ENTERPRISE RISK MANAGEMENT: A DAILY EXERCISE
By Dave Lindorff
While the financial meltdown was a sock in the eye for risk management as it had been practiced, the crisis has also underscored the need for organizations to put in place a well-integrated and solid process according to a soon-to-be-released report from Marsh Inc.'s enterprise risk management (ERM) practice and GovernanceMetrics International, the corporate governance research and ratings group.
The report highlights the case of Tyco International, a $20-billion diversified industrial company, which seven years ago was a risk manager's nightmare. Its CEO indicted and later convicted of defrauding shareholders of $400 million and its books cooked beyond recognition, Tyco was often mentioned in the same breath as Enron and WorldCom. Today, broken up, restructured and under completely new management, Tyco has put risk management front and center in its strategic planning and operations.
"Today risk management is a component of how this company operates on a day-to-day basis," says John Jenkins, Tyco's corporate secretary. "So, for example, with strategic planning, it's not a matter of the risk manager sitting on the side and suddenly chiming in; it's just a component of the whole process."
That, Christie Kaufman, vice president of Marsh Risk Consultancy and one of the three authors of the Marsh/GMI study tells Treasury & Risk in an exclusive, is the way risk management ought to work.
David Charlot, assistant treasurer for capital planning at Tyco, says his company has weathered the credit crisis just fine thanks to having run a "bottom-up" risk study nearly two years ago to see how the company could survive a bear market . "We made a conscious decision because of that study not to raise our debt levels and to keep a strong capitalization. We decided to be self-funded, so whether credit markets are soft or hard is not relevant to us," he says. "We're in a good position now to take advantage of opportunities where other companies can't."
Other companies, not so much. In a survey of 149 companies, Kaufman says, 79% report having a formal ERM program, and of those about 52, or two-thirds, say they've had their programs for more than a year. Of the 21% that say their companies have no ERM program, 40%, or two in five, say they plan to develop one within the year.
However, half of the companies that did have ERM programs conceded that these programs were only partly integrated into businesses, says Kaufman. This was attributed to ineffective communications between risk managers and the rest of the business, a lack of influence for risk managers, or sometimes a lack of risk expertise at the board level. Also cited was a lack of metrics, program informality and a lack of risk tools (only 10% of companies with ERM programs have automated tools.)
"The biggest problem is integration," says Kaufman. "How do you get risk to be something everyone thinks of daily."