Members of the Corporate ERM Group talk about integrating ERM at their Spring meeting.
Enterprise risk management is a relatively steady discipline: no governing body imposes new regulation on it, and significant developments in technology or theory are rare. What does change is the growth and maturity of individual programs, as was evident at the Corporate ERM Group’s seventh annual meeting in May, hosted at Intel’s offices in Hillsboro, OR.
Members addressed the ever-evolving themes of integrating ERM with strategic planning and the related operationalization of ERM into the businesses beyond governance and reporting functions, getting to the heart of ERM culture. Given recent events, cyber security also played a prominent role in the meeting, as did the management of black swan events—cyber and otherwise.
Below are a few highlights of the meeting:
(For a more in-depth look at the key takeaways from this and other groups in The NeuGroup Network, subscribe to iTreasurer at iTreasurer.com.)
- ERM and strategic planning—all year round. Key to one company’s successful integration of ERM into strategic planning is having a board and CEO that not only fully support the program but also requested that it be created. The board sees ERM as a strategic priority for the company and wants the program to be world class. While many companies’ ERM programs are characterized by an assessment calendar with a 12-month cycle, this program has risk discussions all year long. There are certain calendared steps along the way, but ERM is not allowed to slip into the background between scheduled discussions.
- Look at operationalization data. A new but related twist on working ERM into strategic planning is the notion of “operationalizing ERM,” the idea that ERM thinking is so ingrained in the business that it is not a separate activity but a natural component of operations. Illustrating the importance of ERM, one company has developed a proprietary in-house tool for gathering risk data from business leaders. The tool makes no assessment or judgments, but organizes the data to inform all relevant parties and ensure effective discussions.
- Cyber security education. An early and unsettling remark in the discussion of cyber security by Intel’s Chief Security and Privacy Officer was that “most IT security people don’t get the enterprise element of this risk.” Using the example of what could happen if a breach at a national payroll processing company started from just one compromised computer, he emphasized that employees need to understand the basics of how their own cyber security measures work. This includes knowing when files are and are not encrypted (a file encrypted at rest on disk is not necessarily protected once it is opened or sent), understanding that one employee’s careless click on a malicious link or attachment can give an attacker a foothold from which to reach enterprise data, and keeping informed about new vulnerabilities.
- Management vs. optimization. Not all risks are universally harmful. Some can be leveraged for business expansion and increased profitability, as illustrated by one member of a privately held company that views risks as opportunities for increased return on capital. Much of this balance between mitigating and accepting risk depends on risk appetites and cost-benefit analysis, but sometimes a loss from a risk is small enough in comparison to the potential gain from taking it that it’s worth the gamble…with appropriate stops in place.
The Corporate ERM Group, the NeuGroup for MNC heads of enterprise risk management, is an invitation-only group for senior executives who have direct oversight or who are champions of ERM and alternative risk-finance initiatives. Members meet to discuss topics on their agendas, share experiences and discuss solutions to common challenges. For more about The NeuGroup Network or peer groups, go to neugroup.com. For more key topics from this meeting, subscribe to iTreasurer.com.