As pressure to use and embed ERM increases, what challenges do companies face in making it effective? We look at what five major organisations in the UK and Italy have been doing. By Michela Arnaboldi, Dipartimento di Ingegneria Gestionale, Politecnico di Milano and Irvine Lapsley, Institute of Public Sector Accounting Research, University of Edinburgh Business School.
Recent financial scandals have ramped up the pressure on companies to adopt and embed enterprise risk management (ERM) in business processes. ERM is intended to be a holistic approach to assessing and evaluating organisational risk. More and more companies are embracing the approach but there are still several worries and doubts among practitioners and academics about what ERM means in practice and how to implement it.
This article presents the initial results of research in non-financial companies to answer these questions and find out whether ERM is embedded into organisations. The research includes three Italian and two UK companies.
Table 1 reports the main characteristics of the companies, which are all subsidiaries of major international companies.
Table 1: main characteristics of the companies

| Company | Employees | Industry | Nationality |
|---|---|---|---|
| ITA-TEL | Less than 5,000 | Telecommunications | Italian |
| ITA-INFO | Nearly 10,000 | Automation, Information and Control | Italian |
| ITA-UTILITY | Less than 5,000 | Utility | Italian |
| UK-TEL | More than 10,000 | Telecommunications | UK |
| UK-UTILITY | Between 5,000 and 10,000 | Utility | UK |
Who is the implementer and owner?
One of the first choices companies face when they undertake ERM is who will implement the system and who will routinely manage it. The five companies analysed had all chosen to develop ERM internally without external consultants. However, they can be differentiated on three interrelated decisions: which competencies and background they wanted; whether or not they hired a new person; and where the implementers were positioned in the organisation. As the following table shows, their choices differed.
Table 2: ERM owners

| Company | Background and competencies | Newly hired | Organisational hierarchical positioning |
|---|---|---|---|
| ITA-TEL | External auditing consultancy | Externally hired | Internal auditing |
| ITA-INFO | Management accounting | Designated from inside | Management accounting |
| ITA-UTILITY | Internal auditing | Task assigned to internal audit, no dedicated figures | Internal auditing |
| UK-TEL | Risk management consultancy | Externally hired | CFO and audit committee |
| UK-UTILITY | Operational risk management | Designated from inside | Executive committee and group risk director |
Two companies (ITA-TEL and UK-TEL) decided to search for competencies outside. In both cases consultancy experience was favoured, although the Italian company hired external auditors while the UK company enrolled a consultant with specific experience in risk management.
The other three companies searched for internal corporate competencies; in one case (ITA-UTILITY) without assigning ERM to a dedicated person, so that the ERM process is carried out directly by the internal auditor. The remaining two companies assigned the task to a person with considerable experience in operational risk management (UK-UTILITY) or in management control (ITA-INFO). The organisational and hierarchical positioning of the ERM owners varies: within internal auditing, under management control, under the chief financial officer, or under the executive committee.
How is ERM implemented in practice?
A second important choice in implementing ERM is defining how it will be implemented, both in terms of technical measures and in terms of the interaction with managers. The five companies have chosen different approaches, which can be differentiated at the technical level on three elements: how risks are measured, how they are presented in a single framework or measure, and which type of interaction is maintained with managers.
Table 3: ERM techniques

| Company | Risk measurement | Holistic measure | Interaction with managers |
|---|---|---|---|
| ITA-TEL | Qualitative scale | Risk map | Through questionnaires, once a year |
| ITA-INFO | Impact on profit | Risk map and profit at risk | Through meetings, continuous |
| ITA-UTILITY | Qualitative scale | Risk map | Through questionnaires, once a year |
| UK-TEL | Qualitative scale | Risk map | Through meetings, monthly |
| UK-UTILITY | Impact on profit and cash | Risk capital | Through meetings, continuous |
Three companies (ITA-TEL, ITA-UTILITY, UK-TEL) measure risks in terms of impact and probability on a qualitative scale, and the results are then presented holistically in a qualitative risk map. UK-TEL differs in its interaction with managers, favouring face-to-face monthly meetings with senior members of the organisation over formal interaction through questionnaires.
The highest level of interaction is, however, visible in ITA-INFO and UK-UTILITY, where the chief risk officers (CROs) have teams of people (12 and 15 respectively) who support managers across the organisation on a daily basis. In both cases the CROs have chosen to measure risk quantitatively: impact on profit for the Italian company and impact on profit and cash for the UK company.
The quantification and discussion of all these risks leads to two aggregated measures: profit at risk (ITA-INFO) and risk capital (UK-UTILITY). The latter concept is an attempt to quantify the portion of the company’s resources deemed to be at risk during normal business operations. The proportion of risk capital is a major consideration in new investment programmes.
How does ERM relate to existing risk and control processes?
A final challenge is how these organisations articulate ERM with the other control processes and experts that are often already present in the organisation and already carrying out risk analyses.
In all five organisations there were other processes dealing with risk before the introduction of ERM. Two types of expertise were present:
- risk specialists in charge of specific categories, such as financial or IT risks
- management accounting, where risks are considered within the planning and control cycle.
Table 4 presents the relation between ERM and these processes in the five companies.
Table 4: ERM relationship with risk and control processes

| Company | Risk specialists | Management accounting |
|---|---|---|
| ITA-TEL | Separated | Separated |
| ITA-INFO | Supporting managers, CRO and the controller within ERM framework | Tightly coupled |
| ITA-UTILITY | Separated | Separated |
| UK-TEL | Supporting both CRO and managers | Separated |
| UK-UTILITY | Supporting managers, CRO and the controller within ERM framework | Collaborating |
In two cases (ITA-TEL, ITA-UTILITY) the risk specialists and management accountants continue to carry out their processes separately, without using the information collected and processed by ERM. In one case (UK-TEL) management accounting deals separately with short- and medium-term risks, while the CRO deals with strategic risk with the advice of risk specialists.
ERM is more embedded in UK-UTILITY and ITA-INFO. Here CROs, risk specialists and management accountants collaborate in an attempt to build an overall risk and control awareness among managers. In ITA-INFO the link between ERM and management accounting is even stronger: planning and ERM are carried out with a coupled approach, and ERM risks are included in budget negotiations and managers’ incentives.
This research is continuing and the authors would be keen to hear from UK companies that are interested in discussing their approaches in this area.
Contact
michela.arnaboldi@polimi.it
Irvine.Lapsley@ed.ac.uk