It seems everywhere
you look these days there are calls for better and more effective approaches
to risk and assurance management. These calls for change have intensified
in light of the events of September 11th, the failure of Enron
and other major businesses, banking sector failures, and ongoing public
sector scandals.
The benefits of
“holistic” ERAM are intellectually appealing and difficult to refute.
International studies are increasingly concluding that it results in better
overall corporate governance, reduced earning volatility, higher price
earnings ratios, more defensible capital allocations, heightened risk
awareness and improved response time, better disaster preparedness, and a
host of other benefits.
A recent research study on the subject from the Institute of
Internal Auditors defines Enterprise Risk Management as:
A rigorous and
coordinated approach to assessing and responding to all risks that affect
the achievement of an organization’s strategic and financial objectives.
This includes both upside and downside risks. (IIA Research Foundation 2001)
In light of these
benefits, an obvious question would appear to be: if integrated
enterprise risk and assurance management is so much better than traditional
approaches to risk and assurance, why isn’t everyone rushing to implement
it? The reasons are complex and, like many things in life, linked to
the normal human aversion to change.
Barriers to
implementing ERAM include:
1. Fiercely
defended “specialist silos”.
2. Strong
emotional attachments to traditional approaches to risk assessment that rely
heavily on specialist assurance groups and require only limited senior
management and work unit involvement.
3. New
skills will have to be learned by senior managers, work unit personnel and
specialists of all kinds.
4. There
is no hard “evidence” that this new approach is better.
5. An
aversion, particularly in litigious cultures, to documenting and disclosing
the basis for risk acceptance decisions.
6. Risk
information and assurance services customers have been generally happy. As a
general statement, Boards of Directors and senior managers have not been
demanding more and better data on risk status.
7. An
absence of tangible, urgent reasons to change the status quo.
Of all of the barriers
listed, numbers 5, 6 and 7 are the most significant. In the banking industry
these barriers are being tackled through global regulatory reform. Stock
exchanges, public sector oversight agencies, and other oversight bodies
are contemplating similar reforms.
Although regulatory
pressure to change is certainly building, I believe there are also tangible
and persuasive business reasons to adopt ERAM. Business drivers include:
1. 20-30% annual
cost savings on assurance/inspection spending. Spending on assurance
groups like internal audit, safety, environment, compliance, and others can
be radically reduced through integration of effort and data, use of new,
more effective planning and risk assessment approaches, strategic use of
technology, and increased involvement of work units and senior managers.
2. Reduced cost of
control. New ERAM software tools now available are designed to help
work units eliminate expensive, low impact controls, reallocate resources to
higher risk/impact issues, and simulate the impact on residual risk of cost
reduction initiatives and new business ventures.
3. Optimized risk
transfer/risk financing/risk retention. ERAM software provides better
information to make decisions on insurance, control design strategy and risk
transfer options.
4. Reduced cost of
deploying corporate policy. ERAM software provides the perfect platform
to cost-effectively deploy and link corporate policy to relevant business
units, business objectives, risks and/or control descriptions.
5. More payback
from consultants and specialists. Enterprise risk software provides a
tool to capture findings, observations, and recommendations from consultants
and other specialists brought in to look at particular problem or concern
areas.
6. More rational
capital allocations and measurement. An effective enterprise risk
management system provides better data to allocate capital and measure “risk
adjusted” return on capital employed.
7. Integration
savings. Holistic enterprise risk management, by definition, means
integration of the planning and objective setting processes and risk
assessment and assurance processes. This can lead to tangible cost savings
by elimination of overlap and duplication of effort.
The business case for
moving from traditional risk and assurance approaches to a holistic
enterprise approach to risk and assurance is irrefutable, much the same as
the claims advanced by the anti-smoking movement were 20 years ago.
Realists, however, also recognize that both campaigns involve overcoming
human addiction and difficulty with change. The good news is that some
people, when shown the logic of making a change, can change their behaviors
overnight. The challenge for the enterprise risk movement is that many
people need all kinds of assistance and personal incentives to change.
Unfortunately, the bad news is that some people, organizations and even
entire countries are often unable to change - even in the face of massive
evidence in favor of change and high risk of death or massive disaster if
the status quo is kept.
Only time will tell
how well we all do, personally, corporately and nationally, at improving our
ability to change and better manage risks of all types.
Tim Leech is CEO of CARD®decisions Inc., based in Mississauga,
Ontario, Canada.