Lee Coppack reviews the enterprise risk management seminar held by StrategicRISK in conjunction with Protiviti.

"Leaner, meaner organisations with no margin for error," is how Peter Berring, director of group risk for De la Rue, describes businesses today. They have to make the most efficient use of all their resources, capital and people. They depend as never before on their supply chains. "Nothing is being wasted, but when some element of the process stops, you have a real problem," he told the StrategicRISK seminar on enterprise risk management (ERM) held on 28 June 2006 at the Grocer's Hall in the City of London.

Chaired by risk and governance specialist Sheryl Lawrence, and sponsored by independent risk consultants Protiviti, the seminar attracted an audience of more than 100 professionals from across the risk management spectrum, including specialists in risk management, corporate governance, audit, treasury and health and safety.

Following Peter Berring's overview of the forces driving the development of ERM, Andy Bulgin, director of risk for Coca-Cola Hellenic Bottling Company, described the history and progress of ERM in his company, the world's second largest bottler of Coke. Jonathan Burnett, the European managing director of sponsor Protiviti, completed the panel of speakers, speaking of his "passionate" belief in ERM, but also stressing that it needs more investment in technology and better techniques for measurement.

A recurring theme of the day was the need for a common risk assessment language and ways of measuring materiality of risk. As Bulgin said, "If you don't have that, you can't have an apples for apples comparison in any way."

ERM, it became clear, is work in progress. Its value as a concept seems obvious, but it needs to be demonstrated across the whole range of those involved with the company, not least the man whose role is to "put pop into bottles and make lots of money".

Setting the scene

Peter Berring began by describing ERM as the process of joining up the non-speculative risk management activities in various parts of the organisation, such as treasury, health and safety, and operations. It concerns itself with the way business processes function and the potential impact of their failure to do so, with the consequent damage to suppliers, employees, the environment and the share price.

Companies are under pressure from investors to drive down costs, explained Berring. "Our customers focus very much on price, so we have to provide better services, better products, lower priced and faster than we have ever done before. Once we have done that, we have to accelerate to do it faster and faster again. We make decisions today in times that in the past we would still be considering making that decision. We are a leaner, meaner organisation," he said.

As a result, however, the capacity to absorb shocks has gone, and managing risks has become even more critical. Businesses depend on their suppliers to an extent they have never done before. Production is concentrated in one or, perhaps, two factories working at high capacity. It is efficient financially but potentially damaging if something goes wrong. When it does, asked Berring, how well is the supplier's business continuity plan going to cope? The business must ensure that outsourced partners continue to supply the required quantity and quality of products and services at the right time.

To do so means understanding the strengths and weaknesses of the entire chain, suppliers, customers and competitors, and reinforcing the weak parts. "We need greater profile for risk management and greater involvement in true risk awareness across the whole market process," said Berring. "We have to pay more attention to areas of business continuity. We have to drive and manage market expectation. We also need people to understand what we are delivering. We have to say: Here is the cost you may have to pay for the more efficient processes. Costs don't always come in price."

This remark highlighted the comment that all speakers made on the need for a common risk language, without which, as Berring said, it is difficult to communicate issues on an enterprise wide basis.

ERM means that all the functions work together to understand the exposures - upside and downside - so the business can take the right decisions. Then it is a question of working with stakeholders like the insurers who protect the balance sheet and the investment community, so that they understand the true value of what you are doing.

A case study

Andy Bulgin then described the history of ERM in Coca-Cola Hellenic Bottling Company (CCHBC). He took as his own definition of ERM: "Understanding the key risks facing an organisation and aggregating this information so that the right decisions can be made about where to allocate capital to facilitate business improvement and ultimately profitability."

CCHBC operates across 28 countries, spanning established, developing and emerging markets. There is operational and financial return dependence on the developed markets, but the emerging markets are also significant. Process, systems and procurement methods are standardised for economies of scale, but the countries have a lot of freedom to drive performance through volume, operating income and return on invested capital. "This is great for the company, but bad for us at the centre when we are trying to understand what people are doing and give them systems and methods," commented Bulgin.

Challenges to risk management are considerable. In addition to the wide geographical and cultural spread, management of risk is at varied levels of maturity, and the organisation is under pressure to continue the excellent growth it has enjoyed since its formation.

When CCHBC came together in 2000, it merged a number of different cultures, creating a group with a completely different risk profile. One of the constituent companies had already introduced ERM the previous year, working with the Anderson consultancy. Bulgin believes the Anderson ERM model has not been bettered: "You understand the goals of the business, you identify the risks that might threaten goals, you look at solutions to manage those risks you think are currently not managed effectively, identify the controls for monitoring purposes, hopefully improve your internal risk management and then do the thing again as and when you redefine your goals."

The aim of the ERM project, explained Bulgin, was to understand risk for internal purposes and optimise the company's capital. He described how they had set about the process of building ERM across a much larger group. For example, once corporate goals were defined, risk workshops were key to identifying risks and evaluating their potential severity and frequency and the quality of controls. Country lists were created and amalgamated, which went back to regional managers to refine into key country risks to address as part of the business planning process.

"After this, we wanted to have country and group action plans, and the final piece was to try to get to country performance management. Could you say you had five risks that were so important that managing them had to form part of their overall objectives? If so, could you embed that, could you measure it in such a way that they didn't get their bonus if they didn't manage them."

Most risk specialists believe that risk management is an intrinsic part of good management practice, but trying to make it work at a local level can be extremely difficult. The typical complaint from a country general manager, said Bulgin, is, "This risk management rubbish is a waste of time. My business is to sell pop and make lots of money."

By the end of 2005, Bulgin felt they had made good progress in reporting of risk, for example in the annual and the corporate social responsibility (CSR) reports. Yet, he knew that pressure for information would continue to grow. Being able to report effectively on an aggregated basis did not just help retain investors, who want to know that the company understands and controls its risk, but it also helped the board direct resources to the right place to deal with the things that ultimately could kill the business. Again, the issue of a consistent risk language, implying also some form of measurement, came forward. Said Bulgin, "If you can't get that measurement at least partly in financial terms, you can't aggregate and you can't say what are the killer risks for the organisation."

He described how difficult it is to put a value on risk in product quality. Small incidents occurred all the time and were managed effectively and inexpensively, while the scare in Belgium in 1999, which involved no actual contamination, cost the Coca-Cola system more than $500m because it was not well handled. "Fortunately," he added, "it is easier to do for a lot of other risks."

CCHBC's objective is to have an enterprise wide risk assessment sitting in the middle supported by input from different areas of the business that responds internally to the demands of the board and the audit committee. It is all part of the protective shield CCHBC wants to be able to hold up to show its strength in terms of managing risks, particularly in those areas of reputation which are highly emotive and damaging to a brand.

Bulgin added, "It also supports external reporting, and the further risk professionals can go to satisfy the board that internal control processes are adequate and effective, the easier the project is to implement."

The last, essential piece was whether from that risk assessment, measurable action plans could be created. Could they say: If we follow this will it improve us operationally and will it have a direct financial impact? Said Bulgin, "I think we are almost at a point where that will happen, certainly at a country level."

He anticipated Jonathan Burnett's comments when he explained that they had worked with an external supplier to create a risk management information system that captured all the assessments and had the capability to capture the action plans. It provides useful reports, aggregates the information and offers capability to report to individuals for validation and upwards to the regional directors and function heads. Finally, it gives good, consistent reporting back to the operating committee, the audit committee and, ultimately, the board.

In the next six to 12 months, Bulgin plans to take the 2005-6 process forward. It is now clear that there are a number of common risks across countries and it seems natural to put some group level resource into addressing them, while still taking into account the local operating environment.

Finally, he asked, "Can we reach Nirvana? Can we get effective key business indicators for monitoring what we are doing? I think we probably can."

Passionate belief

Jonathan Burnett began, "I believe passionately in enterprise risk management." He reflected on its importance to him as CEO himself, where he is looked upon as chief risk officer, and in his consultancy business trying to help other CEOs get their jobs done.

Burnett reviewed the results of the survey done by StrategicRISK with Protiviti in May 2006, which gives views from the UK market on ERM. Responses to the survey, he explained, gave three principal explanations why businesses are embarking on ERM: regulatory needs, improved business performance and decision making.

The majority (58%), said Burnett, see ERM's main attraction as enhancing business performance, and more specifically issues like reducing unacceptable performance variability, responding to a changing environment and building confidence among the investment community and other stakeholders. At present, however, only 11% believed their employers had fully defined ERM policies and processes, and only six per cent felt that those frameworks were fully effective.

He said, "There is an un-met demand for simple ERM guidance. If we decide ERM is the Nirvana and we have to do it at once, I think we'll fail. It's just too big and too complicated to bite off all at one time. Take one or two risks, not the whole lot, and go deep and demonstrate that an action plan can be developed, it can be accountable and it can be fixable. It can improve business performance: that is important to the board. It's all right not to do everything at once."

Burnett then listed five practical steps to ERM implementation: understand the risks, define the directions, broaden the focus, focus the line of sight and establish accountability. He described in more detail a method for analysing risk and developing an action plan.

However, he added the qualification that the lack of a common risk language and system of measurement made it more difficult to define where you are and where you want to go. Measurement was essential for comparison when you had nine risk assessments, and each manager was convinced his risks were the most important in the world. You needed a measurement system using quantitative and qualitative techniques, depending on the maturity of the risk, that was comparable enterprise wide.

It was unthinkable, he argued, that companies would report their financial results using some home grown language instead of GAAP, yet that was the current state in risk management. Most clients, said Jonathan, were trying to develop measures using impact on earnings before interest and tax (EBIT) as a basis as much as possible.

He also called for more investment in technology, which has the advantage of structuring the process. If you had to use a particular program to report, you had no choice, he said. You did it and filled in the right boxes. "Technology forces that."

He encouraged the audience to maintain their efforts to implement ERM. A lot had been accomplished, he said, and the drivers were here to stay. Finally, he reminded them not to forget the importance of culture and change management that ERM involved.

Discussion

The presentations provoked a lively discussion. One question focussed on Burnett's practical step: define the direction. Do companies articulate their strategic objectives clearly enough, it was asked. "No, they do not," said Burnett. "Often, we go to do a risk assessment and decide we can't assess it against anything. We end up helping management articulate their objectives, so we can start."

In response to questions about getting commitment to the ERM process from senior management and the shop floor, the speakers' answers were similar: demonstrate its value, whether by showing an impact on EBIT or by how it can make them more effective. Andy Bulgin's comment could really cover both ends of the corporate spectrum, "I think it's about the value of demonstrating risk management in everyday business and operations."

How can reputational risk be managed since it is not on the balance sheet? was another question. Burnett's response was that if you are doing a risk assessment, the balance sheet was not the place to start. You look at the sources of value. The brand is the most important thing many companies have and it is a pretty tough thing to manage.

Yet, he added that good, in the form of much improved corporate governance regimes, had come from corporate disasters. The lesson from Enron and other cases was that: "Having honest, ethical people running the business is probably more important than being able to detect some of the risks that we spend a lot of money trying to manage down in the organisation and its systems and processes."

- Lee Coppack is a risk management writer and analyst. She is editor of StrategicRISK's sister publication, Catastrophe Risk Management. E-mail: lee@coppack.co.uk