Risk management works - but what exactly is it? - Business Works

Risk management works – but what exactly is it?

Paul Hopkin

Enterprise Risk Management (ERM) is about encouraging enterprise, and a unique research project recently found that it really can have far-reaching business benefits. Yet it is still used too often as a defensive exercise and is little understood in the boardroom. Paul Hopkin of AIRMIC (the Association of Insurance and Risk Managers) discusses the need to educate senior executives about ERM and how it can make any organisation more competitive.

« ERM can have far-reaching business benefits »

“Risk management” has become one of those buzzwords. Most people pay lip service to it, but what does it mean in practice?

A survey conducted by Marsh, the world’s largest insurance broker, at the AIRMIC conference in June confirmed what we already strongly suspected. It revealed that risk management has yet to be fully integrated into the decision-making process at Board level among top European businesses. Only 30% of respondents felt that risk management was always or consistently taken into consideration in the strategic decision-making process, while 22% felt that it never or rarely happened at all.

If that is the situation at the largest firms, it is fair to assume that understanding and implementation are even patchier once you go below the FTSE 250 and into the SME sector. Yet it is now possible to demonstrate that the benefits of ERM easily outweigh its costs: more of which later. It makes firms more resilient and helps them to make better use of their capital and other resources. Until this fact is widely appreciated at boardroom level, organisations like mine, which champion risk management, still have a lot of work to do.

For ERM to become the force for good that it should be, it is important that Directors and other senior executives have a shared understanding of what it means and what it can do for their firms. Risk management has become such a hot topic that the concept is overused and, frankly, often misunderstood and misused. Ask ten different Directors what they mean by the term and you might well get ten different answers.

« the concept is overused and often misunderstood »

A key challenge for businesses everywhere, therefore, is to arrive at a common understanding about risk management, who is responsible for it, what it should set out to achieve and what constitutes best practice.

In December 2006 AIRMIC commissioned the global consultancy Det Norske Veritas (DNV) to conduct research into the effectiveness or otherwise of ERM. It was to be a warts-and-all study that would assess the usefulness of ERM and provide the hallmarks of best practice.

What made the research unique was that it was based on ground-up analysis. Instead of interviewing Board members, DNV studied 25 ERM projects at mainly UK-based organisations that were willing to share their experiences. Five of these developed into full case studies, which appear in our report, whilst DNV analysed the results of the other twenty in order to develop their conclusions. The public and private sectors were both well represented.

Before considering the results, let’s define what we are talking about. ERM is a strategic process involving the systematic identification of the risks an organisation faces so that it can mitigate them, work with them and exploit the opportunities they provide. To be truly effective, risk management has to be embedded in the culture of the organisation, starting with the Board, and must be ever-present at all levels from corporate strategy down to routine decision making.

That, at least, is the theory. In practice, very few organisations can claim to have employed genuine risk management. Often it is a misleading term, applied to health and safety, regulatory compliance, internal audit, business continuity planning or any number of other important functions that are part, but only part, of ERM.

« it is neither possible nor desirable to eliminate risk »

In some instances, “risk management” means little more than someone trying to protect themselves in case things go wrong. And in far too many situations it is seen as risk avoidance, whereas we know that it is neither possible nor desirable to eliminate risk. The aim must be to understand risk, control it and take advantage of it. Just as a car’s brakes make it safe for the driver to accelerate, a strong understanding of a firm’s risk profile will give senior management the confidence to be more enterprising.

Consider two real illustrations of this principle at work, one small-scale, the other being the UK’s biggest-ever peacetime construction project. A hotel in a small French town discovers that a rival establishment is to be built just down the road. The owner could, of course, treat it as a threat. Instead, she sees the chance to promote the town as a tourist destination and so increase trade: positive risk management.

The second is the London Olympics; my association organised a seminar to discuss the risks and opportunities associated with the 2012 games. Let’s remember that this event aims to capture the imagination of the nation and to be a showcase for us all. It will provide 12,000 long-term jobs in a rundown area, create thousands of new homes with infrastructure to match and turn the Lea Valley into Europe’s largest park.

The Olympics will, however, only achieve their objectives if they go to plan and we all know the disasters that can befall big projects. That is where risk management comes in. Speaker after speaker made the same point: the process of identifying, prioritising, mitigating and monitoring the risks inherent in the project at several different levels will be essential to its success. The work may be unglamorous and often painstaking, but it is about achieving something very worthwhile.

To return to our study, what did we learn? The main conclusion was that ERM can be shown to reduce significantly the net risk exposure of organisations and to support improved decision making. In many cases, we were able to measure the difference. For example, one large government agency had cut its exposure by between £10 million and £20 million.

To quote Paul Howard, who chairs our risk management group, “This research shows that Enterprise Risk Management really does help companies in both their strategic and operational decision-making, provided it rests on firm foundations. The important point here is that ERM actually enables organisations to become more enterprising because, if you understand and minimise your risks, you have the knowledge and confidence to do new things.”

Research findings

The key words, however, are “provided it rests on firm foundations”. If you get it wrong at the outset, ERM can be very frustrating. As with any project, the first thing you have to do is define the exercise in a precise way, what you hope to achieve and how you will measure success. You must communicate what you are doing effectively across the organisation and you must have enthusiastic backing from the top. The way you go about ERM must be aligned to the business processes and culture of the organisation, with progress measured against a series of targets.

Another point to emerge from the report is that, to be successful, ERM has to be proportionate to the level of risk involved. In total, 13 hallmarks of successful ERM were identified, including the use of risk management as a creative process, ensuring sufficient effort is allocated to treating risks after the analysis phase and senior managers seeking risk information to help decision making.

Provided you achieve these things, then understanding risk exposure enables the organisation to take cost-effective steps to reduce it and to become more enterprising. Unfortunately, getting to that happy situation requires a lot more clarity and focus than many organisations appear to have. It is our hope that this latest research and the publicity it generates will help to close this gap in understanding.

AIRMIC-DNV ERM research – the main findings

  1. Key benefits obtained from ERM are improved decision making and a reduction in risk exposure.
  2. To launch an ERM initiative successfully, the organisation needs to adopt a suitable risk management framework.
  3. Organisations should develop a risk-aware culture. The key components of the risk-aware culture vary, but the preparation of risk management policies and procedures is always required.
  4. For ERM to succeed, organisations have to develop an approach that is proportionate, aligned, comprehensive, embedded and dynamic.
  5. Successful embedding of ERM is essential. It is essential that the sustainability of the initiative does not depend on the efforts of a single individual.
  6. The organisation should identify the benefits that it seeks to achieve, so that it can focus on the measurements to monitor progress.
  7. The setting of targets, objectives and expectations is critical to success.

Paul Hopkin is Technical Director at the Association of Insurance and Risk Managers (AIRMIC), the UK-based risk-management association, paul.hopkin@airmic.co.uk.

For further information on the matters raised in this article, go to www.airmic.com.
