Are you on board with enterprise risk management? You had better be. It's the future of how businesses will be run.
What would you do if, two months after your company went public, one of the two major markets you sell products to simply vanished? If, in the span of seven days, $500 million in sales just disappeared?
Would you throw your hands up and say, No one could have foreseen the events of 9/11, and then just stand by as the company tore off a half-dozen bad quarters? Would you just absorb the discomfiting cuts to your budget and your staff, and eschew any strategic plans you had set up to help the business grow, because, well, no one could have been prepared for such a catastrophe?
Or, would you be like Rockwell Collins, the supplier of military and commercial aircraft parts, which suffered the precise fate described above and yet had a contingency plan in place within 10 days. Despite the fact that Rockwell's commercial market - 20 percent of its business - vanished after 9/11, IT still contributed to the business's growth.
No doubt you want your company to be like Rockwell Collins. So, you ask: How did they pull it off? "Either we're the luckiest company in the world," posits Art Gemmer, the company's principal risk analyst, "or our enterprise risk management mind-set gives us insights that make us do better."
Gemmer clearly believes not in luck, but in the power of enterprise risk management (ERM) - broadly characterized as a system of managing risk across an entire company. Gemmer says ERM helps companies prepare for events on the scale of a 9/11. More important, he says, it improves the way a company handles the more predictable risks that businesses face every day. ERM allows a company to avoid bad investments, and, conversely, make investments that might intuitively seem too risky. You're already trying to improve your IT decision making through better governance. ERM makes governance better.
The few companies that have adopted risk management methodologies report fewer failed ventures and less damage from adverse events. For Rockwell Collins, ERM's value has been proven time and again. Several years ago, a project manager named John-Paul Besong implemented a bet-the-company SAP system using ERM principles. "Every decision became a risk decision," he says. The project went so smoothly that Besong was named Rockwell Collins's CIO shortly thereafter. There is no more persuasive metric at Rockwell Collins to demonstrate the effectiveness of ERM than this: The company has turned a profit every single quarter after 9/11. And in January 2004, Forbes called Rockwell Collins the best-managed aerospace firm in America.
Make no mistake, ERM is hard. It changes how everyone does their jobs. It took Rockwell Collins the better part of a decade to become an organization governed by risk. And while it shouldn't take you that long, because much of the trail has been blazed for you, it won't be a six-month job either.
Every risk expert we spoke with anticipated that you, the CIO, will resist ERM. "For some reason, it's like [CIOs] are snorting novocaine or something. They think they can avoid ERM," says Adrian Bowles, a risk expert with The Robert Frances Group. Bowles urges you not to be dissuaded. "The risks are coming to find you. Your job is at risk. The only defence is to be part of the effort to manage them."
This mind-set is emerging not because risk management is a trendy buzzword being volleyed around boardrooms - though lately it is - but because balancing risk is becoming the only effective way to manage a corporation in a complex world. "We're able to react [to that complex environment] because of our risk mind-set," says Besong. "With what happened to us, our agility was called to task. And we had the risk methodology in place to handle it."