Everybody faces some degree of danger and risk. The key for most of us is learning to identify the risks we might encounter and deciding what we should do to mitigate them. Individuals practice risk management through insuring their property and planning ahead for various contingencies. Corporations develop complex strategies that allow them to protect their capital and prevent disasters.
Historically, business approaches to risk management have been largely “silo-based.” That is, assurance specialists such as internal auditors, environmental analysts, safety officers, and others assessed risks within their own specialty field, without looking at the total universe of risks to the business entity as a whole. However, these traditional forms of risk management and assurance haven’t worked very well. Many major global studies are concluding that these silo-based approaches no longer can address the complexity and speed of change in today’s environment.
Today, the term risk management is more and more often used generically to mean identifying and assessing any situation or circumstance that could have a negative impact on the achievement of business objectives. An area that’s skyrocketed in popularity in the past two years is “integrated enterprise risk management”—the notion that a business entity needs to manage all kinds of risk holistically.
Extensive research supports the concept of this new risk management paradigm. For instance, McKinsey & Co. has published research indicating that organizations that operate from an enterprise risk perspective, as opposed to a traditional, silo-based perspective, are likely to have higher price earnings ratios and higher share prices. Towers Perrin has done similar studies that show better risk management results in lower earnings volatility, which can result in higher share value.
Backed by the Banks
To a large extent, the enterprise risk movement today is being led by changes occurring in financial institutions worldwide, where a massive reorganization is under way. In the past, regulators have required banks to maintain certain levels of reserve capital. In the future, banks will have to conform to new guidance that is being established by the Basel Committee on Banking Supervision, which comprises supervisory banking authorities from many European countries and the United States.
This committee has recently finalized the Basel Capital Accord II, which specifies radical new approaches to supervisory oversight and capital reserve requirements. Now banks will need to look at credit and market risk as well as “operational risks”—that is, all forms of risk. System interruptions, rogue traders, a decline in the customer base, regulatory irregularity, or errors in processing credit card transactions all will have to be considered as potential risks. Banks that do not implement holistic, enterprisewide risk management systems will receive a negative “fitness score” that may require them to make adjustments in the amount of capital they reserve. Literally trillions of dollars will be on the line.
Along with banks, utility companies of all types are expected to begin adopting enterprise risk approaches. Utilities are attempting to move from a sleepy, regulatory, monopolistic culture to an environment where they can compete in an open market. To do so, they need massive and rapid changes in the way they behave and think.
Where Are the Business Schools?
In contrast to the activity in other sectors, business schools and the entire academic community appear to have their heads in the sand when it comes to understanding, implementing, and teaching enterprisewide risk management. Very few professors currently specialize in the field of holistic enterprise risk management, so the topic is being taught by very few faculties.
Most of the current research studies on enterprise risk management have been driven by consultant firms, professional accounting associations, or internal auditors, rather than by the academic community. In fact, academics globally appear to have vigorously resisted the notion of applying holistic risk and control management to their own work. With the possible exceptions of legal and public accounting firms, no other sector has been so opposed.
For example, how many colleges and universities are ISO-certified, meeting quality system standards set by the International Organization for Standardization? The percentage would be minuscule. How many colleges and universities utilize systems such as the Baldrige quality system, where they think of their students as customers, regard their courses and teaching as products, and utilize a precise system to score and report on the “quality” process in each faculty? Not many. It is, therefore, unlikely that many colleges and universities will leap to join the global trend to integrated, enterprisewide risk management.
To be fair, the academic community in some parts of the world—including Canada, the United Kingdom, and Australia—is making some progress. To be blunt, I believe the U.S. as a whole is going to have a great deal of difficulty implementing rigorous, effective enterprise risk management systems. The reason is simple: America is the most litigious culture in the world. Good risk management means making conscious decisions on risk acceptance. Conscious decisions mean documented decisions. Documented means discoverable; discoverable means that, when you guess wrong, evidence is available that proves you understood the possible consequences of your decision—a key element in many court cases.
Let me give you a raw example. Say you teach at a business school where decent data leads you to conclude that 20 percent of your students are cheating, but your school decides formally not to put any more resources toward solving the problem. You have an MBA student who becomes aware that the university has accepted this number of cheaters—and this student fails. Now, if the school has practiced formalized risk management, there will be documentation that shows the faculty consciously considered its percentage of cheaters, understood what it meant to honest students, and accepted the risk. This failed student uses the documentation as part of a class action suit against the business school, using a contingency fee legal firm.
Although it is important for business schools to think consciously about such risks and make decisions about how to handle them, there are consequences. In the U.S., such consequences argue in favor of approaches that support claims of “plausible deniability” on the part of senior management. Unfortunately, the academic community is not the only one that faces deterrents to good risk management practices, particularly in the U.S. All sectors of the economy face the same deterrents, leading to vulnerability to terrorists, false stock market disclosure, and other topical events.
Whether or not the academic community decides to apply holistic enterprise risk and assurance management practices to itself, business schools should address the risk management learning needs of their students. Those students almost certainly will be joining organizations that will be expected to implement some form of holistic enterprise risk systems over the next decade. As I recently told a group of professors at a conference in Toronto, if business schools don’t teach students enterprise risk management, they are harming their students by teaching antiquated concepts and approaches. In light of recent events, the importance of better approaches to risk and assurance has never been greater.
Tim J. Leech, FCA•CIA, CCSA, CFE, MBA, is founder and president of CARD®decisions Inc. in Mississauga, Ontario, a company that provides integrated enterprise risk and assurance management software and training systems for clients around the world.