What you don't know about corporate "enterprise risk management" (ERM) may hurt you - and probably already does. Think of the number of post-Enron cases that have resulted in retirement benefits and stock value being wiped out overnight, and of the weaknesses in corporate information technology systems that have allowed hackers to steal your identity (if not your wealth). All of these, and a growing number of other events, are debacles you might have avoided had companies had an effective ERM program in place.
What Exactly is ERM?
Enterprise risk management is difficult to define, but generally it's a relatively new (less than a decade old) management discipline that calls for corporations to identify all the risks they face, to decide which risks to manage actively, and then to make that plan of action available to all stakeholders (not simply shareholders) as part of their annual reports. (To read more about risk, check out Determining Risk And The Risk Pyramid and Measuring And Managing Investment Risk.)
In putting together ERM initiatives, companies are supposed to focus not only on the downside of risk but the upside as well. The traditional approach was to focus on the downside - the losses from currency or interest rate trades in financial markets, for instance, or financial losses that might be caused by a disruption in a supply chain or by a cyber or terrorism attack that impairs a company's information technology. In thinking about the upside, companies are supposed to consider competitive opportunities and strategic advantages that might arise out of deft management of risk. Some of these "better decisions" involve items like where to locate a plant or office abroad based on a risk analysis that would look at the political environment in a country.
Evolving Risk Management
Studying how corporations manage the incredibly diverse number of risks they face - everything from movements in currencies and interest rates to public perceptions of their reputations - is playing an extremely important role in the investment process. Knowledge of individual corporate "risk profiles" might have led you to invest in companies with the confidence that they could meet corporate objectives and investor expectations (not only in good times, but also in bad).
Knowledge of these profiles might have also helped you identify up-and-coming organizations for investment - or helped you better understand which companies to let into your community through a new plant or office, believing that they would do everything possible to avoid environmental damage and to treat employees well.
Until now, particularly in the U.S., the vast majority of corporations have made very little information about their overall risk profiles available to stakeholders. Companies in many other industrialized countries, like Canada, the U.K. and Australia, are much more forthcoming about their risk and ERM activities. The situation's poised to change as rating companies start to factor in a company's ability to manage ERM. Stakeholders will start to have a plethora of new risk-related data and information available to them. This story of risk management is likely to expand greatly over the next decade.
ERM: A Constantly Changing Management Discipline
Of course, companies have been managing risk for years. Historically, they've done this by buying insurance. More recently, companies have managed risk through the capital markets with "derivative instruments" that help them manage the ups and downs of moment-to-moment movements in currencies, interest rates, commodity prices and equities. From a mathematical point of view, all of these risks or "exposures" have been reasonably easy to measure, with resulting profits and losses going straight to the bottom line.
ERM comes in where companies manage the risks that defy easy measurement or a framework for management. These include crucial risks such as reputation, day-to-day operational procedure, supply chain, legal and human resources management, financial and other controls related to the Sarbanes-Oxley Act of 2002 (SOX), and overall governance. All of these and other exposures fall under the ERM umbrella.
Back to the Upside
The "upside" that we discussed earlier also includes focusing on preventive measures that help a company avoid potential disasters down the road. For example, some of these actions may include determining when and how the physical assets it owns need to be maintained and replaced. This way, the company can avoid unexpected and costly plant and equipment failure that might result in shutdowns, explosions or other events that put a company's employees, communities and reputations at risk.