Beyond Compliance: Using ERM As A Tool To Reach Strategic Objectives

Editor: Please give us an overview of your practice areas.

Ravi: Kevin and I are in the Risk Advisory Services practice, which focuses on providing corporate governance, risk and compliance services. We help companies meet and exceed their objectives and goals by consulting with them on Enterprise Risk Management ("ERM") and operational efficiencies within the organization.

Editor: Do either of you have a definition for ERM?

Ravi: I define ERM as a framework through which you may address all aspects of your business, not only in terms of future uncertainty but also potential missed opportunities. Good ERM supports value creation by enabling management to respond to potential events in a way that reduces the downside and increases the upside.

Sullivan: Over the past years, at least at the board level, the concept of ERM has connoted safeguards. However, many in the business community are lobbying to change "ERM" to "SRM" - strategic risk management - which is a more accurate term. Three or so years ago, most people saw ERM as another compliance tool, almost a check-the-box exercise for the benefit of ratings agencies. Today in the marketplace, we're seeing ERM develop into something much more robust - a strategic tool.

Editor: Is it qualitative as well as quantitative?

Sullivan: Definitely. Several years ago, our clients would readily admit that their ERM was completely quantitative. Quantitative models serve a purpose as a starting point, but the qualitative piece means getting a group of people from very disparate business units and sections of the company to sit down and talk candidly about the risks in each area, thus allowing participants to understand where risk correlations exist.

Ravi: Moreover, models by definition are supposed to be simple, but risk models have become highly complex and, worse, cannot accurately reflect a real world scenario. Looking back at default swaps and the mortgage-backed security market, the people who depended on models stayed in during the crisis whereas those who used qualitative reasoning got out. Our clients get the greatest value when we facilitate work sessions in which we gather a group of individuals in a room to discuss their business and the environment around them.

Editor: I understand S&P is now also looking at companies based on their ERM profile.

Ravi: We've actually presented with S&P and talked to them over the last three years. Although S&P is still looking more closely at ERM, no one has really seen much traction yet. On the other hand, A.M. Best - with whom we have also spent a fair bit of time - has taken more of a front seat on ERM in their rating process.

Sullivan: A.M. Best has told the insurance companies they rate that they are not interested in fancy dashboards, nor will they be satisfied with a company claiming it has identified risks and is actively monitoring them. As part of its rating review, A.M. Best will be interviewing senior management so that it has a sense of comfort that the C-suite and others truly understand what risk management is all about - that it's not simply a snapshot in time, but rather a constantly evolving process.

Ravi: I presented with A.M. Best in November, and at that time they were encouraging people to get back to the basics. The new key component is emerging risks. How are you identifying, communicating and addressing them? Their rating meetings are built around the fundamentals of risk management - specifically, the strategic decision-making process. A.M. Best looks at a company's culture, involvement of top management, risk appetite and the roles and responsibilities of the board, as well as the identification, measurement, monitoring and management of risk.

Editor: Please talk about your role in ERM within the firm and with your clients.

Ravi: Our role with our clients is to guide them through this process and to walk away at the end of the day knowing that the company owns ERM. Our role within the firm is to help drive the use of ERM within risk-based audit standards.

Editor: What is the current state of ERM and your view of the marketplace?

Ravi: ERM has largely been driven by boards, but today many more CEOs and CFOs are talking about it. Three years ago, we probably had 50 ERM conversations a year; now we're having triple that with C-level executives and board members. CEOs are utilizing ERM as an effective, holistic tool for building their business strategies, and many C-level executives are sharing ERM best practices with their peers.

Sullivan: The problem with traditional risk management is that it is largely retrospective, whereas ERM is prospective. Over the past six to eight months, two things have become very important to board members: first, their own fiduciary responsibility, and second, reputational risk to a company. As for the first, you can have all the D&O insurance in the world, but if you drop the ball, you find yourself in a pretty bad situation. When we started offering ERM consulting, people were concerned only about satisfying the rating agencies. Today, people are finding great benefit from the necessary conversation across all levels of the organization. Silos are breaking down, and people are learning about their company in ways they never have before.

Editor: Do you think Sarbanes-Oxley is responsible for this new attitude?

Ravi: Sarbanes-Oxley brought accountability and awareness of financial reporting risk management to bear. Those companies complying with SOX since 2004 can ratchet up their programs to consider operational and reputational risk alongside financial risk.

These days, many companies still in the IPO phase are implementing ERM and Sarbanes-Oxley at the same time. They are less concerned about financial reporting risk and more concerned about taking their business to the next level and enhancing shareholder value.

Sullivan: Sarbanes-Oxley was a pure compliance effort, and there were no penalties for making bad - or overly short-term - decisions. In recent years, shareholder suits challenging compensation practices have driven awareness of ERM, especially to the board: compensation committees found themselves having to defend bonus programs that rewarded people for short-term gains at the expense of long-term shareholder value.

Editor: What are the roles of external and internal auditors and general counsel in ERM?

Ravi: If you're a public company, you can leverage your financial reporting process because you have that accountability and awareness around Sarbanes-Oxley.

External audit looks at the risks of an organization from a going-concern standpoint. As external auditors, we can offer insight on what we're seeing in the marketplace. We also can lead work sessions around anything from fraud to taking the business to another level.

The role of internal audit is to advise and facilitate ERM. Internal auditors are the recipients of the information, while management owns the process, and the board oversees it.

The role of general counsel - which I think should be enlarged - is to help build risk awareness and prepare responses to emerging risks, including reputational and product liability risks. General counsel have been pulled into the discussion as companies struggle with how to align compensation to good risk management practices. They are in a position to take the long and broad view, and they must have a seat at the table.

Editor: How do companies address emerging risks?

Sullivan: This is the most difficult conversation to get started. How can anyone anticipate the 100-year event, the "black swan," like the BP oil blowout? What we tell people is to communicate, not only within your own company, but also with your peers. You should be aware of what is going on in your industry and in your geographic location, but beyond that, it is extremely difficult.

Ravi: Furthermore, few people want to engage in the dark conversations that are required. What might take our company down? Management needs to plan for scenarios and build consistency into its responses. In the meantime, they must also have a good monitoring plan in place to quickly identify an emerging risk.

Companies can monitor customer complaints: they can give you clues about what's around the corner. Look at pharma companies with drug side effects. Plaintiffs' counsel is another fruitful place to look for emerging risk.

Editor: How are companies changing the way they look at their risks?

Ravi: We see companies spending a lot of time on reputational risk. Also, liquidity risk is always important. For manufacturers, product liability is key, and outsourcing and offshoring present additional risks. In terms of operational risk, many companies are looking to their employees, educating them and encouraging open communication.

Sullivan: The very interesting point about reputational risk is that it defies quantification - it's impossible to accurately or adequately insure it - yet it is the one risk everybody understands intuitively. We strongly encourage folks to start talking about the qualitative piece so they can devise appropriate controls.

Editor: How do companies prioritize the risks they face?

Ravi: A client may have an inventory of 500 risks. We advise them to whittle it down to the top 10 or 15 to make the list meaningful for the board. Linking your risks to strategic objectives is the most powerful tool for prioritization. Set your strategic objectives first, link your risk assessments to those objectives, and then you have the option to accept, avoid or reduce that risk. Make sure you are addressing those top risks and communicate them. A few of my clients have a list of the top five strategic objectives, and the associated risks are deemed "critical," placing them above the "high," "medium" and "low" risks associated with lesser objectives. This list ends up on every dashboard report for every board and management meeting in order to keep it top of mind, as if it were a mission statement.

Editor: There is only so much in the way of funding that you can spend on your risk protection.

Sullivan: Once you've identified a risk and done your risk-reward analysis, you have three choices: insure against it, accept it or avoid it. The actual prioritization phase turns ERM into a value-added process, because it necessitates input from and communication among a large and broad constituency in the organization and requires senior managers and VPs to reach some consensus.

Editor: Do you expect to see improvements in ERM frameworks across businesses in the years ahead?

Ravi: Absolutely. It's playing a big part in everybody's role in the organization. ERM is moving from a compliance exercise to a fully integrated approach. There is no one-size-fits-all framework. The Australians have a good standard, and international standards are coming into play. With the U.S. embracing ERM over the last three years, I anticipate continued development of standards that work internationally.

Editor: What advice would you give to companies rolling out an enterprise-wide risk management strategy?

Ravi: First, you need the support from the board and senior management. You must encourage constructive feedback and open discourse about risks in the organization. You can't have a culture in which a lower-level person believes his or her compensation or reputation will be affected. We also tell companies to conduct a "risk health check," which entails understanding what you are, what your culture has been, what your risk appetite is, what new opportunities there may be, etc. Make it clear who owns the process, and learn from losses and gains. Always view ERM as a process, not a project.

Sullivan: Make your ERM program transparent, and educate people at all levels of the organization. We've seen frontline supervisors and people on shop floors effectively identify emerging risks. We endorse open communication to create a risk-aware culture throughout your organization.