy, intelligence, military, law enforcement and economic aid, all of which are required to increase the chance for a successful conclusion of any future conflict.

Second, many agencies find their missions -- and the public's expectation of what successfully meeting these missions mean -- are changing based on how well agencies manage performance risks. The Federal Emergency Management Agency, the Army Corps of Engineers and the Homeland Security Department managed risks poorly during their response to Hurricane Katrina, which led to major changes in their disaster management operations, for example.

Equally, the deaths caused by prescription drugs such as Vioxx and Avandia after they were approved by the Food and Drug Administration have caused the agency to look more closely at the safety risks inherent not only in its preapproval process, but also what happens after a drug hits the market. In addition, the recent Supreme Court ruling that grants Class III medical device manufacturers immunity from lawsuits once FDA approves a device places greater demands on the agency to ensure that all risks are assessed.

Third, the public expects agencies to generate good value for the taxes they pay. From a risk perspective, when large government projects are mismanaged, such as the Census Bureau's handheld computer project or the FBI's Virtual Case File system, trust in government and its leadership erode. Trust is further diminished when the public believes agencies do not manage fundamental privacy or security risks, as when government IT systems are hacked, sensitive information is disclosed or active-duty military and veterans do not receive adequate health care.

Every agency, as are businesses, is tasked with trying to meet old and new mission requirements using innovative methods with ever-decreasing resources. Government work has become increasingly high-risk, high-reward, with the public and Congress tolerating little room for error. A cornerstone for how the public and Congress judge them is how willing agencies are to show how decisions are made in the face of risks.

Last, with performance-based pay becoming more accepted across government, how well a federal employee manages risk will become a larger part of how a supervisor judges the employee's performance. The higher up the pay scale, the more important ERM will become in establishing raises.

What's the Latest on ERM?

For the past decade, ERM has been touted as how organizations should manage their risks. The subprime mortgage crisis and its ramifications, however, have created an open question of the value of ERM. Financial institutions, including Bears Stearns, HSBC, Merrill Lynch, UBS and many others, which before the crisis were touted as world-class best practitioners of enterprise risk management, have experienced tens of billions of dollars in losses because they did not understand the risks in which they had invested.

What the subprime situation has made clear is that many financial firms practiced ERM in only a pro forma manner. These organizations may have talked a good ERM game, but they definitely didn't practice one.

For instance, some institutions never questioned strategic risks related to basic market assumptions, such as housing prices would never fall dramatically. Nor did senior management understand the extent of the risks, such as in their size or complexity. Part of the reason was that managers were not concerned about long-term risks as long as short-term profits were being generated. A predictable, nasty surprise was a foregone conclusion.

The subprime debacle once again underscores the critical importance of creating a healthy organizational risk culture, in which senior managers want to know about risks, take action to mitigate them and not make overseers feel unwelcomed when they point risks out.

The subprime situation also highlights the importance of understanding the many ways risks are interconnected. Firms that believed they were immune from what was happening in the subprime market found to their surprise they were not.

One potential downside to applying ERM practices to an agency is that it can, if an agency's management is not careful, turn from being an instrument of helping manage the public's risk to managing the agency's reputational risk, at the cost of the public's interest. For instance, during the past decade, Australia, Canada and the United Kingdom have enthusiastically embraced ERM in government. One troubling aspect, however, as documented by Michael Powers, a professor at the London School of Economics in his book, The Risk Management of Everything (Demos, 2004), has been that ERM in the U.K. government has too often digressed into a means of saving face than managing risk.

Powers notes that government managers perceive reputational risk as their greatest danger, which tends to lead government decision-makers to become risk-averse. ERM has the potential to intensify this behavior, Power says, which can lead to an organization that is afraid to take risks and uses ERM as a tool to assign internal blame when something goes wrong. When used in this way, ERM is a source of more risk than a means of controlling it.

One final issue with ERM in government: Because of the nature the public sector (many stakeholders, the political environment, the high turnover of senior staff, the difficulty in measuring value quantitatively), ERM is not easy to implement. It is difficult enough in commercial firms; in government, it requires a great deal of persistence.

How Do I Get Started?

It is important to remember that we are talking about enterprise risk management, which means that it involves something large, long and not inexpensive to implement.

As has been true with other organizational change management efforts during the past 20 years, companies most successful at implementing ERM have concentrated on a single or small number of business units, finding out what works and what doesn't and then rolling the process out in a systematic way across the organization. Others have tried to build on their internal governance or compliance approaches, with some degree of success. Companies that have tried to implement ERM all at once using a top-down approach, however, have mostly failed.

Unfortunately, it is difficult to implement ERM in an organization without some kind of catastrophic event, which for corporations is usually a "near-death" experience. Very few companies have truly embraced ERM, which means having senior management support, without such an experience. The subprime crisis again has driven that lesson across to the financial sector.

The same is likely to be true in government. NASA, for instance, became a better enterprise risk manager for space flights after the 2003 Columbia space shuttle disintegrated over Texas, killing all seven crew members. The tragedy forced the agency to analyze how and why it made certain decisions. It is doubtful that NASA would have done so on its own without the accident.

Despite the obstacles, a federal agency can follow practical ways to introduce ERM. The best approach is to follow a middle out approach that concentrates on managing operational risks, which specifically are risks posed by people, processes and technology that are needed to meet an agency's mission. Chief information officers, in cooperation with their chief financial officers, are well-placed to begin the process because agency IT supports not only operational, but financial and strategic risks as well.

The CIO can help identify the different types of risk IT creates as well as mitigates for an agency in meeting its mission, and with the help of the CFO, begin to create the processes necessary not only to manage risk within IT, but the remainder of the organization.

Bob Charette is founder of ITABHI Corp., a risk management consulting firm, and has advised Fortune 100 companies and government agencies on the rewards and risks of high-technology programs and policies.

Related Links:

The Committee of the Sponsoring Organizations of the Treadway Commission. Developed an integrated ERM framework.

The Open Compliance and Ethics Group. Developed a framework for integrating governance, compliance, risk management and culture.

British Columbia government discussion of ERM.

Risk and Uncertainty document, United Kingdom.