Pull It All Together
When enterprise risk management started hitting corporate radar screens 10 or so years ago, much of it was being done in the financial sector as growing numbers of Wall Street companies started to go global and hence to recognize the need to be proactive on risk.
Those early efforts were marred by the creation of numerous risk management silos within organizations, as the insurance people, the strategic planners, the people concerned with project and portfolio risk and the financial guys all began doing their own thing. Cutter's Charette says it gradually became obvious these companies were not managing their risk in any type of cohesive fashion.
"For instance there was a very large multinational that I did some work for, a large petrochemical company, and the chief executive officer, one of his complaints was that he was getting several different risk management reports telling him what the risks were to the company from the various sectors, but the risk management strategies were contradictory," he says.
Now, with enterprise risk management gaining ground, organizations are moving away from the traditional, top-down, financially oriented risk management approach driven from the treasury and risk management arenas, towards the more "top-down-directed" but "bottom-up-implemented" ERM view, which seeks to look at risks from the line manager's perspective.
Most ERM frameworks put forth today - such as COSO's Draft Enterprise Risk Management Framework (coso.org) - arose out of the accounting community rather than the strategic planning, program or project management communities. Indeed, an accounting slant still dominates much ERM literature, where ERM is discussed mainly in terms of the financial risk aspects of the corporation, and ERM is portrayed as an extension of internal corporate governance bodies.
Now, Charette says, growing numbers of organizations are recognizing that a financially driven approach to ERM reinforces the notion that risk management should focus on tangible elements of a corporation that have a "hard" financial value, rather than the intangible but in many ways more important "soft" assets. The risks to the corporate reputation or brand or to a company's business model, intellectual property or business relationships are not easily addressed through a financial perspective.
"It is not an exaggeration to say that there is a fight over the direction - possibly the soul - of ERM today, between those advocating a financial (that is, governance-dominant) versus those advocating a more business (that is, innovation- and entrepreneurial-dominant) approach. The ideal, of course, is to recognize that both approaches are important, that both overlap, and that both will create necessary tensions because they serve different but complementary functions," Charette writes.
The best companies will find an appropriate balance between managing internal risks and the risks of growing the company (although Charette concedes this is a fine line to walk), and they will do so by adopting what he describes as a "holistic, top-down, bottom-up approach". And while the developers of COSO's framework will tell you that is exactly what they offer, Charette firmly disagrees.
"Their perspective is much different," he says.
Charette says adopting a top-down, bottom-up approach can significantly broaden the view of the organization, and effectively involves a three-pronged approach to modelling the risks and the opportunities in the organization. First, take a top-down look at the management of risk, understanding what is required to set the direction and set the strategic approach. At the same time, put in place a continuous bottom-up risk management approach to day-to-day decisions and their execution, to map to the top-down management of risk direction already taken.
"Finally, both of those are wrapped in a kind of coil around centralized decision-making processes like a phased key decision process which tries to interconnect the two. Such a top-down, bottom-up, middle-out approach is really trying to focus in on the decisions that people make on a day-to-day basis as well as this strategic approach that the corporation's senior executives are trying to take," he says.
The approaches must be principle driven, consistent and must identify the kind of behaviours people should adopt in the face of risk.
"For instance, it's all well and good to say we need to have a risk-taking culture, but if the moment that the first project manager brings up risk to the senior leader he gets his head chopped off, risk management isn't going there. The very senior leadership must set the tone," Charette says.












