For most companies, the challenge remains as to how to stop ERM frameworks from becoming white elephants.

Publications outline the major benefits of an ERM framework, including improved business performance resulting from a clearer view of which activities add value, and greater transparency around the rationale for making the decision to take on certain risks. Why is this different from the past?

For a period up to the 1990s, some companies had used accounting techniques to control the volatility of their earnings. Management relied on the ‘good times’ (times of making premium returns on risks) to provide the return to restore the margins held to manage future fluctuations. In the current business environment, these practices are no longer acceptable. Economically, this is not sustainable in the longer term as it suggests risks are not being understood properly or managed. ERM helps management understand its risks and provides a framework to ensure they can be managed or mitigated. The old adage of ‘know your business’ is now more true than ever – at its core, knowing your business is about knowing what the risks are, why you are taking them and how they are mitigated.

The vision for ERM is that it enables the business to grow shareholder value through making smart risk-return-based decisions.

In turn, this gives rise to increased organisational effectiveness as a result of the business having the right information available to make decisions such that opportunities can be entered and exited in a timely manner to optimise the return. This capability will enhance the company’s reputation across many stakeholders, including regulators and rating agencies, by evidencing the executive is skilled enough to manage the uncertainties, demonstrably reducing the likelihood of insolvency directly or indirectly. This is what leads to improved access to capital markets over the long term, with reduced costs of financing, as it is clear that you ‘know your business’.

Since the inception of ERM, a lot of time, effort and financial resources have been dedicated to the enhancement of companies’ ability to manage risk. Within the phrase ‘enterprise risk management’, the use of the term ‘risk’ is now rather misleading as it has evolved over the same period from a word that related to the ability to apply internal controls to a word used to cover how a business is managed strategically. This has led to a lot of confusion and debate about what ERM is and how it interacts with other aspects of managing a business.

The term ‘risk’ is more usefully articulated as the ‘uncertainty of outcome, good or bad’.

Some observers define risk as the quantifiable element, and ‘uncertainty’ as the non-quantifiable dimension. However, we find this difficult as all aspects of what we do involve making some form of judgment about the implications of events based on available information. Not all that information is directly relevant, and those judgments themselves may not be borne out in practice. Hence, the line between risk and uncertainty being quantifiable and non-quantifiable may only exist in the minds of those who live in the mathematical ‘modelled world’, rather than those who operate in the ‘real world’.

‘As CEO, I am aiming to deliver the business plan, which encapsulates our vision for the organisation over the coming years. I want to make sure the plan is delivered in a manner that is within the boundaries we established as “our way of getting things done around here”, and that manages the dynamic tensions between the various stakeholder groups.

The plan outlines the uncertainties and volatility that we face over the planning horizon, the sorts of issues that might emerge to prevent us from achieving the plan, and what we believe we can do to keep things on track should these arise.

As an executive team, we are fully aware that events may occur that give rise to new opportunities, and we have a framework that helps us, on an ongoing basis, identify these opportunities, determine the implications of taking them and understand how we can go about harnessing them.

As the plan is broken down into bite-sized segments, such as the budget and forecast for the coming year, I have outlined how we make sure that information of sufficient quality is delivered in a timely manner in order for us to assess what is happening and whether we need to take action in full knowledge of all the relevant facts. This includes the systems and tools that underpin getting the right information to the decision-makers at the right time and in a way that can help them make those decisions.

To make this process operate efficiently and effectively, my management team needs to have the appropriately delegated authority to take action on a day-to-day basis so that they can manage the delivery of their components of the plan. To avoid confusion and angst about what we do within the business, the Board needs to clarify where the authority that has been delegated starts and ends, to ensure that when an event occurs that is significant, others have been engaged appropriately, or if it is sufficiently material, the Board has been engaged.

Having agreed upon this framework, we will cascade this down and through the organisation in a consistent manner, communicating the link between the strategy and employees’ operational limits and performance objectives so that people are not working in silos and know how what they do impacts the delivery of the plan for the whole organisation’.

This is a top-down view of ERM, which concerns how a company goes about doing things. The advantage of adopting this approach is that it highlights the key value-adding areas, which is useful when trying to build a business case for a Board to assist them to understand what benefit they will obtain for the investment in time and money.

It is also essential to separate ERM from the historic role of risk functions, as it is now evolving to include more about seeing risk management as the identification of strategic opportunities rather than purely a process for monitoring internal controls.

The driver for evolution is that people invest in companies for them to take risks in order to earn a return. Where there is risk, there is opportunity to make a return – the decision is whether that is a risk-return trade-off that the company wants to take.

Figure 2.1 outlines the holistic ERM framework, shaping and informing the business strategy and operating through the key processes that deliver the results throughout the year – effectively the Business Operating Model. Additionally, if one can imagine the information flows between these components, it is possible to develop a report that includes these aspects, which under Solvency 2, the new European regulatory framework, would be known as an Own Risk and Solvency Assessment.

The ERM framework in Figure 2.1 illustrates how risk management is integral to the development of the strategic plan and facilitates an understanding of which risks are producing an optimal profile of returns and how capital can be allocated effectively to make this happen. Achieving this is as much about the capabilities to understand the risks we choose to take and the reasons why we did not take others.

The ERM framework illustrates how decision-making needs to be supported by the infrastructure and models capable of delivering accurate information in a timely manner, with management in full knowledge of the shortcomings of the models so that they can apply their judgment effectively.

The delegation of authority exists to help us respond operationally to day-to-day fluctuations and issues efficiently and effectively, escalating for approval when events and situations are more extreme.

Those to whom authority has been delegated need to act as behavioural role models, as others will be watching them for clues to the appropriate way to react, respond and manage issues when they arise.

The core to a business strategy is developing the ‘competitive advantage’ or determining ‘what makes us different from others’. Without the threat from competition, there would be little need for a strategy, as the company could just plan how it would continue over the coming years without any need to differentiate itself. Thus, the...