ERM In-Depth Series (Part 3): The Double-Edged Gift of ERM

When a corporation decides to embark on an ERM initiative, it often means a combination of risks and rewards for the risk management department. By B.G. YOVOVICH. Yovovich has written for national trade publications for more than 20 years.

The increasing corporate rollouts and expansions of enterprise risk management initiatives are producing a double-edged combination of risks and rewards for today's risk professionals.

On the one hand, the rising prominence of ERM in the corporate arena is opening unprecedented opportunities for risk managers who embrace the ERM initiatives.

"ERM provides an absolutely unbelievable opportunity for a risk manager to really develop an understanding of the foundation of your organization," says Richard Meyers, a veteran executive recruiter who specializes in risk professionals. "More than in any other department, the person or people who are going to be in charge of ERM are going to find out where the substance of the organization lies and where the biggest opportunities are."

On the other hand, ERM also can pose a threat for those risk managers who don't take advantage of the opportunities that the initiatives provide.

"Here is the danger," says Meyers. "I've seen situations where, instead of promoting the existing director of risk management into the position, a major company brings in an individual to head ERM from another area and eventually the risk manager ends up losing his or her job."

The problems arise because the new head of ERM does not see the incumbent director of risk management as bringing value to the new boss' priority, the ERM initiative.

"They bring that person to come in above you, and you wind up dead with that company," says Meyers.

In fact, the early anecdotal indications so far suggest that risk managers often fail to get the lead roles in ERM initiatives. "I have not done a formal survey, but, from what I have seen, companies appear to tend to choose to not have their ERM programs headed by risk managers," says Mark S. Beasley, professor of enterprise risk management and director of the Enterprise Risk Management Initiative at North Carolina State University.

For example, sometimes heads of internal audit are chosen to lead the initial launch of ERM, with the expectation that they would transition to a full-time chief risk officer. In other cases, the vice presidents of strategy get the call.

"In some industries, the person might even come from the legal side of the business," says Beasley. This can happen, for instance, in pharmaceutical firms because of the intense focus on the legal compliance processes required for getting drugs approved by the Food and Drug Administration.

When risk professionals do get chosen to head ERM programs, they often have audit or finance backgrounds, in addition to their risk management experience.

At Mars Inc., risk manager Larry Warner also had an M.B.A. in risk management and corporate finance when he was picked to head up the company's ERM initiative. Or consider the example of Continental Airlines, where the incumbent managing director of risk management, Peter Fahrenthold, not only had 20 years of risk experience but also had started his business career in public accounting as a CPA.

Even so, when the Continental ERM program was getting started three years ago, there was discussion as to whether ERM would belong to the risk management department or the internal audit department. Fahrenthold convinced the company that risk management should take the lead because "ERM encompassed new ideas and new procedures that we had not formalized yet, so it needed a little more of a flexible approach than an audit procedure might take."

This argument is echoed by others who maintain that risk professionals do bring a set of distinctive strengths to ERM initiatives.

"A risk professional thinks about risk differently from the way that, for example, a financial analyst might," says Carol A. Fox, senior director, risk management, at Convergys Corp. and chairwoman of the ERM development committee of the Risk and Insurance Management Society Inc. An individual with a background in, say, internal audit or compliance "starts with a set of standards and management systems--whether it is environmental or information security or whatever--and their view is that the risk controls are contained within these guidelines and standards. They assume that, if you do all of these things, that you will control the risk."

"They understand the numbers but not necessarily the processes behind the numbers," says Fox. In contrast, says Fox, "what we (risk managers) do that you do not get from the compliance folks and the strictly quantitative folks is to use our ability to ask questions" to elicit information and insights that can uncover latent risks or point toward alternatives that can mitigate the risks. "This is the quality that risk managers bring--and it is what can make them truly a business partner in achieving the organization's ERM goals and objectives," says Fox.

That said, ERM initiatives do require skills that are not standard parts of the risk manager's repertoire. The significant C-level and board involvement with ERM means that an understanding of and background in finance--the "language" of top management--is crucial.

In addition, "Change management skills are essential," says John Phelps, director of risk management at Blue Cross and Blue Shield of Florida Inc. and RIMS treasurer and finance director. "Bringing the ERM gospel to your organization is dependent on your ability to change your leaders' and managers' attitude around risk. Anyone who is trying to bring their organization to this new strategic level of managing risk has got to understand the principles and be able to apply the tools of change management," he says. One of those key change-management skills is the ability to create and effectively manage pilot projects.

When Mars began its ERM effort, one of the first steps was the launch of a set of "three pilot tests to find out how people (at Mars) looked at risks," recalls Warner. The tests gathered insights from a selected geographic region, a business function and a business segment, and these findings were used to guide the next steps in shaping the Mars ERM initiative. "We knew we would have to experiment and modify things, and that we would have to be flexible and adapt," says Warner.

In addition, Phelps points to other skills that risk managers need to have in order to effectively lead an ERM initiative. These include a solid understanding of the business and what makes it work, a clear understanding of how the organization measures itself, and good generalist skills so that they can examine any business process and be able to better understand the risks and what can be done about them.

Put simply by Richard Meyers, the long-time executive recruiter: "The most important thing that I try to convey to my clients and my candidates that I am working with is that they have got to recognize that the technical skills that got them where they are today will not get them where they want to get tomorrow."

April 1, 2009

Copyright 2009© LRP Publications