by Greg Hutchins

Measuring the Success of Your Risk Management Program

Guest Post by Bill Pomfret (first posted on CERM® RISK INSIGHTS – reposted here with permission)

We see the value of enterprise risk management everywhere we look. We see it in the news, we can see it in our customers’ success, and we can even see it on the roads in speed limit signs. We know that risk management is deeply enmeshed in both the successes and failures of the corporate world and beyond.

However, as you lobby for the support your ERM program needs, you may find yourself battling a more skeptical outlook. When we think about how to justify risk management, we’re often reminded of an old saying: “How many ships have I saved by erecting a lighthouse?” It’s hard to quantify the value of a preventative measure, which is exactly what a risk management program does.

In this article, I’ll take you through some examples and studies, to help you demonstrate the return on investment, otherwise known as ROI, of ERM and get the buy-in you need from various stakeholders.

The See-Through Economy

We’ve taken note of an irreversible trend becoming more pervasive every day. We call this trend the see-through economy: a fast-paced age of transparency where consumers are empowered to impact a company’s reputation. The increasing adoption of social media and advanced technologies has granted consumers multiple platforms to express their expectations of the companies they choose to do business with.

With these platforms centrally contained in the palm of your hand, consumers are empowered to record and disseminate any message they want, from a good customer experience to a horrible one. The bottom line is that the general public has the power to monumentally impact a company’s reputation at any time. Intangible assets (such as intellectual property, goodwill, proprietary ‘know-how,’ user base, customer experience, brand, and reputation) account for 87% of the net worth of the S&P 500. 81% of millennials expect their favorite companies to make public declarations of their commitment to ethical behavior. 90% of customers read online reviews before visiting a business. So, what does this have to do with enterprise risk management?

A recent report states, “firms are under extreme pressure to mitigate risks, innovate at breakneck speed, keep pace with changing regulatory requirements, identify areas for growth, and shift to digital business practices.” The see-through economy has left companies with nowhere to hide when scandals, missteps, and failures materialize. This means reactionary measures are no longer enough to preserve a company’s reputation. Rather, companies need to take a proactive approach to managing risk before it materializes.

Proactively managing risk requires an agile risk management infrastructure that can connect reputational risk to each area of the business and therefore address it from every angle. Governance, Risk, and Compliance Platforms.

United Airlines felt the effects of the see-through economy when a video surfaced that showed local law enforcement physically removing Dr. David Dao from an overbooked plane.

With 66,000 passengers involuntarily bumped from United flights in 2016 alone, it would be naïve to assume this is the first time this situation escalated to conflict. In truth, this was the first incident caught on tape, or rather, caught on smartphone. The aftermath of the video, and pending investigation into United Airlines’ policies, cost the company $250 million of its market value.

Preventing this type of incident and resulting reputational damages is an enterprise risk management issue. United Airlines only offered Dr. Dao $800 to give up his seat before forcing him off the aircraft, while their policy specifically stated a limit of $1,350. Why was the policy not followed? What if United had leveraged a system that measured the effectiveness of policies in place?

Scandals 

As the business world becomes increasingly transparent, companies will need to integrate risk management into the decisions they make at all levels of the business, across all departments, in order to reduce their exposure to unnecessary risk. High profile companies like Wells Fargo, Chipotle, Equifax, and Uber are a few in a long list of those who have captured the attention of consumers worldwide.

Their failures were not one-off incidents; they stemmed from a systematic failure to implement effective risk management and governance programs. We’ve seen countless examples of poor operational risk management, and how such events could have been avoided with adequate risk management.

Risk Management Failure: Climate Change Disaster

What do the power outages in Texas in 2021 and the ones in California in 2018 and 2019 have in common? Although the crises are different – one faced fire, the other an ice storm – in both cases, the power utility industries were negligent in climate change disaster risk management.

Investments

The see-through economy is also fundamentally changing the relationship between corporations and investors. ESG investing is a growing trend in which investors consider a company’s environmental, social, and governance impact when deciding whether to support an organization. The popularity of ESG investing has grown dramatically over the past few years:

A) The number of investment products with ESG criteria has compounded by 29% a year since 2010.

B) $22 trillion of assets were managed under responsible investment strategies globally in 2016, up 25% from two years before.

Another reason this trend is on the rise, besides the increasing popularity of social media, is the growing recognition that good governance is systemically important. The financial crisis of 2008 was a wake-up call for public and private sectors, demonstrating how issues of culture and conduct could have systemic importance. Improving corporate governance to mitigate impending financial and reputational risks is therefore becoming a top-priority for investors and regulators.

As this trend continues to grow, investors will be looking for proof, as opposed to blanket statements, of ESG-consciousness. ERM platforms are the single most effective way for companies to measure, prove, and present their environmental, social, and governance sustainability to investors.

The correlation between mature ERM programs and increased market valuation has long been proven. An independent research study, “The Valuation Implications for Enterprise Risk Management Maturity,” scientifically proves that a mature risk management program, as defined and measured by the Risk Maturity Model (RMM), delivers a 25% increase in an organization’s net worth.

It’s important to note that our definition of ERM, and the definition in the RMM, includes leveraging all risk information that is already known, though probably not explicit, across governance areas. This is best done by creating a common risk language and structure throughout the organization, so areas can better transfer knowledge to each other where beneficial.

Compliance

Boards are now held accountable for failures in risk management. The Securities and Exchange Commission has held corporations to this standard since 2009, while the Federal Reserve is starting to double down on this expectation, a message clearly sent by the sanctions imposed on Wells Fargo in 2018.

The SEC Proxy Disclosure Enhancements rule defines ERM compliance in a way that extends the board’s role in risk oversight to the threshold of material impact of the risk regardless of level. Boards of directors were previously only responsible for CEO-level risks, activities, and decisions. But this rule extends the accountability mandate to the business process level where material activities take place. This includes risk management out through supply chains, as we saw with the BP oil spill in Louisiana, so private companies are not exempt.

“Vigorous enforcement of the federal securities laws is critical to combat wrongdoing, compensate harmed investors, and maintain confidence in the integrity and fairness of our markets.”

Enforcement of this rule is simple and powerful. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense.

Fiscal year 2017 was a successful and impactful year for the Enforcement Division. The Commission brought a diverse mix of 754 enforcement actions, including 446 standalone actions, and imposed $3.789 billion in disgorgement and penalties.

Most lawsuits that result from failures in risk management are grounded in negligence, meaning companies failed to see what was right in front of them and failed to take action against impending risk events that harmed their customers, employees, shareholders, and communities. This concept of negligence inherently suggests that these events were entirely preventable had the board and management taken the time to assess their company’s operational risks.

The beauty of ERM is that it not only ensures a reduction in risk, but a reduction in lawsuits and financial penalties, as well. Let’s take cybersecurity as an example. Say you’ve taken every precaution to mitigate cyber risk and a breach still occurs. Because you’ve implemented an ERM program and have thoroughly documented your efforts, your company will be able to avoid the punitive damages of negligence. Proof of this is offered in the Federal Sentencing Guidelines, which offer relief for individuals and organizations from negligence claims if they provide evidence of effective risk management.

Efficiency

On average, risk managers spend 62% of their time on tactical, rather than strategic, activities. In a 40-hour work week, that’s over 24 hours spent aggregating and mining data, building reports, and tending to disparate spreadsheets and SharePoint files. That’s time that could be spent managing risk!

In contrast, studies of our customer base indicate that time is cut by over three quarters to about 6 hours per week. That’s 18 more hours developing mitigation strategies for high priority risk, tending to areas of non-compliance, and improving the efficiency of your operations.

If an average risk manager has a fully burdened salary of over $100k, that means your company is spending an extra $45,000 for every employee that isn’t equipped with enterprise risk management software. While traditional GRC software can cost upwards of $200,000, you can get started with ERM software that supports most young programs for only $30,000. If you’re tasked with enterprise risk management but expected to succeed armed only with shared drives and spreadsheets, consider these numbers when making your proposal to senior management. ERM software won’t just add value to your work, it will largely eliminate the burden of managing big data so you can spend your time strategically managing risks and preventing the next loss event.

Operational and Strategic Alignment

The role of the enterprise risk manager is to close the gap between strategic level risks and the operational risks faced at the activity level. Despite being a relatively new corporate discipline, expectations for ERM value are already very high. A recent poll shows us why corporations are desperate for ERM managers to be successful.

The poll, conducted by Harris Interactive of 23,000 corporate full-time employees within key industries and functional areas, highlights some of the challenges ERM is up against: namely, the inability of corporations to focus on and execute their highest priorities.

Consider a few of their most stunning findings:

Only 37% had a clear understanding of what their organization is trying to achieve and why.

Only 1 in 5 were enthusiastic about their team’s and organization’s goals.

Only 1 in 5 said they have a clear “line of sight” between their tasks and their team’s and organization’s goals.

Only 15% felt that their organization fully enables them to execute key goals.

Only 20% fully trusted the organization they work for.

Getting an accurate pulse on strategic objectives is challenging, as these goals are cross-functional and effect-oriented in nature. Strategic goals are extremely valuable to the board and senior executives, but they are impossible to take action on without first breaking them down into root-cause, actionable, silo-specific activities within an operational process.

This is where risk management plays a pivotal role. ERM software is built on making connections between departments, across all levels. An organization’s ERM infrastructure should be capable of drawing a line between operational activities and strategic objectives so that everyone understands how their piece of the puzzle contributes to the bigger picture, and therefore how risks they face can impact overarching company goals.

Bio:

Dr. Bill Pomfret of Safety Projects International Inc., who has a training platform, said, “It’s important to clarify that deskless workers aren’t after any old training. Summoning teams to a white-walled room to digest endless slides no longer cuts it. Mobile learning is quickly becoming the most accessible way to get training out to those in the field or working remotely. For training to be a successful retention and recruitment tool, it needs to be an experience learners will enjoy and be in sync with today’s digital habits.”

Every relationship is a social contract between one or more people.  Each person is responsible for the functioning of the team.  In our society, the onus is on the leader.  It is time that employees learnt to be responsible for their actions or inaction, as well.  And this takes a leader to encourage them to work and behave at a higher level.  Helping employees understand that they also need to be accountable, visible and communicate what’s going on.

About Greg Hutchins

Greg Hutchins PE CERM is the evangelist of Future of Quality: Risk®. He has been involved in quality since 1985 when he set up the first quality program in North America based on Mil Q 9858 for the natural gas industry. Mil Q became ISO 9001 in 1987.

He is the author of more than 30 books. ISO 31000: ERM is the best-selling and highest-rated ISO risk book on Amazon (4.8 stars). Value Added Auditing (4th edition) is the first ISO risk-based auditing book.
