Risk Management: Articulating the Value
Interview with Carol Fox, Director of RIMS Strategic and Enterprise Risk Practice
It's one thing to have solid enterprise risk management practices, but quite another to articulate their value to the greater organization.

In fact, articulating this value is the #1 challenge facing risk managers across industry, according to Carol Fox, Director of the Strategic and Enterprise Risk Practice at the Risk and Insurance Management Society.

"It's quite difficult to demonstrate ERM value through traditional investment metrics, whether that be return on investment, return on equity, return on assets, or even through a risk adjusted return on capital," Fox says. "Instead, many companies utilize the business case that looks at ERM in four categories: shareholder value, risk mitigations, process consolidation and silo elimination. While these are worthy goals, they can be difficult to measure and therefore nearly impossible to articulate adequately to a board or an executive management team that is focused on organizational value, creation and capture."

In an exclusive interview on risk management, Fox discusses:

  • How risk managers can convey value;
  • How organizations are overcoming their strategic risk management challenges;
  • What it takes to make it as a risk management professional today.

Fox was previously the senior director of risk management for Convergys Corporation, a $2.8 billion, publicly traded company headquartered in Cincinnati. There, she created, directed and executed advanced risk management, crisis management and business continuity systems that are recognized as leading practices by clients and industry leaders. Prior to her position with Convergys, Fox was director of risk management for Cincinnati Bell, a U.S. local exchange and wireless provider, where she assessed business risks and advised executives on mergers and acquisitions, corporate insurance, and contractual risks.

Fox has served RIMS as a member of its board of directors, as vice president of Professional Development and as vice president of Governance and Secretary. She has held a number of other leadership positions within the organization, including chair of the membership, governance, enterprise risk management development and standards and practices committees.

TOM FIELD: To get us started, why don't you tell us a little bit about yourself please and about your work with RIMS as well?

CAROL FOX: Well, first of all, I do want to thank you for inviting me to speak with you today. As Tom mentioned, my name is Carol Fox, and as Director of RIMS Strategic and Enterprise Risk Practice, I will be leading new research in the development of innovative yet practical strategic and operational risk practices that are applicable across all types of organizations. I graduated from Miami University of Ohio, where I currently serve as a founding member of the Advisory Board for Miami Center of business excellence. I hold an Associate in Risk Management designation from the Insurance Institute of America. I serve on the Committee of Experts Advisory Council for Voluntary Preparedness Certification for the American National Accreditation Institute, and most recently I joined the US Technical Advisory Group, otherwise known as US TAG, on the ISO 31000 Risk Management Standard serving as the TAG's Vice-Chair. For over 10 years I was Senior Director Risk Management for Convergys Corporation. Convergys is a $2.8 billion dollar publicly-traded company headquartered in Cincinnati, Ohio. At the time, Convergys employed 75,000 people in over 80 worldwide locations, providing outsourced customer care, human resources and billing services to 1,450 clients. While there, I created, directed and executed advanced risk management, crisis management and business continuity systems that were recognized as leading practices by our client and industry leaders.

Tom, your audience may be interested to know while at Convergys, I successfully led a cross-functional enterprise information risk management project that was championed by our CIO in conjunction with our information security team. In addition, I've authored and contributed to articles and white papers on numerous risk management topics that have been published by organizations such as Forbes.com, the Alfred P. Sloan Foundation, National Underwriter, the Center for the Advancement of Risk Management Education and the Disaster Recovery Journal. Some of your audience may know me as a presenter at risk management and business continuity forums as well.

Risk Management Challenges

FIELD: Well, Carol, you get a great perspective on this. If you could sum it up, what would you say is today's biggest strategic risk management challenge or challenges?

FOX: Well, Tom, two come to mind immediately. One is articulating risk management's value, and secondly linking risk management practices with the achievement of an organization's objectives. Those two would be at the top of my list. This is highlighted by a survey conducted recently ... All told, 244 risk managers were surveyed; about 45 percent of the respondents were from companies with revenues above $1 billion. While 55 percent responded that an ERM process is in place, 45 percent said no, ERM is not in place.

Citing the difficulty of articulating its value within the company as the greatest challenge, it's quite difficult to demonstrate ERM value through traditional investment metrics, whether that be return on investment, return on equity, return on assets, or even through a risk adjusted return on capital. Instead, many companies utilize the business case that looks at ERM in four categories: shareholder value, risk mitigations, process consolidation and silo elimination. While these are worthy goals, they can be difficult to measure and therefore nearly impossible to articulate adequately to a board or an executive management team that is focused on organizational value, creation and capture. Their understanding of value involves strategies that increase the demand for the organizations prior to the services, and they gain organizational efficiencies. Value articulation for risk management that is linked to the organization's strategy generally is weak at best. Even those organizations that have an ERM program in place are leaving value on the table by not fully utilizing ERM for risk-based decisions.

Quoting from that same report, for many of the respondents, even those that had implemented programs, the results indicate only a partial understanding of the ERM. Even among those companies with existing programs, only one-third said they used ERM as part of their decision-making process. So, I guess it's not surprising that with so few respondents linking around to how the organization makes better decisions, ERM value is difficult to explain. Traditionally, many organizations expect risk management to play a very tactical and limited role, for example in preventing, mitigating, or transferring known risks, but that really underestimates the role risk practitioners, including IT risk practitioners, can play at increasing the odds of strategic success. Achieving organizations' overall objectives requires attention to the full spectrum of its risk, including a strategic risk and managing the combined impact of those risks as an interrelated risk portfolio to create an optimized opportunity.

Organizations can gain even more value when risk practitioners bring their unique skills and proven methods to the table. Leading an enterprise risk management approach provides a value producing opportunity for all the risk-related functions, whether that be legal, audit, compliance, physical, information security, business continuity, treasury, to name just a few of the traditional roles. When they work with the rest of the organization, they can create additional value as well as protect the existing enterprise value.

Tackling the Challenges

FIELD: Well, Carol, you are in a great position with RIMS and a good perspective on organizations. You articulated these challenges well. How do you see organizations tackling the challenges, whether that is for better or for worse?

FOX: Well, I believe that strategic and enterprise risk practices actually fuel the larger strategy and enable a higher level of execution. Boards and CEOs are most concerned with that full spectrum of risk I talked about related to the organization strategy. Organizations actually limit the value they can create through enterprise risk management, as their approach to risk is primarily one of controls and compliance. Controls and compliance are important, but they certainly don't address the upside of uncertainty. Unfortunately, there are very few organizations tackling these challenges. Steve Dreyer, who is a practice leader at Standard & Poor's, stated in a June 2010 report, companies that have a formal ERM program [are] by no means a majority. ERM is generally in its earliest stage, and very few companies we have reviewed seem fully in view with a culture that integrates risk assessment into strategic decision making. So, what does that mean? Well, RIMS' own research supports these observations that the majority of companies do not yet have a formal ERM program. In our 2010 Excellence and Risk Management Report ... we found that adoption of an enterprise risk management program has increased significantly from 9 percent to 28 percent over the period of 2009 to 2010, but it's still not the norm for most organizations. That is changing, however. Economic conditions have sparked greater interest in risk management practices by legislative and regulatory bodies. Take for instance last year's SEC Rule, requiring transparency and the proxy filing of publicly traded companies regarding risk management oversight and compensation practices. Regulators, customers, investors and other key stakeholders are really pressuring organizations to identify and explain how they manage the risks they save.

Forward-thinking companies are bridging the gap between risk management strategies. Quite a few of our RIMS members are beginning to integrate enterprise risk management practices into strategic planning based on the successes they have enjoyed by applying risk management practices and operation. They are partnering with a strategist to try to value creation for their organization by considering opportunities through risk exploitation and managing a risk that may arise from strategies themselves. This is leading to better decisions and more confident risk taking.


FIELD: Carol, I'm curious: Do you see particular industries that are stronger at enterprise risk management, or does it tend to be particular organizations?

FOX: I think it depends a lot on the leaders, the risk management professional leaders, as to whether they are content to play in their traditional role or whether they are really looking to lead risk management further. Interestingly enough at the conference last year, I talked to a number of what I would consider non-traditional risk managers, people from compliance, people from other areas and other functions in the company, legal for example who came saying "We've been doing risk mapping for a lot of years, and we really need to take it to the next level." So those people are driving these risk management practices I think.

FIELD: Well, let's talk about risk management professionals. What do you find is required of them today versus say when you got into the field?

FOX: Well as I said, I think it's no longer adequate to be a specialist only. Whether that specialty is risk transfer, which is how I grew up in risk management, or information systems or loss prevention, business continuity, security or compliance, it is vitally important to thoroughly understand the organization, its operations and its industry. By thinking like a business owner, today's risk management professionals really need to take a strategic view of managing risk to be relevant in achieving the organization's expected outcome. At times that may mean playing devil's advocate to check what I call "unbridled enthusiasm" within the organization. At other times, it may mean changing the way you and the organization think about risk to see uncertainty as an opportunity.

I love to tell the story about the University of California Davis with its 1200 olive trees on campus. When they were faced with lawsuits due to slips and falls from fallen olives, the grounds crew, instead of mitigating the risk by spending more for additional maintenance, decided to harvest the olives and sell olive oil under the UC Davis label. Not only did they reduce the downside of risk with fewer claims, they actually won awards at country fairs and made a profit for the University while enhancing its reputation. That's what we mean by changing the way you think about risk.

Career Advice

FIELD: For someone entering the field today, whether they are starting a career or re-starting a career, what advice would you offer to them if you could boil it down to just one piece of advice?

FOX: Well, not surprisingly, first and foremost my best advice is to join RIMS to start your journey. That is what I did. You have access to timely and innovative information, education, networking, advocacy across all types of organizations. One of our tools, the RIMS Professional Growth Model, identifies the skills necessary for effective risk practitioners at every level from entry to executive and provides examples of distinguishing features at each of these levels. I'd really dive into education, formal and that you can gain through networking. We offer courses from basic risk management fundamentals to advanced workshops that can lead to professional designations. These programs typically are led by senior risk practitioners who apply the theory into everyday practice with personal examples and case studies. And you have access to literally thousands of other risk practitioners through networking ... But most importantly, don't wait to be invited. I think the risk professional's success today lies in the ability to seize the moment and really act as one of the organization's leaders.

Improving Risk Management

FIELD: Final question for you Carol. For organizations that want to improve their risk management strategy, what fundamental advice would you offer to them?

FOX: Well, Tom, I think strategic risk practice is addressed, the uncertainties that an organization faces are in achieving its strategic objectives. How risk can be exploited and used as a competitive advantage, as well as the emerging and dynamic risk and opportunities posed by the strategic objectives themselves. RIMS leadership encourages organizations and its risk practitioners to change the way they think about risk by really considering its upside. Uncovering new opportunity through a vibrant strategic risk management capability and using robust risk informed decisions to protect the enterprise value. This is where RIMS expects to lead organizations and risk practitioners over the long term, and personally I think it's a lot more fun creating and supporting growth than only worrying about everything that could go wrong and all the disasters that could possibly occur.
