Diverse risks….

From safety issues…


…and e-Commerce disruptors…


…to piracy, brand reputation…


…external disruption risks…


…and local and country-specific issues

In seeking to understand how world-class businesses manage risk, Mr Mehta closely studied a whole gamut of industries. What he found was that each sector faces its own unique risks, demanding different types of ERM programmes. For example:

• Boeing’s entire ERM focus is on engineering and safety, because if those areas fail, the business fails.
• For US retailer Safeway disruptors like Amazon present the most serious long-term risks.
• Microsoft faces critical issues around licensing and piracy, and has mobilised huge resources to deal with this.
• For mature businesses like PepsiCo and Coca-Cola, nothing is more important than brand reputation.
• Technology companies are disruptors, but they also face disruption risks. For them, ERM is about the interplay between internal resilience and external awareness: being innovative, nimble-footed, and having the right financial and operational controls.
• Large construction and other ‘project’ companies face a range of local- or country-level issues that must be closely integrated with their overall risk framework.

…but a common aim: Making risks visible

One goal to guide them all


Moving away from ad-hocism

The risks they face vary, but a common goal guides many of the world’s most sophisticated companies: making risks – whether current or future, hidden or in plain sight – visible. This includes evaluating impact, readiness, and the quality of decision-making in the organisation. In parallel, it means creating a strong awareness of where the company stands, in the most efficient manner possible, and getting both managers and the Board to respond. On a related note, leading firms have done away with the old ad-hoc approach to risk, towards one that is more systematic and institutionalised. Instead of a pure art, ERM must be strongly backed by science. Today’s computing power allows for insights that are derived from billions of data points, and endless correlations between causal factors – something that was previously impossible. Multiple scenarios can be built, though ultimately, a human being must choose between these scenarios.

Proactive, reactive, or compliance-driven?

Compliance lies at one end of the scale…


…but the choice between proactive and reactive ERM is not so clear-cut

Broadly, there are three approaches to risk management. At one end of the scale is a tick-box style, compliance-driven ERM, which is usually of limited value. Choosing between a proactive and a reactive approach is less clear-cut, and one is not necessarily ‘better’ than the other. Dominant firms – Microsoft, say, or Coca-Cola – lean towards being proactive, but this also tends to slow down decision-making. Since the value at risk is huge – one bad decision can destroy years of hard work – it breeds caution. On the flip side, disruptive businesses tend to be more reactionary about managing risk. A new entrant in the Indian telecom industry, for example, will be faster to react to evolving situations, but even faster to reverse bad decisions. Taking a risk without understanding all of the underlying factors is acceptable only so long as it is possible to quickly change tack. A failure on this count can destroy value, and damage the business model no end.

Varying focus areas

Strategy is foremost for certain types of companies…


…but for others, financial and operational issues are key…


…while still others combine the two


Start-ups will focus more on operations and finance…


…as will companies that take an enterprise-wide approach to risk

Companies vary also in where they focus their ERM programmes. Some concentrate only on strategic risks, while for others, it is mainly about operational/financial ones. The choice depends on where the company stands in its life-cycle, and the nature of its business. ‘Steady state’ firms like Pepsi – they know what to produce, how to produce it, and where to sell it – are concerned mainly with strategic and emerging risks. In contrast, project-based companies like GE or Bechtel keep an eye on softer issues as well as financial risks. There is also a third category of firms – those like Cisco, which outsources much of its manufacturing to contractors, who further outsource to sub-contractors, including in other countries. This extra layer of intermediation makes it hard to monitor quality, or to assure supply-chain continuity. It also brings strategic risks, such as when a trade war erupts. To overcome this challenge, Cisco mapped its supply chain from end to end, determining precisely where the disruption risks lay.

In general, financial and operational risks are easier to quantify, and usually also less ‘damaging’ to a company’s long-term health than strategic ones. That said, for start-ups, they are actually more important: until an organisation has its house in order, and has scaled up sufficiently, strategic issues are secondary. Finally, ERM programmes can be either enterprise-level or enterprise-wide. Firms that focus on strategic risks usually tilt towards the former, while those focused on financial and operational risks are more inclined to the latter.

ERM implementation: guiding principles

There is no one-size-fits-all, but…


…setting the tone matters…


…as does overcoming resistance to change


ERM programmes can be housed nearly anywhere, depending on need…


…but a mature ERM manager is key


The business must own risk, with ERM managers acting as facilitators


Adequate resource commitment is crucial

An ERM programme and risk culture are two sides of the same coin. Indeed, a risk manager’s primary role is to build or strengthen a risk culture, by fostering awareness, starting conversations, and breaking down silos. While there are no silver bullets, a number of principles might guide ERM implementation in any situation:

• Accountability must be held at each level, but the tone at the top is what sets the overall direction
• Resistance to change, especially at the mid-manager level, is often a constraint. People may say they are on board with new practices, but this does not automatically translate into behavioural change. Winning their confidence, including by building communities, is essential
• It is unimportant where the ERM is housed, or even to have a separate ‘ERM function’. What matters is structuring it in a way that maximises impact, by making risks visible and equipping the organisation for change
• Equally critical is to have a mature, well-respected, resourceful and dynamic ERM manager – one who can galvanise cross-functional teams, who understands the business, and can leverage technology the fullest
• The ownership of risk must lie with the business, and in no circumstances should ERM managers operate in parallel with the existing management structures. Ideally, they should serve as independent facilitators who provide thought leadership and institutionalise knowledge, instead of acting as the ‘risk police’
• Some companies place the ERM programme within strategy and planning, while for others, it may reside with Treasury (if they have large forex exposures), controllership, internal audit, or even the CEO’s office. The goal should be to make risks visible and find ways to manage them, in ways that best suit the business, so structures will vary accordingly
• Most ERM teams are small, and some are a ‘one-person army’. Yet, while it may be expensive to commit additional resources, it is critical: if those individuals leave, so does the knowledge that resides with them