This article is an excerpt, reprinted with the permission of the authors
and Risk & Insurance, as it originally appeared in Risk & Insurance
(March 2000).
© Copyright 2000 Risk & Insurance. All rights reserved.

Risk & Insurance
747 Dresher Road
Horsham, PA 19044-0980
215.784.0910
A Toolkit for Enterprise Risk

Managing the totality of risks facing an organization is far easier said
than done, and yet the nuts and bolts of enterprise risk management are
being practiced successfully by companies like ClubCorp and Goodrich.
Here's how to master the tools of enterprise risk.

By Maura C. Ciccarelli

For Jo Harris, vice president of business risk for ClubCorp, developing an
enterprise risk management program for the Dallas-based owner and operator
of private clubs and golf resorts is a matter of dollars and sense.

“I could sit here for hours to just figure out and implement a safety
strategy and maybe reduce losses by $2 million with finite results,” says
Harris. “If we also put in place processes to increase customer
satisfaction [one of the designated risk areas] by one point, we could
increase our business results by $30 million.”

This expanded thinking shows the charm that enterprise risk management
holds for so many companies whose mantra is "shareholder value." For them,
enterprise risk management includes traditional hazard risk but looks
beyond to both insurable and uninsurable risks such as financial and
operational risks that affect the corporate bottom line.

Enterprise risk management also means developing a common risk language
for an organization, getting people to think outside of their silos and
implementing processes that address the impact of various risks on
shareholder value.

"Enterprise risk management is a process, not a product," says Robert C.
Card, a consultant with Risk International and director of Risk Management
Services for BFGoodrich of Charlotte, N.C. Like ClubCorp, this aerospace,
industrial products and performance materials manufacturer will spend the
year developing an enterprise risk management program.

"We're making the transition to the new concept of enterprise risk
management," explains Card. "It is important to think beyond just simply
reducing the cost of risk and looking for ways to increase shareholder
value and competitive advantage. The process leads people into thinking
beyond simply looking at the financial and operations management of a
company.”
Think Different

Step one in developing an enterprise risk management program is to
understand the various risks that affect a company's bottom line and their
interaction with business processes. That means involving not only risk
management but also finance, business line managers and top executives.

Harris teamed up with ClubCorp's chief legal officer to champion the
enterprise risk management cause. “We didn't have any idea what we were
facing at the time,” she says. But they did know that the organization's
focus on developing a culture of excellence required a new way of looking
at the risks facing ClubCorp and its association of 235 subsidiaries around
the U.S. and the world. So they brought in a consulting firm - Arthur
Andersen - to help develop an enterprise risk management process that
took into account all business risks, including litigation, regulatory,
union and environmental issues.

"What we wanted to do was develop a common risk language - a lot of
organizations don't have that," says Harris.

For example, if they'd determined that member satisfaction is a risk, they
investigated how different areas of the company defined it. "From there,
we identified business risks and aligned management's attention to these
business risks to help the executives identify those that have the biggest
impact," says Harris.

In the end, ClubCorp identified 16 critical business risks and evaluated
its operations and business processes against those risks.
Rising to the Top

“Identifying business risks and mapping out the processes they affect lets
the most material risks rise to the top, allowing their financial impact to
be modeled in both today's environment and more extreme environments,” says
Randy O'Connor, principal of the financial services practice at
Tillinghast-Towers Perrin, based in Minneapolis.

"Sounds like the typical risk management approach, doesn't it?" adds Jim
Swanke Jr., a principal who works on the property & casualty side with
O'Connor in Minneapolis. "You're using a time-tested method that's being
applied on a holistic basis. You're still identifying all the exposures and
quantifying them, but you're moving beyond hazard risk and picking up all
the enterprise risks."

“With a more workable list,” says Card of BFGoodrich, "we would review the
methods that we already have in place that address those risks and look for
risks that might have natural offsets."

For example, BFGoodrich's landing gear sells well when the airline business
is booming and airlines are buying new planes. But, when the economy isn't
going as well, there's more of a demand for BFGoodrich's replacement parts.
That means there's an opportunity to shift manufacturing focus to address
a risk.

After identifying the risks with internal offsets or those that can be
reduced through improved processes, the company looks at insurance or
financial tools to take care of the rest.

"You might consider a dual trigger policy or, taking a more aggressive
approach, purchase a policy that integrates insured hazard risks - workers'
comp, GL, P&C, auto - with risks that haven't traditionally been included,
such as interest rate fluctuation," says Card.
Enterprise’s Operational Side

When it comes to enterprise risk management, getting a handle on
operational risk is both the most important and the most difficult thing
for companies focusing on the bottom line.

The problem is that operational risk has a very broad definition. In last
year’s PricewaterhouseCoopers survey of financial institutions, respondents
defined it as the risk of direct or indirect loss resulting from inadequate
or failed internal processes, people and systems or from external events.

Bernard Friemann, president of the Risk Management Division’s financial
area at Reliance National based in New York City, defines operations risks
as the risks involved in day-to-day business operations, such as reduced
customer demand, increased competition and supply chain disruptions.

Friemann considers strategic risk as an adjunct to operational risks.
“These get blurred around the edges,” he says. A strategic risk is, for
example, whether a company does acquisitions or builds from the ground up.

Operational risks’ broad impact was shown in a Mercer Management Consulting
study last year that found more than 90 percent of earnings shortfalls
among leading corporations were caused by operational risks and strategic
risks (which are the risks related to strategies rather than processes).

“As companies, particularly financial institutions, start looking at
enterprise risk and analyzing what they’ll need to mitigate or eliminate
risks, the specter of operational risks often looms ominously because it
involves addressing processes, and that means looking across the whole
organization. So it’s not surprising that people will put up resistance,”
says Friemann.

“The financing guy, the sales guy, the purchasing guy - they all have a big
responsibility for [operational risk management],” he says. “They don’t
want people from those other silos sticking their noses into their
bailiwick. The question is, can the risk managers cut through all the walls
effectively? Often, you’re never going to get it done unless you convince
the CFO or the treasurer that it’s important. The risk manager ends up
with the coordinating role.”

Despite the difficulties, the insurance market is taking up the challenge
with products that integrate operational triggers - business results, for
example - into an insurance contract that adjusts its terms - e.g.,
retention levels - based on the activity of the trigger.

“There's been a lot of activity in the last several years around
operational risks,” says Friemann, whose company introduced an Enterprise
Earnings Promotion Insurance program last year. “But the problem with it is
that it’s taken a lot of time. You need the tools to identify how to price
the operational risks, you need to know how the risks behave. The
quantifying guys want to model it but there's a lack of historical data. It
has taken a lot of time to do the analysis and make both sides [insurers
and customers] comfortable with the transaction.”

But identifying and dealing with operational risks is becoming a necessity,
according to a study of financial institutions conducted by
PricewaterhouseCoopers last year.

“The majority of institutions surveyed realize that this new approach to
operational risk management was a real value in comparison to the
traditional approach,” says Mike Haubenstock, a partner with
PricewaterhouseCoopers, New York. “Operational risk management will be
viewed as a core competency by management, customers and stockholders.”
Of Hot Dogs and Newsprint

So what do you do about risks that can’t easily be insured directly because
the insurance market doesn’t traditionally address them? “That’s when
relating intangible aspects to the tangible ones helps,” says Ken
Zignorski, senior consultant with MMC Enterprise Risk, an operating unit of
the Marsh & McLennan Companies.

"This is the next evolution of risk management," says Zignorski, who is
based in New York. “The insurance market has a lot of capital that they're
trying to figure out what to do with. They are professional risk takers who
will take on risks if they can be measured and quantified,” he says.

The trick is to help figure out what the right measurement tool is,
especially for risks that traditionally haven't been measured. Take, for
example, the hot dog. Zignorski gives this scenario: "A food processor
needs to include pork and a portion of turkey meat in its hot dogs. Pork
bellies are traded in the marketplace but turkeys are not on the board. So,
what's the appropriate index for monitoring the turkey supply? Well, you
can track corn feed. There's real data there. You can't get a turkey swap
from a Lehman Brothers or a Morgan Stanley, but the insurance market knows
how to take risks if it can determine the appropriate price."

The same principle works for other commodities, such as newsprint, that
can't be handled by the capital markets.

"Companies are asking themselves, how do I model and measure this risk,"
says Zignorski. "That's the next evolution of enterprise risk management."
To Ground Zero

“After all the mapping, matrices and modeling, bringing the discussion down
from 30,000 feet to what can be done at ground zero requires an unusual
marriage,” says ClubCorp's Harris.

"We needed to marry internal audit and risk management and created a
business risk operation,” says Harris. "Previously, traditional risk
management for insurable risks and internal audit for financial risks were
separate. We said, let's marry the two together because they both work in
unison to drive the business risk process."

It was especially helpful because implementing an enterprise risk
management process over widely separate facilities is difficult. ClubCorp
included various business risk-related processes in its performance
evaluation system and then audited locations to see how the implementation
was going.

Why the macro/micro approach? "We decided that we had grown awfully fast
over the last five years - we doubled our locations - and with that growth
comes additional risks,” says Harris. As a result, the organization was
not able to understand all the risks facing these new facilities.

Taking a holistic approach addressed that issue. "Like many organizations,
we have had a breakdown in certain processes that resulted in litigation
or loss, so we said, how do we take this lesson and learn it 235 times
over," says Harris.

O'Connor of Tillinghast-Towers Perrin agrees. In addition to communicating
business process guidelines, establishing an incentive system to encourage
people to follow the guidelines is crucial.

"You also need to report risk exposures regularly to the CFO, CEO and your
board. You send condensed reports to that level and more expanded reports
to the people who are responsible for those risks,” he says.
Silos and CROs

But doing all this work is for naught, says Swanke of Tillinghast-Towers
Perrin, if the people who can impact the risk remain in organizational
silos.

“These different groups don't think about interactivity,” he says. “The
bottom line is that they should be optimizing shareholder value.”

Swanke sees a continued growth in enterprise programs as organizations
discover their unique level of risk tolerance. “Three years ago, there was
kind of an intellectual debate about enterprise risk management,” he says.
“Now that a few of these programs have been done A to Z, and some
organizations have taken an incremental approach, the insurance marketplace
is welcoming this with open arms.”

“To get people thinking outside their silos requires slow, incremental
change as the organization learns its risk tolerance level,” says O'Connor.
A jump-start for such attitudinal changes is to create the position of a
Chief Risk Officer (CRO) to champion the enterprise risk management cause.

That's the same advice given by James Lam, former CRO for Fidelity
Investments who now is founder and president of Enterprise Risk Solutions
and erisks.com, a subsidiary of Oliver, Wyman & Company based in New York.

"One of the CRO's roles is to be the evangelist for the enterprise risk
management program, winning support from senior management and the board of
directors,” he says. "Other skills include being credible with the business
units and gaining their alignment with the risk management program."

He estimates there are at least 100 CROs, many within financial services
institutions such as banks, brokers, and insurance companies -
organizations that have a high risk profile.

"Companies have seen the external disasters and internal near misses and
they wake up to the fact that enterprise risk management is the best
practice model for managing risk," says Lam. "Within the organization
there's a conversion of risk management functions and in the marketplace
there's a convergence of risk management products between the capital
markets and insurance markets. Those two trends indicate the need for an
enterprise risk management approach."

Many non-financial companies are taking their cues from the financial
services industry, which has been a leader in using CROs and developing
enterprise risk management programs due to regulatory requirements and
scandals (remember the Barings Bank debacle?) where rogue employees went
around standard business processes and pulled organizations into financial
ruin.

“The last step in the enterprise risk management process,” O'Connor
suggests, “is developing a feedback process for continual improvement.”

“What you put in place a year ago may not be operable today,” he says.
“That's why you set up a scorecard to see the deviations and set up
solutions. For example, do you set up more capital? Do you change
reinsurance coverage? Do you enter or exit lines of business? Do you put
more checks and balances in place? Do you modify your current procedures?
Do you do training?”

That way, he adds, risk management becomes a competitive advantage and
optimizes shareholder value, largely because leveling out the volatility in
a business makes Wall Street investors happy.