Late last Summer, RIMS and Advisen published the results of their joint 2013 Enterprise Risk Management Survey in which they reported that ERM has reached “critical mass…the point in time within the adoption curve that the sheer number of adopters assures that continued adoption…becomes self-sustaining and creates further growth.” When an organization like RIMS (founded in 1950, representing over 3,500 organizations and 11,000 risk management professionals in more than 60 countries) makes a statement like this, it’s worth taking note.
The rationale for adopting ERM has been around for a very long time. COSO laid out the advantage of ERM in their seminal 2004 publication of the Enterprise Risk Management-Integrated Framework, stating that “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return, goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.” Well, it has taken a while but it looks like this value proposition is finally being widely recognized. More and more organizations are coming to the realization that managing risk in silos (such as Financial, Regulatory Compliance, Market, Operational, Strategic, Info Security, Reputation) results in incomplete and incongruent risk knowledge and misaligned governance.
For organizations that have not yet fully embraced ERM, critical mass means there will be growing pressure to do so. Questions from rating agencies, investors, regulators, boards of directors, and C-Suite executives will become more frequent and pronounced: “Everybody else is doing it, why aren’t you?”, “Why is our program behind in comparison to others?”, “Is the organization truly well run?”, “What are we missing?” These kinds of questions will burden management and boards, increasing regulatory scrutiny and micro-management, and potentially affecting shareholder value.
However, this isn’t just about keeping up with the Jones’s, chasing the management fad de jour, or keeping the regulators and analysts off your back, it’s about recognizing that this ERM-stuff is the secret sauce to balance objectives, risk (bad things and opportunity cost), and resources along an efficient frontier where an organization is able to obtain the best possible expected level of return for the level of risk it is willing to take. ERM helps to maximize the performance and competitiveness of the organization within the context of the objectives it has chosen to pursue.
Stakeholders in organizations practicing effective ERM will continue to be the beneficiaries of success, with fewer surprises and more consistent earnings and strategy execution. For those that have not yet boarded the ERM train, there will be increasing motivation to buy a ticket. The good news is that late comers benefit from lessons learned from early adopters and standards setting bodies, and they capitalize on ERM capabilities enabled via technology solutions. Unfortunately, for those individuals tasked with risk management responsibilities, you can get to the train station too late. It’s not that that these organizations won’t board a train at all, but they just might not be boarding with the folks that couldn't get them to the station in time to catch an earlier train.