Connecting ERM with Strategy - Key take-aways from the spring 2016 ERM Roundtable Summit
Connecting ERM with strategy was the theme running through the NC State ERM Initiative's spring 2016 ERM Roundtable Summit, held on April 22. The program included for the first time an interactive session for participants to share best practices.
It also included four unique presentations covering current topics in Enterprise Risk Management:
- Ensuring the Staying Power of ERM | David Hughes, Assistant Vice President of ERM and Business Continuity Planning Office, Hospital Corporation of America
- Incorporating Risk-Based Capital into a Risk Assessment Framework | Joel Tietz, Managing Director of ERM, TIAA
- Assessing the Maturity of an ERM Program | Maticia Sims, Vice President of Audit & Chief Risk Officer, Blue Cross Blue Shield of NC
- Case Study Examples of Integrating ERM and Strategy | Bonnie Hancock, Executive Director, ERM Initiative, NC State University Poole College of Management
Following a key theme of the previous ERM Roundtable Summit – evolving Enterprise Risk Management (ERM) to be integrated with strategy – the ERM professionals speaking at the spring 2016 event each gave examples of the connection between ERM activities and strategic planning. From analyzing what gives an ERM process staying power to quantifying risks to evaluating ERM maturity to case studies of the integration of ERM and strategy, each demonstrated the value proposition for ERM.
Identify risks to strategic objectives
Hughes set the tone at the outset by emphasizing that a key part of Hospital Corporation of America (HCA)’s enduring risk management process begins with identifying risk to strategic objectives. ERM has been in place at HCA for 15 years, and while it has continued to gain momentum, there have not been dramatic changes in the process. At the heart of the process are interviews and surveys that ask three key questions:
- What are the top three business risks the Company faces over the next two years that could have a significant adverse effect on the Company’s ability to achieve its strategic and/or financial objectives?
- What are some of the things the Company is doing to help manage/mitigate each of these three risks?
- In your opinion, are these risk mitigation strategies effective?
He emphasized the importance of having employees at all levels of the organization understand the strategic objectives in order to be effective in identifying the most critical risks. Thus the ERM process can be useful in assessing whether strategy has been successfully communicated through the organization. At HCA the communication around the company’s strategic goals and objectives has improved as a result of the ERM process. Other keys were ensuring that the Board of Directors and Executive Management found value in the process. HCA’s process includes interviews of members of the Board of Directors to get their input on key risks and mitigation strategies. The level of engagement from the Board, the allocation of time at Board meetings and the usefulness of the ERM team’s work in satisfying the Board’s oversight responsibilities were all ways that demonstrated the value of ERM. Internally, HCA’s ERM process has provided clarity on risk owners and the process for managing the top risks. Risk discussions have now become part of the strategic planning and budget approval process.
Protecting the firm's financial strength, reputation
Tietz shared that the ERM mission at his organization (TIAA) was to protect the firm’s financial strength and reputation and help ensure that the organization delivers on its long-term promises and meets its strategic objectives. The ERM function’s strategy is to enable all areas of the organization to make more informed and effective risk/reward decisions to achieve better business outcomes. With this mission and strategy in mind, it is easy to see the importance of implementing quantitative assessments of risk. Tietz walked the audience through an understanding of the importance of risk-based capital and the development of risk appetite around potential loss scenarios and the impact on capital measures. He also presented some key differences and best applications for qualitative risk assessments vs. quantitative risk assessments:
- Qualitative descriptors tell you the potential event while quantitative descriptors define risk as a measure of exposure.
- Qualitative assessments look at likelihood and impact while quantitative assessments look at frequency and severity.
- Results cannot be aggregated unless you use a quantitative risk assessment approach.
- Qualitative assessments typically measure a loss from one specific event while quantitative assessments can measure a cumulative loss for one or more risks.
- Quantitative assessments lend themselves to the optimization of risk-reward relationships in the context of cost-benefit analysis.
Tietz concluded that both approaches can yield effective results and both are frequently combined, and then went on to cover the use of structured scenario analysis to provide key insights to allow the quantification of non-financial risks in the context of risk appetite. Risk appetite statements can be used to create greater awareness of the amount and type of risk being taken as well as facilitating risk-based decision making and ensuring that risks taken are within appetite.
At the conclusion of Tietz’s presentation, participants had the opportunity for interactive discussions of topics that are top of mind for them. A member of NC State's ERM Initiative Advisory Board was seated at each table and helped to facilitate the discussions on topics ranging from tips for starting an ERM process to risk reporting, effectively defining strategic risks, developing risk appetite, and more.
Moving toward ERM maturity
After lunch, Sims provided insights and lessons learned in her organization’s journey towards a more mature ERM process. She defined the key periods of progressing maturity as defining the risk universe, developing the ERM framework, facilitating enterprise risk assessments, and developing ERM standards and procedures. Moving from the initial launch to full implementation took about three to four years. Sims emphasized that even after the process was fully implemented, the ERM team continued to enhance processes and provide training and guidance.
One lesson learned that she shared was around the development of risk appetite. Early in the implementation process her team had worked throughout the organization to develop detailed, quantitative risk appetite and risk tolerance statements in multiple key areas such as financial risks, customer service risks, etc. This effort was not well received in the organization. Her team then went back and developed a bigger picture framework for risk appetite. This framework used four categories of appetite:
- No appetite for risk
- Limited appetite for risk
- Appetite for favorable risk
- Appetite for calculated, intelligent risk and failure
Risk types were then placed into one of these categories. This broader framework worked better, but the process has continued to evolve as the organization’s needs have changed over time.
The keys to the successful maturation of the ERM process at BCBSNC were understanding the culture, not underestimating the level of organizational training needed, celebrating and acknowledging successes, and persistence in re-working processes that don’t work initially.
Student-led case study
To wrap up the day, Hancock shared the results of a student-led case study of three companies that had successfully linked the ERM processes with the strategic planning process. Several key themes emerged from these case study examples:
- Identify and assess risks to strategic goals and objectives
- “Sell” the ERM function
- Involve the right people in the ERM process
- Align the timing of the ERM process with the strategic planning process
- Look for logical process integration points
- Continue to evolve
In terms of selling the ERM function (within the organization), it is critical to be able to show how the ERM function can add value. This would include:
- Sharing an enterprise view of risks with individuals that may only be looking at risks from the perspective of their business unit,
- Sharing risk insights that are external to the organization, such as broader emerging risks, and
- Keeping the focus on managing risks to provide greater assurance that the organization will reach its strategic goals.
Another key point that case study participants identified was having the same people involved in ERM that were involved in the strategic planning process. In one case, the ERM core team included strategic planning professionals whose time was split between ERM and strategic planning.
Even those organizations that had integrated ERM and strategic planning fairly well still had identified areas where the process could be improved, such as expanding to include consideration of opportunities and not just risks, and revisiting the resource allocation process to look at the allocation of resources to risk mitigation at the same time resources are allocated to strategic initiatives. “Consistently, across all facets of ERM, we continue to see evolving processes as the discipline of Enterprise Risk Management itself continues to mature,” Hancock said.
“Watch our website for the publication of this case study on integrating ERM and strategic planning as well as an additional case study regarding key risk indicators. And mark your calendars for our next ERM Roundtable Summit on November 4, 2016 at the Renaissance Raleigh North Hills Hotel,” she said.
This article originally appeared on the NC State ERM Initiative website.