Software companies started using the adjective “enterprise” a couple of decades ago to connote its ability to scale to the needs of the largest corporations and to span the needs of multiple departments or business units. Skeptics, however, have come to think the word is either meaningless or synonymous with overpriced. I confess that at times I sympathize with this view. However, it strikes me that when it comes to risk management, there are times when “enterprise” is precisely what a company needs. I’ve written on the need for enterprise risk management (ERM) from the standpoint of increasing the degree of automation companies use or using techniques such as prediction markets to improve risk management effectiveness. It’s also important for corporations, especially larger ones, to have compensating controls at its highest levels to mitigate regulatory or legal compliance risk.
Corporations use incentives in an attempt to align the behavior and decisions of executives, managers and individual employees with the organization’s objectives. In the more than half century since Peter Drucker began instilling some discipline into theories of what we now call “performance management,” one of the clearest lessons learned is that managing to a single, simplistic short-term objective means that long-term disaster is not being left to chance. The “balanced” score card came into being because in business almost all decisions involve trade-offs: market share versus profitability, for example. With a single performance measurement, managers are easily tempted to make trade-offs that will benefit them but harm the corporation. Even multiple metrics may produce perverse outcomes if the metrics are unrelated. “Balance” means the incentive system possesses compensating controls – for instance, setting production incentives but balancing these against scrap or defect rate metrics.
Measuring performance-to-production goals against scrap rates is an example where the compensating control exists within the business unit. However, there are plenty of occasions when the control is at a higher level within a company. This is especially true for regulatory or legal compliance. Instructing managers not to break the law or violate regulations may be effective for a large majority of them. Companies take some care in who they hire and promote but experience shows that there are limits to the effectiveness of this approach. Anticipating where legal or regulatory problems may arise and keeping tabs on indicators of problems in this area will reduce the risk of an “unfavorable development.”
Compensating controls have an important role in other aspects of legal or regulatory compliance, especially where the judgment call on one individual may unduly increase the risk to the company at large. For instance, an integrated oil company is interested in maximizing its profits but it (and its board and shareholders) do not want a refinery to blow up, killing employees and nearby residents, especially if the explosion is the result of shoddy maintenance. The vice president of this refinery division has incentives based on production, profitability and safety objectives. Although he or she has incentives not to cut corners and may have impeccable moral character, they may find themselves tempted to postpone some bit of scheduled maintenance for the sake of boosting output and profitability. The reason is that plenty of managers have cut corners in the past and nothing bad has come of it. Indeed, after successfully cutting corners to achieve a short-term goal, a manager may be tempted to push the envelope further the next time.
Which brings me to the point of this blog: enterprise risk management. Corporations need to put into place controls that will alert them to the possibility of risky or illegal decisions being made at lower levels of the organization. In the refinery example this would mean something as obvious as uptime but also other evidence that might point to unsafe practices (such as money not paid to the usual maintenance contractor or too few hours paid to certain types of workers). Usually these sorts of checks require pulling information from disparate systems because of the need to triangulate data from financial and multiple operating systems such as production, employee scheduling, MRO (maintenance repair and overhaul) and so on. Moreover, it needs an enterprise risk management system to be able to handle large quantities of data and easily accommodate an evolving set of controls and measurements. This form of risk management is still in its infancy and companies will want to introduce new controls and drop ones that turn out to be less important or irrelevant.
Let me know your thoughtsor come and collaborate with me on Facebook,LinkedInand Twitter.
Robert D. Kugel - SVP Research