by Gary Cokins
Governance and compliance awareness driven by government legislation such as Sarbanes-Oxley in the US and Basel II is clearly on the minds of all executives. Accountability and responsibility can no longer be evaded: executives who err on the side of weak compliance can go to jail. As a result, internal audit controls have been enhanced. The popular acronym that addresses this is GRC, for governance, risk, and compliance. From the perspective of enterprise performance management, one can consider governance (G) as the stewardship of executives to behave in a responsible way, such as providing a safe work environment or formulating an effective strategy, and compliance (C) as operating under laws and regulations. Risk management (R), the third element of GRC and often referred to as enterprise risk management (ERM), is the element most closely associated with enterprise performance management (EPM).
Some organizations are beginning to integrate ERM and EPM. In a little under two weeks’ time I will be presenting this topic as a keynote speaker on November 10 in Las Vegas at the SAP Conference for Financial Planning, Consolidation and Controls. I shared some of my thoughts about technology and reasons for speaking at this conference in an interview recently, but as I shall be covering a broad topic area in my conference presentation concerning the integration of ERM and EPM, I decided to write a little more about this now, before heading to Las Vegas, as a scene-setter in many ways for what I’ll speak about there.
You may think that this theme is a little out of step with the themes running through my recent blog series, as this blog is the final one of 8 blogs in the 2015 Summer/Fall series of my SAP blogs. I hope you’ll see, however, that there is merit in bringing this topic to the forefront of thought again, as to my mind there’s a very clear link between innovations in planning and analytics in the Cloud and how these might be integrated with an approach to risk management. A limitation to this integration to date has not necessarily been a lack of interest, understanding or willingness to do it, but rather that the actual methods have been cumbersome and sometimes complex, especially when viewed from a technology standpoint. But that’s changing. Technology is becoming easier and simpler to use, and the once distinct disparity between functional capabilities in Analytics, EPM and ERM is starting to blur and fade away, to be replaced by clear lines of vision, collaboration and unison. So if we can remove the “how” as a barrier to integration, let’s consider the “why”, because this is how we’ll stimulate businesses to invest serious time and energy in taking risk-informed planning decisions as a part of their normal business processes. For this let’s go back to basics.
The integration of ERM and EPM
EPM is now more correctly being defined as a much broader umbrella concept of integrated methodologies – much broader than its previously misperceived narrow definition as simply being dashboards and better financial reporting. What could possibly be an even broader definition? My belief is the EPM methods are only a part – but a crucial, integral part – of how an organization realizes its strategy to maximize its value to stakeholders, both in commercial and public sector organizations. This means that enterprise EPM must be encompassed by a broader overarching concept – enterprise risk-based performance management – that integrates EPM methods with enterprise risk management (ERM).
The “R” in GRC shares characteristics with EPM methods. Both ERM and EPM rest on two beliefs:
- The less uncertainty there is about the future, the better.
- If you cannot measure it, you cannot manage it.
The premise here is to link risk performance to business performance. Whether EPM is defined narrowly or ideally more broadly, for most organizations it does not embrace risk governance. It should. Risk and uncertainty are too critical and influential to omit. For example, reputational risk caused by fraud (e.g., Tyco International), a terrifying product-related incident (e.g., Tylenol), or some other news headline grabbing event can substantially damage a company’s market value.
Is risk an opportunity or hazard?
ERM is not about minimizing an organization’s risk exposure. Quite the contrary: it is about exploiting risk for maximum competitive advantage. A risky business strategy and plan always carries a high price. For example, whatever investment analysts do not know about a company, or are uncertain or concerned about, results in a premium on its capital costs and a discount on its stock value. Uncertainty can concern accuracy, completeness, compliance, and timeliness, in addition to simply being a prediction or estimate applied to a target, baseline, historical actual (or average), or benchmark.
Effective risk management practices counter these effects by being comprehensive in recognizing and evaluating all potential risks. ERM’s goal is less volatility, greater predictability, fewer surprises, and, arguably most important, the ability to bounce back quickly after a risk event occurs.
A simple view of risk is that more things can happen than will happen. If we can devise probabilities of possible outcomes, then we can consider how we will deal with surprises – outcomes that are different from what we expect. We can evaluate the consequences of being wrong in our expectations. In short, ERM is about dealing in advance with the consequences of being wrong. Risk can be viewed as an opportunity that may be beneficial in the future, in addition to risks viewed as hazards. For example, a rain shower may be a disaster for artists at an outdoor art fair while being a huge break for an umbrella salesperson. What risk and opportunity have in common is that both concern future events that may or may not happen; the events can be identified, but the magnitude of their effect is uncertain; and the outcome of the event can be influenced by actions.
Problems quantifying risk and its consequences
Risk is usually associated with new risk mitigation expenses, because risks may turn into problems. In contrast, opportunity can be associated with new economic value creation, such as increased revenues, because opportunities may turn into benefits.
Most organizations cannot quantify their risk exposure and have no common basis to evaluate their risk appetite relative to their risk exposure. Risk appetite is the amount of risk an organization is willing to absorb to generate the returns it expects to gain. The objective is not to eliminate all risk, but rather to match risk exposure to risk appetite.
ERM is not simply contingency planning. That is too vague. It begins with a systematic way of recognizing sources of uncertainty. It then applies quantitative methods to measure and assess three factors:
- The probability of an event occurring
- The severity impact of the event
- Management’s capability and effectiveness to respond to the event
Based on these factors for various risks, ERM identifies the triggers and drivers of risk (measured as key risk indicators or KRIs), and then it evaluates alternative actions and associated expenses to potentially mitigate or take advantage of each identified risk. These actions should ideally be included during the strategy formulation and re-planning process and reflected in financial projection scenarios – commonly called “what if” analysis.
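As an added illustration of the three factors and the “what if” pass described above (this is example code written for this post, not the author’s method or any SAP product), the following Python scores each risk in a small register as probability × severity × (1 − response capability), flags risks whose key risk indicator (KRI) has crossed a threshold, and then evaluates candidate mitigation actions against a stated risk appetite. The exposure formula, the greedy one-pass evaluation and every figure in the register are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float     # chance the event occurs in the planning period (0..1)
    severity: float        # financial impact if it does occur (currency units)
    response: float        # share of that impact management can contain (0..1)
    kri: str               # key risk indicator that signals the risk is materialising
    kri_threshold: float   # KRI reading at or above which the risk counts as triggered

    def exposure(self) -> float:
        """Expected loss after management's response capability is applied
        (assumed formula: probability x severity x (1 - response))."""
        return self.probability * self.severity * (1.0 - self.response)


@dataclass(frozen=True)
class Mitigation:
    name: str
    risk_name: str
    cost: float
    probability_delta: float = 0.0  # how much the action lowers the probability
    response_delta: float = 0.0     # how much it raises response capability


def total_exposure(register) -> float:
    """Aggregate expected loss across the whole register."""
    return sum(r.exposure() for r in register)


def apply_mitigation(risk: Risk, m: Mitigation) -> Risk:
    """Return the risk as it would look after the mitigation, clamped to valid ranges."""
    return replace(
        risk,
        probability=max(0.0, risk.probability - m.probability_delta),
        response=min(1.0, risk.response + m.response_delta),
    )


def what_if(register, mitigations, appetite: float) -> dict:
    """Greedy 'what if' pass: adopt each mitigation whose exposure reduction
    exceeds its cost, evaluated against the register as already modified by
    earlier adoptions, then compare the resulting exposure with the appetite."""
    current = {r.name: r for r in register}
    chosen = []
    for m in mitigations:
        before = current[m.risk_name]
        after = apply_mitigation(before, m)
        if before.exposure() - after.exposure() > m.cost:
            current[m.risk_name] = after
            chosen.append(m.name)
    exposure = total_exposure(current.values())
    return {"chosen": chosen, "exposure": exposure, "within_appetite": exposure <= appetite}


def triggered_risks(register, readings: dict) -> list:
    """Names of risks whose KRI reading has reached its threshold."""
    return [r.name for r in register if readings.get(r.kri, 0.0) >= r.kri_threshold]


# Constructed sample register, mitigations, appetite and KRI readings (illustrative only).
REGISTER = [
    Risk("Supplier outage", 0.30, 2_000_000, 0.5, "supplier_late_delivery_pct", 10.0),
    Risk("Data centre flood", 0.05, 10_000_000, 0.2, "river_level_m", 4.0),
    Risk("Credit default", 0.10, 1_500_000, 0.0, "customer_days_past_due", 60.0),
]
MITIGATIONS = [
    Mitigation("Backup data centre", "Data centre flood", cost=150_000, response_delta=0.6),
    Mitigation("Dual sourcing", "Supplier outage", cost=250_000, probability_delta=0.2),
    Mitigation("Credit insurance", "Credit default", cost=50_000, response_delta=0.5),
]
APPETITE = 600_000.0
KRI_READINGS = {"supplier_late_delivery_pct": 12.0, "river_level_m": 3.1, "customer_days_past_due": 45.0}

if __name__ == "__main__":
    print("Current exposure:", total_exposure(REGISTER))
    print("Triggered by KRIs:", triggered_risks(REGISTER, KRI_READINGS))
    print("What-if result:", what_if(REGISTER, MITIGATIONS, APPETITE))
```

In the constructed data the unmitigated exposure (850,000) exceeds the 600,000 appetite; the pass adopts the backup data centre and credit insurance, rejects dual sourcing because its cost exceeds the exposure it removes, and lands at 475,000, inside the appetite. The greedy pass evaluates each action once in list order, so interacting mitigations on the same risk would need a combinatorial search instead.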
The three types of risk
There are three categories of risk. EPM is involved in the second category, as described next.
Preventable Risks – These are unauthorized employee actions or breakdowns in standard operating procedures. This category of risk can be reduced by:
- Communication of “Codes of Conduct” and mission and vision statements
- Strong compliance practices (e.g., internal controls like “segregation of duties,” internal audit, standard operating procedures, whistle blowing promotion)
Strategy Execution Risks – In this category, risks are taken to execute the CXO executive team’s strategy to generate superior returns. Examples are credit risk, R&D programs, and hazardous environments. These types of risk cannot be reduced to zero, but their likelihood of occurring can be reduced, or their effects contained should they occur.
External Risks – This category of risk is caused by uncertain, uncontrollable external events that cannot easily be predicted or influenced. Managers often “don’t know that they don’t know.” Scenario exercises can help identify such risks, and if these risks can be envisioned, then mitigation actions can be taken. Examples are building earthquake- or flood-proof structures; backup data centers in distant locations; and insurance, hedging, and diversification.
Risk managers – friend or foe to profit growth?
Unfortunately this topic has a dark edge. A report by The Economist Intelligence Unit, sponsored by ACE, a global insurance company, and KPMG, is titled “Fall guys: Risk management in the front line.” In the report, a risk manager claims he was fired for telling his company’s board of directors that too much risk was being taken. Did management want to ignore a red flag of caution to pursue higher profits? The broader question involves how strategy planners view risk managers. Are they profit optimizers or detractors?
The Economist report was the result of extensive surveys and interviews. The impact of the 2009 global financial sector meltdown was clearly top of mind for the respondents. The report highlighted that risk management and governance policies and structures require increased authority, visibility and independence. However, planned increases in investment and spending for them are typically modest, if any. This is not a good sign. The reality is that the natural tension and conflict between the risk function and a business’ aspirations for higher profit growth remains present.
Invulnerable today but aimless tomorrow
Will the increasing interest in integrating ERM with EPM methods continue, or is it a temporary phase? Hopefully, the interest will be permanent, but there are impediments. Business line managers may continue to view the risk function as a mechanical brake slowing the gas pedal of sales and profit growth. Also, the technical knowledge and experience of boards of directors and executives may be inadequate to fully understand how to integrate ERM with EPM.
On a positive note, risk management is gaining influence and using more structured modeling and analytics software. Managers are creating a richer organizational culture for metrics and risk awareness that considers opportunities, not just threats.
I continue to be intrigued by the fact that almost half of the roughly 25 companies that passed the rigorous tests listed in the once-famous book written in 1982 by Tom Peters and Robert Waterman, In Search of Excellence, today either no longer exist, are in bankruptcy, or have performed poorly. What happened in the 32 years since the book was published? My theory is that once an organization becomes quite successful, it becomes averse to risk taking. Taking risks, albeit calculated risks, is essential for organizations to change and be innovative.
Is today’s risk manager going to continue to be the fall guy? Not if those responsible for strategic planning appreciate that they are not gamblers using investors’ money, but rather stewards of the company’s – and investors’ – financial futures.
Join us at the SAP Conference for Financial Planning, Consolidation and Controls in Las Vegas 10-11 November, where I’ll be delivering a presentation on performance and risk management. I hope to see you there!
About the Author: Gary Cokins, CPIM
Gary Cokins (Cornell University BS IE/OR, 1971; Northwestern University Kellogg MBA 1974) is an internationally recognized expert, speaker, and author in enterprise and corporate performance management (EPM/CPM) systems. He is the founder of Analytics-Based Performance Management LLC (www.garycokins.com). He began his career in industry with a Fortune 100 company in CFO and operations roles, and then spent 15 years in consulting with Deloitte, KPMG, and EDS (now part of HP). From 1997 until 2013 Gary was a Principal Consultant with SAS, a business analytics software vendor. His most recent books are Performance Management: Integrating Strategy Execution, Methods, Risk, and Analytics and Predictive Business Analytics.