Beyond Sarbanes-Oxley


Energy Trading & Risk Management: How to evaluate risk and improve decision-making capabilities.

Fortnightly Magazine - October 2005

In an effort to comply with Sarbanes-Oxley, many companies spent thousands of hours assessing controls around financial reporting. When all was said and done, their main complaint was that the efforts failed to focus on the key processes, reports, and systems the companies used to make daily operational decisions.

This is where enterprise risk management (ERM) enters the picture. ERM is a methodology that many organizations discussed several years ago. Some utilities even implemented certain aspects of ERM, but broader application of the concept was shelved as problems developed within the energy trading sector. The reality is that most utilities applied components of ERM only to specific risks, namely commodity market risks and interest-rate risks. This was a good place to start but, unfortunately, it missed many other important risks within these companies, such as operational risk, integrity risk, compliance risk, strategic risk, and reputation risk.

Boards of directors also have a heightened sense of need regarding governance and control infrastructure, given the current environment. The Committee of Sponsoring Organizations (COSO), the same organization that set forth the standards that most companies are using for compliance with Sarbanes-Oxley, recently introduced an integrated framework for ERM. Boards are under increasing pressure to understand how management is assessing and managing risks across the organization. This expectation has, in turn, increased the pressure on management. Yet, research consistently indicates that six of 10 senior executives "lack high confidence" that their company's risk-management practices identify and manage all potentially significant business risks.

With a heightened focus on risk management, it has become increasingly clear that traditional risk-management approaches do not adequately identify, evaluate and manage risk. Traditional approaches tend to be fragmented, treating risks as disparate and compartmentalized. These risk management approaches often limit the scope to managing uncertainties around physical and financial assets. Because they focus largely on loss prevention, rather than adding value, traditional approaches do not provide the framework most organizations need to redefine the risk management value proposition in ways that better reflect this rapidly changing world.

An ERM approach integrates risk management with existing management processes, identifies future events that can have both positive and negative effects, and evaluates the effectiveness of strategies for managing the organization's exposure to those possible future events. ERM transforms risk management to a proactive, continuous, value-based, broadly focused, and process-driven activity.

A New Approach

ERM differs from traditional risk-management approaches in terms of focus, objective, scope, emphasis and application. It aligns strategy, people, process, technology, and knowledge. The emphasis is on strategy, and the application is enterprise-wide.

Under an ERM approach, management's attention is directed to the uncertainties around the enterprise's entire asset portfolio, including intangibles such as customer assets, employee and supplier assets, and such organizational assets as its differentiating strategies, distinctive products and brands, and innovative processes and systems. This expanded focus is important in our era of market capitalizations significantly exceeding balance-sheet values and the desire of many companies to focus on protecting their reputation from unacceptable risks relating to potential future events.

An ERM framework does not replace the "internal control" framework. Instead, it incorporates it. As a result, businesses may decide to implement ERM to address their internal control needs and to move toward a more robust risk management process.

Why Implement ERM?

ERM provides a company with the process it needs to become more anticipatory and effective at evaluating, embracing, and managing the uncertainties it faces as it creates sustainable value for stakeholders. It helps an organization manage its risks to protect and enhance enterprise value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. Third, it helps management improve business performance.

These contributions redefine the value proposition of risk management to a business. One way to think about the contribution of ERM to the success of a business is to take a value-dynamics approach. Just as potential future events can affect the value of tangible physical and financial assets, so also can they affect the value of key intangible assets. This is the essence of what ERM contributes to the organization: the elevation of risk management to a strategic level by broadening the application and focus of the risk-management process to all sources of value, not just physical and financial ones.

ERM transitions risk management from "avoiding and hedging bets" to a differentiating skill for protecting and enhancing enterprise value as management seeks to make the best bets in the pursuit of new opportunities for growth and returns. ERM invigorates opportunity-seeking behavior by helping managers develop a true understanding of the risks and capabilities to manage those risks within an organization.

Five Steps to Implementation

Organizations broadening their focus to ERM should follow five practical steps:

1. Conduct an enterprise risk assessment (ERA) to assess and prioritize the critical risks.

    An enterprise risk assessment identifies and prioritizes the organization's risks and provides quality inputs for formulating effective risk responses, including information about the current state of capabilities around managing the priority risks. If an organization has not identified and prioritized its risks, ERM becomes a tough sell because the value proposition can only be generic. Using the entity's priority risks to identify gaps provides the basis for improving the specificity of the ERM value proposition. The message: Avoid endless dialogues about ERM. Get started by conducting an enterprise risk assessment to understand your risks.

2. Articulate the risk-management vision and support it with a compelling value proposition.

    This step provides the economic justification for going forward. The "risk-management vision" is a shared view of the role of risk management in the organization and the capabilities desired to manage its key risks. To be useful, this vision must be grounded in specific capabilities developed to improve risk-management performance and achieve management's selected goals and objectives.

    "Risk-management capabilities" include the policies, processes, competencies, reporting, methodologies, and technology required to execute the organization's response to managing its priority risks. They also depend on what we call "ERM infrastructure." To illustrate:

    Item A. Defining the specific capabilities around managing the priority risks begins with prioritizing the critical risks and determining the current state of capabilities around managing those risks. Once the current state of capabilities is determined for each of the key risks, the desired state is assessed, with the objective of identifying gaps and advancing the maturity of risk management capabilities to close those gaps.

    Item B. ERM infrastructure consists of the policies, processes, organization oversight, and reporting to instill the appropriate discipline around continuously improving risk-management capabilities. Examples of elements of ERM infrastructure include, among other things, an overall risk-management policy, an enterprise-wide risk assessment process, presence of risk management on the board and CEO agenda, a chartered risk committee, clarity of risk-management roles and responsibilities, dashboard and other risk reporting, and proprietary tools that portray a portfolio view of risk.

    Here is the message: The greater the gap between the current state and the desired state of the organization's risk management capabilities (Item A), the greater the need for ERM infrastructure (Item B) to facilitate the advancement of those risk management capabilities over time. A working group of senior executives should be empowered to articulate the role of risk management in the organization and define relevant goals and objectives for the enterprise as a whole and its business units.

3. Advance the risk management capability of the organization for one or two priority risks.

    This step focuses the organization on improving its risk management capability in an area where management knows improvements are needed. Like any other initiative, ERM must begin somewhere.

    Possible starting points include:

    • Compliance with the Sarbanes-Oxley Act (specifically Sections 302 and 404 of the act);
    • Risks other than financial reporting risk (for example, one or two priority financial or operational risks, environmental, health and safety risks, regulatory compliance risks, IT security risks, facility protection risks, or governance reform issues);
    • Evaluating enterprise-wide risk-assessment results to identify priority areas (in other words, migration to ERM begins with first selecting the priority risks and assessing the current state of risk-management capabilities addressing those risks, as discussed in Step 1);
    • Integration of ERM with the management and operating processes that matter (for example, strategic management, annual business planning, new product launch or channel expansion, quality initiatives, performance measurement and assessment, and capital expenditure planning).

    Many public companies in the United States may begin their evolution to ERM with Section 404 compliance because the first-year compliance investment is significant and a company cannot have sound governance without transparency in its financial reporting. A strong focus on reliable financial reporting is a good foundation on which to build ERM capabilities. Regardless of where an organization begins its journey, the focus of ERM is the same: to advance the maturity of risk management capabilities for the organization's priority business risks.

4. Evaluate the existing ERM infrastructure capability and develop a strategy for advancing it.

    It takes discipline to advance the capabilities around managing critical risks. The policies, processes, organization, and reporting that instill that discipline are called "ERM infrastructure." We have asserted that the purpose of ERM is to eliminate significant gaps between the current state and the desired state of the organization's capabilities around managing its key risks. We provided some examples of ERM infrastructure earlier when discussing Step 2. Other examples include a common risk language and other frameworks, knowledge sharing to identify best practices, common training, a chief risk officer (or equivalent executive), definition of risk appetite and risk tolerances, integration of risk responses with business plans, and supporting technology.

    ERM infrastructure facilitates three very important things with respect to ERM implementation. First, it establishes fact-based understanding about the enterprise's risks and risk management capabilities. Second, it ensures there is ownership over the critical risks. Finally, it drives closure of gaps.

    ERM infrastructure is not one-size-fits-all. What works for one organization might not work for another. The elements of ERM infrastructure vary according to the techniques and tools deployed to implement the eight COSO ERM components, the breadth of the objectives addressed, the organization's culture, and the extent of coverage desired across the organization's operating units. Management should decide the elements of ERM infrastructure needed according to these and other appropriate factors.

5. Advance the risk management capabilities for key risks.

    This step begins with selecting the enterprise's priority risks. After the first four steps are completed, it often is necessary to update the ERA for change. Once the priority risks are defined, based on the updated ERA, management must determine the current state of the capabilities for managing each risk and then assess the desired state, with the objective of advancing the maturity of the capabilities around managing those risks. This already has been accomplished for one or two priority risks (see Step 3). Now management broadens the focus to other priority risks.

    Risk-management capabilities must be designed and advanced, consistent with an organization's finite resources. For each priority risk, management evaluates the relative maturity of the enterprise's risk-management capabilities. From there, management needs to make a conscious decision: How much added capability do we need to continually achieve our business objectives? Further, what are the expected costs and benefits of increasing risk-management capabilities? The goal is to identify the organization's most pressing exposures and uncertainties and to focus the improvement of capabilities for managing those exposures and uncertainties. The ERM infrastructure that management has chosen to put in place drives progress toward this goal.

    Companies in the early stages of developing their ERM infrastructure often lay the foundation with a common language, a risk-management oversight structure, and an enterprise-wide risk assessment process. Some companies have applied ERM in specific business units. A few companies have evolved toward more advanced stages, such as the management of market and credit risks in financial institutions and the management of compliance risks in other industries.

    Wherever a company stands with respect to developing its risk-management process, directors and executive management would benefit from a dialogue around how capable they want the entity's risk management to be with respect to each of its priority risks. The capability maturity model provides a scale for evaluating the maturity of an organization's risk-management capabilities. The model provides five states for rating the maturity or capability of any process, ranging from "initial" to "optimizing."

    The capability maturity model is a powerful tool for evaluating sustainability. Using this model, management rates the enterprise's capabilities in key risk areas, identifies gaps based on the level of capability desired in specific areas, and shifts the dialogue on operating metrics to incorporate appropriate emphasis on process maturity. The ERM infrastructure ensures that the rating process is fact-based and conducted with integrity by the participating risk owners.

    The model provides a valuable framework for facilitating substantive dialogue among directors, management, and others regarding the capability of the organization's processes as compared with the critical risk areas identified in their risk assessments. Armed with this tool, boards and management are able to satisfy themselves that risk management improvements are directed to the areas of greatest concern and exposure. The focus is then directed to implementing those improvements according to management's plan over time. Again, the ERM infrastructure provides oversight to ensure that improvements are on schedule.

Improving Risk Management Capabilities

Companies evolving toward ERM should keep in mind that it is a journey, not a destination. ERM can potentially represent a sea change in organizational attitude and behavior. As with any significant change, the adoption of ERM is fundamentally a process of building awareness, developing buy-in, and ultimately driving the acceptance of ownership throughout the organization. Change enablement is, therefore, a significant aspect of an ERM initiative because everyone's perspective about risk varies.

To help ensure success, keep the following in mind when implementing ERM:

• Develop a compelling business case linking the ERM agenda to real priority business needs, garner support from the top, and manage progress against milestones over time.
• Obtain agreement on risk management objectives and the necessary ERM infrastructure, consider relevant cultural issues, and focus on enterprise-wide application.
• Implement an effective enterprise-wide risk assessment process early.
• Clarify process ownership issues: Who decides, who designs, who builds, and who monitors?
• Integrate risk management with the business planning process.
• Don't forget the true purpose of ERM infrastructure: be sure to define the future goal state of the capabilities around managing the critical risks and contrast it with the current state.
• Use the COSO ERM components as a framework against which to benchmark ERM requirements.

Properly implemented, ERM can help organizations pursue strategic growth opportunities with greater speed, skill, and confidence. Opportunity-seeking behavior is invigorated if managers have the confidence that: (1) they understand the risks they are taking on; and (2) the organization's risk taking is aligned with its core competencies and risk appetite. Markets will differentiate competing organizations by the quality and extent, real or perceived, of their risk-management capabilities.