ERM: SLOW MOVEMENT OR NO MOVEMENT?

Rough Notes, May 2005 by Moody, Michael J

Companies need to move apace to set up ERM programs to reassure investors and raters

Over the past several years, Rough Notes has documented the rise in the enterprise risk management (ERM) concept. We have attempted to report on the many benefits that can be achieved by moving away from the traditional silo approach of risk management to a more holistic view. Central to this evolution is the ability to view risk from both a risk and opportunity standpoint. Such a long-term view makes it clear that ERM can provide a value creation aspect that is simply not available under the silo approach to risk management.

We have also chronicled some of the roadblocks to successful ERM implementation. Among the critical issues that appear to be holding ERM back from attaining its ultimate value are:

* Lack of a common definition of ERM

* Lack of appropriate tools and technology

* Lack of appropriate leadership

Obviously, all three of these items are necessary to provide the measured growth needed to advance the ERM concept. It should be noted however, that the past few months have seen a number of advancements and solutions for mitigating several of these issues.

ERM assistance

Among the most helpful advances has been the publication of the COSO "Enterprise Risk Management-Integrated Framework." While there has been some resistance to the approach that COSO has outlined in the Framework, it's time to face reality. This is a complete, wellthought-out ERM foundation and when combined with the "Application Techniques Manual," provides a good starting point for any organization's ERM efforts. And as the document's authors point out, it was intended as only a starting point. Further refinement will need to be completed at an industry or individual company level. In addition, a variety of software products have been introduced subsequent to the release of the COSO document. Many of the software applications can assist with one or more critical tasks associated with successful ERM implementation, thereby accelerating the implementation phase.

Despite these advancements, it appears that ERM is still suffering from only modest growth. Certainly, the lack of leadership has hampered the growth of ERM, but it appears that another roadblock continues to stall ERM efforts. This issue is management's inability to move past the concept of insurability that is intertwined with traditional risk management. Historically, corporate risk managers have limited their focus to the insurability silo. As a result, many C-Suite executives as well as corporate risk managers still think of risk management in terms of insurable risks. Obviously, this view is quite narrow and extremely limiting since it puts risk management in the "chance of loss or no loss" category. This is one of the key reasons why corporate risk management has rarely gotten the attention in the boardroom that it deserves.

Movement must occur

Despite some initial setbacks, the time is at hand for ERM to flourish. While it is obvious that ERM is still a "work in progress," organizations must begin to embrace the concept and begin to adapt the ERM model into their corporate culture. In fact, the time has passed for simply adopting the ERM model; corporations must now advance ERM to a strategic imperative. Worldwide there is ample evidence that additional regulatory and legislative initiatives directed at corporate wrongdoing will continue. In the United States, the Sarbanes-Oxley Act of 2002 (SOX) offers a glimpse into the future direction of regulatory efforts. Over the past few years, many major corporations have made a significant commitment, both from a time and money standpoint, to SOX compliance. Unfortunately, some companies believe that SOX compliance is the end of the journey. Actually, SOX compliance is just the starting point and ERM is the end of the journey.

In addition to the federal SOX regulations, there has been a flurry of regulatory activity within the major stock exchanges, most notably the NYSE. The NYSE has drafted regulations that will require senior management and corporate directors to certify their knowledge regarding the organization's current and future risks. The regulations go one step further by requiring certification regarding the specific programs that are in place to manage those risks. Most experts agree that it will be very difficult to provide such certification without the benefit of an ERM program.

Despite its slow acceptance, ERM is finally taking its place as a foundation for strategic risk management. While hard numbers are still difficult to come by, management consultant Deloitte has stated that Fortune 500 companies are now addressing their ERM requirements. They estimate that somewhere between one-third and onehalf of all Fortune 500 companies are in various stages of ERM implementation. These figures would indicate a major movement of the concept beyond the financial services sector where ERM principles were introduced.

A life preserver

The well-publicized events surrounding corporate wrongdoing over the past several years provide a clear indication of the trend toward making corporate officers and directors personally responsible and accountable for their actions. Without question, corporate America should consider these legal actions as a warning shot across their bow. While some people may believe that jail time for Martha Stewart was just some kind of a PR stunt, it shows just how serious these actions can be. And as several recent settlements with outside directors illustrate, these actions can be costly. While directors and officers liability coverage has provided some protection in the past, since these are now considered excluded acts, coverage will be limited. The future trend is clear: Corporate wrongdoing will result in personal monetary penalties and/or jail time for those convicted.