Perilous Times Require Strong ERM Programs

Each day as we read the news across the globe, it is apparent that the business environment continues to be laden with a myriad of risks. Without advance preparation, companies looking to advance their strategies will find themselves at the mercy of some unforeseen event that will threaten their success or perhaps their very survival. In times like these, it is critical to have a strong enterprise risk management (“ERM”) program that is woven into the fabric of a company’s strategy as well as its day-to-day business operations.

However, implementing an effective ERM program today is no easy task. Faced with an uncertain regulatory and economic outlook, many companies struggle to create a cost-effective, focused program that will provide the necessary insight to anticipate the most critical risks.  While each company and industry may be unique, there are a few common steps that can be taken that will lead to a more effective ERM program.

1. Start with the strategic plan – focus ERM efforts on where the company is going, not where it has already been

2. Create a simple framework and process that is easily understood – too many companies try to make ERM more complicated than it needs to be

3. Demonstrate the importance of the program with a C-level champion – whether it is a new Chief Risk Officer, the CFO or even the CEO, a key leader must lead the charge

4. Tie risk management objectives and metrics to existing performance metrics – business goals require incentives and risk management objectives are no different

5. Invest in cost-effective enabling technologies – a wide range of risk management technology solutions exist today and choosing the wrong solution can result in cost overruns and poor results

By taking these steps, you will certainly be headed in the right direction on your ERM journey. However, the ultimate success factor is maintaining a long-term commitment to ERM as a valued business discipline. To learn more about creating a successful ERM program, visit


ERM Adds Strategic Value

As enterprise risk management (“ERM”) becomes a more widely accepted practice, many companies are realizing the value of including a risk viewpoint in their strategic planning exercises. In the past, many executives viewed risk management purely as a loss avoidance exercise. However, now that ERM is providing a broader view of risks and allowing companies to become more resilient, companies are more willing to incorporate calculated risk-taking into their strategy formation. A recent study by the Economist Intelligence Unit provides the following insight into this changing view of ERM.

One important indication that a shift might be occurring, however, is that 75% of executives think that risk considerations are playing an increasingly important role in strategy at their organisations. This suggests that rather than playing a preventative role—avoiding financial losses, for example—risk management could be moving towards an enabling role that contributes more fully to corporate strategy.

To navigate risks for both the shorter and the longer term, many firms are beefing up their risk management systems. ABB, for one, is increasingly moving away from a decentralized risk management model and putting in place a more group-wide strategy. “We’ve put in place a centralized enterprise risk management program over the last 12 months, and viewing holistically all the risks we face in the organisation,” confirms Mr Hall. “What we realized in the financial crisis, particularly from a financial point of view, is that the best way to manage risk is centrally.”

Martin ten Brink, a director at Shell, a British oil giant, says his company intends to refine some aspects of its enterprise risk management system in the coming year, particularly the pricing of risk. Furthermore, he says, Shell is improving the way it gauges risk velocity. The firm is targeting “a better understanding of the speed with which a risk can materialize and impact business performance.”

Wheelhouse Advisors is uniquely qualified to help companies build ERM programs that can be a source of strategic value. To learn more, visit

Demand for ERM Continues to Grow

More companies are beginning to realize the value of Enterprise Risk Management (“ERM”) as a discipline that can propel a business forward rather than hold it back. In the recent past, many ERM programs focused primarily on revisiting problems from the past or examining all risks regardless of size. While these types of exercises can keep people busy, they rarely benefit a company that is trying to navigate forward to achieve successful outcomes. However, according to recent comments by a risk expert at the Risk and Insurance Management Society, ERM is evolving into a highly valued business practice. Here is what she had to say in an interview conducted by

Today, a growing perception that ERM “is a business discipline that can advance an organization’s [big-picture] objectives” is driving higher adoption rates across all types of organizations, says Carol Fox, director of strategic and enterprise-risk practice with the Risk and Insurance Management Society.

While there is also a perception that risk managers are having difficulty getting invited to a seat at the C-suite table, Fox believes that most corporate leaders, with only rare pockets of resistance, are eager for expert input about the strategic risks the organization faces.

“With all the external pressures—whether it’s Dodd-Frank, shareholders or the disclosures required now by the SEC for public companies—there is plenty of demand, visibility and support at the board level and at senior-management level” for ERM, she says.

As more board members and senior executives become acquainted with the usefulness of a well-designed ERM program, the discipline will become a “must have” for companies looking to compete in the new economy.

When Assessing Risk, Don’t Forget the People

The Conference Board released a report today about the need for stronger integration of human capital risks into a company’s overall enterprise risk management program.  Too often, these risks are left to the human resources department to manage alone with little understanding of the potential impact to a company’s entire operation.  After surveying 161 leading companies worldwide, here is what the researchers discovered.

At most companies, human capital accounts for at least half of operating costs and can have a significant impact on business results. However, the study finds that human capital risk (HCR) — which can range from unionization/labor relations to offshoring and outsourcing to staffing in a pandemic — tends to be siloed in human resources departments, away from the companywide assessment and mitigation processes of enterprise risk management (ERM). This arrangement prevents information about HCR from having a role in the comprehensive, aggregate view of risks, root causes, interactions, and impacts through which leaders set priorities and determine overall strategy.

Out of eleven risk categories, executives ranked HCR as having the fourth highest impact on business results, ahead of financial, reputational, supply chain, and IT risks. This high ranking is evidence that HCR should be taken seriously as an enterprise risk.  However, less than one-third (31 percent) of companies believe they effectively assess human capital risk, and 24 percent believe they do an ineffective job.

During an economic crisis such as the one we have experienced, many companies lose sight of what really drives a business – people.  Understanding the risks associated with the primary business driver is certainly a no-brainer.

Now Is Not The Time to Reduce Investment in Risk Management

As we head into the second half of 2011, the economic recovery here in the US and abroad is taking hold much more slowly than most expected. Given the modest recovery, some executives may be looking to slash expenses to boost profitability and achieve their near-term goals. However, while tempting, cutting staff and investment in the wrong areas may prove to be a company’s undoing. For financial services companies, this is particularly true in the area of risk management because they are still mending their practices in the wake of the recent financial crisis.

According to the Financial Times, US regulators are keenly aware of what may be on the minds of bank executives and are issuing warnings to avoid cutting risk management budgets. According to Michael Alix, a senior vice-president at the Federal Reserve Bank of New York who heads the risk-management function within the regulator’s financial-institutions supervision group, the regulators are paying close attention to any plans to lower investment in risk management programs. “We haven’t seen it yet, but we’re vigilant,” says Alix.

Sacrificing the progress made in strengthening risk management programs at this precarious stage of recovery is certainly short-sighted and could lead to even greater problems for companies looking to weather the next storm.

New Proposed Guidance on Stress Testing for Banks

Yesterday, the Office of the Comptroller of the Currency (“OCC”), the Federal Reserve and the Federal Deposit Insurance Corporation (“FDIC”) issued proposed guidance for banking institutions to create a robust stress testing framework to adequately assess potential risks. The largest financial institutions have been subject to direct stress testing during the financial crisis in association with the administration of the Troubled Asset Relief Program (“TARP”). This new guidance formally outlines requirements for a broader population of institutions, specifically those with $10 billion or more in assets. According to the guidance, all banks of this size should structure their framework in the following manner.

“….. a banking organization’s stress testing framework should include, but are not limited to, augmenting risk identification and measurement; estimating business line revenues and losses and informing business line strategies; identifying vulnerabilities and assessing their potential impact; assessing capital adequacy and enhancing capital planning; assessing liquidity adequacy and informing contingency funding plans; contributing to strategic planning; enabling senior management to better integrate strategy, risk management, and capital and liquidity planning decisions; and assisting with recovery planning.”

While this guidance does not explicitly meet the requirements of section 165(i) of the Dodd-Frank Wall Street Reform and Consumer Protection Act for non-bank companies, the OCC, Federal Reserve and FDIC plan to issue rules consistent with this guidance for those companies. So, this serves as a preview of what is to come. Public commentary on this proposed guidance is requested by June 29, 2011.

Collaboration is Key for GRC Success

An interesting study on the current state of Governance, Risk Management & Compliance (“GRC”) programs has just been released and the results are quite revealing. Entitled “The Role of Governance, Risk Management & Compliance in Organizations”, the study was conducted independently by the Ponemon Institute for EMC.  The study covered four primary domains – IT GRC, Operations GRC, Finance GRC and Legal GRC – and surveyed 190 GRC practitioners across the United States.

One of the primary findings was that organizations are still limited in their ability to collaborate and communicate risk information across the enterprise. Part of the problem lies in the lack of a comprehensive strategy to improve collaboration. Beyond the lack of a strategy, organizations are also limited by their technological support of GRC programs. Here’s what the Ponemon Institute surmised.

We believe this study reveals the importance of an enterprise-wide strategy and increased collaboration among domains to meeting eGRC objectives. Currently, only 20 percent have an enterprise-wide strategy and collaboration among GRC areas is far from perfect. Only 28 percent of respondents say their organizations enjoy frequent collaboration or cooperation among GRC areas. However, the good news is that only 12 percent say GRC areas operate in silos in their organizations.

In order to address the barriers related to collaboration, it has been recommended that organizations make it a priority to encourage people from the various lines of business to talk together and establish “risk ambassadors”. The need to gain visibility and control through effective cross-enterprise eGRC collaboration is important to reducing gaps in how risk is assessed and managed.

Finally, according to respondents, managing risk is and will continue to be the biggest eGRC focus for their organizations. This is understandable because organizations are finding that the cost of complying with the plethora of regulations can be daunting. Taking a risk-based approach toward compliance requirements enables them to focus their resources on the most at-risk areas of their business and achieve real value from their eGRC activities.

Building the right processes, involving the right people and utilizing the right technology are all key to achieving the sort of value that GRC programs should provide. Wheelhouse Advisors is uniquely qualified to bring these key elements together for your organization. Email us at to learn more.