Published: May 26 2009, 07:00 AM by Sumner Blount
I attended a risk management seminar last week in Boston sponsored by RIMS (www.rims.org). They have been instrumental in promoting best practices of enterprise risk management (ERM). There was a lot of good information in the class, but the most interesting part of it was the opinions expressed by the participants during random discussions.
(By the way, I was the only "vendor" in the class, but the other participants were very willing to tolerate me in their midst. :-) )
For the most part, the participants were new risk officers, along with a few who already had risk management as part of their job responsibilities. So, topics such as "creating the risk management business case" were high on their priority list because they want to enlist support among executive management for their goals.
There were a few interesting discussions that we had. Most of the opinions expressed weren't too surprising, but it was still interesting to hear the commonality of opinion among the participants.
Here's a quick recap of what I thought were interesting discussion points.
First, there was a lot of concern related to "selling ERM" within their organization. They were experiencing a lot of skepticism about the value of an ERM program, and wanted to learn how to demonstrate its business value to key stakeholders throughout all the silos in the organization. Encountering skepticism about a particular area is pretty common in large companies, but when it's your program that the skepticism is directed towards, it brings a whole new level of importance to combating that view.
Second, there were, for all practical purposes, no formal ERM programs in any of their companies. All risk management seemed to be done in silos, with no central oversight, and generally no good visibility to total enterprise risk. Someone also mentioned a statistic that only around 20-25% of companies had formal ERM programs at the corporate level. There was discussion that this view was because of the perceived high cost of true ERM. One person said: "if you do ERM correctly, it's ten times the cost of SOX."
Next, one of their biggest drivers is the rating agencies. Companies live and die by their ratings (more so than I had thought), and so their risk activities were driven in large part by their desire to increase their credit rating.
We had a discussion relating to the use of technology in order to help with risk management. We went around the table and asked them how they managed their risk information. Here are the responses: "a risk management info system, spreadsheets, spreadsheets, spreadsheets, spreadsheets, spreadsheets, spreadsheets, spreadsheets, ..." You get the idea. Spreadsheets was the clear winner. And, although everybody used them, nobody was happy about it. This only served to reinforce what I have seen in my travels and discussions with customers: namely, spreadsheets are the most common way to track risk and compliance information. But, despite their ubiquity, there is often a general sense of dissatisfaction and acknowledgement that they aren't really a good solution to the management of unified risk and compliance info.
As is often the case with classes like this, the biggest benefit came from interacting with other people who were attempting to solve these problems, rather than strictly the material from the course.